New security update release 2.54.3

• SECURITY UPDATE: Local privilege escalation
  • snap-confine: Add validations of the location of the snap-confine
    binary within snapd.
  • snap-confine: Fix race condition in snap-confine when preparing a
    private mount namespace for a snap.
  • CVE-2021-44730
  • CVE-2021-44731
• SECURITY UPDATE: Data injection from malicious snaps
  • interfaces: Add validations of snap content interface and layout
    paths in snapd.
  • CVE-2021-4120
  • LP: #1949368

New bugfix release 2.54.2

New snapd release 2.54.2

See https://forum.snapcraft.io/t/the-snapd-roadmap/1973 for high-level overview.

• tests: exclude interfaces-kernel-module load on arm
• tests: ensure that test-snapd-kernel-module-load is removed
• tests: do not test microk8s-smoke on arm
• tests/core/failover: replace boot-state with snap debug boot-vars
• tests: use snap info|awk to extract tracking channel
• tests: fix remodel-kernel test when running on external devices
• .github/workflows/test.yaml: also check internal snapd version for cleanliness
• packaging/ubuntu-16.04/rules: eliminate seccomp modification
• bootloader/assets/grub_*cfg_asset.go: update Copyright
• build-aux/snap/snapcraft.yaml: adjust comment about get-version
• .github/workflows/test.yaml: add check in github actions for dirty snapd snaps
• build-aux/snap/snapcraft.yaml: use build-packages, don't fail dirty builds
• data/selinux: allow poking /proc/xen

New bugfix release 2.54.1

New bugfix release for the major 2.54 release:

• buid-aux: set version before calling ./generate-packaging-dir
  This fixes the "dirty" suffix in the auto-generated version

New major release 2.54

Major update for snapd 2.54

New bugfix release 2.53.4

New snapd release 2.53.4

See https://forum.snapcraft.io/t/the-snapd-roadmap/1973 for high-level overview.

• devicestate: mock devicestate.MockTimeutilIsNTPSynchronized to avoid host env leaking into tests
• timeutil: return NoTimedate1Error if it can't connect to the system bus

And thus ends the terrible reign of snapd 2.53.3 which failed to build in launchpad giving birth to snapd 2.53.4

New bugfix release 2.53.3

New snapd release 2.53.3

See https://forum.snapcraft.io/t/the-snapd-roadmap/1973 for high-level overview.

• devicestate: Unregister deletes the device key pair as well
• daemon,tests: support forgetting device serial via API
• configcore: relax validation rules for hostname
• o/devicestate: introduce DeviceManager.Unregister
• packaging/ubuntu, packaging/debian: depend on dbus-session-bus provider
• many: wait for up to 10min for NTP synchronization before autorefresh
• interfaces/interfaces/scsi_generic: add interface for scsi generic devices
• interfaces/microstack-support: set controlsDeviceCgroup to true
• interface/builtin/log_observe: allow to access /dev/kmsg
• daemon: write formdata file parts to snaps dir
• spread: run lxd tests with version from latest/edge
• cmd/libsnap-confine-private: fix snap-device-helper device allow list modification on cgroup v2
• interfaces/builtin/dsp: add proc files for monitoring Ambarella DSP firmware
• interfaces/builtin/dsp: update proc file accordingly

Full Changelog: 2.53.2...2.53.3

New bugfix release 2.53.2

New snapd release 2.53.2

See https://forum.snapcraft.io/t/the-snapd-roadmap/1973 for high-level overview.

• interfaces/builtin/block_devices: allow blkid to print block device attributes/run/udev/data/b{major}:{minor}
• cmd/libsnap-confine-private: do not deny all devices when reusing the device cgroup
• interfaces/builtin/time-control: allow pps access
• interfaces/u2f-devices: add Trezor and Trezor v2 keys
• interfaces: timezone-control, add permission for ListTimezones DBus call
• interfaces/apparmor/template.go: allow udevadm from merged usr systems
• interface/modem-manager: allow connecting to the mbim/qmi proxy
• interfaces/network-manager-observe: Update for libnm client library
• cmd/snap-seccomp/syscalls: update syscalls to match libseccomp abad8a8f4
• sandbox/cgroup: freeze and thaw cgroups related to services and scopes only
• o/hookstate: print cohort with snapctl refresh --pending
• cmd/snap-confine: lazy set up of device cgroup, only when devices were assigned
• tests: ensure systemd-timesyncd is installed on debian
• tests/lib/pkgdb: install strace on Debian 11 and Sid
• tests/main/snapd-sigterm: flush, use retry
• tests/main/snapd-sigterm: fix race conditions
• release-tools/repack-debian-tarball.sh: fix c-vendor dir
• data/selinux: allow snap-confine to read udev's database
• interfaces/dsp: add more ambarella things* interfaces/dsp: add more ambarella things

Full Changelog: 2.53.1...2.53.2

New bugfix release 2.53.1

What's Changed

• tests: force snapd-session-agent.socket to be re-generated by @sergiocazzolato in #10556
• tests/main/services-install-hook-can-run-svcs: make variants more obvious by @anonymouse64 in #10558
• tests/many: remove lxd systemd unit to prevent unexpected leftovers by @sergiocazzolato in #10560
• tests: removing Ubuntu 20.10, adding 21.04 nested in spread by @sergiocazzolato in #10555
• snap: change snap login --help to not mention "buy" by @mvo5 in #10533
• packaging: switch ubuntu to use golang-1.13 by @mvo5 in #10440
• config: add "virtual" config via config.RegisterVirtualConfig by @mvo5 in #10264
• o/devicestate, sysconfig: refactor cloud-init config permission handling by @anonymouse64 in #10536
• overlord/devicestate: UC20 specific set-model, managers tests by @bboozzoo in #10510
• github: enable gofmt for Go 1.13 jobs by @bboozzoo in #10569
• interfaces: s/specifc/specific/ by @woodrow-shen in #10566
• cmd/libsnap-confine-private: g_spawn_check_exit_status is deprecated since glib 2.69 by @bboozzoo in #10565
• tests: skip udp protocol on latest ubuntus by @sergiocazzolato in #10564
• cmd/snap-confine: refactor device cgroup handling to enable easier v2 integration by @bboozzoo in #10547
• asserts/snapasserts: CheckPresenceInvalid and CheckPresenceRequired methods by @stolowski in #10535
• snap/squashfs: handle squashfs-tools 4.5+ by @bboozzoo in #10567
• tests/main/snapd-snap: install 4.x snapcraft to build the snapd snap by @anonymouse64 in #10579
• interfaces/builtin: allow access to per-user GTK CSS overrides by @jhenstridge in #10574
• tests: update nested wait for snapd command by @sergiocazzolato in #10582
• o/snapstate: affectedByRefresh tweaks by @stolowski in #10578
• packaging: fix build failure on bionic and simplify rules by @mvo5 in #10568
• interfaces/tee: add support for Qualcomm qseecom device node by @kubiko in #10585
• tests: fix cached-results condition in github actions workflow by @sergiocazzolato in #10587
• cmd/libsnap-confine-private: move device cgroup files, add helper to deny a device by @bboozzoo in #10576
• configcore: register virtual config for timezone reading by @mvo5 in #10562
• o/snapstate: add AffectedByRefreshCandidates helper by @stolowski in #10581
• snap: support links map in snap.yaml (and later from the store API) by @pedronis in #10467
• tests: use bigger storage on ubuntu 21.10 by @sergiocazzolato in #10596
• vendor: move to snapshot-4c814e1 branch and set fixed KDF options by @mvo5 in #10591
• {device,snap}state: skip kernel extraction in seeding by @mvo5 in #10595
• packaging: merge 2.51.4 changelog back to master by @anonymouse64 in #10603
• .github/workflows/test.yaml: use snapcraft 4.x to build the snapd snap by @anonymouse64 in #10601
• configcore: fix a bunch of incorrect error returns by @mvo5 in #10600
• tests/nested/manual: enable serial assertions on testkeys nested VM's by @anonymouse64 in #10542
• configcore: fix early config timezone handling by @mvo5 in #10599
• wrappers: measure time to enable services in StartServices() by @mvo5 in #10604
• corecfg: add "system.hostname" setting to the system settings by @mvo5 in #9094
• c/snap,o/hookstate/ctlcmd: add JSON/string strict processing flags to snap/snapctl by @miguelpires in #10593
• sysconfig/cloudinit.go: measure (but don't use) gadget cloud-init datasource by @anonymouse64 in #10572
• tests: fix core-early-config test to use tests.nested tool by @sergiocazzolato in #10612
• o/snapstate: allow auto-refresh limited to snaps affected by a specific gating snap by @stolowski in #10515
• clang-format: stop breaking my includes by @bboozzoo in #10618
• o/assertstate: implement ValidationSetAssertionForEnforce helper by @stolowski in #10563
• o/devicestate/handlers_install.go: add workaround to create dirs for install by @anonymouse64 in #10608
• cmd/libsnap-confine-private: fix coverity issues in tests, tweak uses of g_assert() by @bboozzoo in #10616
• cmd/snap-device-helper: reimplement snap-device-helper by @bboozzoo in #10577
• o/snapstate: remove commented out code by @stolowski in #10627
• interfaces/builtin/raw_usb: fix platform typo, fix access to usb devices accessible through platform by @bboozzoo in #10624
• devicestate: add snap debug timings --ensure=install-system by @mvo5 in #10529
• config: rename "virtual" config to "external" config by @mvo5 in #10597
• build-aux: build with go-1.13 in the snapcraft build too by @mvo5 in #10629
• packaging: changelog for 2.51.5 to master by @anonymouse64 in #10621
• cmd/snap: print logs in local timezone by @miguelpires in #10625
• cmd/libsnap-confine-private: fix issues identified by coverity by @bboozzoo in #10631
• o/hookstate: allow snapctl refresh --proceed from snaps by @stolowski in #10528
• usersession/agent: refactor common JSON validation into own function by @mardy in #10623
• daemon, o/snapstate: handle IgnoreValidation flag on install (2/3) by @stolowski in #10546
• spread: temporarily fix the ownership of /home/ubuntu/.ssh on 21.10 by @bboozzoo in #10632
• tests: remove the test user just when it was installed on create-user-2 test by @sergiocazzolato in #10637
• secboot: switch main key KDF memory cost to 32KB by @mvo5 in #10645
• secboot: use half the mem for KDF in AddRecoveryKey by @mvo5 in #10619
• packaging: merge 2.51.6 changelog back to master by @anonymouse64 in #10650
• packaging: remove TEST_GITHUB_AUTOPKGTEST support by @mvo5 in #10641
• tests: stop the service when is active in test interfaces-firewall-control test by @sergiocazzolato in #10638
• secboot: remove duplicate import by @xnox in #10654
• .github/workflows: add codedov again by @anonymouse64 in #10648
• tests: update systems for sru validation by @sergiocazzolato in #10635
• tests: fix timing issue on security-dev-input-event-denied test by @sergiocazzolato in #10652
• tests: clean snaps.sh helper by @sergiocazzolato in #10343
• tests: fix services-refresh-mode test by @sergiocazzolato in #10646
• cmd, packaging: import BPF headers from kernel, detect whether host headers are usable by @bboozzoo in #10640
• testutil: add DeepUnsortedMatches Checker by @miguelpires in #10643
• interfaces/u2f-devices: add Nitrokey FIDO2 by @kkeijzer in #10642
• tests/main/services-install-hook-can-run-svcs: shellcheck issue fix by @bboozzoo in #10663
• github: do not try to upload coverage when working with cached run by @bboozzoo in #10665
• cmd/snap-seccomp/syscalls: update syscalls list to libseccomp v2.2.0-428-g5c22d4b by @bboozzoo in #10667
• i18n/xgettext-go: preserve already escaped quotes by @miguelpires in #10668
• .github/workflows/test.yaml: test github.events key by @anonymouse64 in #10662
• tests: set to 10 minutes the kill timeout for tests failing on slow boards by @sergiocazzolato in #10664
• gadget: Export mkfs functions for use in ubuntu-image by @GlenPickle in #10592
• cgroup-sup...

New major release 2.53

New major release

New bugfix release 2.52.1

Bugfixes:

• snap-bootstrap: wait in mountNonDataPartitionMatchingKernelDisk for the disk (if not present already)
• many: support an API flag system-restart-immediate to make snap ops proceed immediately with system restarts
• cmd/libsnap-confine-private: g_spawn_check_exit_status is deprecated since glib 2.69
• interfaces/seccomp: add clone3 to default template
• interfaces/apparmor/template.go: allow inspection of dbus mediation level
• interfaces/dsp: add a usb rule to the ambarella flavor
• cmd/snap-confine: update s-c apparmor profile to allow versioned ld.so
• o/ifacestate: don't lose connections if snaps are broken
• interfaces/builtin/opengl.go: add libOpenGL.so* too
• interfaces/hardware-observe: add some dmi properties
• build-aux: stage libgcc1 library into snapd snap
• interfaces/block-devices: support to access the state of block devices
• packaging: ship the snapd.apparmor.service unit in debian