Debian Patches

Status for snapd/2.49-1+deb11u2

Patch Description Author Forwarded Bugs Origin Last update
0001-cmd-snap-seccomp-use-upstream-seccomp-package.patch [PATCH 1/9] cmd/snap-seccomp: use upstream seccomp package
Upstream snapd uses a fork that carries an additional compatibility patch
required to build snapd for Ubuntu 14.04. This patch is not required with
the latest snapshot of the upstream seccomp golang bindings, but they are
neither released upstream nor backported (in their entirety) to Ubuntu
14.04.

The forked seccomp library is not packaged in Debian. As such, to build
snapd, we need to switch to the regular, non-forked package name.
Zygmunt Krynicki <me@zygoon.pl> no 2019-01-17
0002-cmd-snap-seccomp-skip-tests-that-fail-on-4.19.patch [PATCH 2/9] cmd/snap-seccomp: skip tests that fail on 4.19
It seems that the Debian 4.19.0-1 kernel contains a regression in
seccomp execution. While this issue is investigated in parallel along
with the security team, the release of the updated snapd package should not
be held up by this issue.
Zygmunt Krynicki <me@zygoon.pl> no 2019-01-17
0003-cmd-snap-seccomp-skip-tests-that-use-m32.patch [PATCH 3/9] cmd/snap-seccomp: skip tests that use -m32
Apparently Debian's amd64 compiler somehow cannot compile -m32 mode
binaries. The compilation error is:

multipass@debian-10:~/packaging/snapd/cmd/snap-seccomp$ go test
cannot build multi-lib syscall runner: exit status 1
In file included from /usr/include/errno.h:25,
from /tmp/check-3806730340354206876/1/seccomp_syscall_runner.c:3:
/usr/include/features.h:424:12: fatal error: sys/cdefs.h: No such file or directory
# include <sys/cdefs.h>
^~~~~~~~~~~~~
compilation terminated.
OK: 2 passed, 11 skipped

I was unable to resolve this issue; let's disable this test until we can get to
the bottom of it.
Zygmunt Krynicki <me@zygoon.pl> no 2019-01-17
0004-cmd-snap-skip-tests-depending-on-text-wrapping.patch [PATCH 4/9] cmd/snap: skip tests depending on text wrapping
Upstream snapd contains tests that check the output of various commands
along with the --help command-line argument. The output is wrapped to
match terminal width and for readability. The algorithm for wrapping
has apparently changed across versions of github.com/jessevdk/go-flags.

Since this test is not critical for anything it can be disabled to let
the package build.
Zygmunt Krynicki <me@zygoon.pl> no 2019-01-17
0005-advisor-errtracker-use-upstream-bolt-package.patch [PATCH 5/9] advisor,errtracker: use upstream bolt package
Upstream snapd uses a fork of the bolt package that carries additional
patches for bugs that were discovered by snapd developers. Bolt itself
appears to be an abandoned project and is not accepting any new patches.

In various distributions the upstream bolt package may or may not have
been patched but the forked version was definitely not packaged. As
such, to build snapd in Debian the upstream bolt package name must be
used.
Zygmunt Krynicki <me@zygoon.pl> no 2019-01-17
0006-systemd-disable-snapfuse-system.patch [PATCH 6/9] systemd: disable snapfuse system
Upstream snapd uses an elaborate hack to bundle squashfuse under the
name snapfuse, built as a fake Go package. This component is not
available in Debian, where bundling elements is not allowed.
Zygmunt Krynicki <me@zygoon.pl> no 2019-01-17
0007-i18n-use-dummy-localizations-to-avoid-dependencies.patch [PATCH 7/9] i18n: use dummy localizations to avoid dependencies
Upstream snapd uses the github.com/ojii/gettext.go package for access to
translation catalogs. This package is currently not available in Debian
and prevents building the package. As such, replace the real
implementation with a simple dummy one that always uses the English
input strings.
Zygmunt Krynicki <me@zygoon.pl> no 2019-01-17
0010-man-page-sections.patch no
0013-cherry-pick-pr9936.patch commit 5c7c00e13285487a472e615d0e483e64b2cfad78

Remove apparmor downgrade feature

Apparmor downgrade was automatically enabled when the running kernel
supported some, but not all, of the features. Since the complete set was
never upstreamed, this effectively meant that users had fewer features
than they otherwise would have.

Since apparmor is still reported as "partial", nothing changes from the
point of view of not sending any misleading messages. For certain
classes of snap packages, this improves the effective confinement on
systems such as Debian or openSUSE Leap.

Perfect confinement is still way off, this doesn't change that.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>

diff --git a/interfaces/apparmor/backend.go b/interfaces/apparmor/backend.go
index 1819525c2b..73b9c3ade8 100644
Zygmunt Krynicki <me@zygoon.pl> no 2021-02-15
0015-cve-2021-44730-44731-4120.patch no
0016-cve-2021-2021-44730-44731-4120-auto-remove.patch no
0017-cve-2022-3328-1.patch [PATCH 1/4] data: Add systemd-tmpfiles configuration to create private tmp dir

Use systemd-tmpfiles to create the private tmp mount namespace root
dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive
permissions. We can use this as a known location to then create per-snap
private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE)
etc.
Alex Murray <alex.murray@canonical.com> no 2022-10-20
0018-cve-2022-3328-2.patch [PATCH 2/4] many: Use /tmp/snap-private-tmp for per-snap private tmps
To avoid unprivileged users being able to interfere with the creation of the
private snap mount namespace, instead of creating this as /tmp/snap.$SNAP_NAME/
we can now use the systemd-tmpfiles configuration to do this for us
at boot with a known fixed name (/tmp/snap-private-tmp/) and then use that as
the base dir for creating per-snap private tmp mount
namespaces (e.g. /tmp/snap-private-tmp/snap.$SNAP_INSTANCE/tmp) etc.
Alex Murray <alex.murray@canonical.com> no 2022-09-19
0019-cve-2022-3328-3.patch [PATCH 4/4] overlord/snapmgr: Bump vulnerable snap version check
This should ensure that any older versions of snapd that are vulnerable to this
new CVE-2022-3328 are uninstalled on upgrade to the fixed version.
Alex Murray <alex.murray@canonical.com> no 2022-09-26
