committing changes in /etc after apt run
authorFrank Brehm <frank@brehm-online.com>
Mon, 6 Jul 2020 22:08:14 +0000 (00:08 +0200)
committerFrank Brehm <root@bruni.home.brehm-online.com>
Mon, 6 Jul 2020 22:08:14 +0000 (00:08 +0200)
Package changes:
-libc-bin 2.27-3ubuntu1 amd64
-libc-dev-bin 2.27-3ubuntu1 amd64
-libc6 2.27-3ubuntu1 amd64
-libc6 2.27-3ubuntu1 i386
-libc6-dbg 2.27-3ubuntu1 amd64
-libc6-dev 2.27-3ubuntu1 amd64
+libc-bin 2.27-3ubuntu1.2 amd64
+libc-dev-bin 2.27-3ubuntu1.2 amd64
+libc6 2.27-3ubuntu1.2 amd64
+libc6 2.27-3ubuntu1.2 i386
+libc6-dbg 2.27-3ubuntu1.2 amd64
+libc6-dev 2.27-3ubuntu1.2 amd64
-libnss3 2:3.35-2ubuntu2.8 amd64
+libnss3 2:3.35-2ubuntu2.9 amd64
-libopenexr22 2.2.0-11.1ubuntu1.2 amd64
+libopenexr22 2.2.0-11.1ubuntu1.3 amd64
-linux-base 4.5ubuntu1.1 all
+linux-base 4.5ubuntu1.2 all
-locales 2.27-3ubuntu1 all
+locales 2.27-3ubuntu1.2 all
-multiarch-support 2.27-3ubuntu1 amd64
+multiarch-support 2.27-3ubuntu1.2 amd64
-snapd 2.42.1+18.04 amd64
+snapd 2.45.1+18.04 amd64

.etckeeper
apparmor.d/usr.lib.snapd.snap-confine.real
sudoers.d/99-snapd.conf [new file with mode: 0644]
systemd/system/multi-user.target.wants/snapd.apparmor.service [new symlink]
systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service [new symlink]

index 359f836edf1f574366290b4aac46b7b6efde4e1a..3551cf5dbd3971f0c4b69092f350222ac494a177 100755 (executable)
@@ -2873,6 +2873,7 @@ maybe chmod 0644 'subuid-'
 maybe chmod 0440 'sudoers'
 maybe chmod 0755 'sudoers.d'
 maybe chmod 0440 'sudoers.d/0pwfeedback'
+maybe chmod 0440 'sudoers.d/99-snapd.conf'
 maybe chmod 0440 'sudoers.d/README'
 maybe chmod 0440 'sudoers.d/ctdb'
 maybe chmod 0440 'sudoers.d/mintupdate'
index 8894343e8d7c3d4bcb5fef1de548f9370df3a200..86fe1a12d7158668c01575f6b2f1f38c19884b10 100644 (file)
     # any abstractions
     /etc/ld.so.cache r,
     /etc/ld.so.preload r,
-    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
     # libc, you are funny
-    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
-    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
-    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
-    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
-    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libblkid.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libuuid.so* mr,
     # normal libs in order
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
-    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
+    /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
     /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
     capability dac_read_search,
     capability dac_override,
     /sys/fs/cgroup/devices/snap{,py}.*/ w,
-    /sys/fs/cgroup/devices/snap{,py}.*/tasks w,
+    /sys/fs/cgroup/devices/snap{,py}.*/cgroup.procs w,
     /sys/fs/cgroup/devices/snap{,py}.*/devices.{allow,deny} w,
 
     # cgroup: freezer
     # Allow creating per-snap cgroup freezers and adding snap command (task)
     # invocations to the freezer. This allows for reliably enumerating all
-    # running tasks for the snap. In addition, allow enumerating processes in
-    # the cgroup to determine if it is occupied.
+    # running processes for the snap. In addition, allow enumerating processes
+    # in the cgroup to determine if it is occupied.
     /sys/fs/cgroup/freezer/ r,
     /sys/fs/cgroup/freezer/snap.*/ w,
-    /sys/fs/cgroup/freezer/snap.*/tasks w,
-    /sys/fs/cgroup/freezer/snap.*/cgroup.procs r,
+    /sys/fs/cgroup/freezer/snap.*/cgroup.procs rw,
 
     # cgroup: pids
     # allow creating per snap-security-tag hierarchy and adding snap command (task)
     # invocations to the controller.
     /sys/fs/cgroup/pids/ r,
     /sys/fs/cgroup/pids/snap.*/ w,
-    /sys/fs/cgroup/pids/snap.*/tasks w,
+    /sys/fs/cgroup/pids/snap.*/cgroup.procs w,
 
     # querying udev
     /etc/udev/udev.conf r,
     # reading seccomp filters
     /{tmp/snap.rootfs_*/,}var/lib/snapd/seccomp/bpf/*.bin r,
 
-    # LP: #1668659
+    # LP: #1668659 and parallel instaces of classic snaps
     mount options=(rw rbind) /snap/ -> /snap/,
     mount options=(rw rshared) -> /snap/,
+    mount options=(rw rbind) /var/lib/snapd/snap/ -> /var/lib/snapd/snap/,
+    mount options=(rw rshared) -> /var/lib/snapd/snap/,
 
     # boostrapping the mount namespace
     mount options=(rw rshared) -> /,
     mount options=(rw rbind) /tmp/ -> /tmp/snap.rootfs_*/tmp/,
     mount options=(rw rslave) -> /tmp/snap.rootfs_*/tmp/,
 
+    mount options=(rw rbind) /var/lib/dhcp/ -> /tmp/snap.rootfs_*/var/lib/dhcp/,
+    mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/dhcp/,
+
     mount options=(rw rbind) /var/lib/snapd/ -> /tmp/snap.rootfs_*/var/lib/snapd/,
     mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/snapd/,
 
     # pivot_root preparation and execution
     mount options=(rw bind) /tmp/snap.rootfs_*/var/lib/snapd/hostfs/ -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
     mount options=(rw private) -> /tmp/snap.rootfs_*/var/lib/snapd/hostfs/,
-    # pivot_root mediation in AppArmor is not complete. See LP: #1791711
-    pivot_root,
+
+    # pivot_root mediation in AppArmor is not complete. See LP: #1791711.
+    # However, we can mediate the new_root and put_old to be what we expect,
+    # and then deny directory creation within old_root to prevent trivial
+    # pivoting into a whitelisted path.
+    pivot_root oldroot=/tmp/snap.rootfs_*/var/lib/snapd/hostfs/ /tmp/snap.rootfs_*/,
+    # Explicitly deny creating the old_root directory in case it is
+    # inadvertently added somewhere else. While this doesn't resolve
+    # LP: #1791711, it provides some hardening.
+    audit deny /tmp/snap.rootfs_*/{var/,var/lib/,var/lib/snapd/,var/lib/snapd/hostfs/} w,
+
     # cleanup
     umount /var/lib/snapd/hostfs/tmp/snap.rootfs_*/,
     umount /var/lib/snapd/hostfs/sys/,
     umount /var/lib/snapd/hostfs/proc/,
     mount options=(rw rslave) -> /var/lib/snapd/hostfs/,
 
+    # Hide /writable from view of snaps.
+    mount options=(rprivate) -> /{,var/lib/snapd/hostfs/}writable/,
+    umount /{,var/lib/snapd/hostfs/}writable/,
+
     # set up user mount namespace
     mount options=(rslave) -> /,
 
+    # set up mount namespace for parallel instances of classic snaps
+    mount options=(rw rbind) /snap/{,*/} -> /snap/{,*/},
+    mount options=(rslave) -> /snap/,
+    mount options=(rslave) -> /var/snap/,
+    mount options=(rw rbind) /var/snap/{,*/} -> /var/snap/{,*/},
+    mount options=(rw rshared) -> /var/snap/,
+
     # Allow reading the os-release file (possibly a symlink to /usr/lib).
     /{etc/,usr/lib/}os-release r,
 
         # We run privileged, so be fanatical about what we include and don't use
         # any abstractions
         /etc/ld.so.cache r,
-        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}ld-*.so mrix,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}ld-*.so mrix,
         # libc, you are funny
-        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libc{,-[0-9]*}.so* mr,
-        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpthread{,-[0-9]*}.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libc{,-[0-9]*}.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libpthread{,-[0-9]*}.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libreadline{,-[0-9]*}.so* mr,
-        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}librt{,-[0-9]*}.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}librt{,-[0-9]*}.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libgcc_s.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libncursesw{,-[0-9]*}.so* mr,
-        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libresolv{,-[0-9]*}.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libresolv{,-[0-9]*}.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libselinux.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libmount.so* mr,
         # normal libs in order
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libapparmor.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libcgmanager.so* mr,
-        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdl{,-[0-9]*}.so* mr,
+        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/{,atomics/}}libdl{,-[0-9]*}.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnih-dbus.so* mr,
         /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libdbus-1.so* mr,
     # Allow mounting /var/lib/jenkins from the host into the snap.
     mount options=(rw rbind) /var/lib/jenkins/ -> /tmp/snap.rootfs_*/var/lib/jenkins/,
     mount options=(rw rslave) -> /tmp/snap.rootfs_*/var/lib/jenkins/,
+
+    # Suppress noisy file_inherit denials (LP: #1850552) until LP: #1849753 is
+    # fixed.
+    deny /dev/shm/.org.chromium.Chromium.* rw,
+
+    # While snap-confine itself doesn't require unix rules and therefore all
+    # unix rules are implicitly denied, adding an explicit deny for unix to
+    # silence noisy denials breaks nested lxd. Until the cause is determined,
+    # do not use an explicit deny for unix. (LP: #1855355)
+    #deny unix,
+
+    # Explicitly deny these accesses which show up on Arch to silence the
+    # denials for this unneeded access.
+    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_files-[0-9]*.so* mr,
+    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_mymachines.[0-9]*.so* mr,
+    deny /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libnss_systemd.[0-9]*.so* mr,
+    deny /etc/nsswitch.conf r,
+    deny /etc/passwd r,
 }
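Review bot: The libpcre widening applied to the outer profile (the added `libpcre{,2}{,-[0-9]*}.so*` rule) is not mirrored in the nested, deeper-indented profile, whose unchanged line still reads `/{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre.so* mr,`. That nested profile also permits libselinux.so, and newer libselinux builds are linked against libpcre2 rather than libpcre, so the confined helper may hit a library-load denial there that the outer profile no longer has; if the intent is to track upstream snapd verbatim this is worth confirming rather than assuming, and the matching line would be `        /{,usr/}lib{,32,64,x32}/{,@{multiarch}/}libpcre{,2}{,-[0-9]*}.so* mr,`. The enclosing profile block opens before the first line shown in this section; only its closing brace is visible here. Separately, the new `deny` rules for /etc/nsswitch.conf, /etc/passwd and the libnss_* libraries are quiet denies, so unlike the `audit deny` added for the old_root directories these accesses will stop appearing in the audit log — intended noise reduction per the comment, but the detection side should know those events disappear rather than being fixed.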
diff --git a/sudoers.d/99-snapd.conf b/sudoers.d/99-snapd.conf
new file mode 100644 (file)
index 0000000..2b03d48
--- /dev/null
@@ -0,0 +1,3 @@
+# Allow snap-provided applications to work with sudo
+
+Defaults    secure_path += /snap/bin
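Review bot: The line `Defaults    secure_path += /snap/bin` deserves one more sentence of comment, because a sudoers drop-in that alters secure_path changes which executable a bare command name resolves to when run under sudo. The `+=` appends, so the existing secure_path directories keep precedence, but any command name not present in them now resolves to the snap-provided wrapper in /snap/bin, which is the fact an auditor of this host's sudo behaviour wants stated; e.g. `# Appended, not prepended: existing secure_path directories keep precedence over /snap/bin`. The `new file mode 100644` in the header is only git's representation; the on-disk mode is recorded as 0440 by the .etckeeper change in this same commit, the conventional mode for sudoers.d drop-ins.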
diff --git a/systemd/system/multi-user.target.wants/snapd.apparmor.service b/systemd/system/multi-user.target.wants/snapd.apparmor.service
new file mode 120000 (symlink)
index 0000000..93661da
--- /dev/null
@@ -0,0 +1 @@
+/lib/systemd/system/snapd.apparmor.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service b/systemd/system/multi-user.target.wants/snapd.recovery-chooser-trigger.service
new file mode 120000 (symlink)
index 0000000..ea555fd
--- /dev/null
@@ -0,0 +1 @@
+/lib/systemd/system/snapd.recovery-chooser-trigger.service
\ No newline at end of file