Update snapd 2.62 -> 2.67 (#17)

nix-community · Dec 23, 2024 · 355a1ed · 355a1ed
1 parent 5215b82
commit 355a1ed
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 63 deletions.
diff --git a/src/nixify.patch b/src/nixify.patch
@@ -1,58 +1,57 @@
 diff --git a/cmd/Makefile.am b/cmd/Makefile.am
-index e4c260bfd0..b5c8b5a52b 100644
+index b1923adf44..f17cce66d8 100644
 --- a/cmd/Makefile.am
 +++ b/cmd/Makefile.am
-@@ -95,9 +95,8 @@ fmt:: $(filter-out $(addprefix %,$(new_format)),$(foreach dir,$(subdirs),$(wildc
+@@ -98,7 +98,7 @@ fmt:: $(filter-out $(addprefix %,$(new_format)),$(foreach dir,$(subdirs),$(wildc
  # installing a fresh copy of snap confine and the appropriate apparmor profile.
  .PHONY: hack
  hack: snap-confine/snap-confine-debug snap-confine/snap-confine.apparmor snap-update-ns/snap-update-ns snap-seccomp/snap-seccomp snap-discard-ns/snap-discard-ns snap-device-helper/snap-device-helper snapd-apparmor/snapd-apparmor
 -	sudo install -D -m 4755 snap-confine/snap-confine-debug $(DESTDIR)$(libexecdir)/snap-confine
 +	sudo install -D -m 755 snap-confine/snap-confine-debug $(DESTDIR)$(libexecdir)/snap-confine
- 	if [ -d /etc/apparmor.d ]; then sudo install -m 644 snap-confine/snap-confine.apparmor $(DESTDIR)/etc/apparmor.d/$(patsubst .%,%,$(subst /,.,$(libexecdir))).snap-confine.real; fi
--	sudo install -d -m 755 $(DESTDIR)/var/lib/snapd/apparmor/snap-confine/
+ 	if [ -d $(DESTDIR)$(APPARMOR_SYSCONFIG) ]; then sudo install -m 644 snap-confine/snap-confine.apparmor $(DESTDIR)$(APPARMOR_SYSCONFIG)/$(patsubst .%,%,$(subst /,.,$(libexecdir))).snap-confine.real; fi
+ 	sudo install -d -m 755 $(DESTDIR)$(snapdstatedir)/apparmor/snap-confine/
  	if [ "$$(command -v apparmor_parser)" != "" ]; then sudo apparmor_parser -r snap-confine/snap-confine.apparmor; fi
- 	sudo install -m 755 snap-update-ns/snap-update-ns $(DESTDIR)$(libexecdir)/snap-update-ns
- 	sudo install -m 755 snap-discard-ns/snap-discard-ns $(DESTDIR)$(libexecdir)/snap-discard-ns
-@@ -387,18 +386,16 @@ snap-confine/snap-confine.apparmor: snap-confine/snap-confine.apparmor.in Makefi
- # patsubst strips the leading dot
- install-data-local:: snap-confine/snap-confine.apparmor
- if APPARMOR
--	install -d -m 755 $(DESTDIR)/etc/apparmor.d/
--	install -m 644 snap-confine/snap-confine.apparmor $(DESTDIR)/etc/apparmor.d/$(patsubst .%,%,$(subst /,.,$(libexecdir))).snap-confine
-+	install -d -m 755 $(out)/etc/apparmor.d/
-+	install -m 644 snap-confine/snap-confine.apparmor $(out)/etc/apparmor.d/$(patsubst .%,%,$(subst /,.,$(libexecdir))).snap-confine
- endif
--	install -d -m 755 $(DESTDIR)/var/lib/snapd/apparmor/snap-confine/
+@@ -418,7 +418,7 @@ endif
 
- # NOTE: The 'void' directory *has to* be chmod 111
- install-data-local::
--	install -d -m 111 $(DESTDIR)/var/lib/snapd/void
-
- install-exec-hook::
+ install-exec-hook:
  # Ensure that snap-confine is u+s (setuid)
 -	chmod 4755 $(DESTDIR)$(libexecdir)/snap-confine
 +	chmod 755 $(DESTDIR)$(libexecdir)/snap-confine
 
  ##
  ## snap-mgmt
+diff --git a/cmd/configure.ac b/cmd/configure.ac
+index 9df43ac860..78c8f428b3 100644
+--- a/cmd/configure.ac
++++ b/cmd/configure.ac
+@@ -232,9 +232,6 @@ fi
+ dnl FIXME: get this via something like pkgconf once it is defined there
+ dnl FIXME: Use PKG_CHECK_VAR when we have dropped Trusty (14.04)
+ AC_ARG_VAR([SYSTEMD_PREFIX], [value for systemd prefix (overriding pkg-config)])
+-if test -z "${SYSTEMD_PREFIX}"; then
+-  SYSTEMD_PREFIX="$($PKG_CONFIG --variable=prefix systemd)"
+-fi
+ if test -n "${SYSTEMD_PREFIX}"; then
+   SYSTEMD_SYSTEM_ENV_GENERATOR_DIR="${SYSTEMD_PREFIX}/lib/systemd/system-environment-generators"
+ else
 diff --git a/cmd/libsnap-confine-private/utils.c b/cmd/libsnap-confine-private/utils.c
-index b5049c0919..23eb80e2a2 100644
+index f39e498a65..7288297508 100644
 --- a/cmd/libsnap-confine-private/utils.c
 +++ b/cmd/libsnap-confine-private/utils.c
 @@ -242,7 +242,7 @@ int sc_nonfatal_mkpath(const char *const path, mode_t mode)
  bool sc_is_expected_path(const char *path)
  {
  	const char *expected_path_re =
--	    "^(/snap/(snapd|core)/x?[0-9]+/usr/lib|/usr/lib(exec)?)/snapd/snap-confine$";
-+	    "^(/snap/(snapd|core)/x?[0-9]+/usr/lib|(/usr|@out@)/lib(exec)?)/snapd/snap-confine(-unwrapped)?$";
+-	    "^((/var/lib/snapd)?/snap/(snapd|core)/x?[0-9]+/usr/lib|/usr/lib(exec)?)/snapd/snap-confine$";
++	    "^((/var/lib/snapd)?/snap/(snapd|core)/x?[0-9]+/usr/lib|(/usr|@out@)/lib(exec)?)/snapd/snap-confine(-unwrapped)?$";
  	regex_t re;
  	if (regcomp(&re, expected_path_re, REG_EXTENDED | REG_NOSUB) != 0)
  		die("can not compile regex %s", expected_path_re);
 diff --git a/cmd/snap-confine/mount-support.c b/cmd/snap-confine/mount-support.c
-index c6f804423a..273f9e4a31 100644
+index 513c6794d2..706fedbbe4 100644
 --- a/cmd/snap-confine/mount-support.c
 +++ b/cmd/snap-confine/mount-support.c
-@@ -972,7 +972,7 @@ void sc_populate_mount_ns(struct sc_apparmor *apparmor, int snap_update_ns_fd,
+@@ -976,7 +976,7 @@ void sc_populate_mount_ns(struct sc_apparmor *apparmor, int snap_update_ns_fd,
  			{.path = "/run"},	// to get /run with sockets and what not
  			{.path = "/lib/modules",.is_optional = true},	// access to the modules of the running kernel
  			{.path = "/lib/firmware",.is_optional = true},	// access to the firmware of the running kernel
@@ -62,10 +61,10 @@ index c6f804423a..273f9e4a31 100644
  #ifdef MERGED_USR
  			{.path = "/run/media",.is_bidirectional = true,.altpath = "/media"},	// access to the users removable devices
 diff --git a/cmd/snap-confine/seccomp-support.c b/cmd/snap-confine/seccomp-support.c
-index 4722b8baf0..dd7e48318b 100644
+index 5bf3338819..1eea7ea22e 100644
 --- a/cmd/snap-confine/seccomp-support.c
 +++ b/cmd/snap-confine/seccomp-support.c
-@@ -57,10 +57,6 @@ static void validate_path_has_strict_perms(const char *path)
+@@ -83,10 +83,6 @@ static void validate_path_has_strict_perms(const char *path)
  		die("%s not root-owned %i:%i", path, stat_buf.st_uid,
  		    stat_buf.st_gid);
  	}
@@ -77,10 +76,10 @@ index 4722b8baf0..dd7e48318b 100644
 
  static void validate_bpfpath_is_safe(const char *path)
 diff --git a/cmd/snap-confine/snap-confine.c b/cmd/snap-confine/snap-confine.c
-index 29534678c1..4c27f9255f 100644
+index 6392657054..8dfb4a89e7 100644
 --- a/cmd/snap-confine/snap-confine.c
 +++ b/cmd/snap-confine/snap-confine.c
-@@ -422,7 +422,7 @@ int main(int argc, char **argv)
+@@ -436,7 +436,7 @@ int main(int argc, char **argv)
  		 * one, which definitely doesn't run in a snap-specific namespace, has a
  		 * predictable PID and is long lived.
  		 */
@@ -90,27 +89,19 @@ index 29534678c1..4c27f9255f 100644
  		int global_lock_fd = sc_lock_global();
  		// Ensure that "/" or "/snap" is mounted with the
 diff --git a/dirs/dirs.go b/dirs/dirs.go
-index f2209c9d7b..cc2ce18f2f 100644
+index f1d441ee33..4e8bc24513 100644
 --- a/dirs/dirs.go
 +++ b/dirs/dirs.go
 @@ -378,7 +378,7 @@ func SnapSystemdConfDirUnder(rootdir string) string {
- // SnapSystemdConfDirUnder returns the path to the systemd conf dir under
- // rootdir.
+ // SnapServicesDirUnder returns the path to the systemd services
+ // conf dir under rootdir.
  func SnapServicesDirUnder(rootdir string) string {
 -	return filepath.Join(rootdir, "/etc/systemd/system")
 +	return filepath.Join(rootdir, "/var/lib/snapd/nix-systemd-system")
  }
 
- // SnapBootAssetsDirUnder returns the path to boot assets directory under a
-@@ -510,14 +510,14 @@ func SetRootDir(rootdir string) {
- 	SnapRollbackDir = filepath.Join(rootdir, snappyDir, "rollback")
-
- 	SnapBinariesDir = filepath.Join(SnapMountDir, "bin")
--	SnapServicesDir = filepath.Join(rootdir, "/etc/systemd/system")
-+	SnapServicesDir = filepath.Join(rootdir, "/var/lib/snapd/nix-systemd-system")
- 	SnapRuntimeServicesDir = filepath.Join(rootdir, "/run/systemd/system")
- 	SnapUserServicesDir = filepath.Join(rootdir, "/etc/systemd/user")
- 	SnapSystemdConfDir = SnapSystemdConfDirUnder(rootdir)
+ func SnapRuntimeServicesDirUnder(rootdir string) string {
+@@ -533,7 +533,7 @@ func SetRootDir(rootdir string) {
  	SnapSystemdDir = filepath.Join(rootdir, "/etc/systemd")
  	SnapSystemdRunDir = filepath.Join(rootdir, "/run/systemd")
 
@@ -119,7 +110,7 @@ index f2209c9d7b..cc2ce18f2f 100644
  	SnapDBusSessionPolicyDir = filepath.Join(rootdir, "/etc/dbus-1/session.d")
  	// Use 'dbus-1/services' and `dbus-1/system-services' to mirror
  	// '/usr/share/dbus-1' hierarchy.
-@@ -528,7 +528,7 @@ func SetRootDir(rootdir string) {
+@@ -544,7 +544,7 @@ func SetRootDir(rootdir string) {
 
  	CloudInstanceDataFile = filepath.Join(rootdir, "/run/cloud-init/instance-data.json")
 
@@ -128,7 +119,7 @@ index f2209c9d7b..cc2ce18f2f 100644
 
  	SnapKModModulesDir = filepath.Join(rootdir, "/etc/modules-load.d/")
  	SnapKModModprobeDir = filepath.Join(rootdir, "/etc/modprobe.d/")
-@@ -560,7 +560,7 @@ func SetRootDir(rootdir string) {
+@@ -589,7 +589,7 @@ func SetRootDir(rootdir string) {
  		// both RHEL and CentOS list "fedora" in ID_LIKE
  		DistroLibExecDir = filepath.Join(rootdir, "/usr/libexec/snapd")
  	} else {
@@ -138,10 +129,10 @@ index f2209c9d7b..cc2ce18f2f 100644
 
  	XdgRuntimeDirBase = filepath.Join(rootdir, "/run/user")
 diff --git a/interfaces/system_key.go b/interfaces/system_key.go
-index 008637492a..f4c3a42875 100644
+index d6595154b3..52df93e914 100644
 --- a/interfaces/system_key.go
 +++ b/interfaces/system_key.go
-@@ -104,7 +104,7 @@ func generateSystemKey() (*systemKey, error) {
+@@ -107,7 +107,7 @@ func generateSystemKey() (*systemKey, error) {
  	sk := &systemKey{
  		Version: systemKeyVersion,
  	}
@@ -150,20 +141,20 @@ index 008637492a..f4c3a42875 100644
  	if err != nil {
  		return nil, err
  	}
-@@ -250,7 +250,7 @@ func SystemKeyMismatch() (bool, error) {
+@@ -274,7 +274,7 @@ func SystemKeyMismatch(extraData SystemKeyExtraData) (bool, error) {
  	if mockedSystemKey == nil {
  		if exe, err := os.Readlink("/proc/self/exe"); err == nil {
  			// detect running local local builds
--			if !strings.HasPrefix(exe, "/usr") && !strings.HasPrefix(exe, "/snap") {
-+			if !strings.HasPrefix(exe, "/usr") && !strings.HasPrefix(exe, "/snap") && !strings.HasPrefix(exe, "@out@") {
+-			if !strings.HasPrefix(exe, "/usr") && !strings.HasPrefix(exe, dirs.SnapMountDir) {
++			if !strings.HasPrefix(exe, "/usr") && !strings.HasPrefix(exe, dirs.SnapMountDir) && !strings.HasPrefix(exe, "@out@") {
  				logger.Noticef("running from non-installed location %s: ignoring system-key", exe)
  				return false, ErrSystemKeyVersion
  			}
 diff --git a/snap/info.go b/snap/info.go
-index a2470c0eef..4bbd2140ba 100644
+index 96b7356e30..f481e94f8e 100644
 --- a/snap/info.go
 +++ b/snap/info.go
-@@ -1289,9 +1289,9 @@ func (app *AppInfo) launcherCommand(command string) string {
+@@ -1501,9 +1501,9 @@ func (app *AppInfo) launcherCommand(command string) string {
  		command = " " + command
  	}
  	if app.Name == app.Snap.SnapName() {
@@ -176,10 +167,10 @@ index a2470c0eef..4bbd2140ba 100644
 
  // LauncherCommand returns the launcher command line to use when invoking the
 diff --git a/systemd/systemd.go b/systemd/systemd.go
-index a2f2c34dbb..c1ed85e6c9 100644
+index a6ad62a771..e5ea856068 100644
 --- a/systemd/systemd.go
 +++ b/systemd/systemd.go
-@@ -602,6 +602,14 @@ func (s *systemd) EnableNoReload(serviceNames []string) error {
+@@ -616,6 +616,14 @@ func (s *systemd) EnableNoReload(serviceNames []string) error {
  	if len(serviceNames) == 0 {
  		return nil
  	}
@@ -194,15 +185,15 @@ index a2f2c34dbb..c1ed85e6c9 100644
  	var args []string
  	if s.rootDir != "" {
  		// passing root already implies no reload
-@@ -609,6 +617,7 @@ func (s *systemd) EnableNoReload(serviceNames []string) error {
+@@ -623,6 +631,7 @@ func (s *systemd) EnableNoReload(serviceNames []string) error {
  	} else {
  		args = append(args, "--no-reload")
  	}
 +	args = append(args, "--runtime")
  	args = append(args, "enable")
  	args = append(args, serviceNames...)
  	_, err := s.systemctl(args...)
-@@ -629,6 +638,14 @@ func (s *systemd) DisableNoReload(serviceNames []string) error {
+@@ -643,6 +652,14 @@ func (s *systemd) DisableNoReload(serviceNames []string) error {
  	if len(serviceNames) == 0 {
  		return nil
  	}
@@ -217,7 +208,7 @@ index a2f2c34dbb..c1ed85e6c9 100644
  	var args []string
  	if s.rootDir != "" {
  		// passing root already implies no reload
-@@ -636,6 +653,7 @@ func (s *systemd) DisableNoReload(serviceNames []string) error {
+@@ -650,6 +667,7 @@ func (s *systemd) DisableNoReload(serviceNames []string) error {
  	} else {
  		args = append(args, "--no-reload")
  	}

diff --git a/src/package.nix b/src/package.nix
@@ -12,20 +12,20 @@
 }:
 
 let
-  version = "2.62";
+  version = "2.67";
 
   src = fetchFromGitHub {
-    owner = "snapcore";
+    owner = "canonical";
     repo = "snapd";
     rev = version;
-    hash = "sha256-4tUbPqAoaXmJIIMhnVZX+f2P2Wc+EUFR/d/yAxAKK80=";
+    hash = "sha256-WiUgLV8/Luxb3T9u1nT/rCk8YduzyyjPaCuiJszuEZU=";
   };
 
   goModules =
     (buildGoModule {
       pname = "snap-go-mod";
       inherit version src;
-      vendorHash = "sha256-1l04iE849WpIBFePEUjJcIP5akVLGy2mT1reGJCwoiM=";
+      vendorHash = "sha256-A/L4Bnx0MIvOUedF8MojXwyE09i0cImrz5fR4zqRWxM=";
     }).goModules;
 
   insecureBubblewrap = bubblewrap.overrideAttrs (o: {
@@ -163,6 +163,7 @@ stdenv.mkDerivation {
     make $makeFlagsPackaging install
     make $makeFlagsData install
     make $makeFlagsCmd install
+    rm -rf $out/var
   '';
 
   postFixup = ''

diff --git a/src/test/pinned-snap-versions.toml b/src/test/pinned-snap-versions.toml
@@ -1,6 +1,7 @@
 [x86_64-linux]
-hash = "sha256-qWyIkUwarH1t4mZ+rrFuThARbhfguQSXR+Iag1K7H0g="
+hash = "sha256-B/iV42aWorzqU27LGDCCorR/JLw3yz9Xi9P3fw/CdMo="
 snaps = [
+    { name = "snapd", rev = 23258 },
     { name = "bare", rev = 5 },
     { name = "core", rev = 16928 },
     { name = "core20", rev = 2318 },
@@ -12,8 +13,9 @@ snaps = [
 ]
 
 [aarch64-linux]
-hash = "sha256-wzeVDwCLPxJQPFbyaVpbDncX8GJMX8uL0oliteokZZo="
+hash = "sha256-mrw+15QmGGC4JphzZijB942ef6j47wZiicWx0RUecro="
 snaps = [
+    { name = "snapd", rev = 23259 },
     { name = "bare", rev = 5 },
     { name = "core", rev = 16931 },
     { name = "core20", rev = 2321 },