diff -Nru snapd-2.57.5+20.04/cmd/snap-confine/mount-support.c snapd-2.57.5+20.04ubuntu0.1/cmd/snap-confine/mount-support.c --- snapd-2.57.5+20.04/cmd/snap-confine/mount-support.c 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/cmd/snap-confine/mount-support.c 2022-11-28 04:54:57.000000000 +0000 @@ -21,6 +21,7 @@ #include "mount-support.h" +#include #include #include #include 
@@ -49,97 +50,13 @@ #include "mount-support-nvidia.h" #define MAX_BUF 1000 +#define SNAP_PRIVATE_TMP_ROOT_DIR "/tmp/snap-private-tmp" static void sc_detach_views_of_writable(sc_distro distro, bool normal_mode); -static int must_mkdir_and_open_with_perms(const char *dir, uid_t uid, gid_t gid, - mode_t mode) -{ - int retries = 10; - int fd; - - mkdir: - if (--retries == 0) { - die("lost race to create dir %s too many times", dir); - } - // Ignore EEXIST since we want to reuse and we will open with - // O_NOFOLLOW, below. - if (mkdir(dir, 0700) < 0 && errno != EEXIST) { - die("cannot create directory %s", dir); - } - fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); - if (fd < 0) { - // if is not a directory then remove it and try again - if (errno == ENOTDIR && unlink(dir) == 0) { - goto mkdir; - } - die("cannot open directory %s", dir); - } - // ensure base_dir has the expected permissions since it may have - // already existed - struct stat st; - if (fstat(fd, &st) < 0) { - die("cannot stat base directory %s", dir); - } - if (st.st_uid != uid || st.st_gid != gid - || st.st_mode != (S_IFDIR | mode)) { - unsigned char random[10] = { 0 }; - char random_dir[MAX_BUF] = { 0 }; - int offset; - size_t i; - - // base_dir isn't what we expect - create a random - // directory name and rename the existing erroneous - // base_dir to this then try recreating it again - NOTE we - // don't use mkdtemp() here since we don't want to actually - // create the directory yet as we want rename() to do that - // for us -#ifdef SYS_getrandom - // use syscall(SYS_getrandom) since getrandom() is - // not available on older glibc - if (syscall(SYS_getrandom, random, sizeof(random), 0) != - sizeof(random)) { - die("cannot get random bytes"); - } -#else - // use /dev/urandom on older systems which don't support - // SYS_getrandom - int rfd = open("/dev/urandom", O_RDONLY); - if (rfd < 0) { - die("cannot open /dev/urandom"); - } - if (read(rfd, random, sizeof(random)) != 
sizeof(random)) { - die("cannot get random bytes"); - } - close(rfd); -#endif - offset = - sc_must_snprintf(random_dir, sizeof(random_dir), "%s.", - dir); - for (i = 0; i < sizeof(random); i++) { - offset += - sc_must_snprintf(random_dir + offset, - sizeof(random_dir) - offset, - "%02x", (unsigned int)random[i]); - } - // try and get dir which we own by renaming it to something - // else then creating it again - - // TODO - change this to use renameat2(RENAME_EXCHANGE) - // once we can use a newer version of glibc for snapd - if (rename(dir, random_dir) < 0) { - die("cannot rename base_dir to random_dir '%s'", - random_dir); - } - close(fd); - goto mkdir; - } - return fd; -} - // TODO: simplify this, after all it is just a tmpfs // TODO: fold this into bootstrap -static void setup_private_mount(const char *snap_name) +static void setup_private_tmp(const char *snap_instance) { // Create a 0700 base directory. This is the "base" directory that is // protected from other users. This directory name is NOT randomly 
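Review bot: The new `#define SNAP_PRIVATE_TMP_ROOT_DIR "/tmp/snap-private-tmp"` carries no comment, yet the same path is hard-coded elsewhere in this diff in snap-confine.apparmor.in, data/systemd-tmpfiles/snapd.conf, cmd/snap-update-ns/system.go and interfaces/builtin/x11.go, and a later mismatch would make snap-confine die on its ownership check rather than fail loudly at build time. A comment such as `// Root of the per-snap private /tmp hierarchy; keep in sync with snap-confine.apparmor.in, data/systemd-tmpfiles/snapd.conf and the snap-update-ns mode hints` gives the next maintainer the list of consumers. The renamed setup_private_tmp continues in the next hunk.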
@@ -162,37 +79,80 @@ // Because the directories are reused across invocations by distinct users // and because the directories are trivially guessable, each invocation // unconditionally chowns/chmods them to appropriate values. - char base_dir[MAX_BUF] = { 0 }; + char base[MAX_BUF] = { 0 }; char tmp_dir[MAX_BUF] = { 0 }; + int private_tmp_root_fd SC_CLEANUP(sc_cleanup_close) = -1; int base_dir_fd SC_CLEANUP(sc_cleanup_close) = -1; int tmp_dir_fd SC_CLEANUP(sc_cleanup_close) = -1; - sc_must_snprintf(base_dir, sizeof(base_dir), "/tmp/snap.%s", snap_name); - sc_must_snprintf(tmp_dir, sizeof(tmp_dir), "%s/tmp", base_dir); - /* Switch to root group so that mkdir and open calls below create filesystem - * elements that are not owned by the user calling into snap-confine. */ + /* Switch to root group so that mkdir and open calls below create + * filesystem elements that are not owned by the user calling into + * snap-confine. */ sc_identity old = sc_set_effective_identity(sc_root_group_identity()); - // Create /tmp/snap.$SNAP_NAME/ 0700 root.root. 
- base_dir_fd = must_mkdir_and_open_with_perms(base_dir, 0, 0, 0700); - // Create /tmp/snap.$SNAP_NAME/tmp 01777 root.root Ignore EEXIST since we + + // /tmp/snap-private-tmp should have already been created by + // systemd-tmpfiles but we can try create it anyway since snapd may have + // just been installed in which case the tmpfiles conf would not have + // got executed yet + if (mkdir(SNAP_PRIVATE_TMP_ROOT_DIR, 0700) < 0 && errno != EEXIST) { + die("cannot create /tmp/snap-private-tmp"); + } + private_tmp_root_fd = open(SNAP_PRIVATE_TMP_ROOT_DIR, + O_RDONLY | O_DIRECTORY | O_CLOEXEC | + O_NOFOLLOW); + if (private_tmp_root_fd < 0) { + die("cannot open %s", SNAP_PRIVATE_TMP_ROOT_DIR); + } + struct stat st; + if (fstat(private_tmp_root_fd, &st) < 0) { + die("cannot stat %s", SNAP_PRIVATE_TMP_ROOT_DIR); + } + if (st.st_uid != 0 || st.st_gid != 0 || st.st_mode != (S_IFDIR | 0700)) { + die("%s has unexpected ownership / permissions", + SNAP_PRIVATE_TMP_ROOT_DIR); + } + // Create /tmp/snap-private-tmp/snap.$SNAP_INSTANCE_NAME/ 0700 root.root. + sc_must_snprintf(base, sizeof(base), "snap.%s", snap_instance); + if (mkdirat(private_tmp_root_fd, base, 0700) < 0 && errno != EEXIST) { + die("cannot create base directory: %s", base); + } + base_dir_fd = + openat(private_tmp_root_fd, base, + O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); + if (base_dir_fd < 0) { + die("cannot open base directory: %s", base); + } + if (fstat(base_dir_fd, &st) < 0) { + die("cannot stat %s/%s", SNAP_PRIVATE_TMP_ROOT_DIR, base); + } + if (st.st_uid != 0 || st.st_gid != 0 || st.st_mode != (S_IFDIR | 0700)) { + die("%s/%s has unexpected ownership / permissions", + SNAP_PRIVATE_TMP_ROOT_DIR, base); + } + // Create /tmp/$PRIVATE/snap.$SNAP_NAME/tmp 01777 root.root Ignore EEXIST since we // want to reuse and we will open with O_NOFOLLOW, below. 
if (mkdirat(base_dir_fd, "tmp", 01777) < 0 && errno != EEXIST) { - die("cannot create private tmp directory %s/tmp", base_dir); + die("cannot create private tmp directory %s/tmp", base); } (void)sc_set_effective_identity(old); tmp_dir_fd = openat(base_dir_fd, "tmp", O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); if (tmp_dir_fd < 0) { - die("cannot open private tmp directory %s/tmp", base_dir); + die("cannot open private tmp directory %s/tmp", base); } - if (fchown(tmp_dir_fd, 0, 0) < 0) { - die("cannot chown private tmp directory %s/tmp to root.root", - base_dir); - } - if (fchmod(tmp_dir_fd, 01777) < 0) { - die("cannot chmod private tmp directory %s/tmp to 01777", - base_dir); + if (fstat(tmp_dir_fd, &st) < 0) { + die("cannot stat %s/%s/tmp", SNAP_PRIVATE_TMP_ROOT_DIR, base); } + if (st.st_uid != 0 || st.st_gid != 0 || st.st_mode != (S_IFDIR | 01777)) { + die("%s/%s/tmp has unexpected ownership / permissions", + SNAP_PRIVATE_TMP_ROOT_DIR, base); + } + // use the path to the file-descriptor in proc as the source mount point + // as this is a symlink itself to the real directory at + // /tmp/snap-private-tmp/snap.$SNAP_INSTANCE/tmp but doing it this way + // helps avoid any potential race + sc_must_snprintf(tmp_dir, sizeof(tmp_dir), + "/proc/self/fd/%d", tmp_dir_fd); sc_do_mount(tmp_dir, "/tmp", NULL, MS_BIND, NULL); sc_do_mount("none", "/tmp", NULL, MS_PRIVATE, NULL); } @@ -781,7 +741,7 @@ } // TODO: rename this and fold it into bootstrap - setup_private_mount(inv->snap_instance); + setup_private_tmp(inv->snap_instance); // set up private /dev/pts // TODO: fold this into bootstrap setup_private_pts(); diff -Nru snapd-2.57.5+20.04/cmd/snap-confine/mount-support-test.c snapd-2.57.5+20.04ubuntu0.1/cmd/snap-confine/mount-support-test.c --- snapd-2.57.5+20.04/cmd/snap-confine/mount-support-test.c 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/cmd/snap-confine/mount-support-test.c 2022-11-28 04:54:57.000000000 +0000 
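Review bot: The strict checks `st.st_mode != (S_IFDIR | 0700)` and `st.st_mode != (S_IFDIR | 01777)` only pass on first creation if the process umask is 0, because the removed `fchown`/`fchmod` that used to force the mode is gone and `mkdir`/`mkdirat` are subject to umask; I believe snap-confine resets its umask earlier in main, but that dependency should be stated here, e.g. `// relies on umask having been reset to 0 earlier; otherwise the exact-mode checks below reject a freshly created directory`. The context comment above the hunk, "each invocation unconditionally chowns/chmods them to appropriate values", is now wrong: the function verifies root:root ownership and the exact mode and dies otherwise, and the comment should say so (the later `// Create /tmp/$PRIVATE/snap.$SNAP_NAME/tmp` also uses different placeholder names than `// Create /tmp/snap-private-tmp/snap.$SNAP_INSTANCE_NAME/`). The open/fstat/verify sequence is written out three times with slightly different messages, including `die("cannot create /tmp/snap-private-tmp")`, which hardcodes the path the `SNAP_PRIVATE_TMP_ROOT_DIR` macro was introduced for; a small static helper, sketched below, keeps the three checks identical and gives the unit test removed from mount-support-test.c something to target again, at the cost of shorter paths in the die messages. setup_private_tmp starts in the previous hunk.
```c
// Open "name" relative to dirfd without following symlinks and check that
// it is a directory owned by root:root with exactly the expected mode;
// dies otherwise. Used for every level of the private /tmp hierarchy so
// the checks cannot drift apart.
static int open_verified_dir(int dirfd, const char *name, mode_t mode)
{
	int fd = openat(dirfd, name,
			O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
	if (fd < 0) {
		die("cannot open directory %s", name);
	}
	struct stat st;
	if (fstat(fd, &st) < 0) {
		die("cannot stat directory %s", name);
	}
	if (st.st_uid != 0 || st.st_gid != 0 || st.st_mode != (S_IFDIR | mode)) {
		die("%s has unexpected ownership / permissions", name);
	}
	return fd;
}

	// … unchanged: identity switch, mkdir of SNAP_PRIVATE_TMP_ROOT_DIR …
	private_tmp_root_fd =
	    open_verified_dir(AT_FDCWD, SNAP_PRIVATE_TMP_ROOT_DIR, 0700);
	// … unchanged: mkdirat of base …
	base_dir_fd = open_verified_dir(private_tmp_root_fd, base, 0700);
	// … unchanged: mkdirat of "tmp", sc_set_effective_identity(old) …
	tmp_dir_fd = open_verified_dir(base_dir_fd, "tmp", 01777);
	// … unchanged: /proc/self/fd mount source and sc_do_mount calls …
```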
@@ -92,50 +92,10 @@ g_assert_false(is_subdir("/", "")); } -static void test_must_mkdir_and_open_with_perms(void) -{ - // make a directory with some contents and check we can - // must_mkdir_and_open_with_perms() to get control of it - GError *error = NULL; - GStatBuf st; - gchar *test_dir = g_dir_make_tmp("test-mkdir-XXXXXX", &error); - g_assert_no_error(error); - g_assert_nonnull(test_dir); - g_assert_cmpint(chmod(test_dir, 0755), ==, 0); - g_assert_true(g_file_test - (test_dir, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_DIR)); - g_assert_cmpint(g_stat(test_dir, &st), ==, 0); - g_assert_true(st.st_uid == getuid()); - g_assert_true(st.st_gid == getgid()); - g_assert_true(st.st_mode == (S_IFDIR | 0755)); - - gchar *test_subdir = g_build_filename(test_dir, "foo", NULL); - g_assert_cmpint(g_mkdir_with_parents(test_dir, 0755), ==, 0); - g_file_test(test_subdir, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_DIR); - - // take over dir - int fd = - must_mkdir_and_open_with_perms(test_dir, getuid(), getgid(), 0700); - // check can unlink dir itself with no contents successfully and it - // still exists - g_assert_cmpint(fd, >=, 0); - g_assert_false(g_file_test - (test_subdir, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_DIR)); - g_assert_true(g_file_test - (test_dir, G_FILE_TEST_EXISTS | G_FILE_TEST_IS_DIR)); - g_assert_cmpint(g_stat(test_dir, &st), ==, 0); - g_assert_true(st.st_uid == getuid()); - g_assert_true(st.st_gid == getgid()); - g_assert_true(st.st_mode == (S_IFDIR | 0700)); - close(fd); -} - static void __attribute__((constructor)) init(void) { g_test_add_func("/mount/get_nextpath/typical", test_get_nextpath__typical); g_test_add_func("/mount/get_nextpath/weird", test_get_nextpath__weird); g_test_add_func("/mount/is_subdir", test_is_subdir); - g_test_add_func("/mount/must_mkdir_and_open_with_perms", - test_must_mkdir_and_open_with_perms); } diff -Nru snapd-2.57.5+20.04/cmd/snap-confine/snap-confine.apparmor.in snapd-2.57.5+20.04ubuntu0.1/cmd/snap-confine/snap-confine.apparmor.in --- 
snapd-2.57.5+20.04/cmd/snap-confine/snap-confine.apparmor.in 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/cmd/snap-confine/snap-confine.apparmor.in 2022-11-28 04:54:57.000000000 +0000 @@ -161,6 +161,7 @@ mount options=(rw rshared) -> /var/lib/snapd/snap/, # boostrapping the mount namespace + /tmp/snap.rootfs_*/ rw, mount options=(rw rshared) -> /, mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/, mount options=(rw unbindable) -> /tmp/snap.rootfs_*/, @@ -313,10 +314,11 @@ # set up snap-specific private /tmp dir capability chown, /tmp/ rw, - /tmp/snap.*/ rw, - /tmp/snap.*/tmp/ rw, + /tmp/snap-private-tmp/ rw, + /tmp/snap-private-tmp/snap.*/ rw, + /tmp/snap-private-tmp/snap.*/tmp/ rw, mount options=(rw private) -> /tmp/, - mount options=(rw bind) /tmp/snap.*/tmp/ -> /tmp/, + mount options=(rw bind) /tmp/snap-private-tmp/snap.*/tmp/ -> /tmp/, mount fstype=devpts options=(rw) devpts -> /dev/pts/, mount options=(rw bind) /dev/pts/ptmx -> /dev/ptmx, # for bind mounting mount options=(rw bind) /dev/pts/ptmx -> /dev/pts/ptmx, # for bind mounting under LXD diff -Nru snapd-2.57.5+20.04/cmd/snap-update-ns/system.go snapd-2.57.5+20.04ubuntu0.1/cmd/snap-update-ns/system.go --- snapd-2.57.5+20.04/cmd/snap-update-ns/system.go 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/cmd/snap-update-ns/system.go 2022-11-28 04:54:57.000000000 +0000 
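Review bot: The added `/tmp/snap.rootfs_*/ rw,` rule in the bootstrapping section is not explained anywhere in this diff; the changelog entry only describes the private /tmp race, so a reader cannot tell which new operation in snap-confine needs write access to the rootfs directory itself. A one-line comment above it naming that operation would tie the profile change to the C change and make it easy to drop again if that code path goes away.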
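Review bot: `capability chown,` is still grouped under `# set up snap-specific private /tmp dir`, but the rewritten setup_private_tmp in mount-support.c no longer calls fchown — it fstats the directories and dies on unexpected ownership instead. If no other code path in snap-confine chowns, the capability can be removed from the profile; if one does, the comment grouping it with these rules is now misleading and should move or say which path needs it. The new rules themselves correctly narrow the bind source to `/tmp/snap-private-tmp/snap.*/tmp/`.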
@@ -80,12 +80,12 @@
 // the slot-side snap, as there is no mechanism to convey this information.
 // As such, provide write access to all of /tmp.
 as.AddUnrestrictedPaths("/var/lib/snapd/hostfs/tmp")
- as.AddModeHint("/var/lib/snapd/hostfs/tmp/snap.*", 0700)
- as.AddModeHint("/var/lib/snapd/hostfs/tmp/snap.*/tmp", 0777|os.ModeSticky)
+ as.AddModeHint("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.*", 0700)
+ as.AddModeHint("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.*/tmp", 0777|os.ModeSticky)
 // This is to ensure that unprivileged users can create the socket. This
 // permission only matters if the plug-side app constructs its mount
 // namespace before the slot-side app is launched.
- as.AddModeHint("/var/lib/snapd/hostfs/tmp/snap.*/tmp/.X11-unix", 0777|os.ModeSticky)
+ as.AddModeHint("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.*/tmp/.X11-unix", 0777|os.ModeSticky)
 // This is to ensure private shared-memory directories have
 // the right permissions.
 as.AddModeHint("/dev/shm/snap.*", 0777|os.ModeSticky)
diff -Nru snapd-2.57.5+20.04/cmd/snap-update-ns/system_test.go snapd-2.57.5+20.04ubuntu0.1/cmd/snap-update-ns/system_test.go
--- snapd-2.57.5+20.04/cmd/snap-update-ns/system_test.go 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/cmd/snap-update-ns/system_test.go 2022-11-28 04:54:57.000000000 +0000
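Review bot: The new hints cover `snap-private-tmp/snap.*` (0700) and `snap-private-tmp/snap.*/tmp` (sticky 0777) but not the new intermediate directory `/var/lib/snapd/hostfs/tmp/snap-private-tmp` itself, which therefore falls back to the default mode (0755, per the `/stuff` check in system_test.go). If snap-update-ns ever has to create that directory while satisfying the x11 mount entry — for instance when the tmpfiles entry has not run yet — the result would fail snap-confine's new `S_IFDIR | 0700` check and make every snap launch die. Adding `as.AddModeHint("/var/lib/snapd/hostfs/tmp/snap-private-tmp", 0700)` before the existing hints, with a matching `ModeForPath` check in system_test.go, keeps the two sides consistent. The enclosing function starts outside the hunk.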
@@ -78,10 +78,10 @@
 c.Check(as.ModeForPath("/stuff"), Equals, os.FileMode(0755))
 c.Check(as.ModeForPath("/tmp"), Equals, os.FileMode(0755))
 c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp"), Equals, os.FileMode(0755))
- c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap.x11-server"), Equals, os.FileMode(0700))
- c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap.x11-server/tmp"), Equals, os.FileMode(0777)|os.ModeSticky)
- c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap.x11-server/foo"), Equals, os.FileMode(0755))
- c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap.x11-server/tmp/.X11-unix"), Equals, os.FileMode(0777)|os.ModeSticky)
+ c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.x11-server"), Equals, os.FileMode(0700))
+ c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.x11-server/tmp"), Equals, os.FileMode(0777)|os.ModeSticky)
+ c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.x11-server/foo"), Equals, os.FileMode(0755))
+ c.Check(as.ModeForPath("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.x11-server/tmp/.X11-unix"), Equals, os.FileMode(0777)|os.ModeSticky)
 c.Check(as.ModeForPath("/dev/shm/snap.some-snap"), Equals, os.FileMode(0777)|os.ModeSticky)
 
 // Instances can, in addition, access /snap/$SNAP_INSTANCE_NAME
diff -Nru snapd-2.57.5+20.04/data/Makefile snapd-2.57.5+20.04ubuntu0.1/data/Makefile
--- snapd-2.57.5+20.04/data/Makefile 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/data/Makefile 2022-11-28 04:54:53.000000000 +0000
@@ -2,6 +2,7 @@ $(MAKE) -C systemd $@ $(MAKE) -C systemd-user $@ $(MAKE) -C systemd-env $@ + $(MAKE) -C systemd-tmpfiles $@ $(MAKE) -C dbus $@ $(MAKE) -C env $@ $(MAKE) -C desktop $@ diff -Nru snapd-2.57.5+20.04/data/systemd-tmpfiles/Makefile snapd-2.57.5+20.04ubuntu0.1/data/systemd-tmpfiles/Makefile --- snapd-2.57.5+20.04/data/systemd-tmpfiles/Makefile 1970-01-01 00:00:00.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/data/systemd-tmpfiles/Makefile 2022-11-28 04:54:53.000000000 +0000 @@ -0,0 +1,31 @@ +# +# Copyright (C) 2022 Canonical Ltd +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +LIBEXECDIR := /usr/lib +TMPFILESDIR := $(LIBEXECDIR)/tmpfiles.d + +TMPFILES_CONF = $(wildcard *.conf) + +.PHONY: all +all: $(TMPFILES_CONF) + +.PHONY: install +install: $(TMPFILES_CONF) + install -d -m 0755 $(DESTDIR)/$(TMPFILESDIR) + install -m 0644 -t $(DESTDIR)/$(TMPFILESDIR) $^ + +.PHONY: clean +clean: + echo "Nothing to see here." diff -Nru snapd-2.57.5+20.04/data/systemd-tmpfiles/snapd.conf snapd-2.57.5+20.04ubuntu0.1/data/systemd-tmpfiles/snapd.conf --- snapd-2.57.5+20.04/data/systemd-tmpfiles/snapd.conf 1970-01-01 00:00:00.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/data/systemd-tmpfiles/snapd.conf 2022-11-28 04:54:53.000000000 +0000 
@@ -0,0 +1 @@ +D! /tmp/snap-private-tmp 0700 root root - diff -Nru snapd-2.57.5+20.04/debian/changelog snapd-2.57.5+20.04ubuntu0.1/debian/changelog --- snapd-2.57.5+20.04/debian/changelog 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/debian/changelog 2022-11-28 04:55:10.000000000 +0000 @@ -1,3 +1,12 @@ +snapd (2.57.5+20.04ubuntu0.1) focal-security; urgency=medium + + * SECURITY UPDATE: Local privilege escalation + - snap-confine: Fix race condition in snap-confine when preparing a + private tmp mount namespace for a snap + - CVE-2022-3328 + + -- Alex Murray Mon, 28 Nov 2022 15:25:10 +1030 + snapd (2.57.5+20.04) focal; urgency=medium * New upstream release, LP: #1983035 diff -Nru snapd-2.57.5+20.04/interfaces/builtin/x11.go snapd-2.57.5+20.04ubuntu0.1/interfaces/builtin/x11.go --- snapd-2.57.5+20.04/interfaces/builtin/x11.go 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/interfaces/builtin/x11.go 2022-11-28 04:54:57.000000000 +0000 @@ -193,7 +193,7 @@ } slotSnapName := slot.Snap().InstanceName() return spec.AddMountEntry(osutil.MountEntry{ - Name: fmt.Sprintf("/var/lib/snapd/hostfs/tmp/snap.%s/tmp/.X11-unix", slotSnapName), + Name: fmt.Sprintf("/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.%s/tmp/.X11-unix", slotSnapName), Dir: "/tmp/.X11-unix", Options: []string{"bind", "ro"}, }) 
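Review bot: The `!` in `D! /tmp/snap-private-tmp 0700 root root -` means, per tmpfiles.d(5), that the line is only applied when systemd-tmpfiles runs with --boot, so after a fresh install or upgrade without a reboot the directory is created solely by the fallback mkdir in setup_private_tmp; the C comment acknowledges this but the conf file does not. The `D` type also empties the directory at boot, which is presumably intended for per-snap private /tmp state but is a second non-obvious choice. A leading comment such as `# Created (and emptied) at boot only; until then snap-confine creates and verifies the directory itself` would record both decisions where a packager will look for them.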
@@ -220,8 +220,8 @@ slotSnapName := slot.Snap().InstanceName() spec.AddUpdateNS(fmt.Sprintf(` /tmp/.X11-unix/ rw, - /var/lib/snapd/hostfs/tmp/snap.%s/tmp/.X11-unix/ rw, - mount options=(rw, bind) /var/lib/snapd/hostfs/tmp/snap.%s/tmp/.X11-unix/ -> /tmp/.X11-unix/, + /var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.%s/tmp/.X11-unix/ rw, + mount options=(rw, bind) /var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.%s/tmp/.X11-unix/ -> /tmp/.X11-unix/, mount options=(ro, remount, bind) -> /tmp/.X11-unix/, mount options=(rslave) -> /tmp/.X11-unix/, umount /tmp/.X11-unix/, diff -Nru snapd-2.57.5+20.04/interfaces/builtin/x11_test.go snapd-2.57.5+20.04ubuntu0.1/interfaces/builtin/x11_test.go --- snapd-2.57.5+20.04/interfaces/builtin/x11_test.go 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/interfaces/builtin/x11_test.go 2022-11-28 04:54:57.000000000 +0000 @@ -119,7 +119,7 @@ spec = &mount.Specification{} c.Assert(spec.AddConnectedPlug(s.iface, s.plug, s.coreSlot), IsNil) c.Assert(spec.MountEntries(), DeepEquals, []osutil.MountEntry{{ - Name: "/var/lib/snapd/hostfs/tmp/snap.x11/tmp/.X11-unix", + Name: "/var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.x11/tmp/.X11-unix", Dir: "/tmp/.X11-unix", Options: []string{"bind", "ro"}, }}) 
@@ -155,7 +155,7 @@ c.Assert(spec.SecurityTags(), DeepEquals, []string{"snap.consumer.app"}) c.Assert(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "fontconfig") c.Assert(spec.UpdateNS(), HasLen, 1) - c.Assert(spec.UpdateNS()[0], testutil.Contains, `mount options=(rw, bind) /var/lib/snapd/hostfs/tmp/snap.x11/tmp/.X11-unix/ -> /tmp/.X11-unix/,`) + c.Assert(spec.UpdateNS()[0], testutil.Contains, `mount options=(rw, bind) /var/lib/snapd/hostfs/tmp/snap-private-tmp/snap.x11/tmp/.X11-unix/ -> /tmp/.X11-unix/,`) // Slot side connection permissions spec = &apparmor.Specification{} diff -Nru snapd-2.57.5+20.04/overlord/snapstate/snapmgr.go snapd-2.57.5+20.04ubuntu0.1/overlord/snapstate/snapmgr.go --- snapd-2.57.5+20.04/overlord/snapstate/snapmgr.go 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/overlord/snapstate/snapmgr.go 2022-11-28 04:55:04.000000000 +0000 @@ -669,7 +669,7 @@ // in them from being available to abuse for fixed vulnerabilies that are // not exploitable in the current versions of snapd/core snaps. var alreadyRemoved bool - key := fmt.Sprintf("%s-snap-cve-2021-44731-vuln-removed", name) + key := fmt.Sprintf("%s-snap-cve-2022-3328-vuln-removed", name) if err := m.state.Get(key, &alreadyRemoved); err != nil && !errors.Is(err, state.ErrNoState) { return err } @@ -696,8 +696,8 @@ if err != nil { return err } - // res is < 0 if "ver" is lower than "2.54.3" - res, err := strutil.VersionCompare(ver, "2.54.3") + // res is < 0 if "ver" is lower than "2.57.6" + res, err := strutil.VersionCompare(ver, "2.57.6") if err != nil { return err } 
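Review bot: The state key `"%s-snap-cve-2022-3328-vuln-removed"` in this hunk and the threshold `"2.57.6"` in the `@@ -696,8 +696,8 @@` hunk are bare literals, repeated again as literals in snapstate_test.go, so each CVE-driven bump touches six places and the comment `// res is < 0 if "ver" is lower than "2.57.6"` has to be edited by hand. Lifting them into named package-level constants (for example a key-suffix constant and a fixed-version constant next to ensureVulnerableSnapRemoved) would make the next bump a one-line change and let the tests reference the same values rather than re-spelling them. Both enclosing functions start outside their hunks.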
@@ -772,7 +772,7 @@ // we have to remove vulnerable versions of both the core and snapd snaps // only when we now have fixed versions installed / active - // the fixed version is 2.54.3, so if the version of the current core/snapd + // the fixed version is 2.57.6, so if the version of the current core/snapd // snap is that or higher, then we proceed (if we didn't already do this) if err := m.ensureVulnerableSnapRemoved("snapd"); err != nil { diff -Nru snapd-2.57.5+20.04/overlord/snapstate/snapstate_test.go snapd-2.57.5+20.04ubuntu0.1/overlord/snapstate/snapstate_test.go --- snapd-2.57.5+20.04/overlord/snapstate/snapstate_test.go 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/overlord/snapstate/snapstate_test.go 2022-11-28 04:55:04.000000000 +0000 @@ -3447,11 +3447,11 @@ // make the currently installed snap info file fixed but an old version // vulnerable fixedInfoFile := ` -VERSION=2.54.3+git1.g479e745-dirty +VERSION=2.57.6+git1.g479e745-dirty SNAPD_APPARMOR_REEXEC=1 ` vulnInfoFile := ` -VERSION=2.54.2+git1.g479e745-dirty +VERSION=2.57.5+git1.g479e745-dirty SNAPD_APPARMOR_REEXEC=1 ` @@ -3532,7 +3532,7 @@ // and we set the appropriate key in the state var removeDone bool - st.Get(snapName+"-snap-cve-2021-44731-vuln-removed", &removeDone) + st.Get(snapName+"-snap-cve-2022-3328-vuln-removed", &removeDone) c.Assert(removeDone, Equals, true) } @@ -3615,7 +3615,7 @@ c.Assert(ensureErr, ErrorMatches, fmt.Sprintf(`cannot open snapd info file "%s".*`, infoFileFor("snapd"))) st.Lock() - st.Set("snapd-snap-cve-2021-44731-vuln-removed", true) + st.Set("snapd-snap-cve-2022-3328-vuln-removed", true) st.Unlock() // still unhappy about core file missing @@ -3624,7 +3624,7 @@ // but with core state flag set too, we are now happy st.Lock() - st.Set("core-snap-cve-2021-44731-vuln-removed", true) + st.Set("core-snap-cve-2022-3328-vuln-removed", true) st.Unlock() ensureErr = s.snapmgr.Ensure() 
@@ -3650,7 +3650,7 @@ // now it should stop trying to check if state says so st := s.state st.Lock() - st.Set(snapName+"-snap-cve-2021-44731-vuln-removed", true) + st.Set(snapName+"-snap-cve-2022-3328-vuln-removed", true) st.Unlock() ensureErr = s.snapmgr.Ensure() diff -Nru snapd-2.57.5+20.04/packaging/amzn-2/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/amzn-2/snapd.spec --- snapd-2.57.5+20.04/packaging/amzn-2/snapd.spec 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/amzn-2/snapd.spec 2022-11-28 04:54:53.000000000 +0000 @@ -92,6 +92,7 @@ %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d} %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators} %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} +%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} # Fedora selinux-policy includes 'map' permission on a 'file' class. However, # Amazon Linux 2 does not have the updated policy containing the fix for @@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_environmentdir} install -d -p %{buildroot}%{_systemdgeneratordir} install -d -p %{buildroot}%{_systemd_system_env_generator_dir} +install -d -p %{buildroot}%{_tmpfilesdir} install -d -p %{buildroot}%{_unitdir} install -d -p %{buildroot}%{_userunitdir} install -d -p %{buildroot}%{_sysconfdir}/profile.d 
@@ -824,6 +826,7 @@ %{_sysconfdir}/profile.d/snapd.sh %{_mandir}/man8/snapd-env-generator.8* %{_systemd_system_env_generator_dir}/snapd-env-generator +%{_tmpfilesdir}/snapd.conf %{_unitdir}/snapd.socket %{_unitdir}/snapd.service %{_unitdir}/snapd.autoimport.service diff -Nru snapd-2.57.5+20.04/packaging/centos-7/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/centos-7/snapd.spec --- snapd-2.57.5+20.04/packaging/centos-7/snapd.spec 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/centos-7/snapd.spec 2022-11-28 04:54:53.000000000 +0000 @@ -92,6 +92,7 @@ %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d} %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators} %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} +%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} # Fedora selinux-policy includes 'map' permission on a 'file' class. However, # Amazon Linux 2 does not have the updated policy containing the fix for @@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_environmentdir} install -d -p %{buildroot}%{_systemdgeneratordir} install -d -p %{buildroot}%{_systemd_system_env_generator_dir} +install -d -p %{buildroot}%{_tmpfilesdir} install -d -p %{buildroot}%{_unitdir} install -d -p %{buildroot}%{_userunitdir} install -d -p %{buildroot}%{_sysconfdir}/profile.d 
@@ -824,6 +826,7 @@ %{_sysconfdir}/profile.d/snapd.sh %{_mandir}/man8/snapd-env-generator.8* %{_systemd_system_env_generator_dir}/snapd-env-generator +%{_tmpfilesdir}/snapd.conf %{_unitdir}/snapd.socket %{_unitdir}/snapd.service %{_unitdir}/snapd.autoimport.service diff -Nru snapd-2.57.5+20.04/packaging/centos-8/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/centos-8/snapd.spec --- snapd-2.57.5+20.04/packaging/centos-8/snapd.spec 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/centos-8/snapd.spec 2022-11-28 04:54:53.000000000 +0000 @@ -92,6 +92,7 @@ %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d} %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators} %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} +%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} # Fedora selinux-policy includes 'map' permission on a 'file' class. However, # Amazon Linux 2 does not have the updated policy containing the fix for @@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_environmentdir} install -d -p %{buildroot}%{_systemdgeneratordir} install -d -p %{buildroot}%{_systemd_system_env_generator_dir} +install -d -p %{buildroot}%{_tmpfilesdir} install -d -p %{buildroot}%{_unitdir} install -d -p %{buildroot}%{_userunitdir} install -d -p %{buildroot}%{_sysconfdir}/profile.d 
@@ -824,6 +826,7 @@ %{_sysconfdir}/profile.d/snapd.sh %{_mandir}/man8/snapd-env-generator.8* %{_systemd_system_env_generator_dir}/snapd-env-generator +%{_tmpfilesdir}/snapd.conf %{_unitdir}/snapd.socket %{_unitdir}/snapd.service %{_unitdir}/snapd.autoimport.service diff -Nru snapd-2.57.5+20.04/packaging/centos-9/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/centos-9/snapd.spec --- snapd-2.57.5+20.04/packaging/centos-9/snapd.spec 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/centos-9/snapd.spec 2022-11-28 04:54:53.000000000 +0000 @@ -92,6 +92,7 @@ %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d} %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators} %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} +%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} # Fedora selinux-policy includes 'map' permission on a 'file' class. However, # Amazon Linux 2 does not have the updated policy containing the fix for @@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_environmentdir} install -d -p %{buildroot}%{_systemdgeneratordir} install -d -p %{buildroot}%{_systemd_system_env_generator_dir} +install -d -p %{buildroot}%{_tmpfilesdir} install -d -p %{buildroot}%{_unitdir} install -d -p %{buildroot}%{_userunitdir} install -d -p %{buildroot}%{_sysconfdir}/profile.d 
@@ -824,6 +826,7 @@ %{_sysconfdir}/profile.d/snapd.sh %{_mandir}/man8/snapd-env-generator.8* %{_systemd_system_env_generator_dir}/snapd-env-generator +%{_tmpfilesdir}/snapd.conf %{_unitdir}/snapd.socket %{_unitdir}/snapd.service %{_unitdir}/snapd.autoimport.service diff -Nru snapd-2.57.5+20.04/packaging/fedora/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/fedora/snapd.spec --- snapd-2.57.5+20.04/packaging/fedora/snapd.spec 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/fedora/snapd.spec 2022-11-28 04:54:53.000000000 +0000 @@ -92,6 +92,7 @@ %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d} %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators} %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} +%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} # Fedora selinux-policy includes 'map' permission on a 'file' class. However, # Amazon Linux 2 does not have the updated policy containing the fix for @@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_environmentdir} install -d -p %{buildroot}%{_systemdgeneratordir} install -d -p %{buildroot}%{_systemd_system_env_generator_dir} +install -d -p %{buildroot}%{_tmpfilesdir} install -d -p %{buildroot}%{_unitdir} install -d -p %{buildroot}%{_userunitdir} install -d -p %{buildroot}%{_sysconfdir}/profile.d 
@@ -824,6 +826,7 @@ %{_sysconfdir}/profile.d/snapd.sh %{_mandir}/man8/snapd-env-generator.8* %{_systemd_system_env_generator_dir}/snapd-env-generator +%{_tmpfilesdir}/snapd.conf %{_unitdir}/snapd.socket %{_unitdir}/snapd.service %{_unitdir}/snapd.autoimport.service diff -Nru snapd-2.57.5+20.04/packaging/fedora-34/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-34/snapd.spec --- snapd-2.57.5+20.04/packaging/fedora-34/snapd.spec 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-34/snapd.spec 2022-11-28 04:54:53.000000000 +0000 @@ -92,6 +92,7 @@ %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d} %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators} %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} +%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} # Fedora selinux-policy includes 'map' permission on a 'file' class. However, # Amazon Linux 2 does not have the updated policy containing the fix for @@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_environmentdir} install -d -p %{buildroot}%{_systemdgeneratordir} install -d -p %{buildroot}%{_systemd_system_env_generator_dir} +install -d -p %{buildroot}%{_tmpfilesdir} install -d -p %{buildroot}%{_unitdir} install -d -p %{buildroot}%{_userunitdir} install -d -p %{buildroot}%{_sysconfdir}/profile.d 
@@ -824,6 +826,7 @@ %{_sysconfdir}/profile.d/snapd.sh %{_mandir}/man8/snapd-env-generator.8* %{_systemd_system_env_generator_dir}/snapd-env-generator +%{_tmpfilesdir}/snapd.conf %{_unitdir}/snapd.socket %{_unitdir}/snapd.service %{_unitdir}/snapd.autoimport.service diff -Nru snapd-2.57.5+20.04/packaging/fedora-35/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-35/snapd.spec --- snapd-2.57.5+20.04/packaging/fedora-35/snapd.spec 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-35/snapd.spec 2022-11-28 04:54:53.000000000 +0000 @@ -92,6 +92,7 @@ %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d} %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators} %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} +%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d} # Fedora selinux-policy includes 'map' permission on a 'file' class. However, # Amazon Linux 2 does not have the updated policy containing the fix for @@ -619,6 +620,7 @@ install -d -p %{buildroot}%{_environmentdir} install -d -p %{buildroot}%{_systemdgeneratordir} install -d -p %{buildroot}%{_systemd_system_env_generator_dir} +install -d -p %{buildroot}%{_tmpfilesdir} install -d -p %{buildroot}%{_unitdir} install -d -p %{buildroot}%{_userunitdir} install -d -p %{buildroot}%{_sysconfdir}/profile.d 
@@ -824,6 +826,7 @@
 %{_sysconfdir}/profile.d/snapd.sh
 %{_mandir}/man8/snapd-env-generator.8*
 %{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
diff -Nru snapd-2.57.5+20.04/packaging/fedora-36/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-36/snapd.spec
--- snapd-2.57.5+20.04/packaging/fedora-36/snapd.spec 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-36/snapd.spec 2022-11-28 04:54:53.000000000 +0000
@@ -92,6 +92,7 @@
 %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
 %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
 %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # Fedora selinux-policy includes 'map' permission on a 'file' class. However,
 # Amazon Linux 2 does not have the updated policy containing the fix for
@@ -619,6 +620,7 @@
 install -d -p %{buildroot}%{_environmentdir}
 install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+install -d -p %{buildroot}%{_tmpfilesdir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_userunitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
@@ -824,6 +826,7 @@
 %{_sysconfdir}/profile.d/snapd.sh
 %{_mandir}/man8/snapd-env-generator.8*
 %{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
diff -Nru snapd-2.57.5+20.04/packaging/fedora-rawhide/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-rawhide/snapd.spec
--- snapd-2.57.5+20.04/packaging/fedora-rawhide/snapd.spec 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/packaging/fedora-rawhide/snapd.spec 2022-11-28 04:54:53.000000000 +0000
@@ -92,6 +92,7 @@
 %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
 %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
 %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # Fedora selinux-policy includes 'map' permission on a 'file' class. However,
 # Amazon Linux 2 does not have the updated policy containing the fix for
@@ -619,6 +620,7 @@
 install -d -p %{buildroot}%{_environmentdir}
 install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+install -d -p %{buildroot}%{_tmpfilesdir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_userunitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
@@ -824,6 +826,7 @@
 %{_sysconfdir}/profile.d/snapd.sh
 %{_mandir}/man8/snapd-env-generator.8*
 %{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
diff -Nru snapd-2.57.5+20.04/packaging/opensuse/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse/snapd.spec
--- snapd-2.57.5+20.04/packaging/opensuse/snapd.spec 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse/snapd.spec 2022-11-28 04:54:53.000000000 +0000
@@ -47,6 +47,7 @@
 %{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 %{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # This is fixed in SUSE Linux 15
 # Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
@@ -416,6 +417,7 @@
 %dir %{_sharedstatedir}/snapd/sequence
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
 %dir %{_systemdgeneratordir}
 %dir %{_userunitdir}
 %dir %{snap_mount_dir}
@@ -474,6 +476,7 @@
 %{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
 %{_systemd_system_env_generator_dir}/snapd-env-generator
 %{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.failure.service
 %{_unitdir}/snapd.seeded.service
 %{_unitdir}/snapd.service
diff -Nru snapd-2.57.5+20.04/packaging/opensuse-15.3/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse-15.3/snapd.spec
--- snapd-2.57.5+20.04/packaging/opensuse-15.3/snapd.spec 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse-15.3/snapd.spec 2022-11-28 04:54:53.000000000 +0000
@@ -47,6 +47,7 @@
 %{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 %{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # This is fixed in SUSE Linux 15
 # Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
@@ -416,6 +417,7 @@
 %dir %{_sharedstatedir}/snapd/sequence
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
 %dir %{_systemdgeneratordir}
 %dir %{_userunitdir}
 %dir %{snap_mount_dir}
@@ -474,6 +476,7 @@
 %{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
 %{_systemd_system_env_generator_dir}/snapd-env-generator
 %{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.failure.service
 %{_unitdir}/snapd.seeded.service
 %{_unitdir}/snapd.service
diff -Nru snapd-2.57.5+20.04/packaging/opensuse-15.4/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse-15.4/snapd.spec
--- snapd-2.57.5+20.04/packaging/opensuse-15.4/snapd.spec 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse-15.4/snapd.spec 2022-11-28 04:54:53.000000000 +0000
@@ -47,6 +47,7 @@
 %{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 %{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # This is fixed in SUSE Linux 15
 # Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
@@ -416,6 +417,7 @@
 %dir %{_sharedstatedir}/snapd/sequence
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
 %dir %{_systemdgeneratordir}
 %dir %{_userunitdir}
 %dir %{snap_mount_dir}
@@ -474,6 +476,7 @@
 %{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
 %{_systemd_system_env_generator_dir}/snapd-env-generator
 %{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.failure.service
 %{_unitdir}/snapd.seeded.service
 %{_unitdir}/snapd.service
diff -Nru snapd-2.57.5+20.04/packaging/opensuse-tumbleweed/snapd.spec snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse-tumbleweed/snapd.spec
--- snapd-2.57.5+20.04/packaging/opensuse-tumbleweed/snapd.spec 2022-10-17 16:25:18.000000000 +0000
+++ snapd-2.57.5+20.04ubuntu0.1/packaging/opensuse-tumbleweed/snapd.spec 2022-11-28 04:54:53.000000000 +0000
@@ -47,6 +47,7 @@
 %{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 %{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # This is fixed in SUSE Linux 15
 # Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
@@ -416,6 +417,7 @@
 %dir %{_sharedstatedir}/snapd/sequence
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
 %dir %{_systemdgeneratordir}
 %dir %{_userunitdir}
 %dir %{snap_mount_dir}
@@ -474,6 +476,7 @@ %{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop %{_systemd_system_env_generator_dir}/snapd-env-generator %{_systemdgeneratordir}/snapd-generator +%{_tmpfilesdir}/snapd.conf %{_unitdir}/snapd.failure.service %{_unitdir}/snapd.seeded.service %{_unitdir}/snapd.service diff -Nru snapd-2.57.5+20.04/packaging/ubuntu-16.04/changelog snapd-2.57.5+20.04ubuntu0.1/packaging/ubuntu-16.04/changelog --- snapd-2.57.5+20.04/packaging/ubuntu-16.04/changelog 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/packaging/ubuntu-16.04/changelog 2022-11-28 04:55:10.000000000 +0000 @@ -1,3 +1,12 @@ +snapd (2.57.5+20.04ubuntu0.1) focal-security; urgency=medium + + * SECURITY UPDATE: Local privilege escalation + - snap-confine: Fix race condition in snap-confine when preparing a + private tmp mount namespace for a snap + - CVE-2022-3328 + + -- Alex Murray Mon, 28 Nov 2022 15:25:10 +1030 + snapd (2.57.5+20.04) focal; urgency=medium * New upstream release, LP: #1983035 diff -Nru snapd-2.57.5+20.04/tests/lib/reset.sh snapd-2.57.5+20.04ubuntu0.1/tests/lib/reset.sh --- snapd-2.57.5+20.04/tests/lib/reset.sh 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/tests/lib/reset.sh 2022-11-28 04:54:57.000000000 +0000 @@ -53,7 +53,7 @@ ls -lR "$SNAP_MOUNT_DIR"/ /var/snap/ exit 1 fi - rm -rf /tmp/snap.* + rm -rf /tmp/snap-private-tmp case "$SPREAD_SYSTEM" in fedora-*|centos-*) @@ -144,7 +144,7 @@ systemctl stop snapd.service snapd.socket restore_snapd_state rm -rf /root/.snap - rm -rf /tmp/snap.* + rm -rf /tmp/snap-private-tmp/snap.* if [ "$1" != "--keep-stopped" ]; then systemctl start snapd.service snapd.socket fi diff -Nru snapd-2.57.5+20.04/tests/main/cgroup-tracking/task.yaml snapd-2.57.5+20.04ubuntu0.1/tests/main/cgroup-tracking/task.yaml --- snapd-2.57.5+20.04/tests/main/cgroup-tracking/task.yaml 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/tests/main/cgroup-tracking/task.yaml 2022-11-28 04:54:57.000000000 +0000 
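Review bot: The two tests/lib/reset.sh hunks disagree on what is cleaned up: the first replaces `rm -rf /tmp/snap.*` with `rm -rf /tmp/snap-private-tmp`, removing the new root directory itself, while the second replaces it with `rm -rf /tmp/snap-private-tmp/snap.*`, keeping the root and removing only the per-snap directories. The spec hunks in this diff install a tmpfiles.d `snapd.conf`, which suggests the root is meant to be created at boot with fixed ownership; deleting it in the first hunk means every later test in that run exercises whichever runtime path recreates it rather than the boot-time state, so an ownership or mode check on the root would give different answers depending on which reset ran last. If the root is meant to persist, make the first hunk `rm -rf /tmp/snap-private-tmp/snap.*` to match the second; if removing it is deliberate, a one-line comment above it saying why would prevent the next reader from "fixing" it. The enclosing functions of both hunks start outside the diff.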
@@ -111,7 +111,7 @@ trap "pkill sleep || true" EXIT echo "Ensure that snap-confine has finished its task and that the snap process" echo "is active. Note that we don't want to wait forever either." - retry -n 30 test -e /tmp/snap.test-snapd-tracking/tmp/1.stamp + retry -n 30 test -e /tmp/snap-private-tmp/snap.test-snapd-tracking/tmp/1.stamp pid1_sleep=$(cat /tmp/1.pid) echo "During startup snap-run has asked systemd to move the process to a" @@ -130,7 +130,7 @@ #shellcheck disable=SC2016 tests.session -p /tmp/2.pid -u "$USER" exec snap run test-snapd-tracking.sh -c 'touch /tmp/2.stamp && exec sleep 2m' & session2_pid=$! - retry -n 30 test -e /tmp/snap.test-snapd-tracking/tmp/2.stamp + retry -n 30 test -e /tmp/snap-private-tmp/snap.test-snapd-tracking/tmp/2.stamp pid2_sleep=$(cat /tmp/2.pid) pid2_tracking_cg_path="$(grep -E "^$base_cg_id:" < "/proc/$pid2_sleep/cgroup" | cut -d : -f 3)" echo "$pid2_tracking_cg_path" | MATCH '.*/snap\.test-snapd-tracking\.sh\.[0-9a-f-]+\.scope' @@ -153,7 +153,7 @@ #shellcheck disable=SC2016 tests.session -p /tmp/3.pid -u "$USER" exec snap run test-snapd-tracking.sh -c 'touch /tmp/3.stamp && sleep 1m' & session3_pid=$! - retry -n 30 test -e /tmp/snap.test-snapd-tracking/tmp/3.stamp + retry -n 30 test -e /tmp/snap-private-tmp/snap.test-snapd-tracking/tmp/3.stamp pid3_sh=$(cat /tmp/3.pid) pid3_tracking_cg_path="$(grep -E "^$base_cg_id:" < "/proc/$pid3_sh/cgroup" | cut -d : -f 3)" MATCH "$pid3_sh" < "${base_cg_path}${pid3_tracking_cg_path}/cgroup.procs" diff -Nru snapd-2.57.5+20.04/tests/main/install-refresh-remove-hooks/task.yaml snapd-2.57.5+20.04ubuntu0.1/tests/main/install-refresh-remove-hooks/task.yaml --- snapd-2.57.5+20.04/tests/main/install-refresh-remove-hooks/task.yaml 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/tests/main/install-refresh-remove-hooks/task.yaml 2022-11-28 04:54:57.000000000 +0000 
@@ -4,8 +4,8 @@ backends: [-autopkgtest] environment: - REMOVE_HOOK_FILE/regular: "/tmp/snap.snap-hooks/tmp/remove-hook-executed" - REMOVE_HOOK_FILE/parallel: "/tmp/snap.snap-hooks_instance/tmp/remove-hook-executed" + REMOVE_HOOK_FILE/regular: "/tmp/snap-private-tmp/snap.snap-hooks/tmp/remove-hook-executed" + REMOVE_HOOK_FILE/parallel: "/tmp/snap-private-tmp/snap.snap-hooks_instance/tmp/remove-hook-executed" NAME/regular: snap-hooks NAME/parallel: snap-hooks_instance diff -Nru snapd-2.57.5+20.04/tests/main/interfaces-x11-unix-socket/task.yaml snapd-2.57.5+20.04ubuntu0.1/tests/main/interfaces-x11-unix-socket/task.yaml --- snapd-2.57.5+20.04/tests/main/interfaces-x11-unix-socket/task.yaml 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/tests/main/interfaces-x11-unix-socket/task.yaml 2022-11-28 04:54:57.000000000 +0000 @@ -26,7 +26,7 @@ echo "The snaps can communicate via the unix domain socket in /tmp" x11-server & - retry -n 4 --wait 0.5 test -e /tmp/snap.x11-server/tmp/.X11-unix/X0 + retry -n 4 --wait 0.5 test -e /tmp/snap-private-tmp/snap.x11-server/tmp/.X11-unix/X0 x11-client | MATCH "Hello from xserver" echo "The client cannot remove the unix domain sockets shared with it" diff -Nru snapd-2.57.5+20.04/tests/main/security-private-tmp/task.yaml snapd-2.57.5+20.04ubuntu0.1/tests/main/security-private-tmp/task.yaml --- snapd-2.57.5+20.04/tests/main/security-private-tmp/task.yaml 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/tests/main/security-private-tmp/task.yaml 2022-11-28 04:54:57.000000000 +0000 
@@ -20,7 +20,7 @@ tests.session -u test prepare restore: | - rm -rf "$SNAP_INSTALL_DIR" /tmp/foo /tmp/snap.not-test-snapd-sh /tmp/snap.test-snapd-sh/ + rm -rf "$SNAP_INSTALL_DIR" /tmp/foo /tmp/snap-private-tmp/snap.not-test-snapd-sh /tmp/snap-private-tmp/snap.test-snapd-sh/ tests.session -u test restore execute: | diff -Nru snapd-2.57.5+20.04/tests/main/snap-confine-tmp-mount/task.yaml snapd-2.57.5+20.04ubuntu0.1/tests/main/snap-confine-tmp-mount/task.yaml --- snapd-2.57.5+20.04/tests/main/snap-confine-tmp-mount/task.yaml 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/tests/main/snap-confine-tmp-mount/task.yaml 2022-11-28 04:54:57.000000000 +0000 @@ -1,10 +1,8 @@ -summary: ensure snap-confine controls private mount namespace +summary: ensure snap-confine correctly setups up the private tmp mount namespace details: | - Ensure that when creating the private mount namespace for a snap that - if it already exists but is not owned by root then any existing - contents within the private mount directory is first removed before the - mount is created. + Ensure that when creating the private tmp mount namespace for a snap that it + is done so under /tmp/snap-private-tmp/snap.SNAP_NAME which is owned by root # ubuntu-14.04: the test sets up a user session, which requires more recent systemd systems: [-ubuntu-14.04-*] 
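Review bot: The new summary line in tests/main/snap-confine-tmp-mount/task.yaml has a typo, `summary: ensure snap-confine correctly setups up the private tmp mount namespace`; it should read `sets up`. The rewritten details paragraph also drops any mention of the scenario the old text described (a pre-existing per-snap directory not owned by root); if that scenario is now excluded by the root-owned parent rather than exercised, stating that in one sentence keeps the test's intent readable, for example `The parent /tmp/snap-private-tmp is owned by root, so an unprivileged user cannot pre-create the per-snap directory.` I cannot confirm from this diff what ownership the parent actually has, so the wording should be checked against the tmpfiles.d entry before it is added.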
@@ -25,23 +23,6 @@ cat /tmp/snap-confine-stderr.log || true execute: | - rm -rf /tmp/snap.test-snapd-sh - # create /tmp/snap.test-snapd-sh as a regular user - tests.session -u test exec sh -c "mkdir /tmp/snap.test-snapd-sh" - test_umask=$(tests.session -u test exec sh -c "umask") - # check permissions are as expected - expected=$(printf "%o" $((0777-test_umask))) - stat -c "%U %G %a" /tmp/snap.test-snapd-sh | MATCH "test test $expected" - # and place other contents there - tests.session -u test exec sh -c "mkdir /tmp/snap.test-snapd-sh/tmp" - tests.session -u test exec sh -c "touch /tmp/snap.test-snapd-sh/tmp/foo" - stat -c "%U %G %a" /tmp/snap.test-snapd-sh/tmp | MATCH "test test $expected" - expected=$(printf "%o" $((0666-test_umask))) - stat -c "%U %G %a" /tmp/snap.test-snapd-sh/tmp/foo | MATCH "test test $expected" - - # then execute snap-confine - this should take over our imposter base - # dir but execute id successfully - snap-confine outputs to stderr and - # id will output to stdout so capture each separately SNAP_CONFINE=$(os.paths libexec-dir)/snapd/snap-confine # on Ubuntu Core we need to use the correct path to ensure it is 
@@ -57,16 +38,14 @@ SNAPD_SNAP_REV=$(snap list snapd | tail -n +2 | awk '{print $3}') SNAP_CONFINE="/snap/snapd/$SNAPD_SNAP_REV/usr/lib/snapd/snap-confine" fi + # execute snap-confine as a standard user - this should create a private tmp + # dir as /tmp/snap-private-tmp/snap.test-snapd-sh/ - snap-confine outputs to + # stderr and id will output to stdout so capture each separately tests.session -u test exec sh -c "env -i SNAPD_DEBUG=1 SNAP_INSTANCE_NAME=test-snapd-sh $SNAP_CONFINE --base core snap.test-snapd-sh.sh /bin/bash -c id 1>/tmp/snap-confine-stdout.log 2>/tmp/snap-confine-stderr.log" tests.cleanup defer rm -f /tmp/snap-confine-stdout.log /tmp/snap-confine-stderr.log - stat -c "%U %G %a" /tmp/snap.test-snapd-sh | MATCH "root root 700" + stat -c "%U %G %a" /tmp/snap-private-tmp/snap.test-snapd-sh | MATCH "root root 700" - # contents should have been removed and tmp dir recreated with root - # ownership but foo file should have been removed - stat -c "%U %G %a" /tmp/snap.test-snapd-sh/tmp | MATCH "root root 1777" - [ -f /tmp/snap.test-snapd-sh/tmp/foo ] && exit 1 - # actual dir should be owned by root now - stat -c "%U %G %a" /tmp/snap.test-snapd-sh | MATCH "root root 700" + stat -c "%U %G %a" /tmp/snap-private-tmp/snap.test-snapd-sh/tmp | MATCH "root root 1777" # and snap-confine should ensure the target binary is executed as the test user MATCH "uid=12345\(test\) gid=12345\(test\)" /tmp/snap-confine-stdout.log diff -Nru snapd-2.57.5+20.04/tests/main/snap-confine-undesired-mode-group/task.yaml snapd-2.57.5+20.04ubuntu0.1/tests/main/snap-confine-undesired-mode-group/task.yaml --- snapd-2.57.5+20.04/tests/main/snap-confine-undesired-mode-group/task.yaml 2022-10-17 16:25:18.000000000 +0000 +++ snapd-2.57.5+20.04ubuntu0.1/tests/main/snap-confine-undesired-mode-group/task.yaml 2022-11-28 04:54:57.000000000 +0000 
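Review bot: The remaining assertions only check `/tmp/snap-private-tmp/snap.test-snapd-sh` and its `tmp` subdirectory; the parent `/tmp/snap-private-tmp` that the new layout depends on is never inspected, and the deleted lines removed the only negative case (a directory pre-created by a non-root user). Add a check on the parent next to the existing stat lines, `stat -c "%U %G" /tmp/snap-private-tmp | MATCH "root root"`, and extend it with the expected mode once that is confirmed from the tmpfiles.d entry, which is not part of this diff. If the pre-created-directory case is no longer reachable because of the root-owned parent, a comment saying so where the old checks were removed would document why the test no longer covers it; if it is still reachable, the old checks should be ported to the new path rather than dropped. The execute block starts outside this hunk.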
@@ -15,7 +15,7 @@ restore: | tests.session -u test restore - rm -rf /tmp/snap.test-snapd-app + rm -rf /tmp/snap-private-tmp/snap.test-snapd-app execute: | # Run the snap as a non-root user. @@ -26,7 +26,7 @@ # trees. Such files may indicate that parts of code invomed from # snap-confine (which includes snap-update-ns and snap-discard-ns) ran as # the group of the calling user and did not manage that properly. - for dname in /run/snapd /sys/fs/cgroup /tmp/snap.*; do + for dname in /run/snapd /sys/fs/cgroup /tmp/snap-private-tmp/snap.*; do # Filter out cgroups that are expected to be owned by the test user. # Since we are a looking at sysfs, which is modified asynchronously, # ignore errors of the kind where readdir and stat race with a @@ -38,7 +38,7 @@ # - symbolic links, those are always 777 # - the file cgroup.event_control which is ugo+w for some reason # - the per-snap tmp directory as it is meant to be world-writable - find "$dname" -ignore_readdir_race ! -type s ! -type l ! -name cgroup.event_control ! -path '/tmp/snap.*/tmp' -perm /o+w >> world-writable.txt + find "$dname" -ignore_readdir_race ! -type s ! -type l ! -name cgroup.event_control ! -path '/tmp/snap-private-tmp/snap.*/tmp' -perm /o+w >> world-writable.txt done # The test fails if any such file is detected