Merge branch 'master' of https://github.com/snapcore/snapd into compo…

…nent-vsets-on-refresh-install

.github/dependabot.yaml

@@ -0,0 +1,24 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      non-breaking:
+        applies-to: version-updates
+        patterns:
+        - "*"
+        update-types:
+        - "minor"
+        - "patch"
+      breaking:
+        applies-to: version-updates
+        patterns:
+        - "*"
+        update-types:
+        - "major"

.github/workflows/test.yaml

@@ -292,7 +292,7 @@ jobs:
             tasks: 'tests/...'
             rules: 'main'
           - group: debian-not-req
-            backend: google-distro-1
+            backend: openstack
             systems: 'debian-12-64 debian-sid-64'
             tasks: 'tests/...'
             rules: 'main'

NEWS.md

@@ -1,3 +1,55 @@
+# New in snapd 2.67
+* AppArmor prompting (experimental): allow overlapping rules
+* Registry view (experimental): Changes to registry data (from both users and snaps) can be validated and saved by custodian snaps
+* Registry view (experimental): Support 'snapctl get --pristine' to read the registry data excluding staged transaction changes
+* Registry view (experimental): Put registry commands behind experimental feature flag
+* Components: Make modules shipped/created by kernel-modules components available right after reboot
+* Components: Add tab completion for local component files
+* Components: Allow installing snaps and components from local files jointly on the CLI
+* Components: Allow 'snapctl model' command for gadget and kernel snaps
+* Components: Add 'snap components' command
+* Components: Bug fixes
+* eMMC gadget updates (WIP): add syntax support in gadget.yaml for eMMC schema
+* Support for ephemeral recovery mode on hybrid systems
+* Support for dm-verity options in snap-bootstrap
+* Support for overlayfs options and allow empty what argument for tmpfs
+* Enable ubuntu-image to determine the size of the disk image to create
+* Expose 'snap debug' commands 'validate-seed' and 'seeding'
+* Add debug API option to use dedicated snap socket /run/snapd-snap.socket
+* Hide experimental features that are no longer required (accepted/rejected)
+* Mount ubuntu-save partition with no{exec,dev,suid} at install, run and factory-reset
+* Improve memory controller support with cgroup v2
+* Support ssh socket activation configurations (used by ubuntu 22.10+)
+* Fix generation of AppArmor profile with incorrect revision during multi snap refresh
+* Fix refresh app awareness related deadlock edge case
+* Fix not caching delta updated snap download
+* Fix passing non root uid, guid to initial tmpfs mount
+* Fix ignoring snaps in try mode when amending
+* Fix reloading of service activation units to avoid systemd errors
+* Fix snapd snap FIPS build on Launchpad to use Advantage Pro FIPS updates PPA
+* Make killing of snap apps best effort to avoid possibility of malicious failure loop
+* Alleviate impact of auto-refresh failure loop with progressive delay
+* Dropped timedatex in selinux-policy to avoid runtime issue
+* Fix missing syscalls in seccomp profile
+* Modify AppArmor template to allow using SNAP_REEXEC on arch systems
+* Modify AppArmor template to allow using vim.tiny (available in base snaps)
+* Modify AppArmor template to add read-access to debian_version
+* Modify AppArmor template to allow owner to read @{PROC}/@{pid}/sessionid
+* {common,personal,system}-files interface: prohibit trailing @ in filepaths
+* {desktop,shutdown,system-observe,upower-observe} interface: improve for Ubuntu Core Desktop
+* custom-device interface: allow @ in custom-device filepaths
+* desktop interface: improve launch entry and systray integration with session
+* desktop-legacy interface: allow DBus access to com.canonical.dbusmenu
+* fwupd interface: allow access to nvmem for thunderbolt plugin
+* mpris interface: add plasmashell as label
+* mount-control interface: add support for nfs mounts
+* network-{control,manager} interface: add missing dbus link rules
+* network-manager-observe interface: add getDevices methods
+* opengl interface: add Kernel Fusion Driver access to opengl
+* screen-inhibit-control interface: improve screen inhibit control for use on core
+* udisks2 interface: allow ping of the UDisks2 service
+* u2f-devices interface: add Nitrokey Passkey
+
 # New in snapd 2.66.1:
 * AppArmor prompting (experimental): Fix kernel prompting support check
 * Allow kernel snaps to have content slots

asserts/asserts.go

@@ -143,7 +143,7 @@ var (
 	PreseedType              = &AssertionType{"preseed", []string{"series", "brand-id", "model", "system-label"}, nil, assemblePreseed, 0}
 	SnapResourceRevisionType = &AssertionType{"snap-resource-revision", []string{"snap-id", "resource-name", "resource-sha3-384", "provenance"}, map[string]string{"provenance": naming.DefaultProvenance}, assembleSnapResourceRevision, 0}
 	SnapResourcePairType     = &AssertionType{"snap-resource-pair", []string{"snap-id", "resource-name", "resource-revision", "snap-revision", "provenance"}, map[string]string{"provenance": naming.DefaultProvenance}, assembleSnapResourcePair, 0}
-	RegistryType             = &AssertionType{"registry", []string{"account-id", "name"}, nil, assembleRegistry, jsonBody}
+	ConfdbType               = &AssertionType{"confdb", []string{"account-id", "name"}, nil, assembleConfdb, jsonBody}
 
 	// ...
 )
@@ -173,7 +173,7 @@ var typeRegistry = map[string]*AssertionType{
 	PreseedType.Name:              PreseedType,
 	SnapResourceRevisionType.Name: SnapResourceRevisionType,
 	SnapResourcePairType.Name:     SnapResourcePairType,
-	RegistryType.Name:             RegistryType,
+	ConfdbType.Name:               ConfdbType,
 	// no authority
 	DeviceSessionRequestType.Name: DeviceSessionRequestType,
 	SerialRequestType.Name:        SerialRequestType,

asserts/asserts_test.go

@@ -52,10 +52,10 @@ func (as *assertsSuite) TestTypeNames(c *C) {
 		"account-key",
 		"account-key-request",
 		"base-declaration",
+		"confdb",
 		"device-session-request",
 		"model",
 		"preseed",
-		"registry",
 		"repair",
 		"serial",
 		"serial-request",
@@ -1200,7 +1200,7 @@ func (as *assertsSuite) TestWithAuthority(c *C) {
 		"snap-developer",
 		"model",
 		"preseed",
-		"registry",
+		"confdb",
 		"serial",
 		"system-user",
 		"validation",

asserts/registry.go → asserts/confdb.go

@@ -24,43 +24,43 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/snapcore/snapd/registry"
+	"github.com/snapcore/snapd/confdb"
 )
 
-// Registry holds a registry assertion, which is a definition by an account of
+// Confdb holds a confdb assertion, which is a definition by an account of
 // access views and a storage schema for a set of related configuration options
 // under the purview of the account.
-type Registry struct {
+type Confdb struct {
 	assertionBase
 
-	registry  *registry.Registry
+	confdb    *confdb.Confdb
 	timestamp time.Time
 }
 
 // AccountID returns the identifier of the account that signed this assertion.
-func (ar *Registry) AccountID() string {
+func (ar *Confdb) AccountID() string {
 	return ar.HeaderString("account-id")
 }
 
-// Name returns the name for the registry.
-func (ar *Registry) Name() string {
+// Name returns the name for the confdb.
+func (ar *Confdb) Name() string {
 	return ar.HeaderString("name")
 }
 
-// Registry returns a Registry assembled from the assertion that can be used
-// to access registry views.
-func (ar *Registry) Registry() *registry.Registry {
-	return ar.registry
+// Confdb returns a Confdb assembled from the assertion that can be used
+// to access confdb views.
+func (ar *Confdb) Confdb() *confdb.Confdb {
+	return ar.confdb
 }
 
-func assembleRegistry(assert assertionBase) (Assertion, error) {
+func assembleConfdb(assert assertionBase) (Assertion, error) {
 	authorityID := assert.AuthorityID()
 	accountID := assert.HeaderString("account-id")
 	if accountID != authorityID {
-		return nil, fmt.Errorf("authority-id and account-id must match, registry assertions are expected to be signed by the issuer account: %q != %q", authorityID, accountID)
+		return nil, fmt.Errorf("authority-id and account-id must match, confdb assertions are expected to be signed by the issuer account: %q != %q", authorityID, accountID)
 	}
 
-	name, err := checkStringMatches(assert.headers, "name", registry.ValidRegistryName)
+	name, err := checkStringMatches(assert.headers, "name", confdb.ValidConfdbName)
 	if err != nil {
 		return nil, err
 	}
@@ -87,12 +87,12 @@ func assembleRegistry(assert assertionBase) (Assertion, error) {
 		return nil, fmt.Errorf(`body must contain a "storage" stanza`)
 	}
 
-	schema, err := registry.ParseSchema(schemaRaw)
+	schema, err := confdb.ParseSchema(schemaRaw)
 	if err != nil {
 		return nil, fmt.Errorf(`invalid schema: %w`, err)
 	}
 
-	registry, err := registry.New(accountID, name, viewsMap, schema)
+	confdb, err := confdb.New(accountID, name, viewsMap, schema)
 	if err != nil {
 		return nil, err
 	}
@@ -102,9 +102,9 @@ func assembleRegistry(assert assertionBase) (Assertion, error) {
 		return nil, err
 	}
 
-	return &Registry{
+	return &Confdb{
 		assertionBase: assert,
-		registry:      registry,
+		confdb:        confdb,
 		timestamp:     timestamp,
 	}, nil
 }

asserts/registry_test.go → asserts/confdb_test.go

@@ -28,24 +28,24 @@ import (
 	"github.com/snapcore/snapd/asserts"
 )
 
-type registrySuite struct {
+type confdbSuite struct {
 	ts     time.Time
 	tsLine string
 }
 
-var _ = Suite(&registrySuite{})
+var _ = Suite(&confdbSuite{})
 
-func (s *registrySuite) SetUpSuite(c *C) {
+func (s *confdbSuite) SetUpSuite(c *C) {
 	s.ts = time.Now().Truncate(time.Second).UTC()
 	s.tsLine = "timestamp: " + s.ts.Format(time.RFC3339) + "\n"
 }
 
 const (
-	registryExample = `type: registry
+	confdbExample = `type: confdb
 authority-id: brand-id1
 account-id: brand-id1
 name: my-network
-summary: registry description
+summary: confdb description
 views:
   wifi-setup:
     rules:
@@ -87,34 +87,34 @@ const schema = `{
   }
 }`
 
-func (s *registrySuite) TestDecodeOK(c *C) {
-	encoded := strings.Replace(registryExample, "TSLINE", s.tsLine, 1)
+func (s *confdbSuite) TestDecodeOK(c *C) {
+	encoded := strings.Replace(confdbExample, "TSLINE", s.tsLine, 1)
 
 	a, err := asserts.Decode([]byte(encoded))
 	c.Assert(err, IsNil)
 	c.Check(a, NotNil)
-	c.Check(a.Type(), Equals, asserts.RegistryType)
-	ar := a.(*asserts.Registry)
+	c.Check(a.Type(), Equals, asserts.ConfdbType)
+	ar := a.(*asserts.Confdb)
 	c.Check(ar.AuthorityID(), Equals, "brand-id1")
 	c.Check(ar.AccountID(), Equals, "brand-id1")
 	c.Check(ar.Name(), Equals, "my-network")
-	registry := ar.Registry()
-	c.Assert(registry, NotNil)
-	c.Check(registry.View("wifi-setup"), NotNil)
+	confdb := ar.Confdb()
+	c.Assert(confdb, NotNil)
+	c.Check(confdb.View("wifi-setup"), NotNil)
 }
 
-func (s *registrySuite) TestDecodeInvalid(c *C) {
-	const validationSetErrPrefix = "assertion registry: "
+func (s *confdbSuite) TestDecodeInvalid(c *C) {
+	const validationSetErrPrefix = "assertion confdb: "
 
-	encoded := strings.Replace(registryExample, "TSLINE", s.tsLine, 1)
+	encoded := strings.Replace(confdbExample, "TSLINE", s.tsLine, 1)
 
 	viewsStanza := encoded[strings.Index(encoded, "views:") : strings.Index(encoded, "timestamp:")+1]
 	body := encoded[strings.Index(encoded, "body-length:"):strings.Index(encoded, "\n\nAXN")]
 
 	invalidTests := []struct{ original, invalid, expectedErr string }{
 		{"account-id: brand-id1\n", "", `"account-id" header is mandatory`},
 		{"account-id: brand-id1\n", "account-id: \n", `"account-id" header should not be empty`},
-		{"account-id: brand-id1\n", "account-id: random\n", `authority-id and account-id must match, registry assertions are expected to be signed by the issuer account: "brand-id1" != "random"`},
+		{"account-id: brand-id1\n", "account-id: random\n", `authority-id and account-id must match, confdb assertions are expected to be signed by the issuer account: "brand-id1" != "random"`},
 		{"name: my-network\n", "", `"name" header is mandatory`},
 		{"name: my-network\n", "name: \n", `"name" header should not be empty`},
 		{"name: my-network\n", "name: my/network\n", `"name" primary key header cannot contain '/'`},
@@ -148,7 +148,7 @@ func (s *registrySuite) TestDecodeInvalid(c *C) {
 	}
 }
 
-func (s *registrySuite) TestAssembleAndSignChecksSchemaFormatOK(c *C) {
+func (s *confdbSuite) TestAssembleAndSignChecksSchemaFormatOK(c *C) {
 	headers := map[string]interface{}{
 		"authority-id": "brand-id1",
 		"account-id":   "brand-id1",
@@ -174,12 +174,12 @@ func (s *registrySuite) TestAssembleAndSignChecksSchemaFormatOK(c *C) {
     }
   }
 }`
-	acct1, err := asserts.AssembleAndSignInTest(asserts.RegistryType, headers, []byte(schema), testPrivKey0)
+	acct1, err := asserts.AssembleAndSignInTest(asserts.ConfdbType, headers, []byte(schema), testPrivKey0)
 	c.Assert(err, IsNil)
 	c.Assert(string(acct1.Body()), Equals, schema)
 }
 
-func (s *registrySuite) TestAssembleAndSignChecksSchemaFormatFail(c *C) {
+func (s *confdbSuite) TestAssembleAndSignChecksSchemaFormatFail(c *C) {
 	headers := map[string]interface{}{
 		"authority-id": "brand-id1",
 		"account-id":   "brand-id1",
@@ -196,6 +196,6 @@ func (s *registrySuite) TestAssembleAndSignChecksSchemaFormatFail(c *C) {
 	}
 
 	schema := `{ "storage": { "schema": { "foo": "any" } } }`
-	_, err := asserts.AssembleAndSignInTest(asserts.RegistryType, headers, []byte(schema), testPrivKey0)
-	c.Assert(err, ErrorMatches, `assertion registry: JSON in body must be indented with 2 spaces and sort object entries by key`)
+	_, err := asserts.AssembleAndSignInTest(asserts.ConfdbType, headers, []byte(schema), testPrivKey0)
+	c.Assert(err, ErrorMatches, `assertion confdb: JSON in body must be indented with 2 spaces and sort object entries by key`)
 }

asserts/snapasserts/snapasserts.go

@@ -509,12 +509,12 @@ func FetchStore(f asserts.Fetcher, storeID string) error {
 	return f.Fetch(ref)
 }
 
-// FetchRegistry fetches a registry assertion described by account and registry
+// FetchConfdb fetches a confdb assertion described by account and confdb
 // name using the given fetcher.
-func FetchRegistry(f asserts.Fetcher, account, registryName string) error {
+func FetchConfdb(f asserts.Fetcher, account, confdbName string) error {
 	ref := &asserts.Ref{
-		Type:       asserts.RegistryType,
-		PrimaryKey: []string{account, registryName},
+		Type:       asserts.ConfdbType,
+		PrimaryKey: []string{account, confdbName},
 	}
 
 	return f.Fetch(ref)