
many: merge fixes from 2.57.6 #12380

Merged
merged 6 commits into from
Dec 1, 2022

Conversation

mvo5
Contributor

@mvo5 mvo5 commented Nov 30, 2022

This merges the CVE-2022-3328 fixes from the release/2.57 branch back into master.

alexmurray and others added 6 commits November 21, 2022 12:32
Use systemd-tmpfiles to create the private tmp mount namespace root
dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive
permissions. We can use this as a known location to then create per-snap
private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE)
etc.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
To avoid unprivileged users being able to interfere with the creation of the
private snap mount namespace, instead of creating this as /tmp/snap.$SNAP_NAME/
we can now use the systemd-tmpfiles configuration to do this for us
at boot with a known fixed name (/tmp/snap-private-tmp/) and then use that as
the base dir for creating per-snap private tmp mount
namespaces (e.g. /tmp/snap-private-tmp/snap.$SNAP_INSTANCE/tmp) etc.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
The output format of ls could vary depending on the local system's locale etc., whereas
the output of stat is fixed, so use this instead to check file owner /
permissions.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
This should ensure that any older versions of snapd that are vulnerable to this
new CVE-2022-3328 are uninstalled on upgrade to the fixed version.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
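The two mechanisms the commits above rely on, a tmpfiles.d entry that creates the root-owned base directory at boot and a stat-based ownership/permission check instead of parsing ls output, as an added example (not snapd's own code or its actual tmpfiles configuration). The path /tmp/snap-private-tmp comes from the commit messages; the 0700 mode, the function names and the use of GNU coreutils stat -c are assumptions made for this illustration:

```shell
#!/bin/sh
# Added example, not snapd's code. Shows (1) the shape of a tmpfiles.d line
# that creates a root-owned, restrictively-permissioned directory at boot and
# (2) checking owner/mode with stat's fixed output format instead of ls.
# Assumption: 0700 is used as the "restrictive" mode; snapd's real entry is
# not shown on this page. Assumption: GNU coreutils stat (-c is not POSIX).

# tmpfiles.d fields: Type Path Mode User Group Age (Argument omitted).
# "d" creates the directory if missing and fixes ownership/mode on existing ones.
TMPFILES_LINE='d /tmp/snap-private-tmp 0700 root root -'

# write_tmpfiles_fragment [FILE]: write the entry to FILE (stdout if omitted).
# In a real deployment FILE would live under /usr/lib/tmpfiles.d/ or /etc/tmpfiles.d/.
write_tmpfiles_fragment() {
    printf '%s\n' "$TMPFILES_LINE" > "${1:-/dev/stdout}"
}

# check_private_dir DIR EXPECTED_UID EXPECTED_MODE
# Returns 0 only when DIR is a real directory (not a symlink), owned by
# EXPECTED_UID and with exactly EXPECTED_MODE (octal, as stat prints it,
# e.g. 700). stat -c '%u %a' is locale-independent; ls -l columns are not.
check_private_dir() {
    dir=$1; want_uid=$2; want_mode=$3
    [ -d "$dir" ] || return 1        # must exist and be a directory
    [ ! -L "$dir" ] || return 1      # -d follows symlinks; reject them explicitly
    got=$(stat -c '%u %a' "$dir") || return 1
    uid=${got%% *}
    mode=${got##* }
    [ "$uid" = "$want_uid" ] && [ "$mode" = "$want_mode" ]
}
```

The symlink test matters because -d follows links: a check that only asked "is it a directory owned by root?" could be satisfied by a link planted in a world-writable /tmp, which is exactly the class of interference a fixed, pre-created, root-owned base directory is meant to remove.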
Collaborator

@alexmurray alexmurray left a comment


LGTM!

@mvo5 mvo5 merged commit 569398f into canonical:master Dec 1, 2022