Dear Snapd Community,
We’re pleased to share that snapd 2.70 snap is available for testing in the candidate channel.
Highlights
- snap-confine no longer needs to be setuid root; it now uses file capabilities and executes in the security context of the user who invokes it.
- snapd.apparmor is now enabled on Fedora, so that a Fedora container running on an apparmor-capable kernel works correctly.
Notable updates
- Reset SHELL to /bin/bash in non-classic snaps (LP: #2107443)
- Only cancel notices requests on stop/shutdown (LP: #2104066)
- Fix GLX on nvidia when xorg is confined by AppArmor (LP: #2088456)
- Fix snap-bootstrap busy loop (LP: #2106121)
- Update secboot and modify snap-bootstrap to remove usage of go templates to reduce size by 4MB (LP: #2102456)
More about no-setuid snap confine
In an effort to increase security and have better control over the execution of privileged binaries, the snap application bootstrapping helper, snap-confine, no longer needs to be setuid root. Instead, it relies on file capabilities and executes in the security context of the user who invoked it. The required capabilities are effectively a subset of all the capabilities that were previously obtained immediately when executing the privileged binary. The effective capabilities are switched dynamically at runtime, so that the helper executes with the smallest set of effective privileges at any given time.
For the release plan and complete list of changes, please refer to the full release notes. Please note that 2.70 includes all the changes in the superseded 2.69 and 2.69.1 releases.
The next planned release is 2.71, which is expected to be available in the beta channel by 25 July.
Feel free to provide your test feedback here or directly in Launchpad. To help fast-track investigations, please provide (1) details about the system, (2) snapd version(s) and (3) steps to reproduce the issue.
We greatly appreciate your contributions and support!