Snapd 2.76 Release Update

Dear Snapd Community,

We’re pleased to share that the snapd 2.76 snap is now available for testing in the beta channel and the snapd deb (2.76+ubuntu26.10.1) is available in stonking-proposed.

Overview

This release contains the remainder of the planned 26.04 content. It includes:

  • Snap delta infrastructure, laying the groundwork for smaller snap updates
  • Mount namespace and layout improvements for more robust and predictable snap confinement
  • Performance improvements reducing overhead during snap operations and Ubuntu Core boot
  • Improved snap component visibility and reliability
  • Security hardening across snap-confine
  • Continued progress on features in development, including snap deltas, confdb, AppArmor prompting, remote device management, dm-verity, security logging and openshell
  • FDE (Full Disk Encryption) maintenance updates and bug fixes
  • New interfaces and interface improvements
  • Packaging updates for cross-distro builds and Ubuntu 26.04 (Resolute)

Notable updates

Components

Snapd 2.76 contains many enhancements to the components subsystem, providing greater transparency and stability for end users. Users can discover installed components directly through ‘snap info’ and ‘snap list’, while several reliability fixes improve the experience around installation, refresh, and enable/disable workflows.

  • Show hint in snap list that a snap has components
  • List snap components in snap-debug-info via debug-tools
  • Display detailed component information in snap info
  • Fix download of private snap components by setting UserID (LP: #2110368)
  • Fix snap enable/disable cycle forgetting components (LP: #2147207)
  • Ensure existing snap confinement flags are not dropped when installing or removing components
  • Improve snapctl install consistency when components are already installed
  • Fix component installation for private snaps via snapctl (LP: #2110368)

Mount namespace and layout

The 2.76 release continues to improve how the mount namespace of a snap, its world view, is constructed and updated. Starting with 2.75, we introduced a mechanism for opportunistically discarding the mount namespace whenever a snap itself or one of its dependencies is updated. This ensures that snaps always start with the most up-to-date world view. In 2.76, we continued this effort, making the mount namespace construction process itself more robust and ensuring that snap features, such as content sharing and layouts, are applied in an orderly and predictable way, while also fixing a number of bugs in the area.

  • snap-update-ns: switch to a multi-pass process for constructing and updating mount namespaces
  • Fix mount namespace updates with synthetic bind mounts on same target paths (LP: #2144666)

Performance

Snapd 2.76 includes several targeted performance improvements that reduce overhead during common snap operations and speed up boot on Ubuntu Core devices.

  • Reduce the number of AppArmor profile regenerations during snap operations
  • Unroll CPU-heavy recursive function in snap state handlers
  • Dispatch systemctl commands asynchronously when calling Stop()
  • core-initrd: increase mount burst from 5 to 128 for faster boot
  • core-initrd: add nfnetlink module to fix nf netlink socket speed regression (LP: #2150773)

Security hardening

Snapd 2.76 hardens the snap-confine execution environment, addressing a memory safety issue and tightening security boundaries for BPF and mount operations.

  • snap-confine: fix out-of-bounds read in mountinfo parser for partial escape sequences
  • snap-confine: harden bpffs mount with nosuid, nodev, noexec flags
  • snap-confine: set FD_CLOEXEC on file descriptors returned by BPF helpers
  • snap-confine: remove experimental persistent per-user mount namespace feature

Features in development

The following features are under active development and included in this release as building blocks for upcoming functionality. They are not yet considered stable for general use.

  • snap deltas: introduces internal tooling for generating and applying binary deltas between snap revisions; supports the existing xdelta3 format and adds the new snap-1-1-xdelta3 format with improved compression of the squashfs artefact
  • confdb: block concurrent confdb accesses; allow only API admin read access to confdb secrets; support --wait-for timeouts
  • AppArmor prompting: re-enable the prompting notice backend; validate permissions while unmarshalling; escape paths in prompt constraints; respond with full user-allowed permission set
  • remote device management: support remote device management through the dispatch-mgmt-messages task, with sequencing support
  • dm-verity: add helper for validating integrity data; copy integrity data files during snap install
  • Security audit logging: add security audit logging subsystem
  • openshell: allow openshell snap to use experimental daemon-scope: user

Other

  • mounts: ensure /tmp/.X11-unix created inside mount namespace has correct permissions; allow configuring mount unit options based on filesystem type; RemoveMountUnitFile now unmounts even if mount unit file is missing
  • interfaces: new podman interface for podman socket access; docker plug now implicit on classic systems; bluez: drop explicit deny send_destination in D-Bus configuration; disallow auto-connect to parallel installs; restore auto-connections on failed refresh undo; conditionally deny /proc/self/mountinfo to suppress Go 1.25+ denials; support deep SoC sysfs paths for LED brightness in bool-file (LP: #2148544)
  • interfaces: stricter validation for content interface plugs and layout entries now applies to snaps using bases core26 (or later) and bare. For snaps using a content interface plug, or a layout entry (bind, bind-file or tmpfs) where the target path resides under $SNAP, the target path’s presence is now mandatory and enforced during snap installation or refresh.
  • FDE: deprecate check-pin/passphrase API actions; move auto-repair logic to overlord/fdestate; update secboot for TPM/FDE bug fixes including Intel HAP and recovery key parsing; give inactive state on classic (LP: #2147606)
  • snap CLI: allow removing a snap and its base at the same time; avoid empty channel forwarding message (LP: #2125344); clarify snap install help text for --classic and --devmode (LP: #2150683); print complex attributes in snap interface --attrs output (LP: #2152908)
  • packaging: FIPS bootstrap and dispatch via snap-fips-dispatch; add cross-distro build script; update bundled AppArmor 4.1.7; drop transitional packages for Ubuntu 26.04; make Ubuntu 16.04 packaging dep17 compliant (LP: #2139213)
  • Update seccomp syscalls list for kernel 7.1.0
  • Improve handling of failed downloads and retain partial files for resume (LP: #2146337)
  • Skip redundant xdg-settings confirmation prompt when setting is already correct (LP: #1966067)

For the release plan and complete list of changes, please refer to the full release notes.

Test Feedback

Feel free to provide your test feedback here or directly in Launchpad. To help fast-track investigations, please provide (1) details about the system, (2) snapd version(s) and (3) steps to reproduce the issue.

The next release, Snapd 2.77, contains the 26.10 image content and is estimated to start on 13 July 2026 and be available by 7 September 2026. Content targeting this release should be ready by 10 July 2026.

We greatly appreciate your contributions and support!

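The mountinfo parser fix listed under "Security hardening" concerns the octal escapes (such as `\040` for a space) that the kernel writes into /proc/self/mountinfo fields. As an added illustration, not snapd's own code, the C example below decodes one field and rejects a partial escape before reading any byte past the end of the field; the function name and the sample fields are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_octal(char c) { return c >= '0' && c <= '7'; }

/* Decode one mountinfo field (src_len bytes, not necessarily NUL-terminated)
 * into dst, which holds dst_cap bytes including the terminating NUL.
 * Returns the decoded length, or -1 for a partial or malformed escape,
 * an escaped NUL, or output that does not fit. */
long decode_mountinfo_field(const char *src, size_t src_len,
                            char *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;

    if (dst_cap == 0)
        return -1;
    while (in < src_len) {
        char c = src[in];
        if (c == '\\') {
            /* The escape is "\" plus three octal digits. Confirm all four
             * bytes lie inside the field before reading any of them. */
            if (src_len - in < 4)
                return -1;
            if (!is_octal(src[in + 1]) || !is_octal(src[in + 2]) ||
                !is_octal(src[in + 3]))
                return -1;
            unsigned v = (unsigned)(src[in + 1] - '0') * 64 +
                         (unsigned)(src[in + 2] - '0') * 8 +
                         (unsigned)(src[in + 3] - '0');
            if (v == 0 || v > 255)   /* escaped NUL or value above one byte */
                return -1;
            c = (char)v;
            in += 4;
        } else {
            in += 1;
        }
        if (out + 1 >= dst_cap)      /* keep room for the terminating NUL */
            return -1;
        dst[out++] = c;
    }
    dst[out] = '\0';
    return (long)out;
}

int main(void)
{
    /* Constructed sample fields; the last two end in a partial escape. */
    const char *samples[] = { "/mnt/my\\040disk", "/mnt/my\\04", "/mnt/my\\" };
    char buf[64];
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %ld\n", samples[i],
               decode_mountinfo_field(samples[i], strlen(samples[i]), buf, sizeof buf));
    return 0;
}
```

Passing the field length explicitly, rather than relying on a terminator, is what lets the length check run before the digits are read.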