[gentoo-commits] repo/gentoo:master commit in: app-emulation/snapd/files/, app-emulation/snapd/
commit: 9199f894abc83596ae63ebc48a73e0af354d5f40 Author: Zac Medico gentoo org> AuthorDate: Tue Nov 10 11:29:48 2020 + Commit: Zac Medico gentoo org> CommitDate: Tue Nov 10 11:35:43 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9199f894 app-emulation/snapd: 2.47.1-r1 revbump for bug 753695 Add USE=forced-devmode which can be disabled if you would like snapd to panic if its confinement feature detection fails. Bug: https://bugs.gentoo.org/753695 Package-Manager: Portage-3.0.9, Repoman-3.0.2 Signed-off-by: Zac Medico gentoo.org> app-emulation/snapd/files/README.gentoo | 9 + app-emulation/snapd/metadata.xml | 6 ++ .../snapd/{snapd-2.47.1.ebuild => snapd-2.47.1-r1.ebuild}| 12 +--- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/app-emulation/snapd/files/README.gentoo b/app-emulation/snapd/files/README.gentoo index 331729cb165..f2e34601802 100644 --- a/app-emulation/snapd/files/README.gentoo +++ b/app-emulation/snapd/files/README.gentoo @@ -1,3 +1,12 @@ +*Security Alert* + +Application confinement may be automatically disabled if snapd +fails to detect the required features. If you would like to disable +this automatic behavior, causing snapd to panic if its confinement +feature detection fails, then use this setting in package.use: + +app-emulation/snapd -forced-devmode + Use this command to enable the snapd service: systemctl enable snapd.socket diff --git a/app-emulation/snapd/metadata.xml b/app-emulation/snapd/metadata.xml index 8a398ce38f9..2d641fece55 100644 --- a/app-emulation/snapd/metadata.xml +++ b/app-emulation/snapd/metadata.xml @@ -12,5 +12,11 @@ Enable AppArmor support. + + Default to hybrid (legacy) cgroup hierarchy instead of unified (modern). + + + Automatically disable application confinement if feature detection fails. + 
diff --git a/app-emulation/snapd/snapd-2.47.1.ebuild b/app-emulation/snapd/snapd-2.47.1-r1.ebuild similarity index 90% rename from app-emulation/snapd/snapd-2.47.1.ebuild rename to app-emulation/snapd/snapd-2.47.1-r1.ebuild index 1f8706beb54..9abf9d0b4bf 100644 --- a/app-emulation/snapd/snapd-2.47.1.ebuild +++ b/app-emulation/snapd/snapd-2.47.1-r1.ebuild @@ -17,8 +17,8 @@ KEYWORDS="~amd64" LICENSE="GPL-3 Apache-2.0 BSD BSD-2 LGPL-3-with-linking-exception MIT" SLOT="0" -IUSE="apparmor gtk kde systemd" -REQUIRED_USE="systemd" +IUSE="apparmor +cgroup-hybrid +forced-devmode gtk kde systemd" +REQUIRED_USE="!forced-devmode? ( cgroup-hybrid ) systemd" CONFIG_CHECK="~CGROUPS ~CGROUP_DEVICE @@ -40,7 +40,7 @@ RDEPEND=" ) dev-libs/glib virtual/libudev - systemd? ( sys-apps/systemd ) + systemd? ( sys-apps/systemd[cgroup-hybrid(+)?] ) sys-libs/libcap:= sys-fs/squashfs-tools" @@ -74,6 +74,12 @@ src_prepare() { + "gentoo", \x20 "manjaro",' | patch "${MY_S}/dirs/dirs.go" || die + if ! use forced-devmode; then + sed -e 's#return \(!apparmorFull || cgroupv2\)#//\1\n\tif !apparmorFull || cgroupv2 {\n\t\tpanic("USE=forced-devmode is disabled")\n\t}\n\treturn false#' \ + -i "${MY_S}/sandbox/forcedevmode.go" || die + grep -q 'panic("USE=forced-devmode is disabled")' "${MY_S}/sandbox/forcedevmode.go" || die "failed to disable forced-devmode" + fi + sed -i 's:command -v git >/dev/null:false:' -i "${MY_S}/mkversion.sh" || die pushd "${MY_S}" >/dev/null || die
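Review bot: In the first ebuild hunk, `REQUIRED_USE="!forced-devmode? ( cgroup-hybrid ) systemd"` covers only one of the two conditions that the sed expression in the src_prepare hunk turns into a panic (`!apparmorFull || cgroupv2`). The `apparmor` flag gates the AppArmor userspace in RDEPEND, so a `-forced-devmode -apparmor` build would presumably never detect full AppArmor support and would panic whenever that check runs. If so, the constraint should read `REQUIRED_USE="!forced-devmode? ( apparmor cgroup-hybrid ) systemd"`. Separately, `+forced-devmode` in IUSE keeps the fail-open behaviour as the default, which deserves a comment next to the flag such as `# forced-devmode defaults on; disable it to make snapd panic instead of running snaps unconfined (bug 753695)`.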
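Review bot: The `if ! use forced-devmode; then` block in the third ebuild hunk has no comment explaining that it converts the devmode fallback in `sandbox/forcedevmode.go` into a hard failure. I would add above it `# Fail closed: make snapd panic instead of silently disabling confinement when AppArmor or cgroup detection fails (bug 753695)`, and above the grep `# Guard: die if upstream changed the return statement and the sed no longer matches`. The injected message `USE=forced-devmode is disabled` also does not say which of the two conditions failed, so an operator reading the journal cannot tell an AppArmor problem from a unified-cgroup one. The caller of the patched function is not visible here, so it is worth confirming whether the panic surfaces as a clean startup failure or as a crash during a later snap operation. src_prepare begins and ends outside this hunk.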
[gentoo-commits] repo/gentoo:master commit in: app-emulation/snapd/files/, app-emulation/snapd/
commit: 484480e8c287176e53897b6665db202108037ed5 Author: Zac Medico gentoo org> AuthorDate: Mon Nov 9 07:35:08 2020 + Commit: Zac Medico gentoo org> CommitDate: Mon Nov 9 08:36:52 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=484480e8 app-emulation/snapd: Initial import Package-Manager: Portage-3.0.9, Repoman-3.0.2 Signed-off-by: Zac Medico gentoo.org> app-emulation/snapd/Manifest| 1 + app-emulation/snapd/files/README.gentoo | 47 + app-emulation/snapd/metadata.xml| 16 +++ app-emulation/snapd/snapd-2.47.1.ebuild | 180 4 files changed, 244 insertions(+) diff --git a/app-emulation/snapd/Manifest b/app-emulation/snapd/Manifest new file mode 100644 index 000..2622b18e103 --- /dev/null +++ b/app-emulation/snapd/Manifest @@ -0,0 +1 @@ +DIST snapd-2.47.1.tar.xz 3664756 BLAKE2B 90cb117ea385890c38c6efdecd3652c115158ad769858ebe1a5035d37c9543da5b2a8768ce4f56cfcee053701d308f826bf7993d9b5f9d5313f2840ca829ab23 SHA512 e08dd7057b85b970a1177996c483d3f663b1424cdbf6643a69923a7012d38fc13109b449ce3a2c5c8d65e5836f93a36567f2f641a62caea6e9989a458f7f2892 diff --git a/app-emulation/snapd/files/README.gentoo b/app-emulation/snapd/files/README.gentoo new file mode 100644 index 000..331729cb165 --- /dev/null +++ b/app-emulation/snapd/files/README.gentoo 
@@ -0,0 +1,47 @@ +Use this command to enable the snapd service: + + systemctl enable snapd.socket + +You can source /etc/profile.d/snapd.sh in your shell in order to +update PATH and XDG_DATA_DIRS environment variables to include +installed snaps. + +Once you have snapd running (first refer to the *AppArmor Section* +below if you have that enabled), see the snap-store installation +instructions here: + + https://snapcraft.io/docs/installing-snap-store-app + +If snap-store does not work correctly then it may be due to a temporary +service outage which will hopefully be reported on this page: + + https://status.snapcraft.io/ + +When snap-store is not working due to a service outage, it may still +be possible to install apps via the snap cli. See snap --help for +details. Many apps can be installed without a snap store (Ubuntu One) +account. The snap login, logout, and whoami subcommands are available +to manage snap store account details. + +Note that you will need a polkit authentication agent running in +order to authenticate as root when installing snaps as a non-root user. +The agent is typically started by a desktop entry found in +/etc/xdg/autostart such as one of these: + + polkit-gnome-authentication-agent-1.desktop + polkit-kde-authentication-agent-1.desktop + +*AppArmor Section* + +When apparmor is enabled you should enable these services: + + systemctl enable apparmor.service snapd.apparmor.service + +You also need it enabled in your kernel and you may need to add these +kernel parameters to your boot loader configuration: + + apparmor=1 security=apparmor + +Refer here for more information about apparmor: + + https://wiki.gentoo.org/wiki/AppArmor diff --git a/app-emulation/snapd/metadata.xml b/app-emulation/snapd/metadata.xml new file mode 100644 index 000..8a398ce38f9 --- /dev/null +++ b/app-emulation/snapd/metadata.xml 
@@ -0,0 +1,16 @@ + +http://www.gentoo.org/dtd/metadata.dtd;> + + + zmed...@gentoo.org + Zac Medico + + + snapcore/snapd + + + + Enable AppArmor support. + + + diff --git a/app-emulation/snapd/snapd-2.47.1.ebuild b/app-emulation/snapd/snapd-2.47.1.ebuild new file mode 100644 index 000..1f8706beb54 --- /dev/null +++ b/app-emulation/snapd/snapd-2.47.1.ebuild @@ -0,0 +1,180 @@ +# Copyright 2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +EGO_PN="github.com/snapcore/${PN}" +inherit autotools bash-completion-r1 golang-vcs-snapshot linux-info readme.gentoo-r1 systemd xdg-utils + +DESCRIPTION="Service and tools for management of snap packages" +HOMEPAGE="http://snapcraft.io/; + +MY_S="${S}/src/github.com/snapcore/${PN}" + +SRC_URI="https://github.com/snapcore/${PN}/releases/download/${PV}/${PN}_${PV}.vendor.tar.xz -> ${P}.tar.xz" +MY_PV=${PV} +KEYWORDS="~amd64" + +LICENSE="GPL-3 Apache-2.0 BSD BSD-2 LGPL-3-with-linking-exception MIT" +SLOT="0" +IUSE="apparmor gtk kde systemd" +REQUIRED_USE="systemd" + +CONFIG_CHECK="~CGROUPS + ~CGROUP_DEVICE + ~CGROUP_FREEZER + ~NAMESPACES + ~SQUASHFS + ~SQUASHFS_ZLIB + ~SQUASHFS_LZO + ~SQUASHFS_XZ + ~BLK_DEV_LOOP + ~SECCOMP + ~SECCOMP_FILTER" + +RDEPEND=" + sys-libs/libseccomp:= + apparmor? ( + sec-policy/apparmor-profiles + sys-apps/apparmor:= + ) +