Arch Linux User Repository

Package update notes

2.36

2.36 is the first release with AppArmor enabled by default on Arch.

If you do not have AppArmor enabled at boot there should be no functional changes visible.

If you wish to use snaps with Apparmor, first make sure that Apparmor is enabled during boot, see https://wiki.archlinux.org/index.php/AppArmor for details. After upgrading the package, you need to do the following steps:

• Reload the profiles: systemctl restart apparmor.service
• Restart snapd: systemctl restart snapd.service
• Load profiles for snaps: systemctl enable --now snapd.apparmor.service

2.62

Since 2.62 snapd generated additional files describing the sandbox. The snapd service needs to be restarted after the update for snaps to continue working (unless the system is rebooted after the update, in which case no additional steps are needed). To restart, run systemctl restart snapd.service

The current snapd release (v2.59.5) suffers from openSUSE bug 1211989, which leads to errors like the following when trying to use (some?) snaps:

$ some-snap-app
cannot perform operation: mount -t tmpfs /tmp/snap.rootfs_A5z0uT: Permission denied

This has been fixed on the current snapd master branch, in commit 385d206 (GitHub PR).

Here's a patch for this AUR package that cherry-picks this commit (can be applied with git am):

From 560ae8b2a14d6761866c492b2a4d7c040f4825fb Mon Sep 17 00:00:00 2001
From: Tilman Blumenbach <tilman+git@ax86.net>
Date: Thu, 8 Jun 2023 21:26:00 +0200
Subject: [PATCH] Cherry-pick fix for incompatible AppArmor change.

Source:
https://github.com/snapcore/snapd/commit/385d206348e4dad96ab4fe0fd08f3818515e3906

See:
    - https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
    - https://github.com/snapcore/snapd/pull/12845
---
 PKGBUILD                 |  4 +++-
 snapcore-bug-12845.patch | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 snapcore-bug-12845.patch

diff --git a/PKGBUILD b/PKGBUILD
index 31bfcdf..3231fb8 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -19,8 +19,10 @@ options=('!strip' 'emptydirs' '!lto')
 install=snapd.install
 source=(
     "$pkgname-$pkgver.tar.xz::https://github.com/snapcore/${pkgname}/releases/download/${pkgver}/${pkgname}_${pkgver}.vendor.tar.xz"
+    snapcore-bug-12845.patch
 )
-sha256sums=('d2d9efbc2db7fa79edf0c73286320ab5ba039ae30874e88725ef326c618ae5df')
+sha256sums=('d2d9efbc2db7fa79edf0c73286320ab5ba039ae30874e88725ef326c618ae5df'
+            '251449de88f91778980269eda86b995b8cae6af15c90db2734707a47c18d9fb2')


 _gourl=github.com/snapcore/snapd
diff --git a/snapcore-bug-12845.patch b/snapcore-bug-12845.patch
new file mode 100644
index 0000000..7bed7da
--- /dev/null
+++ b/snapcore-bug-12845.patch
@@ -0,0 +1,29 @@
+Patch downloaded from:
+https://github.com/snapcore/snapd/commit/385d206348e4dad96ab4fe0fd08f3818515e3906.patch
+
+See: https://github.com/snapcore/snapd/pull/12845
+
+
+From 385d206348e4dad96ab4fe0fd08f3818515e3906 Mon Sep 17 00:00:00 2001
+From: Michael Vogt <mvo@ubuntu.com>
+Date: Mon, 5 Jun 2023 16:18:47 +0200
+Subject: [PATCH] snap-confine: add `tmpfs` mount rule to apparmor profile
+ (#12845)
+
+There is a bugfix to make the mount rules more strict/explicit in apparmor 3.0.10, see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.10 - this affects snapd as it's current profile relies on the implicit behavior. With this commit the missing mount rule is added explicitly.
+---
+ cmd/snap-confine/snap-confine.apparmor.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cmd/snap-confine/snap-confine.apparmor.in b/cmd/snap-confine/snap-confine.apparmor.in
+index fb999368bc4..73d14c8c781 100644
+--- a/cmd/snap-confine/snap-confine.apparmor.in
++++ b/cmd/snap-confine/snap-confine.apparmor.in
+@@ -172,6 +172,7 @@
+ 
+     # boostrapping the mount namespace
+     /tmp/snap.rootfs_*/ rw,
++    mount fstype=tmpfs none -> /tmp/snap.rootfs_*/,
+     mount options=(rw rshared) -> /,
+     mount options=(rw bind) /tmp/snap.rootfs_*/ -> /tmp/snap.rootfs_*/,
+     mount options=(rw unbindable) -> /tmp/snap.rootfs_*/,
-- 
2.41.0

On a completely new installation, I have found out these packages to be required by the build of snapd: pkgconf, autoconf and automake. Otherwise, it will not build.

Just a heads up for anyone experiencing problems building, I was not able to build this package with gcc-go, but building with go works just fine.

It should probably be noted somewhere that this package needs go and not gcc-go. Or there is otherwise some issue or additional dependency when using gcc-go (i'm not sure which is true/caused it to not build with gcc-go)

Create snapd-bin

@Repp no, not really https://wiki.archlinux.org/title/Arch_User_Repository#Getting_started https://wiki.archlinux.org/title/PKGBUILD#makedepends

Because it's so hard for folks to follow, quoting here from the PKGBUILD archwiki page:

Note: The group base-devel is assumed to be already installed when building with makepkg. Members of this group should not be included in makedepends array.

automake and autoconf should be added to makedepends

Getting this issue as well

make[1]: Leaving directory '/home/deck/snapd/src/snapd-2.58.2/cmd' ==> Starting check()... snap-exec is not a static binary

Edit: Disregard - fixed by removing gcc-go

Does not build here with a go-problem:
panic: runtime error: index out of range [2147418107] with length 10

This looks to be a known go issue since months but it is still not fixed. Maybe this can be fixed by changing something in build routines?

Getting this error

Can't exec "aclocal": No such file or directory at /usr/share/autoconf/Autom4te/FileUtils.pm line 274. autoreconf: error: aclocal failed with exit status: 2 ==> ERROR: A failure occurred in build(). Aborting... -> error making: snapd

Have the same problem as @a.kudelin.

==> Starting check()...
snap-exec is not a static binary
 -> error making: snapd

but first I've got this warnings...

go build: when using gccgo toolchain, please pass linker flags using -gccgoflags, not -ldflags