Maciej Borzecki e63665aa2c cmd/snap-confine: skip device cgroup setup when running inside a container (#13859)
* cmd/libsnap-confine-private: helper for detecting if executing inside a container

Add a helper which attempts to detect if the current process is executing inside
a container environment. Specifically, look for /run/systemd/container and check
whether it is non-empty.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: do not setup device cgroup if running inside a container

Do not set up a device cgroup filter if we're running inside the container. The
rationale is that the container environment has already shut down device access
sufficiently, and especially if running in an unprivileged container, we may not be
able to set it up correctly anyway.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: allow reading of /run/systemd/container

Allow snap-confine to read /run/system/container to implement container
execution check.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* cmd/snap-confine: use strnlen for sc_is_container

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Co-authored-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-04-24 11:27:52 +02:00