mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
* cmd/libsnap-confine-private: do not deny all devices when reusing the device cgroup

  With device cgroup v1, when reusing the cgroup (i.e. opening with SC_DEVICE_CGROUP_FROM_EXISTING flag), we should not deny all devices, as this will negatively affect the processes that are in the group.

  This code path was executed by snap-device-helper, so it is possible that when processing of real events from device changes the group could have become broken.

  Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>

* cmd/libsnap-confine-private/device-cgroup-support.c: add comment

  Co-authored-by: Ian Johnson <person.uwsome@gmail.com>

* tests/main/security-device-cgroups-strict-enforced: verify that udev changes do not break device group settings

  Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>

* tests/main/security-device-cgroups-strict-enforced: skip triggering events on 14.04

  Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>

Co-authored-by: Alberto Mardegan <mardy@users.sourceforge.net>
Co-authored-by: Ian Johnson <person.uwsome@gmail.com>