Merge pull request #7487 from bboozzoo/bbboozzoo/cgroup-udev-features

interfaces/udev: account for cgroup version when reporting supported features Take into account the host's cgroup version when reporting udev backend features.
snapcore · Sep 20, 2019 · 15b3130 · 15b3130
2 parents 313c00a + 3528a61
commit 15b3130
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/interfaces/udev/backend.go b/interfaces/udev/backend.go
@@ -34,6 +34,7 @@ import (
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/sandbox/cgroup"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/timings"
 )
@@ -165,8 +166,19 @@ func (b *Backend) NewSpecification() interfaces.Specification {
 
 // SandboxFeatures returns the list of features supported by snapd for mediating access to kernel devices.
 func (b *Backend) SandboxFeatures() []string {
-	return []string{
+	commonFeatures := []string{
+		"tagging", /* Tagging dynamically associates new devices with specific snaps */
+	}
+	cgroupv1Features := []string{
+		"device-filtering", /* Snapd can limit device access for each snap */
 		"device-cgroup-v1", /* Snapd creates a device group (v1) for each snap */
-		"tagging",          /* Tagging dynamically associates new devices with specific snaps */
 	}
+
+	if cgroup.IsUnified() {
+		// TODO: update v2 device cgroup is supported
+		return commonFeatures
+	}
+
+	features := append(cgroupv1Features, commonFeatures...)
+	return features
 }
diff --git a/interfaces/udev/backend_test.go b/interfaces/udev/backend_test.go
@@ -30,6 +30,7 @@ import (
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/ifacetest"
 	"github.com/snapcore/snapd/interfaces/udev"
+	"github.com/snapcore/snapd/sandbox/cgroup"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
 	"github.com/snapcore/snapd/timings"
@@ -517,8 +518,18 @@ func (s *backendSuite) TestInstallingSnapWritesAndLoadsRulesWithInputJoystickSub
 }
 
 func (s *backendSuite) TestSandboxFeatures(c *C) {
+	restore := cgroup.MockVersion(cgroup.V1, nil)
+	defer restore()
+
 	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{
+		"device-filtering",
 		"device-cgroup-v1",
 		"tagging",
 	})
+
+	restore = cgroup.MockVersion(cgroup.V2, nil)
+	defer restore()
+	c.Assert(s.Backend.SandboxFeatures(), DeepEquals, []string{
+		"tagging",
+	})
 }