snap-confine: do not init device cgroup if we are in "devmode"
Interfaces that use the device cgroup are currently not usable
in devmode because we do initialize the device cgroup in
snap-confine regardless of whether the snap is in devmode or not.
This PR fixes it by checking if the snap is in devmode. As there
is no good way today, this PR adds an indirect way to detect
devmode by looking at the seccomp profile. In the future we
probably want to revisit this.
867120e... by "John R. Lenton" <email address hidden>
Merge pull request #7150 from zyga/tweak/mount-ns-manual
interfaces/policy: minimal policy check for replacing sanitizeReservedFor helpers (1/2)
Add InstallCandidateMinimalCheck to policy checks. The check will be activated for snap installation when a snap is installed with the --dangerous flag, and its aim is to check slot snap type restrictions only. It doesn't check plugs or slot attributes and doesn't return the default policy decision from base declaration (i.e. deny-installation: true) which would effectively prevent --dangerous. This policy check is meant to replace existing sanitizeSlotReservedFor* helpers and therefore is semantically an equivalent of these helpers.
This new policy check is not yet active in this PR; it will get enabled in a followup together with the removal of sanitizeSlotReservedFor.. helpers.