snap-confine: fallback gracefully on a cgroup v2 only system

On a cgroup v2 only system we cannot use certain features like freezer or pid cgroups yet. In order to not die() when we run on such systems this PR implements detection and skipping of those. This will have to be done "properly" but for now it ensures that snaps continue to run on cgroup v2 only systems. 

2 files changed, 13 insertions, 6 deletions

diff --git a/cmd/snap-confine/ns-support.c b/cmd/snap-confine/ns-support.c
index 672f18b6a0..c3d958b113 100644
--- a/cmd/snap-confine/ns-support.c
+++ b/cmd/snap-confine/ns-support.c
@@ -39,6 +39,7 @@
 #include <unistd.h>
 
 #include "../libsnap-confine-private/cgroup-freezer-support.h"
+#include "../libsnap-confine-private/cgroup-support.h"
 #include "../libsnap-confine-private/classic.h"
 #include "../libsnap-confine-private/cleanup-funcs.h"
 #include "../libsnap-confine-private/infofile.h"
@@ -486,7 +487,7 @@ static int sc_inspect_and_maybe_discard_stale_ns(int mnt_fd,
	debug("preserved mount is not stale, reusing");
	return 0;
	case SC_DISCARD_SHOULD:
-	if (sc_cgroup_freezer_occupied(inv->snap_instance)) {
+ if (!sc_cgroup_is_v2() && sc_cgroup_freezer_occupied(inv->snap_instance)) {
	// Some processes are still using the namespace so we cannot discard it
	// as that would fracture the view that the set of processes inside
	// have on what is mounted.
diff --git a/cmd/snap-confine/snap-confine.c b/cmd/snap-confine/snap-confine.c
index ac2f0375df..a4f4988326 100644
--- a/cmd/snap-confine/snap-confine.c
+++ b/cmd/snap-confine/snap-confine.c
@@ -35,6 +35,7 @@
 #include "../libsnap-confine-private/apparmor-support.h"
 #include "../libsnap-confine-private/cgroup-freezer-support.h"
 #include "../libsnap-confine-private/cgroup-pids-support.h"
+#include "../libsnap-confine-private/cgroup-support.h"
 #include "../libsnap-confine-private/classic.h"
 #include "../libsnap-confine-private/cleanup-funcs.h"
 #include "../libsnap-confine-private/feature.h"
@@ -574,8 +575,11 @@ static void enter_non_classic_execution_environment(sc_invocation * inv,
 
	/** Populate and join the device control group. */
	struct snappy_udev udev_s;
-	if (snappy_udev_init(inv->security_tag, &udev_s) == 0)
-	setup_devices_cgroup(inv->security_tag, &udev_s);
+	if (snappy_udev_init(inv->security_tag, &udev_s) == 0) {
+	if (sc_cgroup_is_v2()) {
+	setup_devices_cgroup(inv->security_tag, &udev_s);
+	}
+	}
	snappy_udev_cleanup(&udev_s);
 
	/**
@@ -675,9 +679,11 @@ static void enter_non_classic_execution_environment(sc_invocation * inv,
	die("cannot set effective group id to root");
	}
	}
-	sc_cgroup_freezer_join(inv->snap_instance, getpid());
-	if (sc_feature_enabled(SC_FEATURE_REFRESH_APP_AWARENESS)) {
-	sc_cgroup_pids_join(inv->security_tag, getpid());
+	if (!sc_cgroup_is_v2()) {
+	sc_cgroup_freezer_join(inv->snap_instance, getpid());
+	if (sc_feature_enabled(SC_FEATURE_REFRESH_APP_AWARENESS)) {
+	sc_cgroup_pids_join(inv->security_tag, getpid());
+	}
	}
	if (geteuid() == 0 && real_gid != 0) {
	if (setegid(real_gid) != 0) {