github.com/david-imola/snapd@v0.0.0-20210611180407-2de8ddeece6d/sandbox/forcedevmode.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2020 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 // Package sandbox offers streamlined interfaces for the sandboxing 21 // primitives from the system for snapd use. 22 package sandbox 23 24 import ( 25 "github.com/snapcore/snapd/sandbox/apparmor" 26 "github.com/snapcore/snapd/sandbox/cgroup" 27 ) 28 29 // For testing only 30 var mockedForceDevMode *bool 31 32 // ForceDevMode returns true if the distribution doesn't implement required 33 // security features for confinement and devmode is forced. 34 func ForceDevMode() bool { 35 if mockedForceDevMode != nil { 36 return *mockedForceDevMode 37 } 38 39 apparmorFull := apparmor.ProbedLevel() == apparmor.Full 40 // TODO: update once security backends affected by cgroupv2 are fully 41 // supported 42 cgroupv2 := cgroup.IsUnified() 43 return !apparmorFull || cgroupv2 44 } 45 46 // MockForceDevMode fake the system to believe its in a distro 47 // that is in forced devmode as returned by ForceDevMode. 48 func MockForceDevMode(forcedDevMode bool) (restore func()) { 49 old := mockedForceDevMode 50 mockedForceDevMode = &forcedDevMode 51 return func() { 52 mockedForceDevMode = old 53 } 54 }