I suspect we explicitly want to omit the device cgroup because if we used it then the snap would only be able to see the devices that were assigned to it, which is a form of confinement and not what the snap would expect.
As for the snap-provided udev rules, for the same reason @niemeyer gave on the dbus backend continuing to provide its rules, it seems we would want to continue to provide the udev rules.
Thus far I think we've said that, with strict confinement, the backends (wrt interface connections) should:
- skip: apparmor rules, seccomp rules, udev tagging for device cgroup
- continue: dbus rules, non-snappy-tag udev rules, kmod, systemd