core: rename CGROUP_AUTO/STRICT/CLOSED to CGROUP_DEVICE_POLICY_…
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 8 Nov 2019 14:12:23 +0000 (15:12 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sun, 10 Nov 2019 22:22:15 +0000 (23:22 +0100)
The old names were very generic, and when used without context it wasn't at all
clear that they are about the devices policy.

src/core/bpf-devices.c
src/core/cgroup.c
src/core/cgroup.h
src/core/unit.c

index 693ff124c52fd38d2a8bfc90097345dca2a55a11..3b8e0ac7f8eb0f1e8099e13c60f4f57f361d20e8 100644 (file)
@@ -132,14 +132,14 @@ int cgroup_init_device_bpf(BPFProgram **ret, CGroupDevicePolicy policy, bool whi
 
         assert(ret);
 
-        if (policy == CGROUP_AUTO && !whitelist)
+        if (policy == CGROUP_DEVICE_POLICY_AUTO && !whitelist)
                 return 0;
 
         r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog);
         if (r < 0)
                 return log_error_errno(r, "Loading device control BPF program failed: %m");
 
-        if (policy == CGROUP_CLOSED || whitelist) {
+        if (policy == CGROUP_DEVICE_POLICY_CLOSED || whitelist) {
                 r = bpf_program_add_instructions(prog, pre_insn, ELEMENTSOF(pre_insn));
                 if (r < 0)
                         return log_error_errno(r, "Extending device control BPF program failed: %m");
@@ -160,7 +160,7 @@ int cgroup_apply_device_bpf(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy
                 return 0;
         }
 
-        const bool deny_everything = policy == CGROUP_STRICT && !whitelist;
+        const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !whitelist;
 
         const struct bpf_insn post_insn[] = {
                 /* return DENY */
index 747543a9951a91c652d0127449550e941a64db23..48a320fc9db619bf44370c947072b44fc3177654 100644 (file)
@@ -1392,7 +1392,7 @@ static void cgroup_context_apply(
                         /* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore EINVAL
                          * here. */
 
-                        if (c->device_allow || c->device_policy != CGROUP_AUTO)
+                        if (c->device_allow || c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
                                 r = cg_set_attribute("devices", path, "devices.deny", "a");
                         else
                                 r = cg_set_attribute("devices", path, "devices.allow", "a");
@@ -1401,8 +1401,8 @@ static void cgroup_context_apply(
                                               "Failed to reset devices.allow/devices.deny: %m");
                 }
 
-                if (c->device_policy == CGROUP_CLOSED ||
-                    (c->device_policy == CGROUP_AUTO && c->device_allow)) {
+                if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
+                    (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
                         static const char auto_devices[] =
                                 "/dev/null\0" "rwm\0"
                                 "/dev/zero\0" "rwm\0"
@@ -1570,7 +1570,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) {
                 mask |= CGROUP_MASK_MEMORY;
 
         if (c->device_allow ||
-            c->device_policy != CGROUP_AUTO)
+            c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
                 mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES;
 
         if (c->tasks_accounting ||
@@ -3708,9 +3708,9 @@ int compare_job_priority(const void *a, const void *b) {
 }
 
 static const char* const cgroup_device_policy_table[_CGROUP_DEVICE_POLICY_MAX] = {
-        [CGROUP_AUTO] = "auto",
-        [CGROUP_CLOSED] = "closed",
-        [CGROUP_STRICT] = "strict",
+        [CGROUP_DEVICE_POLICY_AUTO]   = "auto",
+        [CGROUP_DEVICE_POLICY_CLOSED] = "closed",
+        [CGROUP_DEVICE_POLICY_STRICT] = "strict",
 };
 
 int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name) {
index a66c70212562d6dcf053d4efac6690963c6b879d..3d4bb4142df6dd3018d71c80ccb13f6b2eff03c4 100644 (file)
@@ -18,16 +18,15 @@ typedef struct CGroupBlockIODeviceWeight CGroupBlockIODeviceWeight;
 typedef struct CGroupBlockIODeviceBandwidth CGroupBlockIODeviceBandwidth;
 
 typedef enum CGroupDevicePolicy {
-
-        /* When devices listed, will allow those, plus built-in ones,
-        if none are listed will allow everything. */
-        CGROUP_AUTO,
+        /* When devices listed, will allow those, plus built-in ones, if none are listed will allow
+         * everything. */
+        CGROUP_DEVICE_POLICY_AUTO,
 
         /* Everything forbidden, except built-in ones and listed ones. */
-        CGROUP_CLOSED,
+        CGROUP_DEVICE_POLICY_CLOSED,
 
         /* Everything forbidden, except for the listed devices */
-        CGROUP_STRICT,
+        CGROUP_DEVICE_POLICY_STRICT,
 
         _CGROUP_DEVICE_POLICY_MAX,
         _CGROUP_DEVICE_POLICY_INVALID = -1
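Review bot: The comment on `CGROUP_DEVICE_POLICY_AUTO` is re-wrapped in this hunk but is still a comma splice and leaves "built-in ones" undefined, even though this value decides whether a unit gets any device restriction at all. Since the lines are being touched anyway, I would state both cases separately, e.g. `/* If devices are listed, allow those plus the built-in set; if none are listed, allow everything. */`. It would also help to say where the built-in set lives; the `auto_devices` list visible in the cgroup.c section of this commit appears to be it, applied for CLOSED and for AUTO with a non-empty allow list. The enum's closing line is outside the hunk.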
index 5f2ca447015a52739ecf7de1be47bff212566d5b..137a110cc25ed14e8661859a01c4d85d572a231d 100644 (file)
@@ -4303,11 +4303,11 @@ int unit_patch_contexts(Unit *u) {
         if (cc && ec) {
 
                 if (ec->private_devices &&
-                    cc->device_policy == CGROUP_AUTO)
-                        cc->device_policy = CGROUP_CLOSED;
+                    cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
+                        cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
 
                 if (ec->root_image &&
-                    (cc->device_policy != CGROUP_AUTO || cc->device_allow)) {
+                    (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
 
                         /* When RootImage= is specified, the following devices are touched. */
                         r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw");