core/cgroup: actually apply BPF everywhere
authorMike Yuan <me@yhndnzj.com>
Mon, 21 Apr 2025 14:55:34 +0000 (16:55 +0200)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Mon, 21 Apr 2025 23:45:39 +0000 (08:45 +0900)
Follow-up for f1c5534eb61a1abcac62d67d57ef2f0715073819

The previous logic was an OR, i.e. as long as we're running
in unified mode, BPF is applied. The offending commit
spuriously excluded local root.

While at it, remove check for cgv1 CGROUP_MASK_DEVICES controller.

src/core/cgroup.c

index 30929ef5ebc554e02439dba7b4ec575e4a622702..5383d9d40001bdcbcd45a9da0d48e28b580d2b31 100644 (file)
@@ -1817,11 +1817,6 @@ static void cgroup_context_apply(
                 (void) set_attribute_and_warn(u, "memory", "memory.zswap.writeback", one_zero(c->memory_zswap_writeback));
         }
 
-        /* On cgroup v2 we can apply BPF everywhere. */
-        if ((apply_mask & (CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES)) &&
-            (is_host_root || !is_local_root))
-                (void) cgroup_apply_devices(u);
-
         if (apply_mask & CGROUP_MASK_PIDS) {
 
                 if (is_host_root) {
@@ -1863,6 +1858,10 @@ static void cgroup_context_apply(
                 }
         }
 
+        /* On cgroup v2 we can apply BPF everywhere. */
+        if (apply_mask & CGROUP_MASK_BPF_DEVICES)
+                (void) cgroup_apply_devices(u);
+
         if (apply_mask & CGROUP_MASK_BPF_FIREWALL)
                 cgroup_apply_firewall(u);