From: Mike Yuan
Date: Mon, 21 Apr 2025 14:55:34 +0000 (+0200)
Subject: core/cgroup: actually apply BPF everywhere
X-Git-Tag: v258-rc1~769
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=239afa597167de0f049f87dfa2e144a1610b33a2;p=thirdparty%2Fsystemd.git

core/cgroup: actually apply BPF everywhere

Follow-up for f1c5534eb61a1abcac62d67d57ef2f0715073819 The previous logic was an OR, i.e. as long as we're running in unified mode BPF is applied. The offending commit spuriously excluded local root. While at it, remove check for cgv1 CGROUP_MASK_DEVICES controller.
---
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 30929ef5ebc..5383d9d4000 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1817,11 +1817,6 @@ static void cgroup_context_apply(
 (void) set_attribute_and_warn(u, "memory", "memory.zswap.writeback", one_zero(c->memory_zswap_writeback));
 }
 
- /* On cgroup v2 we can apply BPF everywhere. */
- if ((apply_mask & (CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES)) &&
- (is_host_root || !is_local_root))
- (void) cgroup_apply_devices(u);
-
 if (apply_mask & CGROUP_MASK_PIDS) {
 
 if (is_host_root) {
@@ -1863,6 +1858,10 @@ static void cgroup_context_apply(
 }
 }
 
+ /* On cgroup v2 we can apply BPF everywhere. */
+ if (apply_mask & CGROUP_MASK_BPF_DEVICES)
+ (void) cgroup_apply_devices(u);
+
 if (apply_mask & CGROUP_MASK_BPF_FIREWALL)
 cgroup_apply_firewall(u);
 
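Review bot: The new guard in the second hunk no longer tests for unified mode or for the root flags, so the comment `/* On cgroup v2 we can apply BPF everywhere. */` now only holds if CGROUP_MASK_BPF_DEVICES is never set in apply_mask outside cgroup v2; that is presumably established where the mask is computed, which is outside this hunk. Suggest making the dependency explicit, e.g. `/* CGROUP_MASK_BPF_DEVICES is only ever set on cgroup v2, where the device policy can be applied to every cgroup, including the local root. */`. Since the device policy is an access-control boundary and the result is discarded with `(void)` here, the comment could also note that cgroup_apply_devices() reports failures itself, if that is the case. The enclosing cgroup_context_apply() starts and ends outside both hunks.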