core: also split out helper to handle static device nodes
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 8 Nov 2019 15:09:28 +0000 (16:09 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sun, 10 Nov 2019 22:22:15 +0000 (23:22 +0100)
src/core/bpf-devices.c
src/core/bpf-devices.h
src/core/cgroup.c

index 41b751b83a45a00c8a162475fa4ffea6a6061f2d..dd38a61981929e68b7b0f590914326d233ed7692 100644 (file)
@@ -7,6 +7,7 @@
 #include "bpf-program.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "nulstr-util.h"
 #include "parse-util.h"
 #include "stat-util.h"
 #include "stdio-util.h"
@@ -417,3 +418,32 @@ int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *
 
         return 0;
 }
+
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path) {
+        static const char auto_devices[] =
+                "/dev/null\0" "rwm\0"
+                "/dev/zero\0" "rwm\0"
+                "/dev/full\0" "rwm\0"
+                "/dev/random\0" "rwm\0"
+                "/dev/urandom\0" "rwm\0"
+                "/dev/tty\0" "rwm\0"
+                "/dev/ptmx\0" "rwm\0"
+                /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+                "/run/systemd/inaccessible/chr\0" "rwm\0"
+                "/run/systemd/inaccessible/blk\0" "rwm\0";
+        int r = 0, k;
+
+        const char *node, *acc;
+        NULSTR_FOREACH_PAIR(node, acc, auto_devices) {
+                k = bpf_devices_whitelist_device(prog, path, node, acc);
+                if (r >= 0 && k < 0)
+                        r = k;
+        }
+
+        /* PTS (/dev/pts) devices may not be duplicated, but accessed */
+        k = bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
+        if (r >= 0 && k < 0)
+                r = k;
+
+        return r;
+}
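Review bot: The new exported function bpf_devices_whitelist_static() carries no comment stating its contract, and the shape of the loop at lines 40-49 makes that contract non-obvious: it keeps going after a failed bpf_devices_whitelist_device() call, still attempts the "pts" major entry, and returns only the first negative code, so a negative result still means a partial whitelist was installed. Suggest a header comment above line 25 along the lines of `/* Whitelist the static device nodes every unit under a closed/auto device policy gets (plus the pts major). Continues past failures so the remaining entries are still added; returns the first error seen, or 0. */`. The sole caller in this commit (cgroup.c) discards the return value with `(void)`, so whether these failures are reported at all depends on logging inside bpf_devices_whitelist_device()/bpf_devices_whitelist_major(), which is outside the hunk; stating that in the comment would save the next caller from re-reading the helpers.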
index 744d5f8fa008febbc2b8444c46094e574c4a4b4a..cd5f074bba28b8c5f34fc36cebd8bf993b9ca4b4 100644 (file)
@@ -13,3 +13,4 @@ int bpf_devices_apply_policy(Unit *u, BPFProgram *prog, CGroupDevicePolicy polic
 int bpf_devices_supported(void);
 int bpf_devices_whitelist_device(BPFProgram *prog, const char *path, const char *node, const char *acc);
 int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *name, char type, const char *acc);
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path);
index 9857a6877005778d0b7bb6e4657ee75114e345ca..475e7df23f0cf92c70d5a36923e92584200a2d73 100644 (file)
@@ -16,7 +16,6 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
-#include "nulstr-util.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
@@ -1254,26 +1253,8 @@ static void cgroup_context_apply(
                 }
 
                 if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
-                    (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
-                        static const char auto_devices[] =
-                                "/dev/null\0" "rwm\0"
-                                "/dev/zero\0" "rwm\0"
-                                "/dev/full\0" "rwm\0"
-                                "/dev/random\0" "rwm\0"
-                                "/dev/urandom\0" "rwm\0"
-                                "/dev/tty\0" "rwm\0"
-                                "/dev/ptmx\0" "rwm\0"
-                                /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
-                                "/run/systemd/inaccessible/chr\0" "rwm\0"
-                                "/run/systemd/inaccessible/blk\0" "rwm\0";
-
-                        const char *node, *acc;
-                        NULSTR_FOREACH_PAIR(node, acc, auto_devices)
-                                (void) bpf_devices_whitelist_device(prog, path, node, acc);
-
-                        /* PTS (/dev/pts) devices may not be duplicated, but accessed */
-                        (void) bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
-                }
+                    (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow))
+                        (void) bpf_devices_whitelist_static(prog, path);
 
                 LIST_FOREACH(device_allow, a, c->device_allow) {
                         char acc[4], *val;
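Review bot: At line 93 the aggregated error code that bpf_devices_whitelist_static() now returns is thrown away with `(void)`, so a failure to install part of the static device whitelist leaves the unit with a narrower device policy than configured without any trace at this call site; since the old code discarded each call individually this is not a regression, but the helper was written to collect the first error, and nothing consumes it. If the callees already log their own failures, a debug-level message here is enough; otherwise something like `r = bpf_devices_whitelist_static(prog, path); if (r < 0) log_unit_warning_errno(u, r, "Failed to whitelist static device nodes: %m");` would surface it, assuming the Unit *u parameter of cgroup_context_apply() and a local `r` are in scope (the function starts and ends outside the hunk). As a point of style, dropping the braces at lines 91-93 leaves a two-line condition with an unbraced body; keeping the braces would make the statement boundary easier to see when the next entry is added.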