#include "bpf-program.h"
#include "fd-util.h"
#include "fileio.h"
+#include "nulstr-util.h"
#include "parse-util.h"
#include "stat-util.h"
#include "stdio-util.h"
return 0;
}
+
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path) {
+ static const char auto_devices[] =
+ "/dev/null\0" "rwm\0"
+ "/dev/zero\0" "rwm\0"
+ "/dev/full\0" "rwm\0"
+ "/dev/random\0" "rwm\0"
+ "/dev/urandom\0" "rwm\0"
+ "/dev/tty\0" "rwm\0"
+ "/dev/ptmx\0" "rwm\0"
+ /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+ "/run/systemd/inaccessible/chr\0" "rwm\0"
+ "/run/systemd/inaccessible/blk\0" "rwm\0";
+ int r = 0, k;
+
+ const char *node, *acc;
+ NULSTR_FOREACH_PAIR(node, acc, auto_devices) {
+ k = bpf_devices_whitelist_device(prog, path, node, acc);
+ if (r >= 0 && k < 0)
+ r = k;
+ }
+
+ /* PTS (/dev/pts) devices may not be duplicated, but accessed */
+ k = bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
+ if (r >= 0 && k < 0)
+ r = k;
+
+ return r;
+}
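Review bot: The first-error value that bpf_devices_whitelist_static accumulates in `r` is never observed, because the only caller visible in this commit discards it with `(void) bpf_devices_whitelist_static(prog, path);` at L73 in cgroup.c, so the `r >= 0 && k < 0` bookkeeping in this hunk changes no behaviour yet. If the intent is to let a caller react when one of the fixed device nodes cannot be whitelisted (which leaves the cgroup policy more restrictive than configured), the call site should pick the result up and log or propagate it; I cannot tell from the hunk whether the two helpers already log on failure, so the caller's handling may only need to be a debug message. The declaration added at L42 also carries no comment; a one-liner such as `/* Whitelists the fixed set of device nodes used under the closed/auto device policies; keeps going past failures and returns the first error. */` would document the continue-and-report-first-error contract the body implements.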
int bpf_devices_supported(void);
int bpf_devices_whitelist_device(BPFProgram *prog, const char *path, const char *node, const char *acc);
int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *name, char type, const char *acc);
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path);
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
-#include "nulstr-util.h"
#include "parse-util.h"
#include "path-util.h"
#include "process-util.h"
}
if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
- (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
- static const char auto_devices[] =
- "/dev/null\0" "rwm\0"
- "/dev/zero\0" "rwm\0"
- "/dev/full\0" "rwm\0"
- "/dev/random\0" "rwm\0"
- "/dev/urandom\0" "rwm\0"
- "/dev/tty\0" "rwm\0"
- "/dev/ptmx\0" "rwm\0"
- /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
- "/run/systemd/inaccessible/chr\0" "rwm\0"
- "/run/systemd/inaccessible/blk\0" "rwm\0";
-
- const char *node, *acc;
- NULSTR_FOREACH_PAIR(node, acc, auto_devices)
- (void) bpf_devices_whitelist_device(prog, path, node, acc);
-
- /* PTS (/dev/pts) devices may not be duplicated, but accessed */
- (void) bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
- }
+ (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow))
+ (void) bpf_devices_whitelist_static(prog, path);
LIST_FOREACH(device_allow, a, c->device_allow) {
char acc[4], *val;