char temp[50];
if (strequal("devices.allow", key))
- device->allow = 1;
+ device->allow = 1; /* allow the device */
else
- device->allow = 0;
+ device->allow = 0; /* deny the device */
if (strequal(val, "a")) {
/* global rule */
device->type = 'a';
device->major = -1;
device->minor = -1;
- device->global_rule = device->allow
- ? LXC_BPF_DEVICE_CGROUP_DENYLIST
- : LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
+
+ if (device->allow) /* allow all devices */
+ device->global_rule = LXC_BPF_DEVICE_CGROUP_DENYLIST;
+ else /* deny all devices */
+ device->global_rule = LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
+
device->allow = -1;
return 0;
}
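Review bot: The two comments added at the `global_rule` assignment read as the opposite of the constants beside them: `/* allow all devices */` sits next to `LXC_BPF_DEVICE_CGROUP_DENYLIST` and `/* deny all devices */` next to `LXC_BPF_DEVICE_CGROUP_ALLOWLIST`. Presumably each constant names the kind of list that later per-device rules form on top of the global default, but nothing visible here says so, and someone auditing the default device policy could take this for an inverted condition. I would spell the relationship out, e.g. `/* allow all devices: later rules act as deny entries */` and `/* deny all devices: later rules act as allow entries */`, and add a one-line comment on `device->allow = -1;` explaining why the flag is reset once the global rule is recorded. The enclosing function starts and ends outside this hunk, so the wording should be checked against the enum's definition before it is committed.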