From: Christian Brauner Date: Thu, 18 Feb 2021 09:39:39 +0000 (+0100) Subject: cgroups: improve bpf device program management X-Git-Tag: lxc-5.0.0~278^2~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=413e074bbe425037f1cd7ec4072cb6ac9831ddc0;p=thirdparty%2Flxc.git cgroups: improve bpf device program management Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 456f15cc0..3c33c964e 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -3206,48 +3206,18 @@ __cgfsng_ops static bool cgfsng_devices_activate(struct cgroup_ops *ops, struct
 if (ret)
 return log_error_errno(false, ENOMEM, "Failed to initialize bpf program");
 
- /* First pass, determine whether this is an allow- or denylist. */
- lxc_list_for_each (it, &conf->devices) {
- struct device_item *cur = it->elem;
-
- if (cur->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE)
- prog->device_list_type = cur->global_rule;
- }
+ bpf_device_set_type(prog, &conf->devices);
+ TRACE("Device bpf %s all devices by default",
+ bpf_device_block_all(prog) ? "blocks" : "allows");
 
 lxc_list_for_each(it, &conf->devices) {
 struct device_item *cur = it->elem;
 
- /* Nothing to be done. */
- if (cur->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE)
+ if (!bpf_device_add(prog, cur)) {
+ TRACE("Skipping type %c, major %d, minor %d, access %s, allow %d",
+ cur->type, cur->major, cur->minor, cur->access,
+ cur->allow);
 continue;
-
- switch (prog->device_list_type) {
- case LXC_BPF_DEVICE_CGROUP_ALLOWLIST:
- /* We're denying all devices so skip individual deny rules. */
- if (!cur->allow) {
- TRACE("Skipping deny rule in denylist bpf device program: type %c, major %d, minor %d, access %s, allow %d",
- cur->type,
- cur->major,
- cur->minor,
- cur->access,
- cur->allow);
- continue;
- }
-
- break;
- case LXC_BPF_DEVICE_CGROUP_DENYLIST:
- /* We're allowing all devices so skip individual allow rules. */
- if (cur->allow) {
- TRACE("Skipping allow rule in allow bpf device program: type %c, major %d, minor %d, access %s, allow %d",
- cur->type,
- cur->major,
- cur->minor,
- cur->access,
- cur->allow);
- continue;
- }
-
- break;
 }
 
 ret = bpf_program_append_device(prog, cur);
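Review bot: The single boolean from `bpf_device_add(prog, cur)` makes a redundant rule and a rule that could not be added indistinguishable at the `continue` — both are skipped, and the new TRACE no longer records which case applied, whereas the removed code logged "deny rule in denylist" versus "allow rule in allow program" explicitly. If bpf_device_add can return false for any reason other than the rule being redundant for the list type (its body is not in this hunk), a deny rule dropped this way in a program that `bpf_device_block_all(prog)` reports as allowing everything by default would silently widen the device set the container can open. I would either have the helper return a tri-state (error / skipped / added) and treat error like the existing `log_error_errno` path, or pin the contract at the call site with `/* false only means the rule is redundant for the list type and is intentionally dropped; it is never an error */`. The TRACE could also include `bpf_device_block_all(prog) ? "denylist" : "allowlist"` so skipped rules stay attributable when debugging an unexpectedly reachable device. cgfsng_devices_activate begins before this hunk and continues after it.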