From 239afa597167de0f049f87dfa2e144a1610b33a2 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Mon, 21 Apr 2025 16:55:34 +0200
Subject: [PATCH] core/cgroup: actually apply BPF everywhere

Follow-up for f1c5534eb61a1abcac62d67d57ef2f0715073819

The previous logic was an OR, i.e. as long as we're running in unified mode BPF is applied. The offending commit spuriously excluded local root.

While at it, remove check for cgv1 CGROUP_MASK_DEVICES controller.
---
 src/core/cgroup.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 30929ef5ebc..5383d9d4000 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1817,11 +1817,6 @@ static void cgroup_context_apply(
                 (void) set_attribute_and_warn(u, "memory", "memory.zswap.writeback", one_zero(c->memory_zswap_writeback));
         }
 
-        /* On cgroup v2 we can apply BPF everywhere. */
-        if ((apply_mask & (CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES)) &&
-            (is_host_root || !is_local_root))
-                (void) cgroup_apply_devices(u);
-
         if (apply_mask & CGROUP_MASK_PIDS) {
 
                 if (is_host_root) {
@@ -1863,6 +1858,10 @@ static void cgroup_context_apply(
                 }
         }
 
+        /* On cgroup v2 we can apply BPF everywhere. */
+        if (apply_mask & CGROUP_MASK_BPF_DEVICES)
+                (void) cgroup_apply_devices(u);
+
         if (apply_mask & CGROUP_MASK_BPF_FIREWALL)
                 cgroup_apply_firewall(u);
 
-- 
2.47.3
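Review bot: The re-added comment `/* On cgroup v2 we can apply BPF everywhere. */` in the second hunk no longer describes the condition under it, which now tests only `CGROUP_MASK_BPF_DEVICES` and neither the cgroup version nor the `is_host_root`/`is_local_root` flags, so a reader cannot tell from this spot why dropping the root guard is safe. Suggest stating the invariant the code now relies on, e.g. `/* BPF device filtering is applied to every unit, including the local root: whether it is wanted at all is decided where CGROUP_MASK_BPF_DEVICES is put into apply_mask, not here. */`, assuming that is indeed where the unified-mode decision lives (it is outside this hunk). Because device access control is a security boundary, it is also worth a one-line note that the legacy `CGROUP_MASK_DEVICES` controller is intentionally no longer dispatched from this site, so the removed check is not reintroduced later as a "fix". cgroup_context_apply starts and ends outside both hunks.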