From 69885a7656802c2698183d5b1017c6b93c1f8e6a Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 18 Feb 2021 10:23:29 +0100
Subject: [PATCH] cgroups: make device cgroups semantics clearer
Signed-off-by: Christian Brauner
---
 src/lxc/cgroups/cgfsng.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 5382befe5..47fe69ed5 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2772,18 +2772,21 @@ static int device_cgroup_rule_parse(struct device_item *device, const char *key,
 char temp[50];
 if (strequal("devices.allow", key))
- device->allow = 1;
+ device->allow = 1; /* allow the device */
 else
- device->allow = 0;
+ device->allow = 0; /* deny the device */
 if (strequal(val, "a")) { /* global rule */
 device->type = 'a';
 device->major = -1;
 device->minor = -1;
- device->global_rule = device->allow
- ? LXC_BPF_DEVICE_CGROUP_DENYLIST
- : LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
+
+ if (device->allow) /* allow all devices */
+ device->global_rule = LXC_BPF_DEVICE_CGROUP_DENYLIST;
+ else /* deny all devices */
+ device->global_rule = LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
+
 device->allow = -1;
 return 0;
 }
-- 
2.47.2
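Review bot: The new if/else keeps the counter-intuitive mapping (an allow rule selects LXC_BPF_DEVICE_CGROUP_DENYLIST, a deny rule selects LXC_BPF_DEVICE_CGROUP_ALLOWLIST), but the comments added beside it only restate each assignment, and a future edit that "fixes" the apparent inversion would silently flip the container's default device policy from deny-all to allow-all. A why-comment above the `if (device->allow)` would prevent that, for example `/* "devices.allow a" makes allow the default, so later rules are exceptions (a denylist); "devices.deny a" is the reverse */`. The trailing `device->allow = -1;` also deserves a note, presumably it marks that for a global rule the policy is carried by global_rule rather than allow, which should be confirmed against the code that consumes device_item. The inline `/* allow the device */` and `/* deny the device */` comments add nothing the assignment does not already say and could be dropped. device_cgroup_rule_parse begins before this hunk and continues past its closing brace.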