use O_PATH when getting cgroup fd

O_PATH mode is enough to attach a bpf program to a cgroup, use it
instead of O_RDONLY

diff --git a/src/core/bpf-restrict-ifaces.c b/src/core/bpf-restrict-ifaces.c
index 64d8d1a7e5b24ad15a1340351a66c3aa23da736a..a39f4895f2b6f59ee7c604bbdde18537496506de 100644 (file)
--- a/src/core/bpf-restrict-ifaces.c
+++ b/src/core/bpf-restrict-ifaces.c
@@ -128,7 +128,7 @@ static int restrict_ifaces_install_impl(Unit *u) {
         if (r < 0)
                 return r;
 
-        cgroup_fd = open(cgroup_path, O_RDONLY | O_CLOEXEC | O_DIRECTORY, 0);
+        cgroup_fd = open(cgroup_path, O_PATH | O_CLOEXEC | O_DIRECTORY, 0);
         if (cgroup_fd < 0)
                 return -errno;