core/cgroup: introduce cgroup_context_has_device_policy() helper
authorMike Yuan <me@yhndnzj.com>
Sat, 5 Jul 2025 21:47:06 +0000 (23:47 +0200)
committerMike Yuan <me@yhndnzj.com>
Mon, 7 Jul 2025 15:55:12 +0000 (17:55 +0200)
src/core/cgroup.c
src/core/cgroup.h
src/core/exec-credential.c
src/core/unit.c

index ca3970597221d88b55f392f5226067b4f1b59548..641523e5b1af7506c20bc5f1ee2f1f668e3cce35 100644 (file)
@@ -1720,8 +1720,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) {
             unit_has_memory_config(u))
                 mask |= CGROUP_MASK_MEMORY;
 
-        if (c->device_allow ||
-            c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
+        if (cgroup_context_has_device_policy(c))
                 mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES;
 
         if (c->tasks_accounting ||
index 413b00f5f30ea27278fdb90193181ca5e90b1a56..0934a8eb3e35e7cd7df6441fbd57d60e67868735 100644 (file)
@@ -359,6 +359,13 @@ static inline bool cgroup_context_want_memory_pressure(const CGroupContext *c) {
                 (c->memory_pressure_watch == CGROUP_PRESSURE_WATCH_AUTO && c->memory_accounting);
 }
 
+static inline bool cgroup_context_has_device_policy(const CGroupContext *c) {
+        assert(c);
+
+        return c->device_policy != CGROUP_DEVICE_POLICY_AUTO ||
+                c->device_allow;
+}
+
 int cgroup_context_add_device_allow(CGroupContext *c, const char *dev, CGroupDevicePermissions p);
 int cgroup_context_add_or_update_device_allow(CGroupContext *c, const char *dev, CGroupDevicePermissions p);
 int cgroup_context_add_bpf_foreign_program(CGroupContext *c, uint32_t attach_type, const char *path);
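Review bot: The new `cgroup_context_has_device_policy()` helper in cgroup.h carries no comment stating what it decides, although the other three hunks (cgroup.c, exec-credential.c, unit.c) now rely on it both to enable the devices and BPF-devices controllers and to decide whether device nodes are restricted, so a reader of the header cannot tell that a non-empty `device_allow` list alone is enough to return true. A one-line comment above the definition would make that contract explicit, e.g. `/* True if device access is governed by an explicit policy: device_policy is not AUTO, or at least one device_allow entry exists. Callers use this to decide whether the devices cgroup controller (and its BPF variant) must be enabled. */`. As a minor naming point, every CGroupContext has a `device_policy` field, so a name such as `cgroup_context_restricts_devices()` would read closer to what the predicate tests; the current name is acceptable if the comment is added.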
index 8f91d7c0ce14c364467b7f57fefc15abe8b0dc8e..5e2bc8edd975241d8db04631c4c1575cb1f106b1 100644 (file)
@@ -445,8 +445,7 @@ static bool device_nodes_restricted(
         if (c->private_devices)
                 return true;
 
-        if (cgroup_context->device_policy != CGROUP_DEVICE_POLICY_AUTO ||
-            cgroup_context->device_allow)
+        if (cgroup_context_has_device_policy(cgroup_context))
                 return true;
 
         return false;
index 1bacb56801d88fc64d568662b8e8653163b52c7b..9ef8ca2ed0df721160a0c0766ac01ecf57a640a0 100644 (file)
@@ -4425,7 +4425,7 @@ int unit_patch_contexts(Unit *u) {
                         cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
 
                 /* Only add these if needed, as they imply that everything else is blocked. */
-                if (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow) {
+                if (cgroup_context_has_device_policy(cc)) {
                         if (ec->root_image || ec->mount_images) {
 
                                 /* When RootImage= or MountImages= is specified, the following devices are touched. */