From: Yu Watanabe Date: Sun, 6 Apr 2025 19:43:36 +0000 (+0900) Subject: core/bpf-devices: drop cgroup v1 support X-Git-Tag: v258-rc1~812^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ff7f99db30d8860a5081a0eb299b7596fdc1239e;p=thirdparty%2Fsystemd.git core/bpf-devices: drop cgroup v1 support
---
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
index 59d31b83d4a..4393e074e96 100644
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@@ -261,11 +261,10 @@ int bpf_devices_supported(void) {
 static int supported = -1;
 int r;
 
- /* Checks whether BPF device controller is supported. For this, we check five things:
+ /* Checks whether BPF device controller is supported. For this, we check two things:
 *
 * a) whether we are privileged
- * b) whether the unified hierarchy is being used
- * c) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_DEVICE programs, which we require
+ * b) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_DEVICE programs, which we require
 */
 
 if (supported >= 0)
@@ -276,14 +275,6 @@ int bpf_devices_supported(void) {
 return supported = 0;
 }
 
- r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
- if (r < 0)
- return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
- if (r == 0) {
- log_debug("Not running with unified cgroups, BPF device control is not supported.");
- return supported = 0;
- }
-
 r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, "sd_devices", &program);
 if (r < 0) {
 log_debug_errno(r, "Can't allocate CGROUP DEVICE BPF program, BPF device control is not supported: %m");
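Review bot: bpf_devices_supported() now derives its answer from the privilege check and `bpf_program_new()` alone, but nothing in the remaining lines records that the unified hierarchy has become a precondition rather than something this probe verifies, so a reader cannot tell whether cgroup v2 is assumed or merely unchecked. A one-line comment where the removed `cg_unified_controller()` block stood would settle it: `/* The unified hierarchy is a precondition now that cgroup v1 support is gone, so it is no longer probed here. */`. The comment rewrite in the first hunk on this line ("two things") is consistent with that and needs no further change. The rest of bpf_devices_supported() lies outside the hunk.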
@@ -315,38 +306,15 @@ static int allow_list_device_pattern(
 assert(IN_SET(type, 'b', 'c'));
 
- if (cg_all_unified() > 0) {
- if (!prog)
- return 0;
-
- if (major != UINT_MAX && minor != UINT_MAX)
- return bpf_prog_allow_list_device(prog, type, major, minor, p);
- else if (major != UINT_MAX)
- return bpf_prog_allow_list_major(prog, type, major, p);
- else
- return bpf_prog_allow_list_class(prog, type, p);
-
- } else {
- char buf[2+DECIMAL_STR_MAX(unsigned)*2+2+4];
- int r;
-
- if (major != UINT_MAX && minor != UINT_MAX)
- xsprintf(buf, "%c %u:%u %s", type, major, minor, cgroup_device_permissions_to_string(p));
- else if (major != UINT_MAX)
- xsprintf(buf, "%c %u:* %s", type, major, cgroup_device_permissions_to_string(p));
- else
- xsprintf(buf, "%c *:* %s", type, cgroup_device_permissions_to_string(p));
+ if (!prog)
+ return 0;
 
- /* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore
- * EINVAL here. */
+ if (major != UINT_MAX && minor != UINT_MAX)
+ return bpf_prog_allow_list_device(prog, type, major, minor, p);
+ if (major != UINT_MAX)
+ return bpf_prog_allow_list_major(prog, type, major, p);
 
- r = cg_set_attribute("devices", path, "devices.allow", buf);
- if (r < 0)
- log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES, -EPERM) ? LOG_DEBUG : LOG_WARNING,
- r, "Failed to set devices.allow on %s: %m", path);
-
- return r;
- }
+ return bpf_prog_allow_list_class(prog, type, p);
 }
 
 int bpf_devices_allow_list_device(
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index da7c816338e..566054be837 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
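Review bot: `path` appears to be a parameter of allow_list_device_pattern() that only the removed legacy branch used (`cg_set_attribute("devices", path, ...)` and the log line beneath it), and the new body never references it, so it is now dead weight; the signature is outside the hunk, so either drop the parameter there and at the call sites, or mark it unused if it has to stay for interface reasons rather than leaving it silently ignored. The retained `if (!prog) return 0;` is now the sole guard in the function and deserves a comment stating why a missing program counts as success, e.g. `/* No BPF program to add to: nothing to do, report success. */`. The enclosing function's header is outside the hunk.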
@@ -1645,23 +1645,9 @@ static int cgroup_apply_devices(Unit *u) {
 policy = c->device_policy;
 
- if (cg_all_unified() > 0) {
- r = bpf_devices_cgroup_init(&prog, policy, c->device_allow);
- if (r < 0)
- return log_unit_warning_errno(u, r, "Failed to initialize device control bpf program: %m");
-
- } else {
- /* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore
- * EINVAL here. */
-
- if (c->device_allow || policy != CGROUP_DEVICE_POLICY_AUTO)
- r = cg_set_attribute("devices", crt->cgroup_path, "devices.deny", "a");
- else
- r = cg_set_attribute("devices", crt->cgroup_path, "devices.allow", "a");
- if (r < 0)
- log_unit_full_errno(u, IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES, -EPERM) ? LOG_DEBUG : LOG_WARNING, r,
- "Failed to reset devices.allow/devices.deny: %m");
- }
+ r = bpf_devices_cgroup_init(&prog, policy, c->device_allow);
+ if (r < 0)
+ return log_unit_warning_errno(u, r, "Failed to initialize device control bpf program: %m");
 
 bool allow_list_static = policy == CGROUP_DEVICE_POLICY_CLOSED || (policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow);
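Review bot: The early `return log_unit_warning_errno(...)` after `bpf_devices_cgroup_init()` is now the only outcome when the device program cannot be built, whereas the removed legacy branch logged and carried on, and nothing on the new side states what that means for the unit's device policy, which as far as the hunk shows is simply not applied. A comment above the call would make the intent explicit, e.g. `/* Without a program no device policy can be applied; bail out and leave the decision to the caller. */`. The removed lines were also the only visible users of `crt->cgroup_path` in this hunk; if `crt` has no remaining use in cgroup_apply_devices() its lookup can go too, but its declaration and the rest of the function are outside the hunk.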