From f3393148a52d2b98a41e403d7316e8686ce61594 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Sat, 5 Jul 2025 23:47:06 +0200
Subject: [PATCH] core/cgroup: introduce cgroup_context_has_device_policy() helper
---
 src/core/cgroup.c | 3 +--
 src/core/cgroup.h | 7 +++++++
 src/core/exec-credential.c | 3 +--
 src/core/unit.c | 2 +-
 4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index ca397059722..641523e5b1a 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1720,8 +1720,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) {
 unit_has_memory_config(u))
 mask |= CGROUP_MASK_MEMORY;
- if (c->device_allow ||
- c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
+ if (cgroup_context_has_device_policy(c))
 mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES;
 if (c->tasks_accounting ||
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index 413b00f5f30..0934a8eb3e3 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -359,6 +359,13 @@ static inline bool cgroup_context_want_memory_pressure(const CGroupContext *c) {
 (c->memory_pressure_watch == CGROUP_PRESSURE_WATCH_AUTO && c->memory_accounting);
 }
+static inline bool cgroup_context_has_device_policy(const CGroupContext *c) {
+ assert(c);
+
+ return c->device_policy != CGROUP_DEVICE_POLICY_AUTO ||
+ c->device_allow;
+}
+
 int cgroup_context_add_device_allow(CGroupContext *c, const char *dev, CGroupDevicePermissions p);
 int cgroup_context_add_or_update_device_allow(CGroupContext *c, const char *dev, CGroupDevicePermissions p);
 int cgroup_context_add_bpf_foreign_program(CGroupContext *c, uint32_t attach_type, const char *path);
diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
index 8f91d7c0ce1..5e2bc8edd97 100644
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c 
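Review bot: The new cgroup_context_has_device_policy() helper in cgroup.h carries no comment, and its name alone does not say that a non-empty DeviceAllow= list counts as "having a device policy" even when DevicePolicy= is still "auto". The two callers in this patch read it differently — cgroup.c uses it to decide whether the devices/BPF-devices controller must be enabled, exec-credential.c uses it as a "device nodes are restricted" predicate — so the contract deserves one line above the declaration, e.g. `/* True if the unit configures any device access restriction: DevicePolicy= other than "auto", or at least one DeviceAllow= entry. Callers rely on this to know the device controller (and its BPF program) will be set up. */`. The operand order is swapped relative to the old inline check in cgroup.c, which is harmless since both reads are side-effect free.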
@@ -445,8 +445,7 @@ static bool device_nodes_restricted(
 if (c->private_devices)
 return true;
- if (cgroup_context->device_policy != CGROUP_DEVICE_POLICY_AUTO ||
- cgroup_context->device_allow)
+ if (cgroup_context_has_device_policy(cgroup_context))
 return true;
 return false;
diff --git a/src/core/unit.c b/src/core/unit.c
index 1bacb56801d..9ef8ca2ed0d 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4425,7 +4425,7 @@ int unit_patch_contexts(Unit *u) {
 cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
 /* Only add these if needed, as they imply that everything else is blocked. */
- if (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow) {
+ if (cgroup_context_has_device_policy(cc)) {
 if (ec->root_image || ec->mount_images) {
 /* When RootImage= or MountImages= is specified, the following devices are touched. */
-- 
2.47.3
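Review bot: Now that the cgroup half of the condition is a single call, device_nodes_restricted() is two guard clauses that both `return true` followed by `return false`, which reads more directly as one boolean expression: `return c->private_devices || cgroup_context_has_device_policy(cgroup_context);`. Behavior is identical, and it makes the "restricted" predicate visibly the disjunction of the ExecContext and CGroupContext restrictions. The function's signature and asserts begin above the hunk and its closing brace lies below it.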
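Review bot: The new `if (cgroup_context_has_device_policy(cc))` in unit_patch_contexts() is only correct because it runs after the preceding `cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;` assignment (whose condition sits above the hunk, presumably the PrivateDevices= handling); if that patching were reordered below it, the RootImage=/MountImages= device-allow entries added inside this block would silently be skipped for such units. A short comment on the new line would pin that ordering, e.g. `/* Must come after the policy patching above, which may have switched "auto" to "closed". */`. The enclosing if block continues past the end of the hunk.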