core: also split out helper to handle static device nodes

keszybz · keszybz · commit a9aac7d8dd89 · 2019-11-10T23:22:15.000+01:00
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
@@ -7,6 +7,7 @@
 #include "bpf-program.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "nulstr-util.h"
 #include "parse-util.h"
 #include "stat-util.h"
 #include "stdio-util.h"
@@ -417,3 +418,32 @@ int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *
 
         return 0;
 }
+
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path) {
+        static const char auto_devices[] =
+                "/dev/null\0" "rwm\0"
+                "/dev/zero\0" "rwm\0"
+                "/dev/full\0" "rwm\0"
+                "/dev/random\0" "rwm\0"
+                "/dev/urandom\0" "rwm\0"
+                "/dev/tty\0" "rwm\0"
+                "/dev/ptmx\0" "rwm\0"
+                /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
+                "/run/systemd/inaccessible/chr\0" "rwm\0"
+                "/run/systemd/inaccessible/blk\0" "rwm\0";
+        int r = 0, k;
+
+        const char *node, *acc;
+        NULSTR_FOREACH_PAIR(node, acc, auto_devices) {
+                k = bpf_devices_whitelist_device(prog, path, node, acc);
+                if (r >= 0 && k < 0)
+                        r = k;
+        }
+
+        /* PTS (/dev/pts) devices may not be duplicated, but accessed */
+        k = bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
+        if (r >= 0 && k < 0)
+                r = k;
+
+        return r;
+}
diff --git a/src/core/bpf-devices.h b/src/core/bpf-devices.h
@@ -13,3 +13,4 @@ int bpf_devices_apply_policy(Unit *u, BPFProgram *prog, CGroupDevicePolicy polic
 int bpf_devices_supported(void);
 int bpf_devices_whitelist_device(BPFProgram *prog, const char *path, const char *node, const char *acc);
 int bpf_devices_whitelist_major(BPFProgram *prog, const char *path, const char *name, char type, const char *acc);
+int bpf_devices_whitelist_static(BPFProgram *prog, const char *path);
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
@@ -16,7 +16,6 @@
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
-#include "nulstr-util.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
@@ -1254,26 +1253,8 @@ static void cgroup_context_apply(
                 }
 
                 if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
-                    (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
-                        static const char auto_devices[] =
-                                "/dev/null\0" "rwm\0"
-                                "/dev/zero\0" "rwm\0"
-                                "/dev/full\0" "rwm\0"
-                                "/dev/random\0" "rwm\0"
-                                "/dev/urandom\0" "rwm\0"
-                                "/dev/tty\0" "rwm\0"
-                                "/dev/ptmx\0" "rwm\0"
-                                /* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
-                                "/run/systemd/inaccessible/chr\0" "rwm\0"
-                                "/run/systemd/inaccessible/blk\0" "rwm\0";
-
-                        const char *node, *acc;
-                        NULSTR_FOREACH_PAIR(node, acc, auto_devices)
-                                (void) bpf_devices_whitelist_device(prog, path, node, acc);
-
-                        /* PTS (/dev/pts) devices may not be duplicated, but accessed */
-                        (void) bpf_devices_whitelist_major(prog, path, "pts", 'c', "rw");
-                }
+                    (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow))
+                        (void) bpf_devices_whitelist_static(prog, path);
 
                 LIST_FOREACH(device_allow, a, c->device_allow) {
                         char acc[4], *val;
