cgroups: improve bpf device program management

src/lxc/cgroups/cgfsng.c

@@ -3204,48 +3204,18 @@ __cgfsng_ops static bool cgfsng_devices_activate(struct cgroup_ops *ops, struct
 	if (ret)
 		return log_error_errno(false, ENOMEM, "Failed to initialize bpf program");
 
-	/* First pass, determine whether this is an allow- or denylist. */
-	lxc_list_for_each (it, &conf->devices) {
-		struct device_item *cur = it->elem;
-
-		if (cur->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE)
-			prog->device_list_type = cur->global_rule;
-	}
+	bpf_device_set_type(prog, &conf->devices);
+	TRACE("Device bpf %s all devices by default",
+	      bpf_device_block_all(prog) ? "blocks" : "allows");
 
 	lxc_list_for_each(it, &conf->devices) {
 		struct device_item *cur = it->elem;
 
-		/* Nothing to be done. */
-		if (cur->global_rule > LXC_BPF_DEVICE_CGROUP_LOCAL_RULE)
+		if (!bpf_device_add(prog, cur)) {
+			TRACE("Skipping type %c, major %d, minor %d, access %s, allow %d",
+			      cur->type, cur->major, cur->minor, cur->access,
+			      cur->allow);
 			continue;
-
-		switch (prog->device_list_type) {
-		case LXC_BPF_DEVICE_CGROUP_ALLOWLIST:
-			/* We're denying all devices so skip individual deny rules. */
-			if (!cur->allow) {
-				TRACE("Skipping deny rule in denylist bpf device program: type %c, major %d, minor %d, access %s, allow %d",
-				      cur->type,
-				      cur->major,
-				      cur->minor,
-				      cur->access,
-				      cur->allow);
-				continue;
-			}
-
-			break;
-		case LXC_BPF_DEVICE_CGROUP_DENYLIST:
-			/* We're allowing all devices so skip individual allow rules. */
-			if (cur->allow) {
-				TRACE("Skipping allow rule in allow bpf device program: type %c, major %d, minor %d, access %s, allow %d",
-				      cur->type,
-				      cur->major,
-				      cur->minor,
-				      cur->access,
-				      cur->allow);
-				continue;
-			}
-
-			break;
 		}
 
 		ret = bpf_program_append_device(prog, cur);