cgroups: make device cgroups semantics clearer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: make device cgroups semantics clearer
7708e2d2 · Christian Brauner · 9b7d34a2 · 7708e2d2
Unverified Commit 7708e2d2 authored Feb 18, 2021 by Christian Brauner
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 5 deletions

cgfsng.c src/lxc/cgroups/cgfsng.c +8 -5

No files found.
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2770,18 +2770,21 @@ static int device_cgroup_rule_parse(struct device_item *device, const char *key,
 	char temp[50];
 	if (strequal("devices.allow", key))
-		device->allow = 1;
+		device->allow = 1; /* allow the device */
 	else
-		device->allow = 0;
+		device->allow = 0; /* deny the device */
 	if (strequal(val, "a")) {
 		/* global rule */
 		device->type = 'a';
 		device->major = -1;
 		device->minor = -1;
-		device->global_rule = device->allow
-					  ? LXC_BPF_DEVICE_CGROUP_DENYLIST
+		if (device->allow) /* allow all devices */
-					  : LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
+			device->global_rule = LXC_BPF_DEVICE_CGROUP_DENYLIST;
+		else /* deny all devices */
+			device->global_rule = LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
 		device->allow = -1;
 		return 0;
 	}