cgroups: make device cgroups semantics clearer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc · Feb 18, 2021 · 69885a7 · 69885a7
1 parent 0d450ef
commit 69885a7
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
@@ -2772,18 +2772,21 @@ static int device_cgroup_rule_parse(struct device_item *device, const char *key,
 	char temp[50];
 
 	if (strequal("devices.allow", key))
-		device->allow = 1;
+		device->allow = 1; /* allow the device */
 	else
-		device->allow = 0;
+		device->allow = 0; /* deny the device */
 
 	if (strequal(val, "a")) {
 		/* global rule */
 		device->type = 'a';
 		device->major = -1;
 		device->minor = -1;
-		device->global_rule = device->allow
-					  ? LXC_BPF_DEVICE_CGROUP_DENYLIST
-					  : LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
+
+		if (device->allow) /* allow all devices */
+			device->global_rule = LXC_BPF_DEVICE_CGROUP_DENYLIST;
+		else /* deny all devices */
+			device->global_rule = LXC_BPF_DEVICE_CGROUP_ALLOWLIST;
+
 		device->allow = -1;
 		return 0;
 	}