core: rename CGROUP_AUTO/STRICT/CLOSED to CGROUP_DEVICE_POLICY_…

The old names were very generic, and when used without context it wasn't at all clear that they are about the devices policy.
2025-01-06 13:17:44 +03:00 · 2019-11-08 15:12:23 +01:00 · 2019-11-08 15:12:23 +01:00 · 084870f9c0
commit 084870f9c0
parent 77abd02985
4 changed files with 18 additions and 19 deletions
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@ -132,14 +132,14 @@ int cgroup_init_device_bpf(BPFProgram **ret, CGroupDevicePolicy policy, bool whi

        assert(ret);

-        if (policy == CGROUP_AUTO && !whitelist)
+        if (policy == CGROUP_DEVICE_POLICY_AUTO && !whitelist)
                return 0;

        r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog);
        if (r < 0)
                return log_error_errno(r, "Loading device control BPF program failed: %m");

-        if (policy == CGROUP_CLOSED || whitelist) {
+        if (policy == CGROUP_DEVICE_POLICY_CLOSED || whitelist) {
                r = bpf_program_add_instructions(prog, pre_insn, ELEMENTSOF(pre_insn));
                if (r < 0)
                        return log_error_errno(r, "Extending device control BPF program failed: %m");
@ -160,7 +160,7 @@ int cgroup_apply_device_bpf(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy
                return 0;
        }

-        const bool deny_everything = policy == CGROUP_STRICT && !whitelist;
+        const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !whitelist;

        const struct bpf_insn post_insn[] = {
                /* return DENY */
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@ -1392,7 +1392,7 @@ static void cgroup_context_apply(
                        /* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore EINVAL
                         * here. */

-                        if (c->device_allow || c->device_policy != CGROUP_AUTO)
+                        if (c->device_allow || c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
                                r = cg_set_attribute("devices", path, "devices.deny", "a");
                        else
                                r = cg_set_attribute("devices", path, "devices.allow", "a");
@ -1401,8 +1401,8 @@ static void cgroup_context_apply(
                                              "Failed to reset devices.allow/devices.deny: %m");
                }

-                if (c->device_policy == CGROUP_CLOSED ||
-                    (c->device_policy == CGROUP_AUTO && c->device_allow)) {
+                if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
+                    (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
                        static const char auto_devices[] =
                                "/dev/null\0" "rwm\0"
                                "/dev/zero\0" "rwm\0"
@ -1570,7 +1570,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) {
                mask |= CGROUP_MASK_MEMORY;

        if (c->device_allow ||
-            c->device_policy != CGROUP_AUTO)
+            c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
                mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES;

        if (c->tasks_accounting ||
@ -3708,9 +3708,9 @@ int compare_job_priority(const void *a, const void *b) {
 }

 static const char* const cgroup_device_policy_table[_CGROUP_DEVICE_POLICY_MAX] = {
-        [CGROUP_AUTO] = "auto",
-        [CGROUP_CLOSED] = "closed",
-        [CGROUP_STRICT] = "strict",
+        [CGROUP_DEVICE_POLICY_AUTO]   = "auto",
+        [CGROUP_DEVICE_POLICY_CLOSED] = "closed",
+        [CGROUP_DEVICE_POLICY_STRICT] = "strict",
 };

 int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name) {
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@ -18,16 +18,15 @@ typedef struct CGroupBlockIODeviceWeight CGroupBlockIODeviceWeight;
 typedef struct CGroupBlockIODeviceBandwidth CGroupBlockIODeviceBandwidth;

 typedef enum CGroupDevicePolicy {
-
-        /* When devices listed, will allow those, plus built-in ones,
-        if none are listed will allow everything. */
-        CGROUP_AUTO,
+        /* When devices listed, will allow those, plus built-in ones, if none are listed will allow
+         * everything. */
+        CGROUP_DEVICE_POLICY_AUTO,

        /* Everything forbidden, except built-in ones and listed ones. */
-        CGROUP_CLOSED,
+        CGROUP_DEVICE_POLICY_CLOSED,

        /* Everything forbidden, except for the listed devices */
-        CGROUP_STRICT,
+        CGROUP_DEVICE_POLICY_STRICT,

        _CGROUP_DEVICE_POLICY_MAX,
        _CGROUP_DEVICE_POLICY_INVALID = -1
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -4303,11 +4303,11 @@ int unit_patch_contexts(Unit *u) {
        if (cc && ec) {

                if (ec->private_devices &&
-                    cc->device_policy == CGROUP_AUTO)
-                        cc->device_policy = CGROUP_CLOSED;
+                    cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
+                        cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;

                if (ec->root_image &&
-                    (cc->device_policy != CGROUP_AUTO || cc->device_allow)) {
+                    (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {

                        /* When RootImage= is specified, the following devices are touched. */
                        r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw");