libct/cg/sd: use systemd v240+ new MAJOR:* syntax

Since systemd v240 (commit 8e8b5d2e6d91180a), one can use
/dev/{char,block}-MAJOR syntax to specify that all MAJOR:*
devices are allowed.

Use it, if available, since it's more straightforward, plus
we can skip somewhat expensive parsing of /proc/devices.

Signed-off-by: Kir Kolyshkin <[email protected]>

libcontainer/cgroups/devices/systemd.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
 	systemdDbus "github.com/coreos/go-systemd/v22/dbus"
@@ -110,17 +111,26 @@ func systemdProperties(r *configs.Resources, sdVer int) ([]systemdDbus.Property,
 			}
 			entry.Path = prefix + "*"
 		} else if rule.Minor == devices.Wildcard {
-			// "_ n:* _" rules require a device group from /proc/devices.
-			group, err := findDeviceGroup(rule.Type, rule.Major)
-			if err != nil {
-				return nil, fmt.Errorf("unable to find device '%v/%d': %w", rule.Type, rule.Major, err)
-			}
-			if group == "" {
-				// Couldn't find a group.
-				logrus.Warnf("could not find device group for '%v/%d' in /proc/devices -- temporarily ignoring rule: %v", rule.Type, rule.Major, *rule)
-				continue
+			if sdVer >= 240 {
+				// systemd v240+ allows for {block,char}-MAJOR syntax.
+				prefix, err := groupPrefix(rule.Type)
+				if err != nil {
+					return nil, err
+				}
+				entry.Path = prefix + strconv.FormatInt(rule.Major, 10)
+			} else {
+				// For older systemd, "_ n:* _" rules require a device group from /proc/devices.
+				group, err := findDeviceGroup(rule.Type, rule.Major)
+				if err != nil {
+					return nil, fmt.Errorf("unable to find device '%v/%d': %w", rule.Type, rule.Major, err)
+				}
+				if group == "" {
+					// Couldn't find a group.
+					logrus.Warnf("could not find device group for '%v/%d' in /proc/devices -- temporarily ignoring rule: %v", rule.Type, rule.Major, *rule)
+					continue
+				}
+				entry.Path = group
 			}
-			entry.Path = group
 		} else {
 			// "_ n:m _" rules are just a path in /dev/{block,char}/.
 			switch rule.Type {