core/bpf-firewall: replace unnecessary unit_setup_cgroup_runtime() with unit_get_cgroup_runtime()

Except for the test, bpf_firewall_compile() is only called by the following:
  cgroup_context_apply() -> cgroup_apply_firewall() -> bpf_firewall_compile()
and in the early stage of cgroup_context_apply(), it checks if the cgroup
runtime exists. Hence, it is not necessary to try to allocate the
runtime in bpf_firewall_compile().

src/core/bpf-firewall.c

@@ -547,9 +547,9 @@ int bpf_firewall_compile(Unit *u) {
         if (!cc)
                 return -EINVAL;
 
-        crt = unit_setup_cgroup_runtime(u);
+        crt = unit_get_cgroup_runtime(u);
         if (!crt)
-                return -ENOMEM;
+                return -ESTALE;
 
         if (bpf_program_supported() <= 0)
                 return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),

src/test/test-bpf-firewall.c

@@ -49,7 +49,8 @@ int main(int argc, char *argv[]) {
         if (!can_memlock())
                 return log_tests_skipped("Can't use mlock()");
 
-        r = enter_cgroup_subroot(NULL);
+        _cleanup_free_ char *cgroup_path = NULL;
+        r = enter_cgroup_subroot(&cgroup_path);
         if (r == -ENOMEDIUM)
                 return log_tests_skipped("cgroupfs not available");
 
@@ -128,6 +129,8 @@ int main(int argc, char *argv[]) {
         SERVICE(u)->type = SERVICE_ONESHOT;
         u->load_state = UNIT_LOADED;
 
+        CGroupRuntime *crt = ASSERT_PTR(unit_setup_cgroup_runtime(u));
+
         unit_dump(u, stdout, NULL);
 
         r = bpf_firewall_compile(u);
@@ -135,7 +138,6 @@ int main(int argc, char *argv[]) {
                 return log_tests_skipped("Kernel doesn't support the necessary bpf bits (masked out via seccomp?)");
         ASSERT_OK(r);
 
-        CGroupRuntime *crt = ASSERT_PTR(unit_get_cgroup_runtime(u));
         ASSERT_NOT_NULL(crt->ip_bpf_ingress);
         ASSERT_NOT_NULL(crt->ip_bpf_egress);