Description
During daemon-reload we detach and reattach all BPF programs attached to cgroups. This, however, poses a real practical problem for DevicePolicy (and perhaps some other settings using BPF): it presents a period of time where the old device filtering BPF program has been unloaded, but the new one has not been loaded yet. Since the filtering is at open() time, on Facebook servers, we've seen that there's a non-trivial period where applications inside that ostensibly filtered cgroup can grab any device, and often do so, and then retain access to that device even after the reload is over.
I need to double check exactly what process we have for this when doing the daemon-reload, but I suppose we free the BPF programs as part of cleaning out our units. We probably either need to not unload these programs, or load the new ones before tearing down the old ones, but it may be somewhat complicated.
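A check for the lingering access described above, as an added example that is not part of the original report and not systemd's own code: it lists device nodes that processes in a cgroup hold open and that fall outside an allow-list, which is what a grab made during the reload window looks like afterwards. The cgroup path argument and `SAMPLE_ALLOWED` are constructed assumptions; reading other processes' `/proc/<pid>/fd` requires root.

```python
import os
import stat

def cgroup_pids(cgroup_dir):
    """PIDs currently in a cgroup v2 directory (reads cgroup.procs)."""
    with open(os.path.join(cgroup_dir, "cgroup.procs")) as f:
        return [int(line) for line in f if line.strip()]

def held_devices(pid):
    """Device nodes a process holds open, as (kind, major, minor, fd)."""
    held = []
    fd_dir = f"/proc/{pid}/fd"
    try:
        fds = os.listdir(fd_dir)
    except OSError:              # process exited, or no permission
        return held
    for fd in fds:
        try:
            st = os.stat(os.path.join(fd_dir, fd))  # follows link to the open file
        except OSError:          # fd closed between listdir and stat
            continue
        if stat.S_ISCHR(st.st_mode):
            kind = "c"
        elif stat.S_ISBLK(st.st_mode):
            kind = "b"
        else:
            continue             # regular file, socket, pipe, ...
        held.append((kind, os.major(st.st_rdev), os.minor(st.st_rdev), int(fd)))
    return held

def is_allowed(dev, allowed):
    """A minor of None in the allow-list matches every minor of that major."""
    kind, major, minor, _fd = dev
    return (kind, major, minor) in allowed or (kind, major, None) in allowed

def audit(cgroup_dir, allowed):
    """Return {pid: [held devices outside the allow-list]} for one cgroup."""
    report = {}
    for pid in cgroup_pids(cgroup_dir):
        bad = [d for d in held_devices(pid) if not is_allowed(d, allowed)]
        if bad:
            report[pid] = bad
    return report

# Constructed sample allow-list: /dev/null, /dev/zero, /dev/urandom, any pty slave.
SAMPLE_ALLOWED = {("c", 1, 3), ("c", 1, 5), ("c", 1, 9), ("c", 136, None)}

if __name__ == "__main__":
    import sys
    for pid, devs in audit(sys.argv[1], SAMPLE_ALLOWED).items():
        print(pid, devs)
```

Because the filter is only consulted at open() time, a non-empty report after a reload means the process has to be restarted (or the descriptor closed) to actually revoke access.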