commands: replace bpf program on update

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 0a27207d01621f64580c60ff3f31d9c813d8d2f0..60315a5ac347f6f7d8baf292753ce72948a1f0be 100644 (file)
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -1260,8 +1260,19 @@ static int lxc_cmd_add_bpf_device_cgroup_callback(int fd, struct lxc_cmd_req *re
        if (ret)
                goto respond;
 
-       ret = bpf_program_cgroup_attach(devices, BPF_CGROUP_DEVICE,
-                                       unified->cgfd_mon, -EBADF, BPF_F_ALLOW_MULTI);
+       devices_old = cgroup_ops->cgroup2_devices;
+       if (devices_old && devices_old->kernel_fd >= 0)
+               ret = bpf_program_cgroup_attach(devices,
+                                               BPF_CGROUP_DEVICE,
+                                               unified->cgfd_limit,
+                                               devices_old->kernel_fd,
+                                               BPF_F_ALLOW_MULTI | BPF_F_REPLACE);
+       else
+               ret = bpf_program_cgroup_attach(devices,
+                                               BPF_CGROUP_DEVICE,
+                                               unified->cgfd_limit,
+                                               -EBADF,
+                                               BPF_F_ALLOW_MULTI);
        if (ret)
                goto respond;