From 79bc22bd2445cf41f522a7f978a22c1fb630840d Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 18 Feb 2021 10:43:10 +0100
Subject: [PATCH] commands: replace bpf program on update
Signed-off-by: Christian Brauner
---
 src/lxc/commands.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 0a27207d0..60315a5ac 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -1260,8 +1260,19 @@ static int lxc_cmd_add_bpf_device_cgroup_callback(int fd, struct lxc_cmd_req *re
 if (ret)
 goto respond;
- ret = bpf_program_cgroup_attach(devices, BPF_CGROUP_DEVICE,
- unified->cgfd_mon, -EBADF, BPF_F_ALLOW_MULTI);
+ devices_old = cgroup_ops->cgroup2_devices;
+ if (devices_old && devices_old->kernel_fd >= 0)
+ ret = bpf_program_cgroup_attach(devices,
+ BPF_CGROUP_DEVICE,
+ unified->cgfd_limit,
+ devices_old->kernel_fd,
+ BPF_F_ALLOW_MULTI | BPF_F_REPLACE);
+ else
+ ret = bpf_program_cgroup_attach(devices,
+ BPF_CGROUP_DEVICE,
+ unified->cgfd_limit,
+ -EBADF,
+ BPF_F_ALLOW_MULTI);
 if (ret)
 goto respond;
--
2.47.2
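Review bot: Both new `bpf_program_cgroup_attach()` calls now target `unified->cgfd_limit` instead of `unified->cgfd_mon`, so the cgroup on which the device filter is enforced changes, yet neither the subject line nor a comment records why. The replace branch also depends on two preconditions the code does not state: as far as I know the kernel accepts `BPF_F_REPLACE` only from Linux 5.6 on, and only when `devices_old->kernel_fd` is a program currently attached to that same cgroup. If either fails, the update is refused through `goto respond`, which fails closed (the old device policy stays) but gives the caller no hint why. I would add a comment above the `if`, e.g. `/* Swap the device program in place on the limit cgroup; requires devices_old to be attached to cgfd_limit and a kernel with BPF_F_REPLACE. */`. The declaration of `devices_old` and what happens to the old program after a successful replace lie outside this hunk, so I could not check them here.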