libct/cg/sd: set the DeviceAllow property before DevicePolicy

[kolyshkin]

(this is a carry of #4569 which adds a better comment and a test case)

Every unit created by runc need daemon reload since systemd v230. This breaks support for NVIDIA GPUs, see
#3708 (comment)

A workaround is to set DeviceAllow before DevicePolicy.

Also:

• add a test case (which fails before the fix) by @kolyshkin
• better explain why we need empty DeviceAllow (by @cyphar)

Fixes #4568.

Reported-by: Jian Wen [email protected]
Co-authored-by: Jian Wen [email protected]
Co-authored-by: Aleksa Sarai [email protected]

1.2 backport: #4615

[kolyshkin]

Before the fix, the test case fails like this:

root@kir-tp1:/home/kir/git/runc# export RUNC_USE_SYSTEMD=yes
root@kir-tp1:/home/kir/git/runc# bats tests/integration/dev.bats 
dev.bats
 ✓ runc run [redundant default /dev/tty]
 ✓ runc run [redundant default /dev/ptmx]
 ✓ runc run/update [device cgroup deny]
 ✓ runc run [device cgroup allow rw char device]
 ✓ runc run [device cgroup allow rm block device]
 ✓ runc exec vs systemctl daemon-reload
 ✗ runc run [systemd daemon-reload not needed]
   (from function `check_systemd_value' in file tests/integration/helpers.bash, line 283,
    in test file tests/integration/dev.bats, line 154)
     `check_systemd_value "NeedDaemonReload" "no"' failed
   runc spec (status=0):
   
   runc run -d --console-socket /tmp/bats-run-rnDsXP/runc.NyH2cg/tty/sock test_need_reload (status=0):
   
   systemd NeedDaemonReload: got yes, want no
   --- teardown ---

7 tests, 1 failure

[kolyshkin]

As this is a small change, and fixes a real issue, I think we can backport it to release-1.2.

[rata]

LGTM, thanks! And I agree to 1.2 backporting too :)

[kolyshkin]

@giuseppe FYI I've checked (using the test case from this PR) that crun is not affected (probably because it doesn't add an empty DeviceAllow, although I'm not entirely sure).

[kolyshkin]

@cyphar @AkihiroSuda PTAL (I want 1.2.5 to have this)