    lava_dispatcher_host: add support for docker device sharing under cgroups v2 · 180cb3c1
    Antonio Terceiro authored
    Under cgroups v2, device access control is done with BPF programs only.
    When docker creates a container, it already attaches a BPF program to
    that container cgroup. lava-dispatcher-host replaces that BPF program
    with one of its own, that allows the regular list of devices containers
    can usually access (/dev/null, /dev/zero etc), plus all the devices
    shared with the container. Subsequent device sharing with the same
    container overrides that BPF program with a new one.
    
    cgroups v2 is the default on Debian 11 (bullseye), so in there we need
    python3-bpfcc >= 0.21. In Debian 10 (buster, base-files << 1), we don't
    need python3-bpfcc, bpftool and the kernel headers, since the
    corresponding code path will not be used anyway.
    
    Fixes: https://git.lavasoftware.org/lava/lava/-/issues/467
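The allow decision the commit message describes (the usual default devices plus the devices shared with the container, everything else denied), modelled in user-space C as an added example; it is not the BPF program lava-dispatcher-host generates. The rule lists, the sample shared device and all function names are assumptions made for illustration; only the context layout and constant values follow the kernel's `linux/bpf.h`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values mirror the kernel UAPI in linux/bpf.h, redefined so this builds anywhere. */
enum { DEV_BLOCK = 1, DEV_CHAR = 2 };                 /* BPF_DEVCG_DEV_* */
enum { ACC_MKNOD = 1, ACC_READ = 2, ACC_WRITE = 4 };  /* BPF_DEVCG_ACC_* */
#define ACC_RWM (ACC_MKNOD | ACC_READ | ACC_WRITE)

/* Same fields as struct bpf_cgroup_dev_ctx: access_type = (access << 16) | type. */
struct dev_ctx { uint32_t access_type, major, minor; };
struct rule { uint32_t type, major, minor, access; };

/* Abbreviated default list (assumption: a real runtime allows more nodes). */
static const struct rule default_rules[] = {
    { DEV_CHAR, 1, 3, ACC_RWM },  /* /dev/null */
    { DEV_CHAR, 1, 5, ACC_RWM },  /* /dev/zero */
    { DEV_CHAR, 1, 9, ACC_RWM },  /* /dev/urandom */
};
/* Constructed sample of one shared device: USB serial 188:0, read/write only. */
static const struct rule sample_shared[] = { { DEV_CHAR, 188, 0, ACC_READ | ACC_WRITE } };

static int match(const struct rule *r, size_t n, const struct dev_ctx *c)
{
    uint32_t type = c->access_type & 0xffff, access = c->access_type >> 16;
    for (size_t i = 0; i < n; i++)
        if (r[i].type == type && r[i].major == c->major && r[i].minor == c->minor &&
            (access & ~r[i].access) == 0)  /* every requested bit must be granted */
            return 1;
    return 0;
}

/* Returns 1 (allow) or 0 (deny), like a cgroup device program. Default deny. */
int device_allowed(const struct rule *shared, size_t nshared, uint32_t type,
                   uint32_t access, uint32_t major, uint32_t minor)
{
    struct dev_ctx c = { (access << 16) | type, major, minor };
    return match(default_rules, sizeof default_rules / sizeof default_rules[0], &c) ||
           match(shared, nshared, &c);
}

int main(void)
{
    printf("null rw:     %d\n", device_allowed(sample_shared, 1, DEV_CHAR, ACC_READ | ACC_WRITE, 1, 3));
    printf("188:0 rw:    %d\n", device_allowed(sample_shared, 1, DEV_CHAR, ACC_READ | ACC_WRITE, 188, 0));
    printf("188:0 mknod: %d\n", device_allowed(sample_shared, 1, DEV_CHAR, ACC_MKNOD, 188, 0));
    printf("8:0 block r: %d\n", device_allowed(sample_shared, 1, DEV_BLOCK, ACC_READ, 8, 0));
    return 0;
}
```

Because the replacement program supersedes the one docker attached, its rule set has to carry the default entries itself; a replacement holding only the shared device would deny `/dev/null` to the container.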