crun currently uses the systemd d-bus API to set up device cgroups.  Update the runtime to use BPFProgram=device: on cgroup v2 instead to avoid multiple conversions of rules and to express all the rules without the limitations imposed by systemd.  The same generator used for the cgroupfs driver can be used to generate the ebpf.

On cgroup v1 crun will still use the current implementation, but it should not matter because cgroup v1 support is going to be dropped this year.