Kelvin crashes on cgroup directories it can't access #2332

@ddelnano


An end user I'm working with has seen the Kelvin Pod crash when trying to access a cgroup directory it doesn't have access to. This specific cgroup is a CrowdStrike falcon-sensor, which might have stricter protections/permissions in place since it is designed with anti-tamper mechanisms.

We should ensure that our cgroup directory iteration does not try to recurse into directories that the given PEM/Kelvin doesn't have access to. Below is the stack trace from this specific report:

```
I20260311 21:15:10.392350     1 cgroup_path_resolver.cc:150] Auto-discovered CGroup base path: /sys/fs/cgroup/cpu,cpuacct
libc++abi: terminating due to uncaught exception of type std::__1::__fs::filesystem::filesystem_error: filesystem error: in recursive_directory_iterator::operator++(): attempting recursion into "/sys/fs/cgroup/cpu,cpuacct/system.slice/falcon-sensor.service/sandbox.falcon": Permission denied
E20260311 21:15:10.411677     1 signal_action.cc:63] Caught Aborted, suspect faulting address 0x277400000001. Trace:
**************************
PC: @     0x7f60d7632472  (unknown)  abort
    @     0x55a086d04326  (unknown)  abort_message
    @     0x55a086cee1eb  (unknown)  demangling_terminate_handler()
    @     0x55a086d03fc3  (unknown)  std::__terminate()
    @     0x55a086d05cf6  (unknown)  __cxa_rethrow
    @     0x55a086cec446  (unknown)  std::__1::__fs::filesystem::detail::(anonymous namespace)::ErrorHandler<>::report()
    @     0x55a086cecfbc  (unknown)  std::__1::__fs::filesystem::recursive_directory_iterator::__try_recursion()
    @     0x55a086cecbe0  (unknown)  std::__1::__fs::filesystem::recursive_directory_iterator::__increment()
    @     0x55a086683b19  (unknown)  px::md::FindSelfCGroupProcs()
    @     0x55a086684fa2  (unknown)  px::md::AutoDiscoverCGroupTemplate()
    @     0x55a086685799  (unknown)  px::md::CGroupPathResolver::Create()
    @     0x55a086681df4  (unknown)  px::md::CGroupMetadataReader::CGroupMetadataReader()
    @     0x55a086681d59  (unknown)  px::md::CGroupMetadataReader::CGroupMetadataReader()
    @     0x55a085cda1da  (unknown)  px::md::AgentMetadataStateManagerImpl::AgentMetadataStateManagerImpl()
    @     0x55a085cd048d  (unknown)  _ZNSt3__111make_uniqueB6v15006IN2px2md29AgentMetadataStateManagerImplEJRNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEERjSB_SA_RN4sole4uuidEbRKNS1_6system6ConfigEPNS2_19AgentMetadataFilterESD_SA_SA_PNS1_5eve
    @     0x55a085cce25a  (unknown)  px::vizier::agent::Manager::PostRegisterHook()
```
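One way to make a cgroup walk like the one in the trace tolerate a locked-down directory, shown as an added example that is not Pixie's code and not part of the original report: `CGroupScan`, `ListsPid` and `FindSelfCGroup` are hypothetical names, and the sketch assumes the scan looks for the `cgroup.procs` file that lists a given PID.

```cpp
#include <unistd.h>

#include <filesystem>
#include <fstream>
#include <string>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

// Hypothetical stand-in for a "find my own cgroup" scan; not Pixie's code.
struct CGroupScan {
  fs::path self_procs;                 // cgroup.procs file listing `pid`, if found
  std::vector<fs::path> skipped_dirs;  // directories this process may not enter
  std::error_code error;               // first non-permission failure, if any
};

static bool ListsPid(const fs::path& procs_file, pid_t pid) {
  std::ifstream in(procs_file);  // an unreadable file simply yields no lines
  for (std::string line; std::getline(in, line);) {
    if (line == std::to_string(pid)) return true;
  }
  return false;
}

CGroupScan FindSelfCGroup(const fs::path& base, pid_t pid) {
  CGroupScan out;
  std::error_code ec;
  // skip_permission_denied: a permission-denied directory is treated as empty.
  // error_code overloads: every other failure is returned, never thrown.
  fs::recursive_directory_iterator it(
      base, fs::directory_options::skip_permission_denied, ec);
  for (const fs::recursive_directory_iterator end; !ec && it != end; it.increment(ec)) {
    std::error_code st_ec;
    if (it->is_directory(st_ec)) {
      // Record what is skipped so the gap in coverage is visible to operators.
      if (::access(it->path().c_str(), R_OK | X_OK) != 0) {
        out.skipped_dirs.push_back(it->path());
        it.disable_recursion_pending();
      }
    } else if (it->path().filename() == "cgroup.procs" && ListsPid(it->path(), pid)) {
      out.self_procs = it->path();
      break;
    }
  }
  out.error = ec;
  return out;
}
```

The `access()` pre-check only covers mode-bit denials and exists for logging; the `skip_permission_denied` option is what keeps a denial that surfaces during recursion from aborting the process.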
