author | tomsweeneyredhat <tsweeney@redhat.com> | 2022-03-10 18:18:01 -0500 |
---|---|---|
committer | tomsweeneyredhat <tsweeney@redhat.com> | 2022-03-10 18:18:11 -0500 |
commit | 61f6e1300a770af58c43dd226ad6ebe68c5d1921 (patch) | |
tree | f56b0f55a5d651ba42fe2f129b0f43788b7a4a73 | |
parent | 717edd7b844dcd66468f5d991991d87e9fc14c12 (diff) | |
[v4.0] Backport Set default rule at the head of dev config
Backports: #13421 Set default rule at the head of device configuration
by @hshiina
The default rule should be set at the head of device configuration.
Otherwise, rules for user devices are overridden by the default rule, so
that any access to the user devices is denied.
This has been requested to backport and to include in RHEL 8.6 and 9.0.
The exception process is underway.
Addresses these BZs for the backport:
https://bugzilla.redhat.com/show_bug.cgi?id=2059296
https://bugzilla.redhat.com/show_bug.cgi?id=2062835
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
-rw-r--r-- | pkg/specgen/generate/oci.go | 6 | ||||
-rw-r--r-- | test/e2e/run_device_test.go | 5 |
2 files changed, 10 insertions, 1 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 945c994ea..5c8b6fc36 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -325,6 +325,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 }
 
 // Devices
+ // set the default rule at the beginning of device configuration
+ if !inUserNS && !s.Privileged {
+ g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
+ }
+
 var userDevices []spec.LinuxDevice
 if s.Privileged {
 // If privileged, we need to add all the host devices to the
@@ -356,7 +361,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 
 // set the devices cgroup when not running in a user namespace
 if !inUserNS && !s.Privileged {
- g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
 for _, dev := range s.DeviceCgroupRule {
 g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
 }
diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go
index b8bdc84f8..479837dda 100644
--- a/test/e2e/run_device_test.go
+++ b/test/e2e/run_device_test.go
@@ -44,6 +44,11 @@ var _ = Describe("Podman run device", func() {
 session := podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", ALPINE, "test", "-c", "/dev/kmsg"})
 session.WaitWithDefaultTimeout()
 Expect(session).Should(Exit(0))
+ if !isRootless() {
+ session = podmanTest.Podman([]string{"run", "-q", "--security-opt", "label=disable", "--device", "/dev/kmsg", "--cap-add", "SYS_ADMIN", ALPINE, "head", "-n", "1", "/dev/kmsg"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ }
 })
 
 It("podman run device rename test", func() { |
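Review bot: The comment on the new block in the first oci.go hunk says what is done but not why its position matters, and the same guard `if !inUserNS && !s.Privileged` is now evaluated twice in SpecGenToOCI (here and at the second hunk, new line 361). As the commit message explains, a deny-all rule listed after the allow rules overrides them, so the order is the whole point and should be stated where the rule is added, e.g. `// Device cgroup rules apply in order: the deny-all default must precede the allow rules for --device and --device-cgroup-rule below, or it would revoke them.` A one-line comment at the second block noting that the default rule is deliberately added earlier would stop a future change from reintroducing it there. Nothing in the diff covers the user-namespace case, where no default rule is added at all; that is unchanged behaviour, but worth a sentence in the comment so readers do not read the guard as an oversight. The body of SpecGenToOCI starts and ends outside both hunks.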
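Review bot: The new case in run_device_test.go exercises only the `--device` path, while the reordered default rule also governs the `s.DeviceCgroupRule` loop in oci.go, which no test here reads a device through; an ordering regression in that loop would pass this suite. A companion case that passes `--device-cgroup-rule` for the same device and reads it would pin the second path. Note also that `head -n 1 /dev/kmsg` blocks until the kernel log contains at least one line; presumably that always holds on CI hosts, but the assertion then depends on WaitWithDefaultTimeout rather than on the cgroup rule itself. The enclosing It block starts before the hunk.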