summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2021-12-16 09:41:53 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2021-12-16 13:25:43 +0100
commit4243ca93a42c3ed977662c570302be8a7dc5c5ca (patch)
tree23832c473ac1c9d7a4ebb7bd1a7700d92093cfd8
parentd984fec351c06a95f8a51c7e6ced819c6b17245f (diff)
downloadpodman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.tar.gz
podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.tar.bz2
podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.zip
oci: configure the devices cgroup with default devices
always set the default devices to the devices cgroup when not running in a user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--pkg/specgen/generate/oci.go8
-rw-r--r--test/e2e/run_device_test.go7
2 files changed, 13 insertions, 2 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 9f8807915..efac53104 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -325,8 +325,12 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
}
s.HostDeviceList = s.Devices
- for _, dev := range s.DeviceCGroupRule {
- g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
+ // set the devices cgroup when not running in a user namespace
+ if !inUserNS && !s.Privileged {
+ g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
+ for _, dev := range s.DeviceCGroupRule {
+ g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
+ }
}
for k, v := range s.WeightDevice {
diff --git a/test/e2e/run_device_test.go b/test/e2e/run_device_test.go
index 08905aed2..fbf1eb791 100644
--- a/test/e2e/run_device_test.go
+++ b/test/e2e/run_device_test.go
@@ -119,4 +119,11 @@ var _ = Describe("Podman run device", func() {
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
})
+
+ It("podman run cannot access non default devices", func() {
+ session := podmanTest.Podman([]string{"run", "-v /dev:/dev-host", ALPINE, "head", "-1", "/dev-host/kmsg"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Not(Exit(0)))
+ })
+
})