Merge pull request #13421 from hshiina/device-rule

Set default rule at the head of device configuration

1 files changed, 5 insertions, 1 deletions

diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 8b3550e36..1cc3a463f 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -332,6 +332,11 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	}
 	// Devices
 
+	// set the default rule at the beginning of device configuration
+	if !inUserNS && !s.Privileged {
+		g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
+	}
+
 	var userDevices []spec.LinuxDevice
 	if s.Privileged {
 		// If privileged, we need to add all the host devices to the
@@ -363,7 +368,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 
 	// set the devices cgroup when not running in a user namespace
 	if !inUserNS && !s.Privileged {
-		g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
 		for _, dev := range s.DeviceCgroupRule {
 			g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
 		}