oci: configure the devices cgroup with default devices

always set the default devices to the devices cgroup when not running in a user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
author: Giuseppe Scrivano <gscrivan@redhat.com> 2021-12-16 09:41:53 +0100
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2021-12-16 13:25:43 +0100
commit: 4243ca93a42c3ed977662c570302be8a7dc5c5ca (patch)
tree: 23832c473ac1c9d7a4ebb7bd1a7700d92093cfd8 /pkg
parent: d984fec351c06a95f8a51c7e6ced819c6b17245f (diff)
download: podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.tar.gz
podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.tar.bz2
podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.zip
1 files changed, 6 insertions, 2 deletions
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 9f8807915..efac53104 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -325,8 +325,12 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	}
 	s.HostDeviceList = s.Devices
 
-	for _, dev := range s.DeviceCGroupRule {
-		g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
+	// set the devices cgroup when not running in a user namespace
+	if !inUserNS && !s.Privileged {
+		g.AddLinuxResourcesDevice(false, "", nil, nil, "rwm")
+		for _, dev := range s.DeviceCGroupRule {
+			g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
+		}
 	}
 
 	for k, v := range s.WeightDevice {
author	Giuseppe Scrivano <gscrivan@redhat.com>	2021-12-16 09:41:53 +0100
committer	Giuseppe Scrivano <gscrivan@redhat.com>	2021-12-16 13:25:43 +0100
commit	4243ca93a42c3ed977662c570302be8a7dc5c5ca (patch)
tree	23832c473ac1c9d7a4ebb7bd1a7700d92093cfd8 /pkg
parent	d984fec351c06a95f8a51c7e6ced819c6b17245f (diff)
download	podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.tar.gz podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.tar.bz2 podman-4243ca93a42c3ed977662c570302be8a7dc5c5ca.zip