1 files changed, 38 insertions, 26 deletions

diff --git a/pkg/spec/config_linux.go b/pkg/spec/config_linux.go
index eb2acf984..60d31d78e 100644
--- a/pkg/spec/config_linux.go
+++ b/pkg/spec/config_linux.go
@@ -4,12 +4,11 @@ package createconfig
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
 
-	"github.com/docker/docker/profiles/seccomp"
+	"github.com/containers/libpod/pkg/rootless"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
@@ -120,37 +119,50 @@ func (c *CreateConfig) addPrivilegedDevices(g *generate.Generator) error {
 		return err
 	}
 	g.ClearLinuxDevices()
-	for _, d := range hostDevices {
-		g.AddDevice(Device(d))
-	}
-
-	// Add resources device - need to clear the existing one first.
-	g.Spec().Linux.Resources.Devices = nil
-	g.AddLinuxResourcesDevice(true, "", nil, nil, "rwm")
-	return nil
-}
-
-func getSeccompConfig(config *CreateConfig, configSpec *spec.Spec) (*spec.LinuxSeccomp, error) {
-	var seccompConfig *spec.LinuxSeccomp
-	var err error
 
-	if config.SeccompProfilePath != "" {
-		seccompProfile, err := ioutil.ReadFile(config.SeccompProfilePath)
-		if err != nil {
-			return nil, errors.Wrapf(err, "opening seccomp profile (%s) failed", config.SeccompProfilePath)
+	if rootless.IsRootless() {
+		mounts := make(map[string]interface{})
+		for _, m := range g.Mounts() {
+			mounts[m.Destination] = true
 		}
-		seccompConfig, err = seccomp.LoadProfile(string(seccompProfile), configSpec)
-		if err != nil {
-			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
+		newMounts := []spec.Mount{}
+		for _, d := range hostDevices {
+			devMnt := spec.Mount{
+				Destination: d.Path,
+				Type:        TypeBind,
+				Source:      d.Path,
+				Options:     []string{"slave", "nosuid", "noexec", "rw", "rbind"},
+			}
+			if d.Path == "/dev/ptmx" || strings.HasPrefix(d.Path, "/dev/tty") {
+				continue
+			}
+			if _, found := mounts[d.Path]; found {
+				continue
+			}
+			st, err := os.Stat(d.Path)
+			if err != nil {
+				if err == unix.EPERM {
+					continue
+				}
+				return errors.Wrapf(err, "stat %s", d.Path)
+			}
+			// Skip devices that the user has not access to.
+			if st.Mode()&0007 == 0 {
+				continue
+			}
+			newMounts = append(newMounts, devMnt)
 		}
+		g.Config.Mounts = append(newMounts, g.Config.Mounts...)
 	} else {
-		seccompConfig, err = seccomp.GetDefaultProfile(configSpec)
-		if err != nil {
-			return nil, errors.Wrapf(err, "loading seccomp profile (%s) failed", config.SeccompProfilePath)
+		for _, d := range hostDevices {
+			g.AddDevice(Device(d))
 		}
 	}
 
-	return seccompConfig, nil
+	// Add resources device - need to clear the existing one first.
+	g.Config.Linux.Resources.Devices = nil
+	g.AddLinuxResourcesDevice(true, "", nil, nil, "rwm")
+	return nil
 }
 
 func (c *CreateConfig) createBlockIO() (*spec.LinuxBlockIO, error) {