specgen: parse devices even with privileged set

Luap99 · Luap99 · commit 83863a6863e5 · 2024-07-01T11:46:34.000+02:00
When a users asks for specific devices we should still add them and not ignore them just because privileged adds all of them. Most notably if you set --device /dev/null:/dev/test you expect /dev/test in the container, however as we ignored them this was not the case. Another side effect is that the input was not validated at at all. This leads to confusion as descriped in the issue. Fixes #23132 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
diff --git a/pkg/specgen/generate/oci_linux.go b/pkg/specgen/generate/oci_linux.go
@@ -254,24 +254,21 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	}
 
 	var userDevices []spec.LinuxDevice
-
-	if !s.IsPrivileged() {
-		// add default devices from containers.conf
-		for _, device := range rtc.Containers.Devices.Get() {
-			if err = DevicesFromPath(&g, device); err != nil {
-				return nil, err
-			}
-		}
-		if len(compatibleOptions.HostDeviceList) > 0 && len(s.Devices) == 0 {
-			userDevices = compatibleOptions.HostDeviceList
-		} else {
-			userDevices = s.Devices
+	// add default devices from containers.conf
+	for _, device := range rtc.Containers.Devices.Get() {
+		if err = DevicesFromPath(&g, device); err != nil {
+			return nil, err
 		}
-		// add default devices specified by caller
-		for _, device := range userDevices {
-			if err = DevicesFromPath(&g, device.Path); err != nil {
-				return nil, err
-			}
+	}
+	if len(compatibleOptions.HostDeviceList) > 0 && len(s.Devices) == 0 {
+		userDevices = compatibleOptions.HostDeviceList
+	} else {
+		userDevices = s.Devices
+	}
+	// add default devices specified by caller
+	for _, device := range userDevices {
+		if err = DevicesFromPath(&g, device.Path); err != nil {
+			return nil, err
 		}
 	}
 	s.HostDeviceList = userDevices
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
@@ -106,7 +106,6 @@ func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
 	if err != nil {
 		return err
 	}
-	g.ClearLinuxDevices()
 
 	if rootless.IsRootless() {
 		mounts := make(map[string]interface{})
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
@@ -1687,6 +1687,19 @@ VOLUME %s`, ALPINE, volPath, volPath)
 		Expect(session).Should(ExitCleanly())
 	})
 
+	It("podman run --device and --privileged", func() {
+		session := podmanTest.Podman([]string{"run", "--device", "/dev/null:/dev/testdevice", "--privileged", ALPINE, "ls", "/dev"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		Expect(session.OutputToString()).To(ContainSubstring(" testdevice "), "our custom device")
+		// assumes that /dev/mem always exists
+		Expect(session.OutputToString()).To(ContainSubstring(" mem "), "privileged device")
+
+		session = podmanTest.Podman([]string{"run", "--device", "invalid-device", "--privileged", ALPINE, "ls", "/dev"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitWithError(125, "stat invalid-device: no such file or directory"))
+	})
+
 	It("podman run --replace", func() {
 		// Make sure we error out with --name.
 		session := podmanTest.Podman([]string{"create", "--replace", ALPINE, "/bin/sh"})

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,6 @@ func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {`
`106`	`106`	`if err != nil {`
`107`	`107`	`return err`
`108`	`108`	`}`
`109`		`- g.ClearLinuxDevices()`
`110`	`109`
`111`	`110`	`if rootless.IsRootless() {`
`112`	`111`	`mounts := make(map[string]interface{})`