specgen, rootless: raise error with --device-cgroup-rule

we were silently ignoring --device-cgroup-rule in rootless mode.  Make
sure an error is returned if the user tries to use it.

Closes: https://github.com/containers/podman/issues/18698

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

pkg/specgen/generate/oci_linux.go

@@ -255,6 +255,9 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	s.HostDeviceList = userDevices
 
 	// set the devices cgroup when not running in a user namespace
+	if isRootless && len(s.DeviceCgroupRule) > 0 {
+		return nil, fmt.Errorf("device cgroup rules are not supported in rootless mode or in a user namespace")
+	}
 	if !inUserNS && !s.Privileged {
 		for _, dev := range s.DeviceCgroupRule {
 			g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)

test/system/030-run.bats

@@ -746,7 +746,11 @@ EOF
 }
 
 @test "podman run --device-cgroup-rule tests" {
-    skip_if_rootless "cannot add devices in rootless mode"
+    if is_rootless; then
+        run_podman 125 run --device-cgroup-rule="b 7:* rmw" --rm $IMAGE
+        is "$output" "Error: device cgroup rules are not supported in rootless mode or in a user namespace"
+        return
+    fi
 
     run_podman run --device-cgroup-rule="b 7:* rmw" --rm $IMAGE
     run_podman run --device-cgroup-rule="c 7:* rmw" --rm $IMAGE