Merge pull request #19002 from giuseppe/skip-devices-userns

specgen: raise error with --device-cgroup-rule in a userns
2025-06-19 16:33:24 +08:00 · 2023-06-26 22:34:54 +02:00
parent 6a742cb2f5 227c07aebc
commit 68f71f49d6
2 changed files with 9 additions and 2 deletions
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@ -255,7 +255,10 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	s.HostDeviceList = userDevices
 	// set the devices cgroup when not running in a user namespace
-	if !inUserNS && !s.Privileged {
+	if isRootless && len(s.DeviceCgroupRule) > 0 {
 		return nil, fmt.Errorf("device cgroup rules are not supported in rootless mode or in a user namespace")
 	}
 	if !isRootless && !s.Privileged {
 		for _, dev := range s.DeviceCgroupRule {
 			g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
 		}
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@ -785,7 +785,11 @@ EOF
 }
@test "podman run --device-cgroup-rule tests" {
-    skip_if_rootless "cannot add devices in rootless mode"
+    if is_rootless; then
        run_podman 125 run --device-cgroup-rule="b 7:* rmw" --rm $IMAGE
        is "$output" "Error: device cgroup rules are not supported in rootless mode or in a user namespace"
        return
    fi
    run_podman run --device-cgroup-rule="b 7:* rmw" --rm $IMAGE
    run_podman run --device-cgroup-rule="c 7:* rmw" --rm $IMAGE