
Commit 7611421

committed
Make /dev accessible even with runc 1.0-rc91
Probably because of the fix for GHSA-g54h-m393-cpwq, the approach we previously used to make /dev accessible no longer works with runc 1.0-rc91. Signed-off-by: Kazuyoshi Kato <[email protected]>
1 parent 5354f7b commit 7611421


1 file changed

+20
-11
lines changed


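--- a/runtime/service_integ_test.go
+++ b/runtime/service_integ_test.go
@@ -32,6 +32,7 @@ import (
 "github.com/containerd/containerd"
 "github.com/containerd/containerd/api/events"
 "github.com/containerd/containerd/cio"
+"github.com/containerd/containerd/containers"
 "github.com/containerd/containerd/namespaces"
 "github.com/containerd/containerd/oci"
 "github.com/containerd/containerd/pkg/ttrpcutil"
@@ -657,6 +658,24 @@ func TestLongUnixSocketPath_Isolated(t *testing.T) {
 }
 }
 
+func allowDeviceAccess(_ context.Context, _ oci.Client, _ *containers.Container, s *oci.Spec) error {
+// By default, all devices accesses are forbidden.
+s.Linux.Resources.Devices = append(
+s.Linux.Resources.Devices,
+specs.LinuxDeviceCgroup{Allow: true, Access: "r"},
+)
+
+// Exposes the host kernel's /dev as /dev.
+// By default, runc creates own /dev with a minimal set of pseudo devices such as /dev/null.
+s.Mounts = append(s.Mounts, specs.Mount{
+Type: "bind",
+Options: []string{"bind"},
+Destination: "/dev",
+Source: "/dev",
+})
+return nil
+}
+
 func TestStubBlockDevices_Isolated(t *testing.T) {
 prepareIntegTest(t)
 
@@ -706,15 +725,6 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 oci.WithProcessArgs("/bin/sh", "/var/firecracker-containerd-test/scripts/lsblk.sh"),
 
 oci.WithMounts([]specs.Mount{
-// Exposes the host kernel's /dev as /dev.
-// By default, runc creates own /dev with a minimal set of pseudo devices such as /dev/null.
-{
-Type: "bind",
-Options: []string{"bind"},
-Destination: "/dev",
-Source: "/dev",
-},
-
 // Exposes test scripts from the host kernel
 {
 Type: "bind",
@@ -723,8 +733,7 @@ func TestStubBlockDevices_Isolated(t *testing.T) {
 Source: "/var/firecracker-containerd-test/scripts",
 },
 }),
-// Make the host kernel's /dev readable
-oci.WithParentCgroupDevices,
+allowDeviceAccess,
 ),
 )
 require.NoError(t, err, "failed to create container %s", containerName)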
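Review bot: The allow rule `specs.LinuxDeviceCgroup{Allow: true, Access: "r"}` in allowDeviceAccess sets no Type, Major or Minor, which under the OCI runtime spec means every device type with wildcard major/minor, so combined with the host `/dev` bind mount the container gets read access to every device node the guest kernel exposes — wider than a block-device test needs. Restricting it to `specs.LinuxDeviceCgroup{Allow: true, Type: "b", Access: "r"}` would keep lsblk.sh working if it only reads block nodes (confirm against the script) while leaving character devices under the default deny, and the comment above it should state the scope either way, e.g. `// Allow read-only access to all block devices; the default spec denies every device.` The helper also dereferences `s.Linux.Resources` with no nil check, which holds under containerd's default Linux spec but would panic on a spec without a Linux section; a one-line guard or a comment stating that assumption would help. Note too that `Options: []string{"bind"}` is a non-recursive bind, so submounts of the source `/dev` (e.g. `/dev/pts`) are not carried over; if that is intentional it is worth saying in the comment.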
