buildkitd: handle device insecure entitlement

crazy-max · crazy-max · commit bc0c8579738d · 2025-07-11T17:44:26.000+02:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/cmd/buildctl/build.go b/cmd/buildctl/build.go
@@ -89,7 +89,7 @@ var buildCommand = cli.Command{
 		},
 		cli.StringSliceFlag{
 			Name:  "allow",
-			Usage: "Allow extra privileged entitlement, e.g. network.host, security.insecure",
+			Usage: "Allow extra privileged entitlement, e.g. network.host, security.insecure, device",
 		},
 		cli.StringSliceFlag{
 			Name:  "ssh",
diff --git a/cmd/buildkitd/config/config.go b/cmd/buildkitd/config/config.go
@@ -12,7 +12,7 @@ type Config struct {
 	// Root is the path to a directory where buildkit will store persistent data
 	Root string `toml:"root"`
 
-	// Entitlements e.g. security.insecure, network.host
+	// Entitlements e.g. security.insecure, network.host, device
 	Entitlements []string `toml:"insecure-entitlements"`
 
 	// LogFormat is the format of the logs. It can be "json" or "text".
diff --git a/cmd/buildkitd/main.go b/cmd/buildkitd/main.go
@@ -212,7 +212,7 @@ func main() {
 		},
 		cli.StringSliceFlag{
 			Name:  "allow-insecure-entitlement",
-			Usage: "allows insecure entitlements e.g. network.host, security.insecure",
+			Usage: "allows insecure entitlements e.g. network.host, security.insecure, device",
 		},
 		cli.StringFlag{
 			Name:  "otel-socket-path",
@@ -378,6 +378,8 @@ func main() {
 					cfg.Entitlements = append(cfg.Entitlements, e)
 				case "network.host":
 					cfg.Entitlements = append(cfg.Entitlements, e)
+				case "device":
+					cfg.Entitlements = append(cfg.Entitlements, e)
 				default:
 					return errors.Errorf("invalid entitlement : %s", e)
 				}
diff --git a/docs/buildkitd.toml.md b/docs/buildkitd.toml.md
@@ -20,7 +20,7 @@ trace = true
 # root is where all buildkit state is stored.
 root = "/var/lib/buildkit"
 # insecure-entitlements allows insecure entitlements, disabled by default.
-insecure-entitlements = [ "network.host", "security.insecure" ]
+insecure-entitlements = [ "network.host", "security.insecure", "device" ]
 
 [log]
   # log formatter: json or text
diff --git a/docs/reference/buildctl.md b/docs/reference/buildctl.md
@@ -73,7 +73,7 @@ OPTIONS:
    --export-cache value              Export build cache, e.g. --export-cache type=registry,ref=example.com/foo/bar, or --export-cache type=local,dest=path/to/dir
    --import-cache value              Import build cache, e.g. --import-cache type=registry,ref=example.com/foo/bar, or --import-cache type=local,src=path/to/dir
    --secret value                    Secret value exposed to the build. Format id=secretname,src=filepath
-   --allow value                     Allow extra privileged entitlement, e.g. network.host, security.insecure
+   --allow value                     Allow extra privileged entitlement, e.g. network.host, security.insecure, device
    --ssh value                       Allow forwarding SSH agent or a raw Unix socket to the builder. Format default|<id>[=<socket>[,raw=false]|<key>[,<key>]]
    --metadata-file value             Output build metadata (e.g., image digest) to a file as JSON
    --source-policy-file value        Read source policy file from a JSON file
