sandbox: Allow the device to be accessed,such as /dev/null and /dev/urandom

If the device has no permission, such as /dev/null, /dev/urandom,
it needs to be added into cgroup.

Fixes: #2615

Signed-off-by: Binbin Zhang <binbin36520@gmail.com>

src/runtime/virtcontainers/sandbox.go

@@ -581,31 +581,30 @@ func (s *Sandbox) createCgroupManager() error {
 		if spec.Linux.Resources != nil {
 			resources.Devices = spec.Linux.Resources.Devices
 
-			// spec.Linux.Resources.Devices default only contain {"devices":[{"allow":false,"access":"rwm"}]}
+			intptr := func(i int64) *int64 { return &i }
-			if len(resources.Devices) == 1 {
+			// Determine if device /dev/null and /dev/urandom exist, and add if they don't
-				intptr := func(i int64) *int64 {
+			nullDeviceExist := false
-					return &i
+			urandomDeviceExist := false
+			for _, device := range resources.Devices {
+				if device.Type == "c" && device.Major == intptr(1) && device.Minor == intptr(3) {
+					nullDeviceExist = true
 				}
 
-				// adds the default devices for unix such as /dev/null, /dev/urandom to
+				if device.Type == "c" && device.Major == intptr(1) && device.Minor == intptr(9) {
-				// the container's resource cgroup spec
+					urandomDeviceExist = true
+				}
+			}
+
+			if !nullDeviceExist {
+				// "/dev/null"
 				resources.Devices = append(resources.Devices, []specs.LinuxDeviceCgroup{
-					{
+					{Type: "c", Major: intptr(1), Minor: intptr(3), Access: rwm, Allow: true},
-						// "/dev/null",
+				}...)
-						Type:   "c",
+			}
-						Major:  intptr(1),
+			if !urandomDeviceExist {
-						Minor:  intptr(3),
+				// "/dev/urandom"
-						Access: rwm,
+				resources.Devices = append(resources.Devices, []specs.LinuxDeviceCgroup{
-						Allow:  true,
+					{Type: "c", Major: intptr(1), Minor: intptr(9), Access: rwm, Allow: true},
-					},
-					{
-						// "/dev/urandom",
-						Type:   "c",
-						Major:  intptr(1),
-						Minor:  intptr(9),
-						Access: rwm,
-						Allow:  true,
-					},
 				}...)
 			}