diff --git a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
index 376b318cee..32027adfff 100644
--- a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
@@ -114,7 +114,7 @@ impl DragonballInner {
 .context("add vhost-user-net device")?;
 Ok(DeviceType::VhostUserNetwork(dev))
 }
- DeviceType::Vsock(_) | DeviceType::Protection(_) | DeviceType::PortDevice(_) => todo!(),
+ _ => Err(anyhow!("unsupported device {:?}", device)),
 }
 }
diff --git a/src/runtime-rs/crates/resource/src/volume/direct_volumes/rawblock_volume.rs b/src/runtime-rs/crates/resource/src/volume/direct_volumes/rawblock_volume.rs
index e1902d8322..2efcac4077 100644
--- a/src/runtime-rs/crates/resource/src/volume/direct_volumes/rawblock_volume.rs
+++ b/src/runtime-rs/crates/resource/src/volume/direct_volumes/rawblock_volume.rs
@@ -11,7 +11,7 @@ use hypervisor::{
 device_manager::{do_handle_device, get_block_device_info, DeviceManager},
 DeviceConfig,
 },
- BlockConfig, BlockDeviceAio,
+ BlockConfigModern, BlockDeviceAio,
 };
 use kata_types::mount::DirectVolumeMountInfo;
 use nix::sys::{stat, stat::SFlag};
@@ -58,7 +58,7 @@ impl RawblockVolume {
 ));
 }
- let block_config = BlockConfig {
+ let block_config = BlockConfigModern {
 path_on_host: mount_info.device.clone(),
 driver_option: blkdev_info.block_device_driver,
 blkdev_aio: BlockDeviceAio::new(&blkdev_info.block_device_aio),
@@ -70,7 +70,7 @@ impl RawblockVolume {
 };
 // create and insert block device into Kata VM
- let device_info = do_handle_device(d, &DeviceConfig::BlockCfg(block_config.clone()))
+ let device_info = do_handle_device(d, &DeviceConfig::BlockCfgModern(block_config.clone()))
 .await
 .context("do handle device failed.")?;
diff --git a/src/runtime-rs/crates/resource/src/volume/utils.rs b/src/runtime-rs/crates/resource/src/volume/utils.rs
index 9efc0abebd..363742be07
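Review bot: The new `_` arm on the added line in inner_device.rs gives up the exhaustiveness check the removed explicit list provided: when a variant is added to `DeviceType`, the compiler no longer points at this `match`, and the new device is silently refused at runtime with "unsupported device" instead of forcing a decision. Since the arm's purpose is to reject exactly the variants Dragonball cannot attach, keep them named: `DeviceType::Vsock(_) | DeviceType::Protection(_) | DeviceType::PortDevice(_) => Err(anyhow!("unsupported device {:?}", device)),`. Replacing `todo!()` with an `Err` is the right direction, because a panic here would take down the whole runtime on a single bad device request rather than failing that one operation. Note also that `{:?}` formats the entire device into the error text; if that message can surface to a container user, it may carry host-side paths or addresses, so rendering only the variant name would be safer. The enclosing `match` and its function begin before the hunk and end after it.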
--- a/src/runtime-rs/crates/resource/src/volume/utils.rs
+++ b/src/runtime-rs/crates/resource/src/volume/utils.rs
@@ -86,6 +86,32 @@ pub async fn handle_block_volume(
 // BlockVolume.
 // safe here, device_info is correct and only unwrap it.
 let mut device_id = String::new();
+
+ if let DeviceType::BlockModern(device_mod) = device_info.clone() {
+ let device = &device_mod.lock().await;
+ let blk_driver = device.config.driver_option.clone();
+ // blk, mmioblk
+ storage.driver = blk_driver.clone();
+ storage.source = match blk_driver.as_str() {
+ KATA_BLK_DEV_TYPE => {
+ if let Some(pci_path) = &device.config.pci_path {
+ pci_path.to_string()
+ } else {
+ return Err(anyhow!("block driver is blk but no pci path exists"));
+ }
+ }
+ KATA_SCSI_DEV_TYPE => {
+ if let Some(scsi_addr) = &device.config.scsi_addr {
+ scsi_addr.to_string()
+ } else {
+ return Err(anyhow!("block driver is scsi but no scsi address exists"));
+ }
+ }
+ _ => device.config.virt_path.clone(),
+ };
+ device_id = device.device_id.clone();
+ }
+
 if let DeviceType::Block(device) = device_info {
 let blk_driver = device.config.driver_option;
 // blk, mmioblk
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
index e9d0f4bde7..fa5909fa2e 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs
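Review bot: The new `BlockModern` branch appears to duplicate the driver-to-source resolution of the existing `DeviceType::Block` branch that follows it (the visible opening lines, down to the `// blk, mmioblk` comment, are identical), and the `device_info.clone()` on the new `if let` exists only because the second `if let` still moves `device_info`; a single `match &device_info { DeviceType::BlockModern(m) => …, DeviceType::Block(d) => …, _ => … }` would dispatch once, drop the clone, and keep the two arms side by side so they cannot drift apart. Separately, `let device = &device_mod.lock().await;` borrows a temporary guard and only compiles thanks to temporary lifetime extension, whereas `let device = device_mod.lock().await;` expresses the same thing plainly. The `_ =>` fallback hands `virt_path` to the guest for any driver string other than blk and scsi, so a mis-set or empty `driver_option` is silently treated as an mmio block device instead of being rejected like the other two arms; if the crate has a constant for the mmio driver, matching it explicitly and returning an error for anything else would keep this path fail-closed. `handle_block_volume` begins before the hunk and continues after it.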
@@ -208,11 +208,35 @@ impl Container {
 if let Some(linux) = &mut spec.linux_mut() {
 linux.set_resources(resources);
- // In certain scenarios, particularly under CoCo/Agent Policy enforcement,
- // the value of `Linux.Resources.Devices` should be empty.
+ // Only CPU and Memory constraints are supported in the guest.
+ // Clear unsupported resource fields to match the Go runtime
+ // and satisfy the agent policy checks.
 if let Some(resource) = linux.resources_mut() {
 resource.set_devices(None);
+ resource.set_pids(None);
+ resource.set_block_io(None);
+ resource.set_network(None);
 }
+
+ // VFIO char devices are handled by the VM's device driver, not
+ // presented to the container directly. Remove them from the OCI
+ // spec to match the Go runtime (kata_agent.go:1093-1105) and
+ // satisfy the agent policy's allow_linux_devices check.
+ const VFIO_PATH: &str = "/dev/vfio/";
+ let filtered = linux.devices().as_ref().map(|devices| {
+ devices
+ .iter()
+ .filter(|d| {
+ !(d.typ() == oci::LinuxDeviceType::C
+ && d.path().to_str().is_some_and(|p| p.starts_with(VFIO_PATH)))
+ })
+ .cloned()
+ .collect::>()
+ });
+ linux.set_devices(match filtered {
+ Some(v) if v.is_empty() => None,
+ other => other,
+ });
 }
 let container_name = k8s::container_name(&spec);
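Review bot: The VFIO test inside the new `.filter` closure matches on the stringified path, so a device whose path is not valid UTF-8 or carries a redundant separator (`/dev//vfio/1`) slips through the filter, while `Path::starts_with` compares path components and handles both, e.g. `const VFIO_PATH: &str = "/dev/vfio";` with `d.typ() == oci::LinuxDeviceType::C && d.path().starts_with(VFIO_PATH)`. If, as the hunk's comment says, the agent policy's allow_linux_devices check rejects such leftovers, an unfiltered entry fails closed rather than exposing a device, so this is a robustness point rather than an exposure. The added `set_pids(None)`, `set_block_io(None)` and `set_network(None)` calls silently discard limits the user asked for (the pids limit in particular is the usual fork-bomb guard), and the new comment only says the guest does not support them; a reader would want to know whether anything else enforces them, e.g. `// NOTE(review): pids/blkio/net limits are dropped here, not translated; confirm nothing in the guest is expected to enforce them.` The `if let Some(linux)` block and its enclosing function begin before the hunk and continue after it.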