From 71f915c63fac67190ab4940230ddb049640faec2 Mon Sep 17 00:00:00 2001
From: Binbin Zhang
Date: Thu, 9 Sep 2021 15:12:16 +0800
Subject: [PATCH] sandbox: Add device permissions such as /dev/null to cgroup
adds the default devices for unix such as /dev/null, /dev/urandom to the container's resource cgroup spec
Fixes: #2539
Signed-off-by: Binbin Zhang
---
 src/runtime/virtcontainers/sandbox.go | 29 +++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
index a2f69f0084..c4f279da03 100644
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -65,6 +65,7 @@ const ( DirMode = os.FileMode(0750) | os.ModeDir mkswapPath = "/sbin/mkswap"
+ rwm = "rwm"
 ) var (
@@ -580,6 +581,34 @@ func (s *Sandbox) createCgroupManager() error { if spec.Linux.Resources != nil { resources.Devices = spec.Linux.Resources.Devices
+ // spec.Linux.Resources.Devices default only contain {"devices":[{"allow":false,"access":"rwm"}]}
+ if len(resources.Devices) == 1 {
+ intptr := func(i int64) *int64 {
+ return &i
+ }
+
+ // adds the default devices for unix such as /dev/null, /dev/urandom to
+ // the container's resource cgroup spec
+ resources.Devices = append(resources.Devices, []specs.LinuxDeviceCgroup{
+ {
+ // "/dev/null",
+ Type: "c",
+ Major: intptr(1),
+ Minor: intptr(3),
+ Access: rwm,
+ Allow: true,
+ },
+ {
+ // "/dev/urandom",
+ Type: "c",
+ Major: intptr(1),
+ Minor: intptr(9),
+ Access: rwm,
+ Allow: true,
+ },
+ }...)
+ }
+
 if spec.Linux.Resources.CPU != nil { resources.CPU = &specs.LinuxCPU{ Cpus: spec.Linux.Resources.CPU.Cpus,
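Review bot: The `if len(resources.Devices) == 1` guard in the second hunk tests only the list's length, not that its sole entry is the deny-all rule the preceding comment describes, so a spec that deliberately carries a single, different device rule is silently widened with two extra allow entries; tighten it to `if len(resources.Devices) == 1 && !resources.Devices[0].Allow {` so the permissive path runs only when the spec really holds the default deny. Since this loosens the device cgroup policy the sandbox enforces, it is also worth a short why-comment on the append stating that these two allow rules are added only on top of a default deny-all list and never replace user-supplied rules. The `intptr` closure is re-created on every call and could live at package level next to the new `rwm` constant, which in turn deserves a doc comment such as `// rwm is the device cgroup access string for read, write and mknod.`. The enclosing createCgroupManager begins and ends outside this hunk.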