virtcontainers: apply constraints to the sandbox cgroup

Kata relies on the cgroup parent created and configured by the container engine, but sometimes the sandbox cgroup is not configured and the container may have access to all the resources, hence the runtime must constrain the sandbox and update the list of devices with the devices hotplugged in the hypervisor. Fixes: kata-containers/runtime#2605 Signed-off-by: Julio Montes <julio.montes@intel.com> Signed-off-by: Peng Tao <bergwolf@hyper.sh>
2025-09-16 14:28:35 +00:00 · 2020-05-26 00:30:47 -07:00
parent 9cdc899c76
commit 8f5a69373b
1 changed files with 16 additions and 5 deletions
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -641,11 +641,22 @@ func (s *Sandbox) createCgroupManager() error {
 	if spec != nil {
 		cgroupPath = spec.Linux.CgroupsPath

-		// kata should rely on the cgroup created and configured by
-		// container engine *only* if actual container was
-		// marked *explicitly* as sandbox through annotations.
-		if !s.config.HasCRIContainerType {
-			resources = *spec.Linux.Resources
+		// Kata relies on the cgroup parent created and configured by the container
+		// engine, but sometimes the sandbox cgroup is not configured and the container
+		// may have access to all the resources, hence the runtime must constrain the
+		// sandbox and update the list of devices with the devices hotplugged in the
+		// hypervisor.
+		resources = *spec.Linux.Resources
+	}
+
+	if s.devManager != nil {
+		for _, d := range s.devManager.GetAllDevices() {
+			dev, err := vccgroups.DeviceToLinuxDevice(d.GetHostPath())
+			if err != nil {
+				s.Logger().WithError(err).WithField("device", d.GetHostPath()).Warn("Could not add device to sandbox resources")
+				continue
+			}
+			resources.Devices = append(resources.Devices, dev)
 		}
 	}