virtcontainers: apply constraints to the sandbox cgroup

Kata relies on the cgroup parent created and configured by the container
engine, but sometimes the sandbox cgroup is not configured and the container
may have access to all the resources, hence the runtime must constrain the
sandbox and update the list of devices with the devices hotplugged in the
hypervisor.

Fixes: kata-containers/runtime#2605
Signed-off-by: Julio Montes <julio.montes@intel.com>
Signed-off-by: Peng Tao <bergwolf@hyper.sh>

src/runtime/virtcontainers/sandbox.go

@@ -641,11 +641,22 @@ func (s *Sandbox) createCgroupManager() error {
 	if spec != nil {
 		cgroupPath = spec.Linux.CgroupsPath
 
-		// kata should rely on the cgroup created and configured by
+		// Kata relies on the cgroup parent created and configured by the container
-		// container engine *only* if actual container was
+		// engine, but sometimes the sandbox cgroup is not configured and the container
-		// marked *explicitly* as sandbox through annotations.
+		// may have access to all the resources, hence the runtime must constrain the
-		if !s.config.HasCRIContainerType {
+		// sandbox and update the list of devices with the devices hotplugged in the
-			resources = *spec.Linux.Resources
+		// hypervisor.
+		resources = *spec.Linux.Resources
+	}
+
+	if s.devManager != nil {
+		for _, d := range s.devManager.GetAllDevices() {
+			dev, err := vccgroups.DeviceToLinuxDevice(d.GetHostPath())
+			if err != nil {
+				s.Logger().WithError(err).WithField("device", d.GetHostPath()).Warn("Could not add device to sandbox resources")
+				continue
+			}
+			resources.Devices = append(resources.Devices, dev)
 		}
 	}