From e235fc1efbd6ea391d5925f4d990b1af04f35328 Mon Sep 17 00:00:00 2001 From: Alex Lyn Date: Wed, 3 Sep 2025 18:00:04 +0800 Subject: [PATCH] runtime-rs: Remove default value of Linux.Resources.Devices in OCI Spec In certain scenarios, particularly under CoCo/Agent Policy enforcement, the default initial value of `Linux.Resources.Devices` is considered non-compliant, leading to container creation failures. To address this issue and ensure consistency with the behavior in `runtime-go`, this commit removes the default value of `Linux.Resources.Devices` from the OCI Spec. This cleanup ensures that the OCI Spec aligns with runtime expectations and prevents policy violations during container creation. Signed-off-by: Alex Lyn --- .../src/container_manager/container.rs | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs index 089239de9b..dadc0e978a 100644 --- a/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs +++ b/src/runtime-rs/crates/runtimes/virt_container/src/container_manager/container.rs @@ -18,7 +18,7 @@ use common::{ }; use kata_sys_util::k8s::update_ephemeral_storage_type; use kata_types::k8s; -use oci_spec::runtime as oci; +use oci_spec::runtime::{self as oci, LinuxDeviceCgroup}; use oci::{LinuxResources, Process as OCIProcess}; use resource::{ 
@@ -602,13 +602,33 @@ fn amend_spec( // special process K8s ephemeral volumes. update_ephemeral_storage_type(spec); - if let Some(linux) = spec.linux_mut() { + if let Some(linux) = &mut spec.linux_mut() { if disable_guest_seccomp { linux.set_seccomp(None); } - if let Some(_resource) = linux.resources_mut() { - LinuxResources::default(); + // In certain scenarios, particularly under CoCo/Agent Policy enforcement, the default initial value of `Linux.Resources.Devices` + // is considered non-compliant, leading to container creation failures. To address this issue and ensure consistency with the behavior + // in `runtime-go`, the default value of `Linux.Resources.Devices` from the OCI Spec should be removed. + if let Some(resources) = linux.resources_mut() { + if let Some(devices) = resources.devices_mut().take() { + let cleaned_devices: Vec = devices + .into_iter() + .filter(|device| { + !(!device.allow() + && device.typ().is_none() + && device.major().is_none() + && device.minor().is_none() + && device.access().as_deref() == Some("rwm")) + }) + .collect(); + + resources.set_devices(if cleaned_devices.is_empty() { + None + } else { + Some(cleaned_devices) + }); + } } // Host pidns path does not make sense in kata. Let's just align it with
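Review bot: The filter on the new `cleaned_devices` chain drops a rule only when `allow()` is false, `typ()`, `major()` and `minor()` are all `None` and `access()` is exactly `"rwm"`, i.e. the default deny-all entry a spec generator emits; the same deny-all rule written with another access order (for example `"mrw"`) or with an explicit `typ` would survive, so the block comment above `if let Some(resources) = linux.resources_mut()` should state that only that generated default entry is targeted and that the device-cgroup baseline is then presumably expected to come from the guest side rather than from the spec. The `&mut` in `if let Some(linux) = &mut spec.linux_mut() {` re-borrows the already mutable result of `linux_mut()` and will likely trip clippy's needless_borrow lint; the form the hunk replaces, `if let Some(linux) = spec.linux_mut() {`, binds `linux` the same way. With `LinuxResources::default()` removed, confirm that `LinuxResources` in the retained `use oci::{LinuxResources, Process as OCIProcess};` line of the first hunk is still referenced elsewhere in the file, otherwise that import is now dead. `amend_spec` starts before this hunk and continues after it.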