From 36853c74efb3effffa67d3548a04405461f851f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Dalleau?=
Date: Mon, 13 Dec 2021 16:21:09 +0100
Subject: [PATCH] Revert "runc: don't mount /dev with ro"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This reverts commit 380f36cc1a20f76a164ba1d6e3218e9c1c7c6aec.
Now that runc includes a fix for this, this patch can be reverted
Signed-off-by: Frédéric Dalleau
---
 src/cmd/linuxkit/moby/config.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/cmd/linuxkit/moby/config.go b/src/cmd/linuxkit/moby/config.go
index ead81f91e..d54243825 100644
--- a/src/cmd/linuxkit/moby/config.go
+++ b/src/cmd/linuxkit/moby/config.go
@@ -747,6 +747,9 @@ func ConfigToOCI(yaml *Image, config imagespec.ImageConfig, idMap map[string]uin
 // default options match what Docker does
 procOptions := []string{"nosuid", "nodev", "noexec", "relatime"}
 devOptions := []string{"nosuid", "strictatime", "mode=755", "size=65536k"}
+ if readonly {
+ devOptions = append(devOptions, "ro")
+ }
 ptsOptions := []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"}
 sysOptions := []string{"nosuid", "noexec", "nodev"}
 if readonly {
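Review bot: The added `if readonly` block that appends `"ro"` to `devOptions` has no comment recording that a read-only /dev depends on a fix in runc; the commit message mentions the fix but names neither a runc version nor a commit. Anyone building with an older runc cannot tell from the code why read-only containers might behave differently, so I would add a comment above the block such as `// "ro" on /dev needs a runc that contains the read-only /dev fix (<runc version or commit>); see the revert of 380f36cc`. As a style point, the hunk ends on a second `if readonly {`, so the append could probably live in that existing block instead of a separate conditional, but its body is outside the hunk and I cannot confirm what it does. ConfigToOCI itself starts and ends outside the hunk.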