From fcf673d5d5bdefc8262a3f8626811ca418602bbd Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 26 Jun 2023 17:09:55 +0200
Subject: [PATCH] specgen, rootless: raise error with --device-cgroup-rule

we were silently ignoring --device-cgroup-rule in rootless mode. Make sure an error is returned if the user tries to use it.

Closes: https://github.com/containers/podman/issues/18698

Signed-off-by: Giuseppe Scrivano
---
 pkg/specgen/generate/oci_linux.go | 3 +++
 test/system/030-run.bats | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/specgen/generate/oci_linux.go b/pkg/specgen/generate/oci_linux.go
index ddba5f7175..3d210bffdf 100644
--- a/pkg/specgen/generate/oci_linux.go
+++ b/pkg/specgen/generate/oci_linux.go
@@ -255,6 +255,9 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	s.HostDeviceList = userDevices
 
 	// set the devices cgroup when not running in a user namespace
+	if isRootless && len(s.DeviceCgroupRule) > 0 {
+		return nil, fmt.Errorf("device cgroup rules are not supported in rootless mode or in a user namespace")
+	}
 	if !inUserNS && !s.Privileged {
 		for _, dev := range s.DeviceCgroupRule {
 			g.AddLinuxResourcesDevice(true, dev.Type, dev.Major, dev.Minor, dev.Access)
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 85ff2b2b71..463d7fd255 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -785,7 +785,11 @@ EOF
 }
 
 @test "podman run --device-cgroup-rule tests" {
-    skip_if_rootless "cannot add devices in rootless mode"
+    if is_rootless; then
+        run_podman 125 run --device-cgroup-rule="b 7:* rmw" --rm $IMAGE
+        is "$output" "Error: device cgroup rules are not supported in rootless mode or in a user namespace"
+        return
+    fi
     run_podman run --device-cgroup-rule="b 7:* rmw" --rm $IMAGE
     run_podman run --device-cgroup-rule="c 7:* rmw" --rm $IMAGE
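Review bot: The error returned by the added guard in the oci_linux.go hunk promises rejection "in rootless mode or in a user namespace", but the condition only tests `isRootless`, so a rootful run inside a user namespace still reaches the `if !inUserNS && !s.Privileged` branch below and has its rules dropped silently, which is the behaviour the commit sets out to remove. Either widen the guard to `if (isRootless || inUserNS) && len(s.DeviceCgroupRule) > 0 {` or narrow the message to rootless only; note the bats test asserts the exact message, so the two must stay in step. The new check is also inserted between the comment `// set the devices cgroup when not running in a user namespace` and the `if !inUserNS` it describes, so moving it above that comment (or giving it its own, e.g. `// rootless cannot program the devices cgroup; fail loudly rather than ignore the rules`) keeps the existing comment attached to its statement. `isRootless` and `inUserNS` are defined outside the hunk and SpecGenToOCI continues past it, so whether the privileged case should also be rejected is not decidable from here.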