Merge pull request #40291 from akhilerm/privileged-device

35991- make `--device` works at privileged mode

daemon/container.go

@@ -275,6 +275,7 @@ func validateHostConfig(hostConfig *containertypes.HostConfig, platform string)
 	if hostConfig == nil {
 		return nil
 	}
+
 	if hostConfig.AutoRemove && !hostConfig.RestartPolicy.IsNone() {
 		return errors.Errorf("can't create 'AutoRemove' container with restart policy")
 	}

daemon/oci_linux.go

@@ -805,6 +805,7 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		// Build lists of devices allowed and created within the container.
 		var devs []specs.LinuxDevice
 		devPermissions := s.Linux.Resources.Devices
+
 		if c.HostConfig.Privileged && !rsystem.RunningInUserNS() {
 			hostDevices, err := devices.HostDevices()
 			if err != nil {
@@ -813,6 +814,25 @@ func WithDevices(daemon *Daemon, c *container.Container) coci.SpecOpts {
 			for _, d := range hostDevices {
 				devs = append(devs, oci.Device(d))
 			}
+
+			// adding device mappings in privileged containers
+			for _, deviceMapping := range c.HostConfig.Devices {
+				// issue a warning that custom cgroup permissions are ignored in privileged mode
+				if deviceMapping.CgroupPermissions != "rwm" {
+					logrus.WithField("container", c.ID).Warnf("custom %s permissions for device %s are ignored in privileged mode", deviceMapping.CgroupPermissions, deviceMapping.PathOnHost)
+				}
+				// issue a warning that the device path already exists via /dev mounting in privileged mode
+				if deviceMapping.PathOnHost == deviceMapping.PathInContainer {
+					logrus.WithField("container", c.ID).Warnf("path in container %s already exists in privileged mode", deviceMapping.PathInContainer)
+					continue
+				}
+				d, _, err := oci.DevicesFromPath(deviceMapping.PathOnHost, deviceMapping.PathInContainer, "rwm")
+				if err != nil {
+					return err
+				}
+				devs = append(devs, d...)
+			}
+
 			devPermissions = []specs.LinuxDeviceCgroup{
 				{
 					Allow:  true,