From 756f4a3147d6fde2f69077ae1805dacde886bf89 Mon Sep 17 00:00:00 2001
From: scuzhanglei
Date: Fri, 3 Sep 2021 17:00:22 +0800
Subject: [PATCH] cri: add devices for privileged container

Signed-off-by: scuzhanglei
---
 pkg/cri/server/container_create_linux.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
index d1168d8f5..f94e1509d 100644
--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@@ -213,6 +213,9 @@ func (c *criService) containerSpec(
 		}
 	}
 
+	specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext),
+		customopts.WithCapabilities(securityContext, c.allCaps))
+
 	if securityContext.GetPrivileged() {
 		if !sandboxConfig.GetLinux().GetSecurityContext().GetPrivileged() {
 			return nil, errors.New("no privileged container allowed in sandbox")
@@ -220,14 +223,7 @@ func (c *criService) containerSpec(
 		specOpts = append(specOpts, oci.WithPrivileged)
 		if !ociRuntime.PrivilegedWithoutHostDevices {
 			specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)
-		} else {
-			// add requested devices by the config as host devices are not automatically added
-			specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext),
-				customopts.WithCapabilities(securityContext, c.allCaps))
 		}
-	} else { // not privileged
-		specOpts = append(specOpts, customopts.WithDevices(c.os, config, c.config.DeviceOwnershipFromSecurityContext),
-			customopts.WithCapabilities(securityContext, c.allCaps))
 	}
 
 	// Clear all ambient capabilities. The implication of non-root + caps
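Review bot: Hoisting `customopts.WithCapabilities(securityContext, c.allCaps)` above the privileged branch in the first hunk reorders it relative to `oci.WithPrivileged`, which the removed `else` in the second hunk used to apply first when `PrivilegedWithoutHostDevices` is set. If `oci.WithPrivileged` installs the full capability set when it runs (its implementation is not in this patch, so this is inferred), the security context's drop requests for that configuration are now overwritten rather than honoured, a least-privilege regression worth pinning with a test that sets `PrivilegedWithoutHostDevices` together with a `DropCapabilities` entry. For the host-devices branch, `customopts.WithDevices` now runs alongside `oci.WithHostDevices`, so a device that is both requested in the config and present on the host may appear twice in the spec's Linux device list; confirm that later opts tolerate duplicates or dedupe them here. If the intent is that config capabilities refine the privileged set, keep the previous ordering by appending `specOpts = append(specOpts, customopts.WithCapabilities(securityContext, c.allCaps))` on its own line after the closing `}` of `if securityContext.GetPrivileged()` instead of bundling it with `WithDevices`. `containerSpec` begins and continues outside both hunks.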