add oci.WithAllDevicesAllowed flag for privileged_without_host_devices

This commit adds a flag that enables whitelisting of all devices when
privileged_without_host_devices is already enabled.

Fixes #5679

Signed-off-by: Dat Nguyen <dnguyen7@atlassian.com>
This commit is contained in:
Dat Nguyen
2021-07-05 13:21:12 +10:00
parent 493220b719
commit afe39bebfe
5 changed files with 65 additions and 9 deletions


@@ -223,6 +223,9 @@ func (c *criService) containerSpec(
specOpts = append(specOpts, oci.WithPrivileged)
if !ociRuntime.PrivilegedWithoutHostDevices {
specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)
} else if ociRuntime.PrivilegedWithoutHostDevicesAllDevicesAllowed {
// allow rwm on all devices for the container
specOpts = append(specOpts, oci.WithAllDevicesAllowed)
}
}
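Review bot: The new `else if` branch appends `oci.WithAllDevicesAllowed` without `oci.WithHostDevices`, so the container's device cgroup permits rwm on every device even though no host device nodes are mounted; because `oci.WithPrivileged` is appended just above and, as I read it, leaves the container with the full capability set (including the ability to create device nodes), this option largely re-opens the device access that `privileged_without_host_devices` was configured to close, and the one-line comment does not say so. An operator reading this code path should see that trade-off where the option takes effect, so I would expand the comment to: `// allow rwm on all devices for the container: host device nodes are still not mounted, but a privileged container can create its own, so this deliberately weakens privileged_without_host_devices and must be an explicit opt-in`. I cannot see the runtime config documentation for `PrivilegedWithoutHostDevicesAllDevicesAllowed` in this hunk (it lives in another file of the commit), so I would check that the same caveat is stated there. The enclosing `containerSpec` function starts and ends outside the hunk, and the hunk's trailing context line appears to have been dropped in rendering.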