Allow rootless containers with privileged to mount devices that are accessible
(ignore permission errors in rootless mode).
This patch updates oci.getDevices() to ignore access denied errors on sub-
directories and files within the given path if the container is running with
userns enabled.
Note that these errors are _only_ ignored on paths _under_ the specified path,
and not the path itself, so if `HostDevices()` is used, and `/dev` itself is
not accessible, or `WithDevices()` is used to specify a device that is not
accessible, an error is still produced.
Tests were added, which includes a temporary workaround for compatibility
with Go 1.16 (we could decide to skip these tests on Go 1.16 instead).
To verify the patch in a container:
docker run --rm -v $(pwd):/go/src/github.com/containerd/containerd -w /go/src/github.com/containerd/containerd golang:1.17 sh -c 'go test -v -run TestHostDevices ./oci'
=== RUN TestHostDevicesOSReadDirFailure
--- PASS: TestHostDevicesOSReadDirFailure (0.00s)
=== RUN TestHostDevicesOSReadDirFailureInUserNS
--- PASS: TestHostDevicesOSReadDirFailureInUserNS (0.00s)
=== RUN TestHostDevicesDeviceFromPathFailure
--- PASS: TestHostDevicesDeviceFromPathFailure (0.00s)
=== RUN TestHostDevicesDeviceFromPathFailureInUserNS
--- PASS: TestHostDevicesDeviceFromPathFailureInUserNS (0.00s)
=== RUN TestHostDevicesAllValid
--- PASS: TestHostDevicesAllValid (0.00s)
PASS
ok github.com/containerd/containerd/oci 0.006s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This ports the changes of 95a59bf206
to this repository.
From that PR:
(mode&S_IFCHR == S_IFCHR) is the wrong way of checking the type of an
inode because the S_IF* bits are actually not a bitmask and instead must
be checked using S_IF*. This bug was neatly hidden behind a (major == 0)
sanity-check but that was removed by [1].
In addition, add a test that makes sure that HostDevices() doesn't give
rubbish results -- because we broke this and fixed this before[2].
[1]: 24388be71e ("configs: use different types for .Devices and .Resources.Devices")
[2]: 3ed492ad33 ("Handle non-devices correctly in DeviceFromPath")
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
