Add support for wildcard devices

This change allows the following device node CDI spec to be considered
valid:

path: "*"
type: "c"
major: 195
minor: -1
permissions: "rwm"

When this is included in the spec, no device nodes are added to the OCI
runtime spec, but the linux resources (cgroups) are updated to allow
access to all devices in the same way as the Docker `--device-cgroup-rule`
flag.

This is useful when starting a container that needs to be able to create
device nodes that do not exist when it is started.

Signed-off-by: Evan Lezar <elezar@nvidia.com>

Author: elezar

pkg/cdi/container-edits.go

@@ -354,6 +354,10 @@ func (d *DeviceNode) Validate() error {
 }
 
 func (d *DeviceNode) addToGenerator(specgen *ocigen.Generator, spec *oci.Spec) error {
+	if d.isWildcardDevice() {
+		return d.addAsWildcardDevice(specgen)
+	}
+
 	err := d.fillMissingInfo()
 	if err != nil {
 		return err
@@ -389,8 +393,33 @@ func (d *DeviceNode) getAccessString() string {
 		return d.Permissions
 	}
 }
+
+// isWildcardDevice returns whether the device node represents a "wildcard" device.
+// Such devices do not cause device nodes to be created in the container, but
+// do update the cgroups to allow device access. A wildcard device always has
+// the path specified as "*" and setting major or minor numbers to -1 will add
+// a cgroup rule that matches all major (or minor) numbers.
+func (d *DeviceNode) isWildcardDevice() bool {
+	return d.Path == "*"
+}
+
+func (d *DeviceNode) addAsWildcardDevice(specgen *ocigen.Generator) error {
+	if d.Type != "b" && d.Type != "c" {
+		return fmt.Errorf("wildcard device node not supported for device type %v", d.Type)
+	}
+	var major *int64
+	if d.Major != -1 {
+		major = &d.Major
+	}
+	var minor *int64
+	if d.Minor != -1 {
+		minor = &d.Minor
+	}
+	specgen.AddLinuxResourcesDevice(true, d.Type, major, minor, d.getAccessString())
+
 	return nil
 }
+
 // Hook is a CDI Spec Hook wrapper, used for validating hooks.
 type Hook struct {
 	*cdi.Hook