tests/int: demo default device access rule removal

kolyshkin · kolyshkin · commit 2f334585bc69 · 2026-04-17T18:46:00.000-07:00
Since commit 0709202 ("Remove runc default devices that overlap with spec devices.") runc removes the default cgroup device access rule from the default set in case a device with the same path is also listed in container spec. Judging by the commit description, this was not the intention, and yet this is what we have. As the behavior is now part of runc (since v1.0-rc93), it makes sense to at least test it, to ensure it won't be broken in the future. In addition, the test case serves as a demo how to limit the container device access to a subset of default AllowedDevices. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
diff --git a/tests/integration/dev.bats b/tests/integration/dev.bats
@@ -10,6 +10,34 @@ function teardown() {
 	teardown_bundle
 }
 
+@test "runc run [redundant default /dev/full]" {
+	# 1. This is how a device from the default AllowedDevices should work as is.
+	# It's /dev/full so it should return "no space left on device" error.
+	update_config '	.process.args |= ["sh", "-c", "stat /dev/full; echo foo >/dev/full"]'
+	runc run test_dev
+	[ "$status" -eq 1 ]
+	[[ "$output" == *"Device type: 1,7"* ]]
+	[[ "$output" == *": No space left on device"* ]]
+
+	# 2. Add the device to linux.devices only (but not to linux.resources.devices).
+	# This way it will be excluded from the cgroup allow rules.
+	update_config ' .linux.devices += [{"path": "/dev/full", "type": "c", "major": 1, "minor": 7}]'
+	runc run test_dev
+	[ "$status" -eq 1 ]
+	[[ "$output" == *"Device type: 1,7"* ]]
+	[[ "$output" == *": Operation not permitted"* ]]
+
+	# 3. Also add it to cgroups list. Now it should work like the default one (see 1 above).
+	update_config ' .linux.resources.devices = [
+		{"allow": false, "access": "rwm"},
+		{"allow": true, "type": "c", "major": 1, "minor": 7, "access": "rw"}
+	]'
+	runc run test_dev
+	[ "$status" -eq 1 ]
+	[[ "$output" == *"Device type: 1,7"* ]]
+	[[ "$output" == *": No space left on device"* ]]
+}
+
 @test "runc run [redundant default /dev/tty]" {
 	update_config ' .linux.devices += [{"path": "/dev/tty", "type": "c", "major": 5, "minor": 0}]
 		      | .process.args |= ["ls", "-lLn", "/dev/tty"]'
