From 212195041882127ad89de79e4bdf41a713de1716 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 5 Dec 2024 21:21:02 +0100
Subject: [PATCH] cgroup, systemd: do not override devices on update

if the resources configuration on update does not contain any information on devices, do not change the current configuration.
Fixes: https://issues.redhat.com/browse/OCPBUGS-45394
Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/cgroup-systemd.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/src/libcrun/cgroup-systemd.c b/src/libcrun/cgroup-systemd.c
index 4e8b3879d2..1e38751306 100644
--- a/src/libcrun/cgroup-systemd.c
+++ b/src/libcrun/cgroup-systemd.c
@@ -1265,7 +1265,17 @@ append_devices (sd_bus_message *m,
 size_t i;
 if (has_allow_all (resources->devices, resources->devices_len))
- return 0;
+ {
+ sd_err = sd_bus_message_append (m, "(sv)", "DevicePolicy", "s", "auto");
+ if (UNLIKELY (sd_err < 0))
+ return crun_make_error (err, -sd_err, "sd-bus message append DevicePolicy");
+
+ sd_err = sd_bus_message_append (m, "(sv)", "DeviceAllow", "a(ss)", 0);
+ if (UNLIKELY (sd_err < 0))
+ return crun_make_error (err, -sd_err, "sd-bus message append empty DeviceAllow");
+
+ return 0;
+ }
 sd_err = sd_bus_message_append (m, "(sv)", "DevicePolicy", "s", "strict");
 if (UNLIKELY (sd_err < 0))
@@ -1331,6 +1341,7 @@ append_devices (sd_bus_message *m,
 static int
 append_resources (sd_bus_message *m,
+ bool is_update,
 const char *state_dir,
 runtime_spec_schema_config_linux_resources *resources,
 int cgroup_mode,
@@ -1475,7 +1486,13 @@ append_resources (sd_bus_message *m,
 # undef APPEND_UINT64
 # undef APPEND_UINT64_VALUE
- return append_devices (m, resources, err);
+ if (! is_update || resources->devices)
+ {
+ ret = append_devices (m, resources, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+ }
+ return 0;
 }
 static int
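Review bot: The new allow-all branch does not say why an empty `DeviceAllow` is sent together with `DevicePolicy=auto`, and the reason is the security-relevant part: on the update path this is what clears an allow-list that an earlier `strict` configuration (appended just below) left in the unit, so that `auto` actually yields unrestricted access — per systemd.resource-control(5), `auto` imposes no restriction only when no `DeviceAllow=` entries are set, which is worth confirming for the systemd versions targeted. I would add above the first append: `/* Allow-all rule: switch to DevicePolicy=auto and reset DeviceAllow so that an allow-list applied earlier (e.g. before an update) is dropped; with entries left in place "auto" would keep restricting to them. */`. Note the branch also changes the create path, which previously returned here without touching DevicePolicy at all. Whether this path is reached depends entirely on `has_allow_all`, whose definition is outside the hunk, and append_devices continues past the hunk.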
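Review bot: The new `is_update` parameter is undocumented, and its name understates what it does: it does not merely record the caller, it changes how a NULL `resources->devices` is interpreted later in the function (device configuration is skipped instead of a strict policy being applied). I would annotate the parameter in the signature, e.g. `bool is_update, /* true from libcrun_update_resources_systemd: a missing devices section leaves the unit's current device policy untouched */`. The body of append_resources lies outside this hunk.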
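Review bot: The guard `if (! is_update || resources->devices)` keys only on the pointer, so an update whose devices list is present but empty (non-NULL with `devices_len == 0`, if the spec parser produces that for an explicit `[]`) still reaches append_devices and, absent an allow-all rule, applies the `strict` policy, while a missing section is now a no-op; that asymmetry looks deliberate but deserves a comment. I would write `/* On update, a missing "devices" section means "keep the current device policy"; an explicitly empty list is still applied (strict, i.e. deny) so callers can revoke access. */`. If the asymmetry is not intended, the test should be `resources->devices_len > 0`, but note that makes an explicit empty list on update a no-op instead of a deny — a widening of access that should be a conscious choice. `ret` is assumed to be declared earlier in append_resources, outside the hunk.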
@@ -1647,7 +1664,7 @@ enter_systemd_cgroup_scope (runtime_spec_schema_config_linux_resources *resource
 }
 }
- ret = append_resources (m, state_dir, resources, cgroup_mode, err);
+ ret = append_resources (m, false, state_dir, resources, cgroup_mode, err);
 if (UNLIKELY (ret < 0))
 goto exit;
@@ -1957,7 +1974,7 @@ libcrun_update_resources_systemd (struct libcrun_cgroup_status *cgroup_status,
 goto exit;
 }
- ret = append_resources (m, state_dir, resources, cgroup_mode, err);
+ ret = append_resources (m, true, state_dir, resources, cgroup_mode, err);
 if (UNLIKELY (ret < 0))
 goto exit;
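Review bot: The bare `false` in the new `append_resources (m, false, ...)` call is opaque at the call site; nothing tells a reader that it is the `is_update` flag or that it decides whether a missing devices section is applied as a strict policy. A short inline annotation, `append_resources (m, /* is_update */ false, state_dir, resources, cgroup_mode, err);`, or a two-value enum shared with the update path, would make both call sites self-explanatory. The enclosing enter_systemd_cgroup_scope starts before and ends after this hunk.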
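Review bot: This is the call whose behaviour changes, and the hunk carries no comment about it: with `is_update` set, an update whose resources carry no devices section now leaves the unit's existing DevicePolicy/DeviceAllow as they are, whereas before it always ran append_devices and, with no devices and presumably no allow-all rule, re-applied the `strict` policy and thereby tightened access. I would record that at the call site: `/* is_update=true: a resources update without a devices section keeps the current device policy; pass an explicit devices list to change it. */`. Any caller that relied on a device-less update to lock devices down must now send an explicit list, which is worth noting wherever the update semantics are documented. libcrun_update_resources_systemd starts and ends outside this hunk.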