From 2ce40b6ad72b4bd4391380cafc5ef1bad1fa0b31 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin <kolyshkin@gmail.com>
Date: Wed, 4 May 2022 14:56:16 -0700
Subject: [PATCH] Remove tun/tap from the default device rules

Looking through git blame, this was added by commit 9fac18329
aka "Initial commit of runc binary", most probably by mistake.

Obviously, a container should not have access to tun/tap device, unless
it is explicitly specified in configuration.

Now, removing this might create a compatibility issue, but I see no
other choice.

Aside from the obvious misconfiguration, this should also fix the
annoying

> Apr 26 03:46:56 foo.bar systemd[1]: Couldn't stat device /dev/char/10:200: No such file or directory

messages from systemd on every container start, when runc uses systemd
cgroup driver, and the system runs an old (< v240) version of systemd
(the message was presumably eliminated by [1]).

[1] https://github.com/systemd/systemd/pull/10996/commits/d5aecba6e0b7c73657c4cf544ce57289115098e7

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
---
 .../ebpf/devicefilter/devicefilter_test.go    | 19 ++++++-------------
 libcontainer/specconv/spec_linux.go           | 10 ----------
 2 files changed, 6 insertions(+), 23 deletions(-)

diff --git a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
index d279335821..25703be5ad 100644
--- a/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
+++ b/libcontainer/cgroups/ebpf/devicefilter/devicefilter_test.go
@@ -120,21 +120,14 @@ block-8:
         51: Mov32Imm dst: r0 imm: 1
         52: Exit
 block-9:
-// tuntap (c, 10, 200, rwm, allow)
+// /dev/pts (c, 136, wildcard, rwm, true)
         53: JNEImm dst: r2 off: -1 imm: 2 <block-10>
-        54: JNEImm dst: r4 off: -1 imm: 10 <block-10>
-        55: JNEImm dst: r5 off: -1 imm: 200 <block-10>
-        56: Mov32Imm dst: r0 imm: 1
-        57: Exit
+        54: JNEImm dst: r4 off: -1 imm: 136 <block-10>
+        55: Mov32Imm dst: r0 imm: 1
+        56: Exit
 block-10:
-// /dev/pts (c, 136, wildcard, rwm, true)
-        58: JNEImm dst: r2 off: -1 imm: 2 <block-11>
-        59: JNEImm dst: r4 off: -1 imm: 136 <block-11>
-        60: Mov32Imm dst: r0 imm: 1
-        61: Exit
-block-11:
-        62: Mov32Imm dst: r0 imm: 0
-        63: Exit
+        57: Mov32Imm dst: r0 imm: 0
+        58: Exit
 `
 	var devices []*devices.Rule
 	for _, device := range specconv.AllowedDevices {
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 5ae95c6c18..83c7a2c348 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -302,16 +302,6 @@ var AllowedDevices = []*devices.Device{
 			Allow:       true,
 		},
 	},
-	// tuntap
-	{
-		Rule: devices.Rule{
-			Type:        devices.CharDevice,
-			Major:       10,
-			Minor:       200,
-			Permissions: "rwm",
-			Allow:       true,
-		},
-	},
 }
 
 type CreateOpts struct {