Allow loop devices access for privileged containers

rkoster · rkoster · commit 5a01702e6255 · 2026-01-23T09:30:16.000Z
Add device cgroup rules to allow privileged containers access to:
- All loop block devices (/dev/loop*) with rwm permissions
- Loop control device (/dev/loop-control) with rwm permissions

These rules enable loop device operations in privileged containers
while maintaining security isolation for unprivileged containers.
diff --git a/guardiancmd/server.go b/guardiancmd/server.go
@@ -119,6 +119,10 @@ var (
 
 		// We allow these
 		{Access: "rwm", Type: fuseDevice.Type, Major: intRef(fuseDevice.Major), Minor: intRef(fuseDevice.Minor), Allow: true},
+
+		// Loop devices (privileged containers only)
+		{Access: "rwm", Type: "b", Major: intRef(7), Minor: deviceWildcard(), Allow: true},        // /dev/loop*
+		{Access: "rwm", Type: "c", Major: intRef(10), Minor: intRef(237), Allow: true},           // /dev/loop-control
 	}
 )
 

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,10 @@ var (`
`119`	`119`
`120`	`120`	`// We allow these`
`121`	`121`	`{Access: "rwm", Type: fuseDevice.Type, Major: intRef(fuseDevice.Major), Minor: intRef(fuseDevice.Minor), Allow: true},`
	`122`	`+`
	`123`	`+ // Loop devices (privileged containers only)`
	`124`	`+ {Access: "rwm", Type: "b", Major: intRef(7), Minor: deviceWildcard(), Allow: true}, // /dev/loop*`
	`125`	`+ {Access: "rwm", Type: "c", Major: intRef(10), Minor: intRef(237), Allow: true}, // /dev/loop-control`
`122`	`126`	`}`
`123`	`127`	`)`
`124`	`128`