oci: fix the file mode of the device

[Iceber]

The file mode of the device in the OCI runtime specification does not contain file type bits

unix.Stat_t.Mode contains the file type and mode，details are in "The file type and mode" section of inode

This issue causes some config.json to fail the runtime spec schema validation

For example, the config.json for the kube-proxy container

devices:
    [
            {
                "path":"/dev/sda",
                "type":"b",
                "major":8,
                "minor":0,
                "fileMode":25008,
                "uid":0,
                "gid":6
            },
           {
                "path":"/dev/null",
                "type":"c",
                "major":1,
                "minor":3,
                "fileMode":8630,
                "uid":0,
                "gid":0
            },
            {
                "path":"/dev/tty0",
                "type":"c",
                "major":4,
                "minor":0,
                "fileMode":8592,
                "uid":0,
                "gid":5
            },
            ...
    ]

Discussions about FileMode: opencontainers/runtime-spec#1082

[k8s-ci-robot]

Hi @Iceber. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 48s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 5m 44s (non-voting)

[thaJeztah]

@AkihiroSuda does libcontainer/devices.DeviceFromPath need a similar change?

[Iceber]

@thaJeztah @AkihiroSuda

# libcontainer/devices/device.go
type Device struct {
        Rule

        // Path to the device.
        Path string `json:"path"`

        // FileMode permission bits for the device.
        FileMode os.FileMode `json:"file_mode"`

        // Uid of the device.
        Uid uint32 `json:"uid"`

        // Gid of the device.
        Gid uint32 `json:"gid"`
}

mode &^ unix.S_IFMT should be added when setting device.FileMode.

[Iceber]

I'm going to try to fix this issue in runc

[thaJeztah]

I'm going to try to fix this issue in runc

Thank you!

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : NODE_FAILURE in 0s (non-voting)

[Iceber]

@thaJeztah opencontainers/runc#2804 is approved, pls review.

[thaJeztah]

LGTM

[Iceber]

@AkihiroSuda PTAL, Thanks

[Iceber]

@AkihiroSuda Is it necessary to fix the previous version?

[AkihiroSuda]

I'd prefer not to backport this unless there is a strong reason

[Iceber]

This issue was found in the use of 1.2.10, the essence of the issue is that it does not comply with the OCI runtime specification, fixing the previous version may make sense
Of course, this issue does not cause program anomalies, but may cause confusion in the use of

[estesp]

LGTM