UID/GID fields of devices are ignored when using user namespaces

[sipsma]

When user-namespaces are enabled for a container, runc appears to ignore any UID/GID settings provided for a device in that container's configuration.

The device instead just ends up with the uid/gid as found under the host's /dev for the reasons explained here. Obviously you can't chown or chmod the device when it's bind-mounted from the host, so instead the uid/gid/fileMode fields are just ignored.

In theory, I suspect it's possible for runc to actually support configuring these fields when a userns is enabled. The basic idea being:

1. Detect that device uids/gids are being specified along with a userns
2. Before any namespaces are entered, mknod the devices somewhere under the container's runtime state directory. As long as runc itself has the ability to call mknod (i.e. this isn't a rootless runc invocation or setting up a nested userns), then it can set the uid/gid/fileMode as needed
3. Once inside the container, instead of bind-mounting from the host's /dev, bind-mount the devices created in the above step into the container

If the above fix would indeed work, I think it's worth doing. While there are certainly ways for callers of runc to workaround this issue themselves, they all involve significant compromises (i.e. change permissions under the host's /dev or map uids/gids into the userns that otherwise shouldn't be needed) and/or significant complexity that it seems runc itself is meant to handle.

@cyphar @crosbymichael @mrunalp and others, please let me know what your thoughts are on the feasibility of the suggested fix. It's purely hypothetical at the moment so I certainly could be missing something.