Add support for injecting additional GIDs

Signed-off-by: Evan Lezar <[email protected]>

Author: elezar

internal/edits/device.go

@@ -17,6 +17,9 @@
 package edits
 
 import (
+	"os"
+
+	"golang.org/x/sys/unix"
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 	"tags.cncf.io/container-device-interface/specs-go"
 
@@ -32,9 +35,15 @@ func (d device) toEdits() (*cdi.ContainerEdits, error) {
 		return nil, err
 	}
 
+	var additionalGIDs []uint32
+	if requiredGID, _ := d.getRequiredGID(); requiredGID != 0 {
+		additionalGIDs = append(additionalGIDs, requiredGID)
+	}
+
 	e := cdi.ContainerEdits{
 		ContainerEdits: &specs.ContainerEdits{
-			DeviceNodes: []*specs.DeviceNode{deviceNode},
+			DeviceNodes:    []*specs.DeviceNode{deviceNode},
+			AdditionalGIDs: additionalGIDs,
 		},
 	}
 	return &e, nil
@@ -52,10 +61,37 @@ func (d device) toSpec() (*specs.DeviceNode, error) {
 	if hostPath == d.Path {
 		hostPath = ""
 	}
+
 	s := specs.DeviceNode{
 		HostPath: hostPath,
 		Path:     d.Path,
 	}
 
 	return &s, nil
 }
+
+// getRequiredGID returns the group id of the device if the device is not world read/writable
+func (d device) getRequiredGID() (uint32, error) {
+	path := d.HostPath
+	if path == "" {
+		path = d.Path
+	}
+	if path == "" {
+		return 0, nil
+	}
+
+	var stat unix.Stat_t
+	if err := unix.Lstat(path, &stat); err != nil {
+		return 0, err
+	}
+	// This is only supported for char devices
+	if stat.Mode&unix.S_IFMT != unix.S_IFCHR {
+		return 0, nil
+	}
+
+	permissions := os.FileMode(stat.Mode).Perm()
+	if permissions&06 == 0 {
+		return stat.Gid, nil
+	}
+	return 0, nil
+}

pkg/nvcdi/transform/deduplicate.go

@@ -17,6 +17,8 @@
 package transform
 
 import (
+	"slices"
+
 	"tags.cncf.io/container-device-interface/specs-go"
 )
 
@@ -50,6 +52,12 @@ func (d dedupe) Transform(spec *specs.Spec) error {
 }
 
 func (d dedupe) transformEdits(edits *specs.ContainerEdits) error {
+	additionalGIDs, err := d.deduplicateAdditionalGIDs(edits.AdditionalGIDs)
+	if err != nil {
+		return err
+	}
+	edits.AdditionalGIDs = additionalGIDs
+
 	deviceNodes, err := d.deduplicateDeviceNodes(edits.DeviceNodes)
 	if err != nil {
 		return err
@@ -150,3 +158,19 @@ func (d dedupe) deduplicateMounts(entities []*specs.Mount) ([]*specs.Mount, erro
 	}
 	return mounts, nil
 }
+
+func (d dedupe) deduplicateAdditionalGIDs(entities []uint32) ([]uint32, error) {
+	seen := make(map[uint32]bool)
+	var additionalGIDs []uint32
+	for _, e := range entities {
+		if seen[e] {
+			continue
+		}
+		seen[e] = true
+		additionalGIDs = append(additionalGIDs, e)
+	}
+
+	slices.Sort(additionalGIDs)
+
+	return additionalGIDs, nil
+}