Don't mount /dev/ inside privileged containers running systemd

According to https://systemd.io/CONTAINER_INTERFACE/, systemd will try take
control over /dev/tty if exported, which can cause conflicts with the host's tty
in privileged containers. Thus we will not expose these to privileged containers
in systemd mode, as this is a bad idea according to systemd's maintainers.

This fixes containers#15878

Signed-off-by: Dan Čermák <dcermak@suse.com>

libpod/container_internal_common.go

@@ -109,7 +109,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	// If the flag to mount all devices is set for a privileged container, add
 	// all the devices from the host's machine into the container
 	if c.config.MountAllDevices {
-		if err := util.AddPrivilegedDevices(&g); err != nil {
+		systemdMode := false
+		if c.config.Systemd != nil {
+			systemdMode = *c.config.Systemd
+		}
+		if err := util.AddPrivilegedDevices(&g, systemdMode); err != nil {
 			return nil, err
 		}
 	}

pkg/util/utils_freebsd.go

@@ -13,6 +13,6 @@ func GetContainerPidInformationDescriptors() ([]string, error) {
 	return []string{}, errors.New("this function is not supported on freebsd")
 }
 
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
 	return nil
 }

pkg/util/utils_linux.go

@@ -70,7 +70,7 @@ func FindDeviceNodes() (map[string]string, error) {
 	return nodes, nil
 }
 
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
 	hostDevices, err := getDevices("/dev")
 	if err != nil {
 		return err
@@ -104,6 +104,9 @@ func AddPrivilegedDevices(g *generate.Generator) error {
 		}
 	} else {
 		for _, d := range hostDevices {
+			if systemdMode && strings.HasPrefix(d.Path, "/dev/tty") {
+				continue
+			}
 			g.AddDevice(d)
 		}
 		// Add resources device - need to clear the existing one first.