From 572a2b57189ae3ea9de56da8e6e78338ed048c0d Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Thu, 30 Jan 2020 13:47:44 -0800
Subject: [PATCH] entitlements: mount loop devices relative to next free device
Signed-off-by: Tonis Tiigi
---
 util/entitlements/security/security_linux.go | 26 +++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/util/entitlements/security/security_linux.go b/util/entitlements/security/security_linux.go
index 23e742ef..05b3ff31 100644
--- a/util/entitlements/security/security_linux.go
+++ b/util/entitlements/security/security_linux.go
@@ -3,10 +3,14 @@ package security
 import (
 "context"
 "fmt"
+ "os"
 "github.com/containerd/containerd/containers"
 "github.com/containerd/containerd/oci"
 specs "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
 )
 // WithInsecureSpec sets spec with All capability.
@@ -122,7 +126,12 @@ func WithInsecureSpec() oci.SpecOpts {
 },
 }...)
- for i := 0; i <= 7; i++ {
+ loopID, err := getFreeLoopID()
+ if err != nil {
+ logrus.Debugf("failed to get next free loop device: %v", err)
+ }
+
+ for i := 0; i <= loopID+7; i++ {
 s.Linux.Devices = append(s.Linux.Devices, specs.LinuxDevice{
 Path: fmt.Sprintf("/dev/loop%d", i),
 Type: "b",
@@ -134,3 +143,18 @@ func WithInsecureSpec() oci.SpecOpts {
 return nil
 }
 }
+
+func getFreeLoopID() (int, error) {
+ fd, err := os.OpenFile("/dev/loop-control", os.O_RDWR, 0644)
+ if err != nil {
+ return 0, err
+ }
+ defer fd.Close()
+
+ const _LOOP_CTL_GET_FREE = 0x4C82
+ r1, _, uerr := unix.Syscall(unix.SYS_IOCTL, fd.Fd(), _LOOP_CTL_GET_FREE, 0)
+ if uerr == 0 {
+ return int(r1), nil
+ }
+ return 0, errors.Errorf("error getting free loop device: %v", uerr)
+}
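Review bot: The rewritten loop in the second hunk still starts at 0, so the spec now lists every node from `/dev/loop0` up to `loopID+7`, and the entries below `loopID` are likely the devices that were already attached when the free index was queried, presumably backing mounts of the host or of other builds. If the container only needs devices it can attach itself, `for i := loopID; i <= loopID+7; i++ {` would narrow that exposure; if the low entries are kept on purpose, a comment such as `// loop0..loopID-1 are already in use on the host; exposed only under the insecure entitlement` would record the decision. The failure path falls back to loop0–7 with only a `Debugf`, so a build that later cannot find a usable loop device gives no hint why unless debug logging is on; `logrus.Warnf` would surface it. The device literal and the rest of WithInsecureSpec continue outside the hunk.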
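Review bot: getFreeLoopID has no doc comment, and its name hides that the LOOP_CTL_GET_FREE ioctl is not read-only: per loop(4) it allocates a new loop device on the host when none is free, so building a spec can leave a device behind. I would document that, e.g. `// getFreeLoopID returns the index of the first unused loop device; the kernel creates one if none is free.` The error path flattens the errno into a string; `return 0, errors.Wrap(uerr, "error getting free loop device")` keeps the `syscall.Errno` reachable through `errors.Cause`. The `0644` passed to `os.OpenFile` has no effect without `O_CREATE` and could simply be `0`.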