opencontainers
diff --git a/‎features.go‎
Lines changed: 3 additions & 0 deletions b/‎features.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎libcontainer/configs/config.go‎
Lines changed: 3 additions & 0 deletions b/‎libcontainer/configs/config.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎libcontainer/configs/doc.go‎
Lines changed: 2 additions & 0 deletions b/‎libcontainer/configs/doc.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎libcontainer/configs/netdevices.go‎
Lines changed: 7 additions & 0 deletions b/‎libcontainer/configs/netdevices.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎libcontainer/configs/validate/validator.go‎
Lines changed: 38 additions & 0 deletions b/‎libcontainer/configs/validate/validator.go‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎libcontainer/configs/validate/validator_test.go‎
Lines changed: 166 additions & 0 deletions b/‎libcontainer/configs/validate/validator_test.go‎
Lines changed: 166 additions & 0 deletions
@@ -63,6 +63,9 @@ var featuresCommand = cli.Command{
 						Enabled: &t,
 					},
 				},
+				NetDevices: &features.NetDevices{
+					Enabled: &t,
+				},
 			},
 			PotentiallyUnsafeConfigAnnotations: []string{
 				"bundle",
 
@@ -15,12 +15,13 @@ require (
 	github.com/moby/sys/userns v0.1.0
 	github.com/mrunalp/fileutils v0.5.1
 	github.com/opencontainers/cgroups v0.0.2
-	github.com/opencontainers/runtime-spec v1.2.1
+	github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67
 	github.com/opencontainers/selinux v1.12.0
 	github.com/seccomp/libseccomp-golang v0.11.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/urfave/cli v1.22.17
 	github.com/vishvananda/netlink v1.3.1
+	github.com/vishvananda/netns v0.0.5
 	golang.org/x/net v0.41.0
 	golang.org/x/sys v0.33.0
 	google.golang.org/protobuf v1.36.6
@@ -30,5 +31,4 @@ require (
 	github.com/cilium/ebpf v0.17.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/vishvananda/netns v0.0.5 // indirect
 )
@@ -47,8 +47,8 @@ github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm
 github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/opencontainers/cgroups v0.0.2 h1:A+mAPPMfgKNCEZUUtibESFx06uvhAmvo8sSz3Abwk7o=
 github.com/opencontainers/cgroups v0.0.2/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=
-github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
-github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67 h1:Q+KewUGTMamIe6Q39xCD/T1NC1POmaTlWnhjikCrZHA=
+github.com/opencontainers/runtime-spec v1.2.2-0.20250401095657-e935f995dd67/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 
@@ -119,6 +119,9 @@ type Config struct {
 	// The device nodes that should be automatically created within the container upon container start.  Note, make sure that the node is marked as allowed in the cgroup as well!
 	Devices []*devices.Device `json:"devices"`
 
+	// NetDevices are key-value pairs, keyed by network device name, moved to the container's network namespace.
+	NetDevices map[string]*LinuxNetDevice `json:"netDevices,omitempty"`
+
 	MountLabel string `json:"mount_label,omitempty"`
 
 	// Hostname optionally sets the container's hostname if provided.
 
@@ -0,0 +1,2 @@
+// Package configs defines the structures and constants used for configuring a container
+package configs
@@ -0,0 +1,7 @@
+package configs
+
+// LinuxNetDevice represents a single network device to be added to the container's network namespace.
+type LinuxNetDevice struct {
+	// Name of the device in the container namespace.
+	Name string `json:"name,omitempty"`
+}
@@ -24,6 +24,7 @@ func Validate(config *configs.Config) error {
 		cgroupsCheck,
 		rootfs,
 		network,
+		netdevices,
 		uts,
 		security,
 		namespaces,
@@ -70,6 +71,43 @@ func rootfs(config *configs.Config) error {
 	return nil
 }
 
+// https://elixir.bootlin.com/linux/v6.12/source/net/core/dev.c#L1066
+func devValidName(name string) bool {
+	if len(name) == 0 || len(name) > unix.IFNAMSIZ {
+		return false
+	}
+	if name == "." || name == ".." {
+		return false
+	}
+	if strings.ContainsAny(name, "/: ") {
+		return false
+	}
+	return true
+}
+
+func netdevices(config *configs.Config) error {
+	if len(config.NetDevices) == 0 {
+		return nil
+	}
+	if !config.Namespaces.Contains(configs.NEWNET) {
+		return errors.New("unable to move network devices without a NET namespace")
+	}
+
+	if config.RootlessEUID || config.RootlessCgroups {
+		return errors.New("network devices are not supported for rootless containers")
+	}
+
+	for name, netdev := range config.NetDevices {
+		if !devValidName(name) {
+			return fmt.Errorf("invalid network device name %q", name)
+		}
+		if netdev.Name != "" && !devValidName(netdev.Name) {
+			return fmt.Errorf("invalid network device name %q", netdev.Name)
+		}
+	}
+	return nil
+}
+
 func network(config *configs.Config) error {
 	if !config.Namespaces.Contains(configs.NEWNET) {
 		if len(config.Networks) > 0 || len(config.Routes) > 0 {
 
@@ -3,6 +3,7 @@ package validate
 import (
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/opencontainers/runc/libcontainer/configs"
@@ -877,3 +878,168 @@ func TestValidateIOPriority(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateNetDevices(t *testing.T) {
+	testCases := []struct {
+		name   string
+		isErr  bool
+		config *configs.Config
+	}{
+		{
+			name: "network device with configured network namespace",
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name: "network device rename",
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {
+						Name: "c0",
+					},
+				},
+			},
+		},
+		{
+			name: "network device network namespace created by runc",
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name:  "network device network namespace empty",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name:  "network device rootless EUID",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				RootlessEUID: true,
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name:  "network device rootless",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				RootlessCgroups: true,
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {},
+				},
+			},
+		},
+		{
+			name:  "network device bad name",
+			isErr: true,
+			config: &configs.Config{
+				Namespaces: configs.Namespaces(
+					[]configs.Namespace{
+						{
+							Type: configs.NEWNET,
+							Path: "/var/run/netns/blue",
+						},
+					},
+				),
+				NetDevices: map[string]*configs.LinuxNetDevice{
+					"eth0": {
+						Name: "eth0/",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			config := tc.config
+			config.Rootfs = "/var"
+
+			err := Validate(config)
+			if tc.isErr && err == nil {
+				t.Error("expected error, got nil")
+			}
+
+			if !tc.isErr && err != nil {
+				t.Error(err)
+			}
+		})
+	}
+}
+
+func TestDevValidName(t *testing.T) {
+	testCases := []struct {
+		name  string
+		valid bool
+	}{
+		{name: "", valid: false},
+		{name: "a", valid: true},
+		{name: strings.Repeat("a", unix.IFNAMSIZ), valid: true},
+		{name: strings.Repeat("a", unix.IFNAMSIZ+1), valid: false},
+		{name: ".", valid: false},
+		{name: "..", valid: false},
+		{name: "dev/null", valid: false},
+		{name: "valid:name", valid: false},
+		{name: "valid name", valid: false},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if devValidName(tc.name) != tc.valid {
+				t.Fatalf("name %q, expected valid: %v", tc.name, tc.valid)
+			}
+		})
+	}
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// Package configs defines the structures and constants used for configuring a container`
	`2`	`+package configs`