From 5421bc3c9fc85e1319fd5f588ea7779a9d1294d3 Mon Sep 17 00:00:00 2001
From: Seungjae Yoo
Date: Mon, 12 Jan 2026 16:28:00 +0900
Subject: [PATCH] Replace privileged into other options for creating hosts via DockerIM

---
 pkg/app/instances/docker.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/pkg/app/instances/docker.go b/pkg/app/instances/docker.go
index 849b8737..73b9de7e 100644
--- a/pkg/app/instances/docker.go
+++ b/pkg/app/instances/docker.go
@@ -372,6 +372,7 @@ func (m *DockerInstanceManager) createDockerContainer(ctx context.Context, user
 Labels: dockerLabelsDict(user),
 }
 hostConfig := &container.HostConfig{
+ CapAdd: []string{"NET_ADMIN"},
 Mounts: []mount.Mount{
 {
 Type: mount.TypeVolume,
@@ -379,7 +380,31 @@ func (m *DockerInstanceManager) createDockerContainer(ctx context.Context, user
 Target: uaMountTarget,
 },
 },
- Privileged: true,
+ Resources: container.Resources{
+ Devices: []container.DeviceMapping{
+ {
+ PathOnHost: "/dev/kvm",
+ PathInContainer: "/dev/kvm",
+ CgroupPermissions: "rwm",
+ },
+ {
+ PathOnHost: "/dev/net/tun",
+ PathInContainer: "/dev/net/tun",
+ CgroupPermissions: "rwm",
+ },
+ {
+ PathOnHost: "/dev/vhost-net",
+ PathInContainer: "/dev/vhost-net",
+ CgroupPermissions: "rwm",
+ },
+ {
+ PathOnHost: "/dev/vhost-vsock",
+ PathInContainer: "/dev/vhost-vsock",
+ CgroupPermissions: "rwm",
+ },
+ },
+ },
+ SecurityOpt: []string{"seccomp=unconfined"},
 }
 createRes, err := m.Client.ContainerCreate(ctx, config, hostConfig, nil, nil, "")
 if err != nil {
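Review bot: `SecurityOpt: []string{"seccomp=unconfined"}` in the second hunk drops Docker's default seccomp profile entirely, so the container regains much of the syscall surface that removing `Privileged: true` was meant to take away (the default profile is what denies an unprivileged container things like `keyctl`, `bpf` and namespace-creating `unshare`/`clone` flags). If the VMM genuinely needs syscalls the default profile blocks, ship a tailored profile (default plus the few extra syscalls) and pass it as `seccomp=/path/to/profile.json`; at minimum leave the reason on the line, e.g. `// TODO(security): replace seccomp=unconfined with a profile allowing only the extra syscalls the VMM needs; unconfined re-exposes most of what dropping Privileged removed.` Separately, the four `CgroupPermissions: "rwm"` entries also grant mknod on those device numbers inside the container; Docker creates the nodes for the mapping itself, so `CgroupPermissions: "rw",` looks sufficient — confirm the VMM does not mknod its own nodes. Mapping `/dev/vhost-vsock` exposes the host-wide vsock CID space, so a guest CID chosen in one container can collide with, or be reachable from, a VM in another container on the same host — presumably the caller assigns unique CIDs, but that is worth verifying. The body of createDockerContainer begins before the first hunk and continues past the second.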