diff --git a/internal/edits/device.go b/internal/edits/device.go
index d04df153..f7b3eb08 100644
--- a/internal/edits/device.go
+++ b/internal/edits/device.go
@@ -17,9 +17,13 @@
 package edits
 
 import (
+	"os"
+
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 	"tags.cncf.io/container-device-interface/specs-go"
 
+	"github.com/opencontainers/runc/libcontainer/devices"
+
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/discover"
 )
 
@@ -49,13 +53,31 @@ func (d device) toSpec() (*specs.DeviceNode, error) {
 	// Since the behaviour for HostPath == "" and HostPath == Path are equivalent, we clear HostPath
 	// if it is equal to Path to ensure compatibility with the widest range of specs.
 	hostPath := d.HostPath
+
 	if hostPath == d.Path {
 		hostPath = ""
 	}
 	s := specs.DeviceNode{
 		HostPath: hostPath,
 		Path:     d.Path,
+		FileMode: d.getFileMode(),
 	}
 
 	return &s, nil
 }
+
+// getFileMode returns the filemode of the host device node associated with the discovered device.
+// If this fails, a nil filemode is returned.
+func (d device) getFileMode() *os.FileMode {
+	path := d.HostPath
+	if path == "" {
+		path = d.Path
+	}
+	dn, err := devices.DeviceFromPath(path, "rwm")
+	if err != nil {
+		// return nil, fmt.Errorf("failed to get device information for %q: %w", path, err)
+		return nil
+	}
+
+	return &dn.FileMode
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
new file mode 100644
index 00000000..c2c2b3bb
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/device.go
@@ -0,0 +1,174 @@
+package devices
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+)
+
+const (
+	Wildcard = -1
+)
+
+type Device struct {
+	Rule
+
+	// Path to the device.
+	Path string `json:"path"`
+
+	// FileMode permission bits for the device.
+	FileMode os.FileMode `json:"file_mode"`
+
+	// Uid of the device.
+	Uid uint32 `json:"uid"`
+
+	// Gid of the device.
+	Gid uint32 `json:"gid"`
+}
+
+// Permissions is a cgroupv1-style string to represent device access. It
+// has to be a string for backward compatibility reasons, hence why it has
+// methods to do set operations.
+type Permissions string
+
+const (
+	deviceRead uint = (1 << iota)
+	deviceWrite
+	deviceMknod
+)
+
+func (p Permissions) toSet() uint {
+	var set uint
+	for _, perm := range p {
+		switch perm {
+		case 'r':
+			set |= deviceRead
+		case 'w':
+			set |= deviceWrite
+		case 'm':
+			set |= deviceMknod
+		}
+	}
+	return set
+}
+
+func fromSet(set uint) Permissions {
+	var perm string
+	if set&deviceRead == deviceRead {
+		perm += "r"
+	}
+	if set&deviceWrite == deviceWrite {
+		perm += "w"
+	}
+	if set&deviceMknod == deviceMknod {
+		perm += "m"
+	}
+	return Permissions(perm)
+}
+
+// Union returns the union of the two sets of Permissions.
+func (p Permissions) Union(o Permissions) Permissions {
+	lhs := p.toSet()
+	rhs := o.toSet()
+	return fromSet(lhs | rhs)
+}
+
+// Difference returns the set difference of the two sets of Permissions.
+// In set notation, A.Difference(B) gives you A\B.
+func (p Permissions) Difference(o Permissions) Permissions {
+	lhs := p.toSet()
+	rhs := o.toSet()
+	return fromSet(lhs &^ rhs)
+}
+
+// Intersection computes the intersection of the two sets of Permissions.
+func (p Permissions) Intersection(o Permissions) Permissions {
+	lhs := p.toSet()
+	rhs := o.toSet()
+	return fromSet(lhs & rhs)
+}
+
+// IsEmpty returns whether the set of permissions in a Permissions is
+// empty.
+func (p Permissions) IsEmpty() bool {
+	return p == Permissions("")
+}
+
+// IsValid returns whether the set of permissions is a subset of valid
+// permissions (namely, {r,w,m}).
+func (p Permissions) IsValid() bool {
+	return p == fromSet(p.toSet())
+}
+
+type Type rune
+
+const (
+	WildcardDevice Type = 'a'
+	BlockDevice    Type = 'b'
+	CharDevice     Type = 'c' // or 'u'
+	FifoDevice     Type = 'p'
+)
+
+func (t Type) IsValid() bool {
+	switch t {
+	case WildcardDevice, BlockDevice, CharDevice, FifoDevice:
+		return true
+	default:
+		return false
+	}
+}
+
+func (t Type) CanMknod() bool {
+	switch t {
+	case BlockDevice, CharDevice, FifoDevice:
+		return true
+	default:
+		return false
+	}
+}
+
+func (t Type) CanCgroup() bool {
+	switch t {
+	case WildcardDevice, BlockDevice, CharDevice:
+		return true
+	default:
+		return false
+	}
+}
+
+type Rule struct {
+	// Type of device ('c' for char, 'b' for block). If set to 'a', this rule
+	// acts as a wildcard and all fields other than Allow are ignored.
+	Type Type `json:"type"`
+
+	// Major is the device's major number.
+	Major int64 `json:"major"`
+
+	// Minor is the device's minor number.
+	Minor int64 `json:"minor"`
+
+	// Permissions is the set of permissions that this rule applies to (in the
+	// cgroupv1 format -- any combination of "rwm").
+	Permissions Permissions `json:"permissions"`
+
+	// Allow specifies whether this rule is allowed.
+	Allow bool `json:"allow"`
+}
+
+func (d *Rule) CgroupString() string {
+	var (
+		major = strconv.FormatInt(d.Major, 10)
+		minor = strconv.FormatInt(d.Minor, 10)
+	)
+	if d.Major == Wildcard {
+		major = "*"
+	}
+	if d.Minor == Wildcard {
+		minor = "*"
+	}
+	return fmt.Sprintf("%c %s:%s %s", d.Type, major, minor, d.Permissions)
+}
+
+func (d *Rule) Mkdev() (uint64, error) {
+	return mkDev(d)
+}
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
new file mode 100644
index 00000000..d00775f5
--- /dev/null
+++ b/vendor/github.com/opencontainers/runc/libcontainer/devices/device_unix.go
@@ -0,0 +1,119 @@
+//go:build !windows
+
+package devices
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+
+	"golang.org/x/sys/unix"
+)
+
+// ErrNotADevice denotes that a file is not a valid linux device.
+var ErrNotADevice = errors.New("not a device node")
+
+// Testing dependencies
+var (
+	unixLstat = unix.Lstat
+	osReadDir = os.ReadDir
+)
+
+func mkDev(d *Rule) (uint64, error) {
+	if d.Major == Wildcard || d.Minor == Wildcard {
+		return 0, errors.New("cannot mkdev() device with wildcards")
+	}
+	return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil
+}
+
+// DeviceFromPath takes the path to a device and its cgroup_permissions (which
+// cannot be easily queried) to look up the information about a linux device
+// and returns that information as a Device struct.
+func DeviceFromPath(path, permissions string) (*Device, error) {
+	var stat unix.Stat_t
+	err := unixLstat(path, &stat)
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		devType   Type
+		mode      = stat.Mode
+		devNumber = uint64(stat.Rdev) //nolint:unconvert // Rdev is uint32 on e.g. MIPS.
+		major     = unix.Major(devNumber)
+		minor     = unix.Minor(devNumber)
+	)
+	switch mode & unix.S_IFMT {
+	case unix.S_IFBLK:
+		devType = BlockDevice
+	case unix.S_IFCHR:
+		devType = CharDevice
+	case unix.S_IFIFO:
+		devType = FifoDevice
+	default:
+		return nil, ErrNotADevice
+	}
+	return &Device{
+		Rule: Rule{
+			Type:        devType,
+			Major:       int64(major),
+			Minor:       int64(minor),
+			Permissions: Permissions(permissions),
+		},
+		Path:     path,
+		FileMode: os.FileMode(mode &^ unix.S_IFMT),
+		Uid:      stat.Uid,
+		Gid:      stat.Gid,
+	}, nil
+}
+
+// HostDevices returns all devices that can be found under /dev directory.
+func HostDevices() ([]*Device, error) {
+	return GetDevices("/dev")
+}
+
+// GetDevices recursively traverses a directory specified by path
+// and returns all devices found there.
+func GetDevices(path string) ([]*Device, error) {
+	files, err := osReadDir(path)
+	if err != nil {
+		return nil, err
+	}
+	var out []*Device
+	for _, f := range files {
+		switch {
+		case f.IsDir():
+			switch f.Name() {
+			// ".lxc" & ".lxd-mounts" added to address https://github.com/lxc/lxd/issues/2825
+			// ".udev" added to address https://github.com/opencontainers/runc/issues/2093
+			case "pts", "shm", "fd", "mqueue", ".lxc", ".lxd-mounts", ".udev":
+				continue
+			default:
+				sub, err := GetDevices(filepath.Join(path, f.Name()))
+				if err != nil {
+					return nil, err
+				}
+
+				out = append(out, sub...)
+				continue
+			}
+		case f.Name() == "console":
+			continue
+		}
+		device, err := DeviceFromPath(filepath.Join(path, f.Name()), "rwm")
+		if err != nil {
+			if errors.Is(err, ErrNotADevice) {
+				continue
+			}
+			if os.IsNotExist(err) {
+				continue
+			}
+			return nil, err
+		}
+		if device.Type == FifoDevice {
+			continue
+		}
+		out = append(out, device)
+	}
+	return out, nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 598354cb..a420b8f7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -36,6 +36,7 @@ github.com/google/uuid
 github.com/moby/sys/symlink
 # github.com/opencontainers/runc v1.2.5
 ## explicit; go 1.22
+github.com/opencontainers/runc/libcontainer/devices
 github.com/opencontainers/runc/libcontainer/dmz
 github.com/opencontainers/runc/libcontainer/system
 github.com/opencontainers/runc/libcontainer/utils