Rootless containers having access to device files even without --device-cgroup-rule

[satyam1990]

Hi Team,

Below is my environment information:
[satx@sat ~]$ uname -a
Linux sat.com 5.15.0-4.70.5.2.el9uek.x86_64 #2 SMP Wed Nov 16 05:19:51 PST 2022 x86_64 x86_64 x86_64 GNU/Linux

[satx@sat ~]$ podman --version
podman version 4.2.0

Default ownership of any video file in my system looks as below:

[satx@sat ~]$ getfacl /dev/video0
# file: dev/video0
# owner: root
# group: video
user::rw-
user:satx:rw-
group::rw-
mask::rw-
other::---

Inside my containers I wanted to access video device files and wanted to run the container rootless as well. In order to achieve the same I set the policy for SELinux as below:
setsebool -P container_use_devices=true

And post that when I run my rootless container as below I am able to access all the device files:

[satx@sat ~]$ podman run --rm -it -v /dev:/dev v4l2_utils bash

[root@faef2633eb34 opt]# v4l2-ctl --list-devices
Integrated_Webcam_FHD: Integrat (usb-0000:00:14.0-6):
	/dev/video0
	/dev/video1
	/dev/video2
	/dev/video3
	/dev/media0
	/dev/media1

My Concern is that if I run the same container using same way as root user then the container is not able to access the device files as can be seen below:

[root@sat ~]# podman run --rm -it -v /dev:/dev v4l2_utils bash

[root@b17fd9935a3d opt]# v4l2-ctl --list-devices
Failed to open /dev/video0: Operation not permitted

It looks like for rooted containers there are 2 lines of defense in order to access the device files, one we need to set the SELinux Policy as mentioned above secondly we need to use the --device-cgroup-rule flag when running the container and then only rooted container is able to access the device files as can be seen below:

[root@sat ~]# podman run --rm -it --device-cgroup-rule="c 81:* rw" -v /dev:/dev v4l2_utils bash

[root@0eb961dc0736 opt]# v4l2-ctl --list-devices
Integrated_Webcam_FHD: Integrat (usb-0000:00:14.0-6):
	/dev/video0
	/dev/video1
	/dev/video2
	/dev/video3

My assumption was that the rootless container should also require the --device-cgroup-rule in order to access video devices. Rootless container should also have same amount of restrictions.

Why more restrictions for root user and less restrictions for rootless user. Is this some kind of security issue or I missed to understand something.

[rhatdan]

Rootless users are not allowed to create devices or to modify the protections on the devices. When you run a container with a volume from the host system, then it is bind mounted into the container. In rootful mode, the device is created inside of the container so permissions and other fields can be changed.

Note for rootless users, you might need to do --group-add keep-group in order to use a device mounted into the container. This option would leak the "video" group into your container.

[satyam1990]

I guess i still did not get it, when you say device is created inside rootful container and not bind mounted.

But when I am running rootful container i am bind mounting /dev with flag -v.

Is there some exception for /dev directory, that even when we do bind mount in a rootful container using -v /dev:/dev then the rootful container does not bind mounts instead it re create the device node which are present on host system. Is this specifically for /dev directory.

And by creating device you mean creating using mknode, if that is so then I have not given permission to use mknode if you see the way i am executing the container in rootful mode:
--device-cgroup-rule="c 81:* rw"
As you can see there is no 'm' permission added. How rootful container is able to create device.

[rhatdan]

You should not volume mount in the /dev directory. Instead add the devices with --device option.

[satyam1990]

If i use the --device option then i could not access the newly connected devices which got attached post my container was started. Since we can only pass path of already existing devices to --device option.

What if i create symlink to device files in another directory say /dev/video_devices using udev rules and mount that directory instead like -v /dev/video_devices:/dev

Will that be a ok thing to do.

And also if you could please help me understand on my original concern that be great.

[satyam1990]

Also if you could please help me understand why it is not adviced to bind mount /dev that would be great.

Because I was unable to find a reason which makes things break if we mount /dev.

Also I was going through the old issues related to podman which has nothing to do with my concern but i wanted to just check if people are doing bind mount of /dev.

I do see people have mentioned that they are running containers with -v /dev:/dev

And no one is complaining or suggesting them to not bind mount /dev. For example take a look at this ticket this user is also bind mounting /dev:
#14251

[rhatdan]

Tools like SELinux conflict with volume mounting in /dev. Also certain devices created on the host system could cause issues and conflict with those created inside of the container.

/dev/console and /dev/tty have caused issues in the past.