Selective supplemental groups

[netstickbat]

Is there any way of being more selective of what supplemental host groups can be shared with a container? Currently, it seems that all of them are shared with --group-add keep-groups and I reckon that does increase a container's attack surface in the case of an escape.

[rhatdan]

No, we can either leak all groups into the container or only the groups defined in /etc/subgid for the user.
This is controlled by the kernel.

[netstickbat]

Thanks for the reply, @rhatdan! However I am not sure if I follow after rereading both subgid(5) and newgidmap(1). Just to make sure I am getting my point across correctly; basically I have a user on the host that belongs to the following groups:

$ groups
alpine wheel audio video usb

What I am after is to use a USB device as controlled by the usb group on the host inside a container so I'd need, for instance, --device /dev/hidraw0. Still, that doesn't understandably allow one to use it there as I don't have group access, so I'd then need --group-add keep-groups as explained here.

As you mentioned, that leaks all groups into the container, so in case a container process manages to escape, it would then have the necessary permissions to access the resources granted by the remaining groups.

Having said that, I have tried to fiddle with /etc/subgid to no avail. Do you mind shedding some light on how it could be used to accomplish this, if it's actually possible at all?

[Luap99]

This issue might help you: #18333 (comment)