jail: failed to clone/fork: Operation not permitted,--security-opt seccomp=unconfined seems to be of little use.

[daiaji]

Issue Description

I tried running openwrt using --security-opt seccomp=unconfined, but it seems to have failed.

Steps to reproduce the issue

Steps to reproduce the issue

1. sudo podman import https://mirror-03.infra.openwrt.org/snapshots/targets/x86/64/openwrt-x86-64-rootfs.tar.gz openwrt
2. sudo podman run -d --name openwrt --security-opt seccomp=unconfined --cap-add NET_ADMIN --cap-add NET_RAW --cap-add NET_BROADCAST --cap-add MKNOD --sysctl net.ipv6.conf.all.forwarding=1 openwrt /sbin/init
3. sudo podman exec -it openwrt logread

Describe the results you received

Fri Feb 2 16:43:18 2024 user.err : jail: failed to clone/fork: Operation not permitted
Jail was unable to run properly, and it seems that procd also broke down as a result.
However, it seems that --cap-add SYS_ADMIN is effective, allowing the jail to operate normally.

Describe the results you expected

I am able to run openwrt normally in podman.

podman info output

sudo podman version
Client:       Podman Engine
Version:      4.8.2
API Version:  4.8.2
Go Version:   go1.21.5
Git Commit:   aa546902fa1a927b3d770528565627d1395b19f3-dirty
Built:        Thu Dec 14 06:07:26 2023
OS/Arch:      linux/amd64

sudo podman info
host:
  arch: amd64
  buildahVersion: 1.33.2
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon 由 conmon 1:2.1.10-1 所拥有
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: 2dcd736e46ded79a53339462bc251694b150f870'
  cpuUtilization:
    idlePercent: 98.98
    systemPercent: 0.67
    userPercent: 0.35
  cpus: 12
  databaseBackend: boltdb
  distribution:
    distribution: manjaro
    version: unknown
  eventLogger: journald
  freeLocks: 2045
  hostname: AIO
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.6.9-1-MANJARO
  linkmode: dynamic
  logDriver: journald
  memFree: 61452943360
  memTotal: 67334270976
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: /usr/lib/podman/netavark 由 netavark 1.9.0-1 所拥有
    path: /usr/lib/podman/netavark
    version: netavark 1.9.0
  ociRuntime:
    name: crun
    package: /usr/bin/crun 由 crun 1.12-1 所拥有
    path: /usr/bin/crun
    version: |-
      crun version 1.12
      commit: ce429cb2e277d001c2179df1ac66a470f00802ae
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: false
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /sbin/slirp4netns
    package: /usr/bin/slirp4netns 由 slirp4netns 1.2.2-1 所拥有
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 134666514432
  swapTotal: 134666514432
  uptime: 3h 10m 34.00s (Approximately 0.12 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 3
    paused: 0
    running: 3
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mountopt: nodev
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 279748542464
  graphRootUsed: 62352732160
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "true"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 4
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.8.2
  Built: 1702505246
  BuiltTime: Thu Dec 14 06:07:26 2023
  GitCommit: aa546902fa1a927b3d770528565627d1395b19f3-dirty
  GoVersion: go1.21.5
  Os: linux
  OsArch: linux/amd64
  Version: 4.8.2

sudo pacman -Qi podman
Name            : podman
Version         : 4.8.2-1
Description     : Tool and library for running OCI-based containers in pods
Architecture    : x86_64
URL             : https://github.com/containers/podman
Licenses        : Apache-2.0
Groups          : None
Provides        : None
Depends On      : catatonit  conmon  containers-common  crun  gcc-libs  glibc  iptables  device-mapper  libdevmapper.so=1.02-64  gpgme  libgpgme.so=11-64  libseccomp  libseccomp.so=2-64  slirp4netns
Optional Deps   : apparmor: for AppArmor support [installed]
                  btrfs-progs: support btrfs backend devices [installed]
                  cni-plugins: for an alternative container-network-stack implementation
                  fuse-overlayfs: for storage driver in rootless environment
                  passt: for alternative rootless network support
                  podman-compose: for docker-compose compatibility
                  podman-docker: for Docker-compatible CLI
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 81.66 MiB
Packager        : Morten Linderud <[email protected]>
Build Date      : Thu 14 Dec 2023 06:07:26 AM CST
Install Date    : Tue 02 Jan 2024 10:21:33 PM CST
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

Podman in a container

No

Privileged Or Rootless

Privileged

Upstream Latest Release

No

Additional environment details

physics

sudo inxi -a
CPU: 6-core AMD Ryzen 5 5600 (-MT MCP-) speed/min/max: 2525/2200/4467 MHz
Kernel: 6.6.9-1-MANJARO x86_64 Up: 3h 26m Mem: 3.7/62.71 GiB (5.9%)
Storage: 73.17 TiB (16.7% used) Procs: 490 Shell: Sudo 1.9.15p4 inxi: 3.3.31

Additional information

logread.log
https://gist.github.com/daiaji/cbb1832c309b15af05279df88043e469
https://lxr.openwrt.org/source/procd/jail/jail.c
lxc/lxc-ci#586
coolsnowwolf/lede#10534

[rhatdan]

Seems like you need CAP_SYS_ADMIN

[rhatdan]

There are multiple layers of security all you did is turn off seccomp, but you still need to deal with Linux Capabilties like CAP_SYS_ADMIN.

[daiaji]

Actually, it's precisely because of CAP_ SYS_ ADMIN looks too scary, that's why I'm seeking other solutions.😂

[daiaji]

Might the inclusion of -cap-add SYS_PTRACE be more advantageous?

[rhatdan]

If it works then yes.