Run Minijail in rootless container

[iklabib]

Hi,

I am trying to run Minijail a sandbox tool a kind of bubblewrap and Nsjail within rootless Podman.

On my bare metal system running Pop OS (Ubuntu 22.04) with Podman 3.4.4, and on an Ubuntu Server 24.04 VM with Podman 4.9.3, I get the following result:

# minijail0 --config config.cfg -C box -- /usr/bin/python3
libminijail[1]: remount: Operation not permitted
libminijail[2]: child process 3 received signal 11

Meanwhile, trying the same command under Fedora 40 Server (Podman 5.1.0) yields this result:

libminijail[3]: failed to set rlimit
Aborted (core dumped)

Here is my minijail config

% minijail-config-file v0
u = user
g = user

N 
l 
p 
n 
b = /bin 
b = /usr/bin 
b = /lib 
b = /usr/lib 
b = /usr/include 
k = none,/tmp,tmpfs,MS_NOSUID|MS_NODEV|MS_NOEXEC,mode=1777,size=67108864
env-reset 
env-add="PATH=/bin:/usr/bin"
env-add="HOME=/home/user"
env-add="PWD=/home/user"
env-add="USER=user"
env-add="USERNAME=user"
R=RLIMIT_CORE,1,1
R=RLIMIT_CPU,6,6
R=RLIMIT_MEMLOCK,67108864,67108864
R=RLIMIT_NPROC,8,8

I run the containers with seccomp, AppArmor, and/or SELinux disabled, and with additional cap_sys_admin and cap_sys_resource capabilities.

There is no problem when running Podman as priviliged root or using Docker (version 26.1.4, build 5650f9b).

Here is my containerfile if anyone wants to reproduce the issue.

FROM docker.io/library/alpine:3.20 as build
RUN apk add --no-cache clang make libcap-dev
ADD https://chromium.googlesource.com/chromiumos/platform/minijail/+archive/99e8fd4bf9aaf62eab9b3cabddc2939cb3427029.tar.gz minijail.tar.gz
RUN mkdir minijail && tar -xzf minijail.tar.gz -C minijail && rm minijail.tar.gz && cd minijail && make

FROM docker.io/library/alpine:3.20
RUN apk add --no-cache libcap bash

COPY --chmod=775 --from=build /minijail/minijail0 /usr/bin/minijail0
COPY --chmod=775 --from=build /minijail/libminijail.so /usr/lib/libminijail.so
COPY --chmod=775 --from=build /minijail/libminijailpreload.so /lib/libminijailpreload.so
COPY --chmod=644 --from=build /minijail/libminijail.h /usr/include/libminijail.h
COPY --chmod=644 --from=build /minijail/minijail0.1 /minijail/minijail0.1
COPY --chmod=644 --from=build /minijail/minijail0.5 /minijail/minijail0.5

ENV USER user
ENV HOME /home/user
RUN adduser -D --home $HOME $USER 
RUN chown -R user:user ${HOME}

ENTRYPOINT [ "bash" ]

Any ideas on how to debug this? Thanks

[Luap99]

Uncomment the rlimit lines until it works.
In general a rootless users never can set a higher limit than it already has (well for the hard limit that is). So if you try to set memlock to soothing like 67108864 you already need to have that already or a higher limit.

As root (CAP_SYS_RESOURCE) is required to raise the hard limit which you have as real root running with --priviliged but never with rooless podman.

[iklabib]

You are right, memlock within container is way lower than rlimit configuration.