Can a podman container access the podman unix sock using a volume mounted without getting a permission denied ?

[cmoulliard]

When I mount the podman sock of the user 1000 within a container I got a "permission denied" when the application tries to access it using export DOCKER_HOST="unix:///workdir/podman.sock"

Step to reproduce

systemctl --user enable --now podman.socket

IMAGE=IMAGE
quay.io/redhat-user-workloads/cmoullia-tenant/paketo-container/paketo-container:1b33482b7bb6c50de716136d815aae49e3e03d1c@sha256:77ba890ac85bbe0ed8118be6aa5332e34c43230c76ee3129e015b019ac710288

git clone https://github.com/paketo-community/builder-ubi-base.git

mkdir -p scripts
cat <<EOF > scripts/remote-script.sh
#!/bin/bash
set -e

echo "### List workdir files"
ls -la /workdir

export DOCKER_HOST="unix:///workdir/podman.sock"

pack config experimental true
pack builder create my-ubi-builder --config /source/builder.toml
EOF
chmod +x  scripts/remote-script.sh

podman run \
  --security-opt label=disable \
  --security-opt seccomp=unconfined \
  -v "$(pwd)/scripts:/scripts:Z" \
  -v "$(pwd)/builder-ubi-base:/source:Z" \
  -v "$XDG_RUNTIME_DIR/podman/podman.sock:/workdir/podman.sock:Z" \
  --rm $IMAGE /scripts/remote-script.sh

Error

ERROR: invalid run image config: failed to fetch image: permission denied while trying to connect to the Docker daemon socket at unix:///workdir/podman.sock: Post "http://%2Fworkdir%2Fpodman.sock/v1.38/images/create?fromImage=paketocommunity%2Frun-ubi-base&tag=latest": dial unix /workdir/podman.sock: connect: permission denied

The permission denied is certainly related to the fact that the file is mounted using root

### List workdir files
total 0
drwxr-xr-x. 1 paketo paketo 25 Oct 17 08:26 .
dr-xr-xr-x. 1 root   root   61 Oct 17 08:26 ..
srw-rw----. 1 root   root    0 Oct 17 07:50 podman.sock

[cmoulliard]

I will wait what the users will reply but that works if I pass as parameter --user=0 to the command podman run

[rhatdan]

Permission denied will happen based on either SELinux or DAC. For SELinux you will need to disable enforcement for the container.

--security-opt label=disabled

For DAC, if the user owning the podman.sock is different then the user within the container, then it will be denied. You can try to play games with the group access on the socket and set the socket to 660. But you will need to make sure the group access for the user running podman leaks into the container --group-add keep-groups

  --group-add strings                        Add additional groups to the primary container process. 'keep-groups' allows container processes to use supplementary groups.

[cmoulliard]

What is DAC ?
Is it --security-opt label=disabled OR --security-opt label=disable that we should use ?
Do we also need this parameter --security-opt seccomp=unconfined ?

[rhatdan]

DAC==Discretionary Access Control (Standard unix permissions, UIG/GID permissions).
--security-opt label=disable
Seccomp should not require changes.