I am trying to create an unprivileged container with several privileged executables. Currently, I need the container to have access to rdmsr and wrmsr. How can I mount these files within the container so that the container can access them without mounting the entire /usr/sbin folder? Alternatively, is there a way to set permissions on the executables within the container so that they have root access?
# Root on main machine
root@arch# rdmsr 0x1a4:0xf
0
# Root on container
root@C1# rdmsr 0x1a4:0xf
rdmsr: open: Permission denied
# Container config as reported by `lxc config show C1 -e`
# (-e = expanded: keys and devices contributed by profiles are folded in).
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Archlinux current amd64 (20210507_04:18)
  image.os: Archlinux
  image.release: current
  image.serial: "20210507_04:18"
  image.type: squashfs
  image.variant: default
  volatile.base_image: bccfc09597d84d773a29c1fc32f021c63ea917070d0b45820a15662c04994812
  volatile.eth0.hwaddr: 00:16:3e:00:2c:d9
  volatile.idmap.base: "0"
  # Unprivileged container: container uid/gid 0 (Nsid 0) is mapped to host
  # uid/gid 100000 (Hostid 100000) for a range of 65536 ids. Host uid 0 is
  # outside that range, so files owned by real root on the host are not
  # owned by the container's root.
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: c263c21e-b00a-417f-8799-180597e7e2b4
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  # `type: disk` with a `source` path bind-mounts the host's /dev/cpu tree
  # into the container as a filesystem, it does not grant the container
  # access to the device nodes inside it. Those nodes presumably keep their
  # host ownership (root, uid 0), which the idmap above does not cover —
  # consistent with the "rdmsr: open: Permission denied" seen in the
  # container. NOTE(review): no `security.privileged` key and no unix-char
  # device appear in this config, so nothing here authorises the
  # container's root to open the MSR nodes. Before widening this, weigh the
  # risk: MSR write access (wrmsr) acts on the host CPU, so it effectively
  # escapes the isolation an unprivileged container is meant to provide —
  # confirm that is acceptable for this workload.
  msr:
    path: /dev/cpu
    source: /dev/cpu
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
  - default
stateful: false
description: ""