Unprivileged Container with privileged executables?

svarlitskiy · May 11, 2021, 6:56pm

I am trying to create an unprivileged container with a several privileged executables. Currently, I need the container to have access to rdmsr and wrmsr. How can I mount these files within the container so that the container can access them without mounting the entire /usr/sbin folder? Or is there a way to set permissions on the executables within the container so that they have root access?

# Root on main machine
root@arch# rdmsr 0x1a4:0xf
0

# Root on container
root@C1# rdmsr 0x1a4:0xf
rdmsr: open: Permission denied

# Container Config ( lxc config show C1 -e )
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Archlinux current amd64 (20210507_04:18)
  image.os: Archlinux
  image.release: current
  image.serial: "20210507_04:18"
  image.type: squashfs
  image.variant: default
  volatile.base_image: bccfc09597d84d773a29c1fc32f021c63ea917070d0b45820a15662c04994812
  volatile.eth0.hwaddr: 00:16:3e:00:2c:d9
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: c263c21e-b00a-417f-8799-180597e7e2b4
devices:
  eth0:
    name: eth0
    network: lxdbr0
    type: nic
  msr:
    path: /dev/cpu
    source: /dev/cpu
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

stgraber · May 11, 2021, 7:09pm

The short answer is that you can’t. Capabilities inside an unprivileged container are relative to the user namespace and so no amount of extra capabilities or file permissions on this binary are going to let you do this.

Your main way out of this is to run a privileged container.

In theory an alternative would be to add syscall interception support for the syscalls needed for this at which point LXD can add config options to allow your container to perform those syscalls. This is unlikely to really happen in this case though as we need to put quite a bit of effort into every syscall we wire for this and so tend to focus on more commonly required things (setxattr, mount, ebpf, …).

Another option would be for you to run a small piece of code on your host system which exposes this functionality over a unix socket, then pass that into your container so the container can talk to the privileged piece of software which then makes the call it wants (with any safety checks you may find applicable).