Visibility of all of the host's USB devices in containers

I’m running LXD 4.8 on Ubuntu 20.04 and I’ve created an Ubuntu 20.04 cloud image unprivileged container.

I’ve not added any USB passthrough, but I can use lsusb to list all of the host's USB devices.

Is there any way to make the host's USB devices invisible by default?

Config as follows:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 20.04 LTS amd64 (release) (20201201)
  image.label: release
  image.os: ubuntu
  image.release: focal
  image.serial: "20201201"
  image.type: squashfs
  image.version: "20.04"
  limits.cpu.priority: "0"
  limits.memory: 2GB
  user.user-data: |
    #cloud-config
    timezone: 'Europe/London'
    package_update: 'true'
    packages:
    - build-essential
    - wget
    [snipped]
  volatile.base_image: 3e9403fe7645000fc49ec89bca056c7fd53e9a142a3a9054ee02c13a2f14b6d0
  volatile.eth0.host_name: vethe93589d0
  volatile.eth0.hwaddr: 00:16:3e:c3:cd:a7
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001001,"Nsid":1001,"Maprange":999998999},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001001,"Nsid":1001,"Maprange":999998999}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001001,"Nsid":1001,"Maprange":999998999},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001001,"Nsid":1001,"Maprange":999998999}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001001,"Nsid":1001,"Maprange":999998999},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1000,"Nsid":1000,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001001,"Nsid":1001,"Maprange":999998999}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 491f6bb3-d6e9-4513-94f6-493cf2ec834f
devices: {}
ephemeral: false
profiles:
- default
- zpool
stateful: false
description: Demo Cloud-init

You mean that when you run lsusb in an unprivileged container, you get a list of the host’s available USB devices. In fact, the same goes with lspci, etc.

Obviously, you still cannot access them until they get provisioned, but that information is still made known to the container.

This question is similar to “Hide CPU model name”. The answer appears to be that you cannot hide that information.

Thanks, I guess there are limits to how much you can hide about a shared kernel…

Yeah, /sys is effectively always shared. We can prevent access to the actual block/char device but we can’t really make it disappear from device listings.

I tried a chmod 550 on /sys and I get:

2020/12/03 14:15:16.160236 system_key.go:154: cannot determine cgroup version: cannot determine filesystem type: cannot statfs path: permission denied

when I exec into the container…

However, when I chmod 550 /sys/devices, I get nothing…

Is there a downside to this approach…?

The main downside is that this is global to the entire system, so you may actually break software running as unprivileged users on the host too.

550 on /sys would prevent seeing /sys/fs/cgroup, which is what’s causing you that error.
/sys/devices feels less problematic, though you’ll likely prevent accessing a bunch of network-related files which are properly namespaced and may well be used by the container.
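As an added check, not code from this thread or from LXD, the script below makes the two points above measurable from inside a container: it walks what sysfs lists under /sys/bus/usb/devices and reports, per device, whether the matching /dev/bus/usb node is actually openable (listed but not provisioned shows up as "denied" or "no-node"), and it reports whether the sysfs paths named in the replies (/sys/fs/cgroup, /sys/class/net, /sys/devices) are still traversable, so a chmod experiment on /sys can be checked for the collateral damage described. The sysfs and dev roots are function parameters, an assumption of the example so it can be run against a constructed tree; with no arguments the functions use the real /sys and /dev.

```shell
#!/bin/sh
# Added example: audit "listed vs. accessible" USB devices from inside a container.
# SYSROOT and DEVROOT default to /sys and /dev; they are parameters (an assumption
# of this example) so the same functions can be exercised on a constructed tree.

# usb_audit SYSROOT DEVROOT
# Prints one line per USB device: "vendor:product node state", where state is
#   accessible - the device node exists and is readable+writable by this user
#   denied     - the node exists but we may not open it (listed, not provisioned)
#   no-node    - sysfs lists the device but no node exists in DEVROOT at all
usb_audit() {
  sys="${1:-/sys}"
  dev="${2:-/dev}"
  for d in "$sys"/bus/usb/devices/*/; do
    # Interface entries such as 1-1:1.0 carry no idVendor; skip them.
    [ -r "${d}idVendor" ] || continue
    vendor=$(cat "${d}idVendor")
    product=$(cat "${d}idProduct")
    busnum=$(cat "${d}busnum")
    devnum=$(cat "${d}devnum")
    # The usbfs node for a device is /dev/bus/usb/BBB/DDD (zero-padded bus/device numbers).
    node=$(printf '%s/bus/usb/%03d/%03d' "$dev" "$busnum" "$devnum")
    if [ -r "$node" ] && [ -w "$node" ]; then
      state=accessible
    elif [ -e "$node" ]; then
      state=denied
    else
      state=no-node
    fi
    printf '%s:%s %s %s\n' "$vendor" "$product" "$node" "$state"
  done
}

# count_accessible SYSROOT DEVROOT -> number of listed devices that are also openable.
# In an unprivileged container with no USB passthrough this is expected to be 0.
count_accessible() {
  usb_audit "$1" "$2" | grep -c ' accessible$' || true
}

# sysfs_sanity SYSROOT
# Reports whether the sysfs paths discussed in the thread are still traversable,
# so a chmod on /sys or /sys/devices can be checked for what else it blocks.
sysfs_sanity() {
  sys="${1:-/sys}"
  for p in fs/cgroup class/net devices; do
    if [ -d "$sys/$p" ] && [ -r "$sys/$p" ] && [ -x "$sys/$p" ]; then
      printf '%s ok\n' "$p"
    else
      printf '%s blocked\n' "$p"
    fi
  done
}

# Run against the real tree when executed directly under the assumed file name
# usb_audit.sh; when sourced, only the functions are defined.
case "${0##*/}" in
  usb_audit.sh) usb_audit; sysfs_sanity ;;
esac
```

Run it once before and once after a chmod experiment: the usb_audit output should not change (the nodes were never openable), while sysfs_sanity shows which of the discussed paths the chmod took away.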