Make rootless privileged containers share the same tty devices as rootfull ones
Until Podman v4.3, privileged rootfull containers would expose all the host devices to the container while rootless ones would exclude `/dev/ptmx` and `/dev/tty*`. When 5a2405ae1b
("Don't mount /dev/tty* inside privileged containers running systemd") landed, rootfull containers started excluding all the `/dev/tty*` devices when the container would be running in systemd mode, reducing the disparity between rootless and rootfull containers when running in this mode. However, this commit regressed some legitimate use cases: exposing non-virtual-terminal tty devices (modems, arduinos, serial consoles, ...) to the container, and the regression was addressed in f4c81b0aa5
("Only prevent VTs to be mounted inside privileged systemd containers"). This now calls into question why all tty devices were historically prevented from being shared to the rootless non-privileged containers. A look at the podman git history reveals that the code was introduced as part of ba430bfe5e
("podman v2 remove bloat v2"), and obviously was copy-pasted from some other code I couldn't find. In any case, we can easily guess that this check was put for the same reason 5a2405ae1b
was introduced: to prevent breaking the host environment's consoles. This also means that excluding *all* tty devices is overbearing, and should instead be limited to just virtual terminals like we do on the rootfull path. This is what this commit does, thus making the rootless codepath behave like the rootfull one when in systemd mode. This leaves `/dev/ptmx` as the main difference between the two codepath. Based on the blog post from the then-runC maintainer[1] and this Red Hat bug[2], I believe that this is intentional and a needed difference for the rootless path. Closes: #16925 Suggested-by: Fabian Holler <mail@fholler.de> Signed-off-by: Martin Roukala (né Peres) <martin.roukala@mupuf.org> [1]: https://www.cyphar.com/blog/post/20160627-rootless-containers-with-runc [2]: https://bugzilla.redhat.com/show_bug.cgi?id=501718
This commit is contained in:
parent
d558a792f4
commit
70057c8b47
|
@ -7,7 +7,6 @@ import (
|
|||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"github.com/containers/podman/v4/libpod/define"
|
||||
|
@ -107,7 +106,18 @@ func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
|
|||
Source: d.Path,
|
||||
Options: []string{"slave", "nosuid", "noexec", "rw", "rbind"},
|
||||
}
|
||||
if d.Path == "/dev/ptmx" || strings.HasPrefix(d.Path, "/dev/tty") {
|
||||
|
||||
/* The following devices should not be mounted in rootless containers:
|
||||
*
|
||||
* /dev/ptmx: The host-provided /dev/ptmx should not be shared to
|
||||
* the rootless containers for security reasons, and
|
||||
* the container runtime will create it for us
|
||||
* anyway (ln -s /dev/pts/ptmx /dev/ptmx);
|
||||
* /dev/tty[0-9]+: Prevent the container from taking over the host's
|
||||
* virtual consoles, even when not in systemd mode
|
||||
* for backwards compatibility.
|
||||
*/
|
||||
if d.Path == "/dev/ptmx" || isVirtualConsoleDevice(d.Path) {
|
||||
continue
|
||||
}
|
||||
if _, found := mounts[d.Path]; found {
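Review bot: The new filter `if d.Path == "/dev/ptmx" || isVirtualConsoleDevice(d.Path)` widens what a rootless privileged container receives — every host `/dev/tty*` node that `isVirtualConsoleDevice` does not match (presumably including the bare `/dev/tty` and serial `/dev/ttyS*` nodes) is now bind-mounted with the `rw` options built just above — yet `isVirtualConsoleDevice` is not in this hunk, so the exact exclusion set is documented only indirectly by the `/dev/tty[0-9]+` line of the comment. The contract is worth stating where the decision is made; consider extending the block comment with `* Any other /dev/tty* node (e.g. /dev/tty, serial ttys) is shared rw, matching the rootfull path.` and adding a unit test that pins isVirtualConsoleDevice on `/dev/tty`, `/dev/tty0` and `/dev/ttyS0` so the boundary cannot drift silently. AddPrivilegedDevices begins and ends outside this hunk, and the same helper is relied on in the systemd-mode hunk below.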
|
||||
|
@ -121,6 +131,16 @@ func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
|
|||
}
|
||||
} else {
|
||||
for _, d := range hostDevices {
|
||||
/* Restrict access to the virtual consoles *only* when running
|
||||
* in systemd mode to improve backwards compatibility. See
|
||||
* https://github.com/containers/podman/issues/15878.
|
||||
*
|
||||
* NOTE: May need revisiting in the future to drop the systemd
|
||||
* condition if more use cases end up breaking the virtual terminals
|
||||
* of people who specifically disable the systemd mode. It would
|
||||
* also provide a more consistent behaviour between rootless and
|
||||
* rootfull containers.
|
||||
*/
|
||||
if systemdMode && isVirtualConsoleDevice(d.Path) {
|
||||
continue
|
||||
}
|
||||
|
|
|
@ -952,10 +952,29 @@ $IMAGE--c_ok" \
|
|||
run_podman stop -t 0 $cid
|
||||
}
|
||||
|
||||
# 16925: --privileged + --systemd = share non-virtual-terminal TTYs
|
||||
@test "podman run --privileged as root with systemd mounts non-vt /dev/tty devices" {
|
||||
skip_if_rootless "this test only makes sense as root"
|
||||
@test "podman run --privileged as rootless will not mount /dev/tty\d+" {
|
||||
skip_if_not_rootless "this test as rootless"
|
||||
|
||||
# First, confirm that we _have_ /dev/ttyNN devices on the host.
|
||||
# ('skip' would be nicer in some sense... but could hide a regression.
|
||||
# Fedora, RHEL, Debian, Ubuntu, Gentoo, all have /dev/ttyN, so if
|
||||
# this ever triggers, it means a real problem we should know about.)
|
||||
vt_tty_devices_count=$(find /dev -regex '/dev/tty[0-9].*' | wc -w)
|
||||
assert "$vt_tty_devices_count" != "0" \
|
||||
"Expected at least one /dev/ttyN device on host"
|
||||
|
||||
run_podman run --rm -d --privileged $IMAGE ./pause
|
||||
cid="$output"
|
||||
|
||||
run_podman exec $cid sh -c "find /dev -regex '/dev/tty[0-9].*' | wc -w"
|
||||
assert "$output" = "0" \
|
||||
"ls /dev/tty[0-9]: should have no ttyN devices"
|
||||
|
||||
run_podman stop -t 0 $cid
|
||||
}
|
||||
|
||||
# 16925: --privileged + --systemd = share non-virtual-terminal TTYs (both rootful and rootless)
|
||||
@test "podman run --privileged as root with systemd mounts non-vt /dev/tty devices" {
|
||||
# First, confirm that we _have_ non-virtual terminal /dev/tty* devices on
|
||||
# the host.
|
||||
non_vt_tty_devices_count=$(find /dev -regex '/dev/tty[^0-9].*' | wc -w)
|
||||
|
|