6

Background: I am running a docker container which needs to load/remove a kernel module which makes USB devices attached to a remote server available on the host which I then want to make available in the container.

It works when running the container with --privileged and bind mounts for /lib/modules and /dev.

Now I want to remove privileged mode and just allow the minimum necessary access. I tried --cap-add=all as a start, but that doesn’t seem enough. What else does --privileged allow?

nfelger
  • this also answers the question `what is the difference between "--privileged" and "--security-opt seccomp=unconfined"?`: privileged gives more. seccomp=unconfined only gives access to additional syscalls. – Trevor Boyd Smith Mar 24 '23 at 15:39

1 Answer

7

Setting privileged should modify:

  • capabilities: removing any capability restrictions
  • devices: the host devices will be visible
  • seccomp: removing restrictions on allowed syscalls
  • apparmor/selinux: policies aren't applied
  • cgroups: I don't believe the container is limited within a cgroup

That's from memory, I might be able to find some more by digging in the code if this doesn't point you to your issue.

p.s. here is a link to the documentation on what --privileged does: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

Trevor Boyd Smith
BMitch
  • Fantastic, thank you! Any idea where I could find this documented? I had a look at the source, but all I could find was the lifting of capability restrictions here: https://github.com/moby/moby/blob/46cdcd206c56172b95ba5c77b827a722dab426c5/daemon/exec_linux.go – nfelger Mar 15 '21 at 14:01
  • @nfelger not sure. If it's not documented somewhere, it really should be. This was just from memory. – BMitch Mar 15 '21 at 14:14
  • @nfelger there's a variety of settings configured when you create the container: https://github.com/moby/moby/blob/470ae8422fc6f1845288eb7572253b08f1e6edf8/daemon/oci_linux.go – BMitch Mar 15 '21 at 14:26
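Added example (not part of the original posts and not Docker's own code): a small check, meant to be run inside a container, that reports three of the layers listed in the answer (capabilities, seccomp, AppArmor/SELinux label) so you can see what `--cap-add=all` leaves in place compared with `--privileged`. The three status samples and the `docker-default (enforce)` label are constructed for illustration; device visibility and cgroup limits are not covered because they are not in `/proc/<pid>/status`.

```python
"""Report capability, seccomp and LSM confinement from /proc/<pid>/status text."""

# Bit numbers from linux/capability.h; subset relevant to module loading and devices.
SENSITIVE_CAPS = {16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO",
                  21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD"}
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed samples (not captured from a real host).
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
CAP_ADD_ALL_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t2\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"


def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def confinement_report(status_text, lsm_label="unconfined"):
    """lsm_label is the content of /proc/<pid>/attr/current (AppArmor or SELinux)."""
    fields = parse_status(status_text)
    if "CapEff" not in fields:
        raise ValueError("status text has no CapEff line")
    cap_eff = int(fields["CapEff"], 16)
    held = [name for bit, name in sorted(SENSITIVE_CAPS.items())
            if (cap_eff >> bit) & 1]
    seccomp = SECCOMP_MODES.get(int(fields.get("Seccomp", "0")), "unknown")
    lsm_enforced = lsm_label.strip() not in ("", "unconfined")
    return {
        "sensitive_caps": held,
        "seccomp": seccomp,
        "lsm_enforced": lsm_enforced,
        # True only when none of the three layers restricts the process.
        "fully_unconfined": (len(held) == len(SENSITIVE_CAPS)
                             and seccomp == "disabled" and not lsm_enforced),
    }


if __name__ == "__main__":
    try:  # live check of the current process (Linux only)
        with open("/proc/self/status") as s, open("/proc/self/attr/current") as a:
            print(confinement_report(s.read(), a.read()))
    except OSError as exc:
        print("cannot read /proc:", exc)
```

In the `--cap-add=all` sample the capability set is full, but the seccomp filter and the LSM profile still apply, which matches the answer's point that capabilities are only one of the things `--privileged` changes.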