
SYS_MKNOD denied by default #15626

Closed
tangentsoft opened this issue Sep 4, 2022 · 5 comments · Fixed by #15630
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@tangentsoft

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Various places in the docs claim the SYS_MKNOD capability is granted by default. It is not, as is easy to see with:

$ sudo podman run busybox mknod foo c 1 3
mknod: foo: Operation not permitted

I happen to think this is a good thing, as mknod is potentially quite dangerous, so if it's genuinely needed — thus justifying the use of rootful containers — it should be added to the build and then denied on create and run, baking the additional /dev nodes into an immutable base layer of the container.

That said, this is a "regression" relative to Docker Engine, which grants this by default. I won't say you should be compatible with them at this level, but if not, you should document the difference.

Output of podman version:

Client:       Podman Engine
Version:      4.2.0
API Version:  4.2.0
Go Version:   go1.18.4
Built:        Mon Aug 22 06:28:20 2022
OS/Arch:      linux/amd64

Output of podman info:

host:
  arch: amd64
  buildahVersion: 1.27.0
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.3-1.el9.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.3, commit: 8d561e47dd44c98c15c24a5e16aa1fc187df1b75'
  cpuUtilization:
    idlePercent: 99.79
    systemPercent: 0.05
    userPercent: 0.16
  cpus: 10
  distribution:
    distribution: '"centos"'
    version: "9"
  eventLogger: journald
  hostname: carmine
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.14.0-148.el9.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 996864000
  memTotal: 3826176000
  networkBackend: netavark
  ociRuntime:
    name: crun
    package: crun-1.5-1.el9.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.5
      commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_NET_RAW,CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.0-2.el9.x86_64
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.4.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.2
  swapFree: 4294963200
  swapTotal: 4294963200
  uptime: 10h 10m 34.00s (Approximately 0.42 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /home/tangent/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/tangent/.local/share/containers/storage
  graphRootAllocated: 63762120704
  graphRootUsed: 7267127296
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 26
  runRoot: /run/user/1000/containers
  volumePath: /home/tangent/.local/share/containers/storage/volumes
version:
  APIVersion: 4.2.0
  Built: 1661171300
  BuiltTime: Mon Aug 22 06:28:20 2022
  GitCommit: ""
  GoVersion: go1.18.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.2.0

(Note the confirmation under security.capabilities.)

Package info (e.g. output of rpm -q podman or apt list podman):

podman-4.2.0-3.el9.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

No. If it's changed since CentOS Stream 9 was released, I'll be vaguely interested to know, but this is what I have for the next several years. I won't be building and installing new versions of Podman on my servers just to get around this.

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 4, 2022
@rhatdan
Member

rhatdan commented Sep 4, 2022

This is intentional, as we feel that the Docker default is dangerous, and almost never needed. So Podman and Buildah decided to remove it by default.

We also remove CAP_NET_RAW and CAP_AUDIT_WRITE, which are not needed by almost all containers and potentially could lead to hacks.
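A check that makes the difference concrete, added here as an example that is not part of the issue or of the podman project: decode the CapEff bitmask from /proc/self/status inside a container and diff it against Docker's documented default capability set. The Podman sample mask is constructed from the security.capabilities line in the podman info output above and the Docker one from Docker's documented defaults; capability bit numbers are those of linux/capability.h.

```shell
#!/bin/sh
# Added example (not from the issue or the podman project): decode the CapEff
# bitmask that /proc/<pid>/status reports and compare it with Docker's
# documented default capability set. Bit numbers are from <linux/capability.h>.

# Docker's documented default capabilities as name=bit pairs.
DOCKER_DEFAULT_CAPS="CAP_CHOWN=0 CAP_DAC_OVERRIDE=1 CAP_FOWNER=3 CAP_FSETID=4 \
CAP_KILL=5 CAP_SETGID=6 CAP_SETUID=7 CAP_SETPCAP=8 CAP_NET_BIND_SERVICE=10 \
CAP_NET_RAW=13 CAP_SYS_CHROOT=18 CAP_MKNOD=27 CAP_AUDIT_WRITE=29 CAP_SETFCAP=31"

# Constructed sample masks (hex, as printed after "CapEff:"):
# - the Docker default set above, encoded as a mask
DOCKER_DEFAULT_CAPEFF=00000000a80425fb
# - the set listed under security.capabilities in the podman info output
PODMAN_42_CAPEFF=00000000800425fb

# has_cap MASK BIT: succeed if capability bit BIT is set in hex MASK.
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# list_caps MASK: print the known capabilities present in MASK, in bit order.
list_caps() {
    out=""
    for entry in $DOCKER_DEFAULT_CAPS; do
        has_cap "$1" "${entry#*=}" && out="$out ${entry%%=*}"
    done
    printf '%s\n' "${out# }"
}

# missing_vs_docker MASK: print the Docker-default capabilities absent from MASK.
missing_vs_docker() {
    out=""
    for entry in $DOCKER_DEFAULT_CAPS; do
        has_cap "$1" "${entry#*=}" || out="$out ${entry%%=*}"
    done
    printf '%s\n' "${out# }"
}

# current_capeff: effective set of this shell; run inside a container to see
# what the runtime actually granted rather than what the docs claim.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

if [ "${1:-}" = "--self" ]; then
    echo "Missing vs Docker defaults: $(missing_vs_docker "$(current_capeff)")"
else
    echo "Podman 4.2 sample, missing vs Docker defaults: $(missing_vs_docker "$PODMAN_42_CAPEFF")"
fi
```

Run with `--self` inside a container (for example via `podman run --rm -v ./capcheck.sh:/capcheck.sh:ro busybox sh /capcheck.sh --self`) to audit the runtime's real default set.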

@rhatdan rhatdan closed this as completed Sep 4, 2022
@rhatdan
Member

rhatdan commented Sep 4, 2022

Where in the docs does it claim SYS_MKNOD is allowed by default?

@tangentsoft
Author

Here, for one.

@rhatdan rhatdan reopened this Sep 5, 2022
@rhatdan
Member

rhatdan commented Sep 5, 2022

Thanks, I will fix that.

I cannot find any others, but then again I did not find this one. :^(

rhatdan added a commit to rhatdan/podman that referenced this issue Sep 5, 2022
Fixes: containers#15626

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@rhatdan
Member

rhatdan commented Sep 6, 2022

If you find more instances of bad docs, please reopen. Thanks @tangentsoft for pointing this out.

mheon pushed a commit to mheon/libpod that referenced this issue Sep 6, 2022
Fixes: containers#15626

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>