Description
This PR inhibits access to the host's /sys/firmware from unprivileged containers. But in 64-bit builds of the Raspberry Pi OS, and possibly other OSes, the information that used to be in /proc/cpuinfo is now in /sys/firmware (and symlinked into /proc/device-tree).
The following files are some of those commonly used by non-root applications to detect the device model. For an example, see rpi-ws281x.
/sys/firmware/devicetree/base/serial-number
/sys/firmware/devicetree/base/model
/sys/firmware/devicetree/base/system/linux,revision
/sys/firmware/devicetree/base/system/linux,serial
Inhibiting access to /sys/firmware prevents a lot of existing software from running in a container. A less broad restriction may be appropriate, or perhaps a capability that doesn't require full privileged access.
Steps to reproduce the issue:
- On a Raspberry Pi 3B+
```
docker build balenalib/raspberrypi3-64-python:3.10-build
docker run -it <image-ID> bash
pip install rpi-ws281x
python
import _rpi_ws281x as ws
leds = ws.new_ws2811_t()
print (ws.ws2811_get_return_t_str(ws.ws2811_init(leds)))
```
Describe the results you received:
"Hardware revision is not supported"
Describe the results you expected:
"Success"
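As an added example (not code from this issue, from moby, or from rpi-ws281x), the following Python shows the two things a practitioner would want to check when triaging a report like this: whether the runtime has actually masked /sys/firmware inside the container, and whether the device model can still be recovered from one of the sources the issue lists, falling back to the older /proc/cpuinfo layout. It assumes that an OCI runtime masks a directory by mounting a read-only tmpfs over it (which is what shows up in /proc/self/mountinfo), and that device-tree string files are NUL-terminated. The mountinfo and cpuinfo samples are constructed, the serial number is a placeholder, and `dict_reader` is a hypothetical in-memory stand-in for reading files so the code runs offline.

```python
import re

# Paths the issue lists as the device-identity sources non-root software reads.
# /proc/device-tree is a symlink into /sys/firmware, so masking one hides both.
DT_MODEL_PATHS = (
    "/sys/firmware/devicetree/base/model",
    "/proc/device-tree/model",
)

# Constructed sample: /proc/self/mountinfo as seen inside a container whose
# runtime has masked /sys/firmware with a read-only tmpfs.
MASKED_MOUNTINFO = """\
100 90 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/lower,upperdir=/upper
101 100 0:52 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 100 0:51 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
103 102 0:60 / /sys/firmware ro,relatime - tmpfs tmpfs ro
"""

# Constructed sample: the same container without the mask (first three lines).
PLAIN_MOUNTINFO = "\n".join(MASKED_MOUNTINFO.splitlines()[:3]) + "\n"

# Constructed sample of the older /proc/cpuinfo layout that still carries the
# identity lines; the serial number is a placeholder.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: ARMv7 Processor rev 4 (v7l)
Hardware\t: BCM2835
Revision\t: a020d3
Serial\t\t: 00000000deadbeef
Model\t\t: Raspberry Pi 3 Model B Plus Rev 1.3
"""


def firmware_masked(mountinfo_text):
    """Return True if a tmpfs is mounted directly on /sys/firmware.

    Assumption: that is how an OCI runtime masks a directory (files are
    masked with a /dev/null bind instead). mountinfo fields: the mount
    point is field 5, and the filesystem type follows the '-' separator.
    """
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields or len(fields) < 8:
            continue
        mount_point = fields[4]
        fstype = fields[fields.index("-") + 1]
        if mount_point == "/sys/firmware" and fstype == "tmpfs":
            return True
    return False


def parse_cpuinfo(text):
    """Collect the Model, Revision and Serial lines from /proc/cpuinfo text.

    Keys that are absent (as on 64-bit kernels) are simply not returned.
    """
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(Model|Revision|Serial)\s*:\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def detect_model(read_file, cpuinfo_text):
    """Return (model, source) from the first readable device-tree path,
    else from /proc/cpuinfo, else (None, None).

    read_file(path) returns the file's text or raises OSError.
    """
    for path in DT_MODEL_PATHS:
        try:
            return read_file(path).rstrip("\0\n"), path
        except OSError:
            continue
    model = parse_cpuinfo(cpuinfo_text).get("Model")
    if model:
        return model, "/proc/cpuinfo"
    return None, None


def dict_reader(files):
    """Hypothetical in-memory replacement for open(path).read() (testing only)."""
    def read(path):
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return read


if __name__ == "__main__":
    # Run inside a container on a Pi to see the mask and the fallback in action.
    def os_reader(path):
        with open(path) as f:
            return f.read()
    with open("/proc/self/mountinfo") as f:
        print("/sys/firmware masked:", firmware_masked(f.read()))
    with open("/proc/cpuinfo") as f:
        print("model, source:", detect_model(os_reader, f.read()))
```

On a 64-bit kernel the cpuinfo fallback returns nothing once /sys/firmware is masked, which is exactly the failure the report describes; the mountinfo check lets you confirm the mask is the cause rather than a missing device-tree node.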
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
Client:
Version: 19.03.18
API version: 1.40
Go version: go1.12.17
Git commit: 840aacc77b6c600b3b929fe9e4d9356a322b9e5b
Built: Tue Jun 8 10:32:15 2021
OS/Arch: linux/arm64
Experimental: false
Server:
Engine:
Version: 19.03.18
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: 840aacc77b6c600b3b929fe9e4d9356a322b9e5b
Built: Tue Jun 8 10:32:15 2021
OS/Arch: linux/arm64
Experimental: true
containerd:
Version: 1.2.0+unknown
GitCommit:
runc:
Version: 1.0.0-rc4+dev
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
balena-engine-init:
Version: 0.13.0
GitCommit: 949e6fa-dirty
Output of docker info:
Client:
Debug Mode: false
Server:
Containers: 21
Running: 2
Paused: 0
Stopped: 19
Images: 5
Server Version: 19.03.18
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 120
Dirperm1 Supported: true
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host null
Log: journald json-file local
Swarm:
NodeID:
Is Manager: false
Node Address:
Runtimes: bare runc
Default Runtime: runc
Init Binary: balena-engine-init
containerd version:
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: 949e6fa-dirty (expected: fec3683b971d9)
Kernel Version: 5.4.83-v8
Operating System: balenaOS 2.80.3+rev1
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 962MiB
Name: 15f241a
ID: WOTW:AJV6:W24J:VF6Z:IM7E:474Z:YW3H:XYGC:U4CK:D4OJ:AH2S:OPNP
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional environment details (AWS, VirtualBox, physical, etc.):
Happen to be using balena, but not intending for that to be relevant.