Sandbox2 does not work in Docker Container if it runs without --privileged flag
levshukovv opened this issue · comments
Hi colleagues!
I want to use sandbox2 inside a docker container. To understand which capabilities I need, I have built the tool (sandboxed_api/sandbox2/examples/tool) and want to run it inside the container.
Dockerfile:
FROM mcr.microsoft.com/devcontainers/cpp:ubuntu-22.04
COPY sandbox2tool sandbox2tool
How I tried to run the docker container (it did not work):
- docker run --cap-add CAP_SYS_ADMIN --cap-add CAP_NET_ADMIN -it sandbox_img /bin/bash
- docker run --rm -it --cap-add=ALL sandbox_img /bin/bash
- docker run --rm -it --cap-add=ALL --security-opt apparmor=unconfined sandbox_img /bin/bash
Error:
root ➜ / $ ./sandbox2tool /bin/sh
[global_forkclient.cc : 121] RAW: Starting global forkserver
[namespace.cc : 353] RAW: Check syscall(__NR_pivot_root, kSandbox2ChrootPath, realroot_path.c_str()) != -1 failed: pivot root: Operation not permitted [1]
[forkserver.cc : 594] RAW: Check TEMP_FAILURE_RETRY(read(fds[1], &unused, 1)) == 1 failed: synchronizing initial namespaces creation: No such file or directory [2]
E1124 11:12:41.759428 57 fork_client.cc:61] Receiving init PID from the ForkServer failed
E1124 11:12:41.759502 57 global_forkclient.cc:276] Global forkserver connection terminated
[global_forkclient.cc : 199] RAW: forkserver (pid=58) terminated by signal 6
E1124 11:12:41.759627 56 sandbox2tool.cc:235] Sandbox failed
E1124 11:12:41.759695 56 sandbox2tool.cc:241] Sandbox error: SETUP_ERROR - Code: FAILED_SUBPROCESS
If I run the docker image with the --privileged flag it works without any issue.
Hi there!
For the pivot_root syscall itself, you'll need the CAP_SYS_ADMIN capability, as you've already figured out.
On top of that, Docker also by default applies a seccomp policy, which interferes here. See the docs: pivot_root is explicitly disallowed by default.
You can either continue with --privileged (Sandbox2 is the only layer then), or try and add --security-opt seccomp=unconfined to disable seccomp.
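The reply above offers two options, --privileged or seccomp=unconfined, and both drop the whole seccomp layer. A narrower alternative is a custom profile that keeps Docker's default rules and adds only pivot_root, gated on CAP_SYS_ADMIN. The following is an added example, not code from this issue or from the sandboxed-api project: it evaluates a Docker-style seccomp profile (defaultAction plus a list of syscall rules, some gated with includes.caps / excludes.caps) for a given syscall and set of container capabilities, and produces an extended copy. SAMPLE_PROFILE is a constructed, trimmed stand-in for Docker's real default profile; a profile you actually pass to Docker must be derived from the JSON Docker ships, not from this sample.

```python
"""Evaluate and extend a Docker-style seccomp profile for one syscall.

SAMPLE_PROFILE below is constructed for this example: it has the shape of
Docker's default profile but only a handful of rules.  Derive a real custom
profile from the default.json that Docker publishes.
"""
import copy
import json

SAMPLE_PROFILE = {
    # Anything not matched below is refused with errno 1 (EPERM), which is the
    # "Operation not permitted" the issue's log shows for pivot_root.
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close"], "action": "SCMP_ACT_ALLOW"},
        # Namespace/mount syscalls that only become usable with CAP_SYS_ADMIN.
        {"names": ["mount", "umount2", "unshare", "setns"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def is_allowed(profile, syscall, caps=()):
    """Return True if `syscall` is permitted for a container holding `caps`.

    Rules are matched in order.  A rule with includes.caps applies only when
    every listed capability is held; one with excludes.caps applies only when
    none of them is.  A syscall matching no applicable rule falls through to
    defaultAction.
    """
    held = set(caps)
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        need = set(rule.get("includes", {}).get("caps", []))
        deny = set(rule.get("excludes", {}).get("caps", []))
        if not need <= held or deny & held:
            continue
        return rule.get("action") == "SCMP_ACT_ALLOW"
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def allow_syscalls(profile, names, caps=None):
    """Return a deep copy of `profile` with one extra allow rule for `names`.

    When `caps` is given, the rule is gated so the syscalls are only reachable
    if the container was started with those capabilities (e.g. --cap-add).
    """
    extended = copy.deepcopy(profile)
    rule = {"names": list(names), "action": "SCMP_ACT_ALLOW"}
    if caps:
        rule["includes"] = {"caps": list(caps)}
    extended.setdefault("syscalls", []).append(rule)
    return extended


def to_json(profile):
    """Serialise a profile in the form `--security-opt seccomp=<file>` expects."""
    return json.dumps(profile, indent=2)


def main():
    # Before: pivot_root is refused even with CAP_SYS_ADMIN, as in the issue.
    print("pivot_root allowed (default):",
          is_allowed(SAMPLE_PROFILE, "pivot_root", ("CAP_SYS_ADMIN",)))
    # After: allow just pivot_root, still gated on CAP_SYS_ADMIN.
    custom = allow_syscalls(SAMPLE_PROFILE, ["pivot_root"], caps=["CAP_SYS_ADMIN"])
    print("pivot_root allowed (custom, with cap):",
          is_allowed(custom, "pivot_root", ("CAP_SYS_ADMIN",)))
    print("pivot_root allowed (custom, no cap):",
          is_allowed(custom, "pivot_root"))
    with open("sandbox2-seccomp.json", "w") as fh:
        fh.write(to_json(custom))


if __name__ == "__main__":
    main()
```

The written file is meant to be used as docker run --cap-add SYS_ADMIN --security-opt seccomp=sandbox2-seccomp.json ... so that the container keeps the rest of the default seccomp rules instead of running unconfined. The evaluator here only models the names/includes/excludes matching that the page's problem needs; Docker's real profile also carries per-argument rules (the "args" field) that this example does not interpret.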
Thank you for the fast reply!