Package: systemd
Version: 256.4-2
Severity: normal
Forwarded: https://github.com/systemd/systemd/issues/29860

Steps to reproduce:

* install autopkgtest, podman and their Recommends
* autopkgtest-build-podman --init=systemd --release=sid
  - any podman container that includes systemd-sysv and has /sbin/init as
    its entry point will do, this is just a convenient way to get one
  - if you don't want to have to trust Dockerhub, instead use
    mmdebstrap --variant=minbase sid - | \
    autopkgtest-build-podman --init=systemd --release=sid --tarball=-
    (requires autopkgtest from testing/unstable)
  - if your apt proxy is mis-detected (#1078076) add --apt-proxy=DIRECT
    or --apt-proxy=http://192.168.122.1:3142 to the a-b-podman arguments
* podman run --rm -it autopkgtest/systemd/debian:sid
  and note the container ID (it's the hostname)
* in another terminal: podman exec -i $container_id journalctl -f
* in another terminal: podman exec -i $container_id apt install polkitd
* in another terminal (can be the same one as apt):
  podman exec -i $container_id systemctl start polkit.service

Expected result:

polkit.service starts successfully, possibly with weaker sandboxing than
it was ideally meant to have (for example ProtectHostname=yes gets ignored)

Actual result:

Aug 08 08:05:25 e1cbf9b28e82 systemd[1]: Starting polkit.service - Authorization Manager...
Aug 08 08:05:25 e1cbf9b28e82 (polkitd)[384]: polkit.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.
Aug 08 08:05:25 e1cbf9b28e82 (polkitd)[384]: polkit.service: Failed to keep CAP_SYS_ADMIN: Operation not permitted
Aug 08 08:05:25 e1cbf9b28e82 (polkitd)[384]: polkit.service: Failed at step USER spawning /usr/lib/polkit-1/polkitd: Operation not permitted

Workaround (1): add --cap-add=CAP_SYS_ADMIN to the `podman run` arguments

Workaround (2): write the reduced restrictions below into the container's
/etc/systemd/system/polkit.service.d/local.conf, then run
`systemctl daemon-reload`, then try again

[Service]
MemoryDenyWriteExecute=no
PrivateDevices=no
LockPersonality=no
ProtectKernelModules=no
ProtectKernelLogs=no
ProtectKernelTunables=no
ProtectClock=no
ProtectHostname=no
RestrictAddressFamilies=
RestrictNamespaces=no
RestrictRealtime=no
RestrictSUIDSGID=no
SystemCallArchitectures=
SystemCallFilter=

(this list is derived from the upstream issue report, I haven't confirmed
whether all of these parameters are actually required)

Thanks,
    smcv
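The failure above comes down to one question: is CAP_SYS_ADMIN in the bounding set that the container manager gave to PID 1? The script below is an added example, not part of the bug report and not code from systemd, podman or polkit. It reads the CapBnd mask from a /proc/PID/status-style file (the CAP_SYS_ADMIN number 21 is from <linux/capability.h>), reports whether the capability is present, and can write the reporter's workaround (2) drop-in, verbatim and with the same "unconfirmed" caveat, under a directory you pass as its first argument (assumed to be /etc/systemd/system inside the container). The sample CapBnd values used in the lead-in's description and in testing are constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example (not from the bug report): does this container's bounding set
# include CAP_SYS_ADMIN, and if not, install the reporter's reduced-sandboxing
# drop-in for polkit.service.
set -eu

CAP_SYS_ADMIN=21   # capability number from <linux/capability.h>

# cap_in_bounding_set STATUS_FILE CAPNUM
#   Exit 0 if the CapBnd hex mask in STATUS_FILE (format of /proc/PID/status)
#   has bit CAPNUM set, 1 if not, 2 if the file has no CapBnd line.
cap_in_bounding_set() {
    mask=$(sed -n 's/^CapBnd:[[:space:]]*//p' "$1" 2>/dev/null || true)
    [ -n "$mask" ] || { echo "no CapBnd line in $1" >&2; return 2; }
    # 0x-prefixed literals are accepted by POSIX sh arithmetic; the mask is
    # at most 64 bits, and every defined capability number is well below 63.
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# write_polkit_dropin SYSTEMD_DIR
#   Creates SYSTEMD_DIR/polkit.service.d/local.conf with the list from
#   workaround (2). The list is copied as the reporter gave it; the report
#   does not say which of these directives are actually needed.
write_polkit_dropin() {
    dir="$1/polkit.service.d"
    mkdir -p "$dir"
    cat > "$dir/local.conf" <<'EOF'
[Service]
MemoryDenyWriteExecute=no
PrivateDevices=no
LockPersonality=no
ProtectKernelModules=no
ProtectKernelLogs=no
ProtectKernelTunables=no
ProtectClock=no
ProtectHostname=no
RestrictAddressFamilies=
RestrictNamespaces=no
RestrictRealtime=no
RestrictSUIDSGID=no
SystemCallArchitectures=
SystemCallFilter=
EOF
    echo "wrote $dir/local.conf; now run: systemctl daemon-reload && systemctl start polkit.service"
}

# Stand-alone use inside the container: report on this process's own bounding
# set (a podman exec shell shares PID 1's bounding set), then write the
# drop-in if a systemd unit directory was given as the first argument.
if cap_in_bounding_set /proc/self/status "$CAP_SYS_ADMIN"; then
    echo "CAP_SYS_ADMIN is in the bounding set; polkit.service should start unchanged"
else
    echo "CAP_SYS_ADMIN is NOT in the bounding set; expect 'Failed to keep CAP_SYS_ADMIN'"
fi
[ -z "${1:-}" ] || write_polkit_dropin "$1"
```

Run it as `podman exec -i $container_id sh -s /etc/systemd/system < check-polkit.sh` to see which case you are in and, if needed, install the drop-in; `--cap-add=CAP_SYS_ADMIN` on `podman run` (workaround 1) flips the first line of output without any unit change, which is a quick way to confirm that the capability, and not one of the other sandboxing directives, is what blocks the unit.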