an idea: run bootc install with less permissions by using the systemd directive OpenFile

[eriksjolund]

The new systemd directive OpenFile= is available in systemd 253 (released 15 February 2023).

Here is an untested idea: maybe it would possible to run rootless podman when installing with bootc.
I believe the installation would then be run with less permissions than usual.

So the idea would be to run something like

useradd test
loginctl enable-linger test
systemd-run --quiet \
              --property OpenFile=/dev/nvme0n1:fdnameinstalldevice \
              --property User=test \
              --collect \
              --pipe \
              --wait \
                 podman run \
                          --pull=never \
                          --rm \
                          --privileged \
                          --pid=host \
                          --net=none	\
                           quay.io/cgwalters/ ghcr.io/cgwalters/c9s-oscore \
                                bootc install \
                                   --target-no-signature-verification \
                                   --wipe \
                                   --block-setup tmp2-luks

Of course the functionality to use the passed in file descriptor would need to be implemented in bootc for the command above to work.

Is this even technically possible? What do you think? Maybe running rootless podman gives up too much privilege?

Here is a minimal test where a container writes to the file /var/file although the file is being owned by root and has file permissions 600.

# useradd test
# loginctl enable-linger test
# rpm -qf $(which systemd-run)
systemd-253-1.fc38.aarch64
# setenforce 0
# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# echo hello > /var/file
# chmod 600 /var/file
# systemd-run --quiet \
              --property OpenFile=/var/file \
              --property User=test \
              --collect \
              --pipe \
              --wait \
                 podman run \
                   --rm docker.io/library/fedora /usr/bin/bash -c "echo installing >&3"
# cat /var/file
installing
#

About the system:

# cat /etc/os-release
NAME="Fedora Linux"
VERSION="38.20230310.1.0 (CoreOS Prerelease)"
ID=fedora
VERSION_ID=38
VERSION_CODENAME=""
PLATFORM_ID="platform:f38"
PRETTY_NAME="Fedora CoreOS 38.20230310.1.0"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:38"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=38
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=38
SUPPORT_END=2024-05-14
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='38.20230310.1.0'

Update 2023-04-23

If there is no need for any network, then maybe it's possible to add

     --property "RestrictAddressFamilies=AF_UNIX AF_NETLINK" \
     --property NoNewPrivileges=yes \

Here is a minimal demo.

The file test1.sh contains

#!/bin/bash
systemd-run --quiet \
            --property User=test \
            --property "RestrictAddressFamilies=AF_UNIX AF_NETLINK" \
            --property NoNewPrivileges=yes \
            --collect \
            --pipe \
            --wait \
            podman run \
               --pull=always \
               --rm \
               --net=none	\
               docker.io/library/alpine \
                 sh -c "echo hello"

The file test2.sh has almost the same contents

--- test1.sh	2023-04-15 20:42:16.188364890 +0000
+++ test2.sh	2023-04-15 20:42:34.084676209 +0000
@@ -7,7 +7,7 @@
             --pipe \
             --wait \
             podman run \
-               --pull=always \
+               --pull=never \
                --rm \
                --net=none	\
                docker.io/library/alpine \

Run commands

# podman pull -q docker.io/library/alpine
51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
# bash test1.sh 
Trying to pull docker.io/library/alpine:latest...
Error: initializing source docker://alpine:latest: pinging container registry registry-1.docker.io: Get "https://registry-1.docker.io/v2/": dial tcp 18.215.138.58:443: socket: address family not supported by protocol
# bash test2.sh 
hello
# 

[cgwalters]

Ultimately, having the ability to manipulate a raw block device and create Linux filesystems on it is just a privileged operation. See https://lwn.net/Articles/934176/ and others.