Run minijail in rootless container


Ikhwanul Labib

Jun 10, 2024, 8:23:39 AM
to minijail
Hi,

I am trying to run Minijail within a rootless Podman.

On my bare metal system running Pop OS (Ubuntu 22.04) with Podman 3.4.4, and on an Ubuntu Server 24.04 VM with Podman 4.9.3, I get the following result:

# minijail0 --config config.cfg -C box -- /usr/bin/python3
libminijail[1]: remount: Operation not permitted
libminijail[2]: child process 3 received signal 11

Meanwhile trying the same command under Fedora 40 Server (Podman 5.1.0), I get the following result:
libminijail[3]: failed to set rlimit
Aborted (core dumped)

I run the containers with seccomp, AppArmor and/or SELinux disabled, and with additional cap_sys_admin and cap_sys_resource.

There is no problem when running Podman as root or using Docker ( version 26.1.4, build 5650f9b).

I have attached my Minijail config and containerfile if anyone wants to reproduce the issue.

Is it possible to run Minijail within a rootless container? Any idea how to debug this? Thanks.
config.cfg
minijail.containerfile

Jorge Lucangeli Obes

Jun 10, 2024, 5:29:57 PM
to Ikhwanul Labib, minijail
There are certain privilege-dropping system calls that do require root or CAP_SYS_ADMIN, so if the Minijail invocation inside the container does not have CAP_SYS_ADMIN, I would expect things to break.
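A first debugging step for the question above is to check which capabilities the process inside the rootless container actually holds, since "Operation not permitted" on remount and the rlimit failure are consistent with an effective set that lacks CAP_SYS_ADMIN or CAP_SYS_RESOURCE. The script below is an added example, not code from the thread or from the Minijail project: it decodes the CapEff mask from a /proc/<pid>/status-style file (the capability bit numbers 21 and 24 are the kernel's values from <linux/capability.h>).

```shell
#!/bin/sh
# Added example (not from the thread): decode the CapEff line of
# /proc/<pid>/status to see whether the process inside the container
# holds the capabilities Minijail's privilege-dropping calls need.
# Bit numbers from <linux/capability.h>: CAP_SYS_ADMIN=21, CAP_SYS_RESOURCE=24.
CAP_SYS_ADMIN=21
CAP_SYS_RESOURCE=24

# has_cap MASK BIT: MASK is the hex value from a Cap* line of /proc/<pid>/status.
# Returns 0 (true) if BIT is set in MASK, 1 otherwise.
has_cap() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_field FILE NAME: print the hex mask of the given line (CapEff, CapBnd, ...)
# from a /proc/<pid>/status-style file.
cap_field() {
    awk -v name="$2:" '$1 == name { print $2 }' "$1"
}

# report FILE: say whether CAP_SYS_ADMIN and CAP_SYS_RESOURCE are in the
# effective set recorded in FILE; returns 1 if the file has no CapEff line.
report() {
    eff=$(cap_field "$1" CapEff)
    if [ -z "$eff" ]; then
        echo "no CapEff line in $1" >&2
        return 1
    fi
    for pair in "CAP_SYS_ADMIN $CAP_SYS_ADMIN" "CAP_SYS_RESOURCE $CAP_SYS_RESOURCE"; do
        set -- $pair
        if has_cap "$eff" "$2"; then
            echo "$1: present"
        else
            echo "$1: MISSING"
        fi
    done
}

# Run against the current process when executed directly (e.g. inside the
# container, before invoking minijail0).
if [ -r /proc/self/status ]; then
    report /proc/self/status
fi
```

Run it inside the container started with the same `podman run` flags as the failing invocation; if either line reports MISSING, the added capabilities did not reach the process despite being requested.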