If I understood correctly, it looks like in order to make evdev run on the container and allow access to devices on /dev/*, the container must be set as privileged, which means the host will map all the devices on the container.
Although it works, it is far from ideal security-wise if you consider the least privilege idea.
So, is there a way to map only the devices I want on a particular container and start evdev only with them?
Yes, there is an alternative. Please check this page to see how to do that: https://www.balena.io/docs/learn/develop/hardware/
I’ve seen that but I couldn’t make it work.
devices settings to map in the correct hardware access to the container
What are the permissions that I need to add there for:
- USB Printer
- Linux Framebuffer
- USB Serial device
Since the application requires access to invoke ioctl APIs, I don't know if SYS_RAWIO is correct…
Hi @galvesribeiro, I think for the USB device specifically you probably will need to use a privileged container, since most USB devices can enumerate to a different number. One way to make sure the USB devices have a fixed name is to set a hostOS udev rule to map it to a specific name. Have a look at this blog post https://www.balena.io/blog/balena-fin-gps-tracker-project/ (specifically the section titled "Custom udev rules"), which maps the modem (usb-serial) device to /dev/NMEA.gps; that device then gets mapped into the container using the --device compose directive.
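The procedure described in the reply above, written out as an added example (this is not code from the forum post, the balena docs or the linked blog post): a host-side udev rule pins a USB-serial adapter to a fixed symlink, and the compose service then maps only that node instead of running privileged. The vendor/product IDs (0403:6001, an FTDI FT232 used as a stand-in), the symlink name NMEA.gps and the rules-file path are assumptions chosen for illustration; read the real IDs from your own adapter with `udevadm info -a -n /dev/ttyUSB0`.

```shell
#!/bin/sh
# Added example: stable device name via host udev rule + a single --device
# mapping, as an alternative to privileged: true. The IDs, symlink name and
# rules-file path are illustrative assumptions, not values from the thread.
set -eu

# Render a udev rule that symlinks the tty created by a given USB vendor:product
# pair to /dev/<name>. Matching on the parent USB attributes (ATTRS{...}) keeps
# working when the adapter enumerates as ttyUSB0 on one boot and ttyUSB1 on the
# next, which is exactly why a fixed /dev/ttyUSBn mapping is unreliable.
render_udev_rule() {
    vendor="$1"; product="$2"; name="$3"
    printf 'SUBSYSTEM=="tty", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", SYMLINK+="%s"\n' \
        "$vendor" "$product" "$name"
}

# Render the docker-compose service fragment that hands the container exactly
# that one node. Nothing else under /dev is visible, and no privileged: true.
render_compose_devices() {
    name="$1"
    printf '    devices:\n      - "/dev/%s:/dev/%s"\n' "$name" "$name"
}

# Host-side install: write the rule, reload udev, re-trigger the tty subsystem
# and show the resulting symlink. Needs root and a plugged-in adapter; the
# symlink only appears once a matching device is present.
install_rule() {
    rule_file="/etc/udev/rules.d/99-usb-serial-stable.rules"   # assumed path
    render_udev_rule "$1" "$2" "$3" > "$rule_file"
    udevadm control --reload-rules
    udevadm trigger --subsystem-match=tty
    ls -l "/dev/$3"
}

# Only modify the host when asked explicitly; by default just print the rule
# and the compose fragment so they can be reviewed before being applied.
if [ "${1:-}" = "--install" ]; then
    install_rule 0403 6001 NMEA.gps
else
    printf '# /etc/udev/rules.d/99-usb-serial-stable.rules\n'
    render_udev_rule 0403 6001 NMEA.gps
    printf '\n# docker-compose.yml (service fragment)\n'
    render_compose_devices NMEA.gps
fi
```

Run it with no arguments to see the two fragments, and with `--install` as root on the host to apply the rule. Two caveats worth knowing before reaching for extra capabilities: the ioctl calls on a device node that has been mapped in this way are governed by the node's permissions inside the container, not by CAP_SYS_RAWIO (which covers raw port and memory access), so a plain `devices:` entry is usually sufficient; and since the symlink is created by the host's udev, the container itself never needs udev or the whole of /dev.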