Hello folks!
If I understood correctly, it looks like in order to make evdev to run on the container and allow access to devices on /dev/*, the container must be set as privileged which means, the host will map all the devices on the container.
Although it works, it is far from ideal security-wise if you consider the least privilege idea.
So, is there a way to map only the devices I want on a particular container and start evdev only with them?
Thank you!
Gutemberg
Yes, there is an alternative. Please check this page to see how to do that: https://www.balena.io/docs/learn/develop/hardware/
I’ve saw that but I couldn’t make it work.
use the
cap_addanddevicessettings to map in the correct hardware access to the container
What are the permissions that I need to add there for:
Since the application requires access to invoke ioctl APIs, idk if SYS_RAWIO is correct…
Thanks
Hi @galvesribeiro, I think for the USB device specifically you probably will need to use a privileged container, since most usb devices can enumerate to a different number. One way to make sure the usb devices have a fixed name is to set a hostOS udev rule to map it to a specific name. Have a look at this blog post https://www.balena.io/blog/balena-fin-gps-tracker-project/ (specifically the section titled " Custom udev rules" which maps the modem (usb-serial) device to /dev/NMEA.gps and then that device gets mapped into the container using the --device compose directive.