Explicitly map /dev/* devices without privileged mode

Hello folks!

If I understood correctly, it looks like in order to make evdev run in the container and allow access to devices on /dev/*, the container must be set as privileged, which means the host will map all the devices into the container.

Although it works, it is far from ideal security-wise if you consider the least-privilege idea.

So, is there a way to map only the devices I want on a particular container and start evdev only with them?

Thank you!

Yes, there is an alternative. Please check this page to see how to do that: https://www.balena.io/docs/learn/develop/hardware/

I've seen that, but I couldn't make it work.

Use the cap_add and devices settings to map in the correct hardware access to the container.

What are the permissions that I need to add there for:

  1. USB Printer
  2. Linux Framebuffer
  3. USB Serial device

Since the application requires access to invoke ioctl APIs, idk if SYS_RAWIO is correct...


Hi @galvesribeiro, I think for the USB device specifically you probably will need to use a privileged container, since most USB devices can enumerate to a different number. One way to make sure the USB devices have a fixed name is to set a host OS udev rule to map it to a specific name. Have a look at this blog post https://www.balena.io/blog/balena-fin-gps-tracker-project/ (specifically the section titled "Custom udev rules", which maps the modem (usb-serial) device to /dev/NMEA.gps, and then that device gets mapped into the container using the --device compose directive).