hotplug of device in privileged rootless container loses permissions

[PhracturedBlue]

Issue Description

I run rootless podman as a user with the 'dialout' group using a privileged container, I lose access to a serial device if it is unplugged/replugged

Steps to reproduce the issue

podman run --privileged --group-add keep-groups alpine

Then:

ls -l /dev/ttyACM0
crw-rw----    1 nobody   nobody    166,   0 Dec 19 20:12 /dev/ttyACM0

(despite the nobody/nobody) I can indeed access the tty):

stty -F /dev/ttyACM0 speed 115200
9600

Now I uplug and replug the serial device, and see:

ls -l /dev/ttyACM0 
c---------    0 nobody   nobody    166,   0 Dec 19 20:21 /dev/ttyACM0

and indeed I cannot access the device:

stty -F /dev/ttyACM0 speed 115200
stty: can't open '/dev/ttyACM0': Permission denied

but on the host, the device has the expected groups:

ls -l /dev/ttyACM0 
crw-rw----    1 root     dialout   166,   0 Dec 19 12:21 /dev/ttyACM0

and if I exit/restart podman, the device is visible again

Describe the results you received

Permission denied

Describe the results you expected

access to the serial device after replug

podman info output

host:
  arch: arm64
  buildahVersion: 1.37.5
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-r0
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: unknown'
  cpuUtilization:
    idlePercent: 97.84
    systemPercent: 0.7
    userPercent: 1.46
  cpus: 4
  databaseBackend: sqlite
  distribution:
    distribution: alpine
    version: 3.21.0
  eventLogger: file
  freeLocks: 2041
  hostname: odroidc4-alpine
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1001
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 6.12.5
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 50913280
  memTotal: 3968016384
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-r1
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.0-r1
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.0
  ociRuntime:
    name: crun
    package: crun-1.18.2-r0
    path: /usr/bin/crun
    version: |-
      crun version 1.18.2
      commit: 00ab38af875ddd0d1a8226addda52e1de18339b5
      rundir: /tmp/storage-run-1001/crun
      spec: 1.0.0
      +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-2024.11.27-r0
    version: |
      pasta 2024_11_27.c0fbc7e
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: false
    path: /tmp/storage-run-1001/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 3931213824
  swapTotal: 3967807488
  uptime: 4h 55m 12.00s (Approximately 0.17 days)
  variant: v8
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /home/docker-rootless/.config/containers/storage.conf
  containerStore:
    number: 2
    paused: 0
    running: 2
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /media/data/podman
  graphRootAllocated: 14564466688
  graphRootUsed: 5594226688
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 10
  runRoot: /tmp/storage-run-1001/containers
  transientStore: false
  volumePath: /media/data/podman/volumes
version:
  APIVersion: 5.2.5
  Built: 1729297171
  BuiltTime: Fri Oct 18 17:19:31 2024
  GitCommit: ""
  GoVersion: go1.23.2
  Os: linux
  OsArch: linux/arm64
  Version: 5.2.5

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

Runing on alpine linux 3.21.0 on aarch64

Additional information

No response

[PhracturedBlue]

FYI, I was able to work-around my issue using:

podman run --rm -it --mount type=bind,src=/dev,target=/dev,shared --mount type=bind,src=/sys,target=/sys,shared --group-add keep-groups alpine

instead of --privileged. It should be sufficient for my needs

[giuseppe]

that is the suggested way to deal with disappearing devices with rootless containers. Without root privileges, we can only bind mount devices inside the container, it is not possible to create device files

[PhracturedBlue]

Ok, if this is the intended behavior, is there somewhere it shouldbe documented? I would have expected --privileged would behave similar to bind mounting iwth rshared

[giuseppe]

rshared should not have any impact with rootless containers. A rootless container cannot propagate mounts to the host, so it is equivalent to rslave.

Are you sure that it makes any difference?