Does using privileged flag or adding capabilities for rootless containers increase risk outside the container?

[acromc]

Hi all, does adding dangerous capabilities like SYS_ADMIN or running with privileged flag for a rootless container add any more privileges in the host user namespace?
In other words, is whether adding capabilities or running with privileged in a rootless container, or not, exactly the same from a security perspective in the outside world of the rootless container?

[rhatdan]

Depends on your definition of dangerous.
Bottom line adding capabilities to a rootless container or running with --privileged is close to the same dangerousness as the user account running the podman command. It grants no extra privileges to the user.

If you look at it from protecting the user account or the other containers run within the user account, then the more privileges you add to a container, lowers the container separation from the user account and from the user.

Remember though most of the valuable stuff on a host is in the users home directory. So protecting .ssh directories or the cache from the webrowser which might include internet passwords is a pretty valuable thing to attack. So limiting container access from the rootless user is very important.

[acromc]

@rhatdan thanks for the quick response! I think it's now more clear to me. In my case I am trying to do something like a multi-tenant architecture that runs CI code, each rootless container is run by a different user in the outer user namespace and each user has a different uid/gid map relative to its uid/gid. Nothing to worry about when it comes to .ssh dir or any other credentials that can be read by the users since these users are programmatically generated and actually do nothing except for starting the rootless containers that actually contain the possibly dangerous user code.