
Rootless podman run --privileged fails if there is an inaccessible /dev subdirectory #3919

Closed
QazerLab opened this issue Aug 31, 2019 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@QazerLab
Contributor

QazerLab commented Aug 31, 2019

/kind bug

Description

The current implementation of privileged containers uses libcontainer's HostDevices() function to obtain the list of host devices. This function returns any error arising when accessing the subdirectories in /dev. This means that having a subdirectory in /dev that is inaccessible to the current user makes rootless podman run --privileged crash, e.g.:

$ podman run --privileged alpine
Error: open /dev/vboxusb: permission denied

Dir permissions are:

$ stat /dev/vboxusb/
...
Access: (0750/drwxr-x---)  Uid: (    0/    root)   Gid: (  108/vboxusers)

Steps to reproduce the issue:

  1. Create a subdirectory in /dev which is not accessible to ordinary users: sudo mkdir -m 0700 /dev/kaboom
  2. Run privileged rootless container: podman run --privileged alpine

Describe the results you received:

podman crashes with a permission denied error.

Describe the results you expected:

The inaccessible directory is ignored.
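To make the two behaviours concrete, here is an added example (not podman's or libcontainer's code) of a /dev walker in Go. It walks an fs.FS, collects every character or block device node, and either aborts on the first permission error (the behaviour reported above) or skips the unreadable subdirectory and keeps going (the behaviour the reporter expects). The in-memory filesystem, the denied directory name `vboxusb` and the function names `listDevices`, `deniedFS` and `sampleDev` are constructed for this example; the last lines of `main` run the same walker against the real `/dev` via `os.DirFS`.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"sort"
	"strings"
	"testing/fstest"
)

// listDevices walks fsys and returns the paths of every device node it can
// reach. With skipInaccessible=false the first permission error aborts the
// walk, which is what the issue describes. With skipInaccessible=true a
// subdirectory whose listing fails with a permission error is skipped and the
// walk continues with its siblings; nodes under it are simply not reported,
// which is acceptable because the unprivileged user could not open them anyway.
func listDevices(fsys fs.FS, skipInaccessible bool) ([]string, error) {
	var devices []string
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			// fs.WalkDir reports a failed ReadDir by calling back a second
			// time for the same directory with err set. Returning SkipDir
			// here drops that subtree and lets the walk carry on.
			if skipInaccessible && errors.Is(err, fs.ErrPermission) && d != nil && d.IsDir() {
				return fs.SkipDir
			}
			return err
		}
		// ModeDevice is set for both block and character devices.
		if d.Type()&fs.ModeDevice != 0 {
			devices = append(devices, p)
		}
		return nil
	})
	sort.Strings(devices)
	return devices, err
}

// deniedFS wraps another FS and refuses to open anything at or below the
// `denied` directory, mimicking a 0750 root:vboxusers directory as seen by an
// ordinary user. It is a constructed stand-in for the real /dev.
type deniedFS struct {
	inner  fs.FS
	denied string
}

func (f deniedFS) Open(name string) (fs.File, error) {
	if name == f.denied || strings.HasPrefix(name, f.denied+"/") {
		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrPermission}
	}
	return f.inner.Open(name)
}

// sampleDev builds a tiny constructed /dev: two readable character devices
// and one device hidden inside an inaccessible subdirectory.
func sampleDev() fs.FS {
	dev := fs.ModeDevice | fs.ModeCharDevice | 0o660
	inner := fstest.MapFS{
		"null":            {Mode: dev},
		"zero":            {Mode: dev},
		"vboxusb/001/002": {Mode: dev},
	}
	return deniedFS{inner: inner, denied: "vboxusb"}
}

func main() {
	devs, err := listDevices(sampleDev(), false)
	fmt.Println("strict:  ", devs, err) // aborts with a permission error
	devs, err = listDevices(sampleDev(), true)
	fmt.Println("tolerant:", devs, err) // [null zero] <nil>

	// Against the real host, tolerating directories this user cannot read.
	if hostDevs, err := listDevices(os.DirFS("/dev"), true); err == nil {
		fmt.Printf("%d host device nodes reachable\n", len(hostDevs))
	} else {
		fmt.Println("host walk failed:", err)
	}
}
```

The check `d.IsDir()` before returning fs.SkipDir matters: returning SkipDir for a non-directory entry would skip the rest of the parent directory, silently dropping sibling devices rather than just the unreadable subtree.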

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Aug 31, 2019
@mheon
Member

mheon commented Aug 31, 2019

@giuseppe Probably related to the code added to add devices to privileged rootless containers?

@giuseppe
Member

Since I already have a PR that changes the code to handle devices when rootless, I've added a patch to take care of this issue as well: #3909

@carbolymer

I think I'm experiencing this exact issue on 4.1.0:

% podman run --rm --privileged bash
Error: crun: error stat'ing file `/dev/vboxusb/001/002`: Permission denied: OCI permission denied
% podman --version                 
podman version 4.1.0
% /usr/bin/ls -al /dev/vboxusb/001
total 0
drwxr-x--- 2 root vboxusers     80 May 18 08:14 .
drwxr-x--- 4 root vboxusers     80 May 18 08:14 ..
crw-rw---- 1 root vboxusers 189, 1 May 18 08:14 002
crw-rw---- 1 root vboxusers 189, 2 May 18 08:14 003

@rhatdan
Member

rhatdan commented May 18, 2022

This looks likely to be a different issue; please open a new one. This could be something that crun is causing. Are you running in rootless mode?

@carbolymer

Rootless. Opened #14284.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 20, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 20, 2023