Search code examples
linuxdockersecuritykernelpodman

Why can't I read from `/proc/timer_list`?


I'm trying to read from /proc/timer_list in a Docker container. I think I'm doing everything right, and yet I get permission denied.

$ podman run --privileged ubuntu:wily cat /proc/timer_list
cat: /proc/timer_list: Permission denied

I believe that --privileged should prevent the container from masking anything, including /proc/timer_list.

findmnt confirms this; if I understand this output correctly, it means there aren't any masked paths under /proc.

$ podman run --privileged ubuntu:wily findmnt /proc
TARGET SOURCE FSTYPE OPTIONS
/proc  proc   proc   rw,nosuid,nodev,noexec,relatime

And obviously, the cat /proc/timer_list is running as root.

So what else is needed?

I've tried various versions of ubuntu. I went as far back as wily because I'd seen that timer_list might have been removed around 2017.

This is for a fun little project, that isn't leaving my machine, so things can be wildly insecure.

I have read this related Stack Overflow thread on reading from /proc in --privileged containers but it doesn't seem to help me, or perhaps I don't understand it.


Thanks to Richard Huxton for the answer. This worked for me on MacOS 12.6 and podman 4.2.1.

$ podman machine --stop
$ podman machine set --rootful
$ podman machine start
$ sudo podman run --privileged -it ubuntu:wily
root@f004a8a0229e:/# cat /proc/timer_list
Timer List Version: v0.9
HRTIMER_MAX_CLOCK_BASES: 8
now at 62526451236 nsecs
...

Solution

  • The --privileged flag when you run podman rootless obviously can't give your container privileges you don't have as a normal user.

    So unless you can do cat /proc/timer_list as your normal user (which the $ prompt suggests you are) it won't work. I certainly can't access it as my normal user.

    So - you'll need to run your podman container as root to access root stuff.