
@supechicken
Created June 17, 2024 16:09
[Guide] Obtain full access to the underlying VM inside Crostini containers

Obtain full access to the underlying VM inside Crostini containers

Overview

As you might know, all Crostini containers run as LXD "unprivileged" containers, which restricts what they can do:

  • Unable to load any kernel modules
  • Unable to mount disk or loopback images natively (FUSE can achieve a similar result, but it is cumbersome to use)
  • Unable to set up device-mapper targets

So what's the solution? This guide covers the following:

  • Switch penguin (the default container) to a privileged container
  • Disable the security measures LXD applies to the container (this does not weaken ChromeOS security in this case; see the Disable security measures section below for details)
  • Mount non-restricted /dev filesystem

Before you start

  • Open crosh by pressing Ctrl+Alt+T
  • Type vmc start termina to enter the interactive shell of termina (the underlying VM of all Crostini containers)
  • Type lxc stop penguin to shut down the default container (penguin)

Switching to privileged container

Switching to a privileged container makes it possible to interact with the VM kernel from inside the container.

  • Paste and execute the following in the crosh window opened above:
lxc config set penguin security.privileged true

Disable security measures

By default, LXD applies multiple security measures to every container to ensure that nothing running inside it can damage the host system.

However, most of them are unnecessary here: every container already runs inside the termina VM, so it cannot affect ChromeOS itself anyway. Keep in mind that a privileged container does gain root-equivalent access to the termina VM and therefore to every other container running in it.

seccomp

The seccomp facility blocks some powerful system calls inside the container that could have side effects on the host system (for example, loading kernel modules with modprobe).

  • Paste and execute the following in the crosh window opened above:
lxc config set penguin security.syscalls.deny ''

CGroup device controller

The cgroup device controller limits block/character device access from inside containers, preventing unauthorized access to storage devices and kernel features of the host system. (Note that "host system" here refers to the underlying termina VM, not ChromeOS itself.)

  • Paste and execute the following in the crosh window opened above:
lxc config set penguin raw.lxc - <<EOF
lxc.cgroup.devices.deny =
lxc.cgroup2.devices.deny =
EOF

Mount non-restricted /dev filesystem

Now the container should have full access to the underlying VM. The last step is to mount a regular /dev filesystem so that userspace programs can actually "see" and access all kernel device nodes (such as the loopback control device).

  • Open the Crostini terminal, boot the container and execute the following:
sudo su
mount -t devtmpfs devtmpfs /dev
mount -t devpts devpts /dev/pts
exit

All done

  • Now you should be able to do everything you want to the VM, with unblocked access to kernel features such as loopback mounting
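To confirm which of the changes above actually took effect, the following script (an added example, not part of the original gist) reads the same /proc files you would inspect inside penguin: the uid mapping tells you whether the container is privileged, /proc/self/status reports the seccomp mode, and /proc/self/mounts shows what is mounted on /dev. Each check takes the file contents as an argument so it can also be run on constructed samples.

```shell
#!/bin/sh
# Added example (not from the original gist): report a container's isolation
# state from /proc files. Run isolation_report inside the container.

# uid 0 in the container mapped onto host uid 0 over the full 32-bit range
# means a privileged container; an unprivileged one maps it onto a high uid.
uidmap_mode() {
    map=$1
    set -- $map            # first-line fields: container-start host-start length
    if [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Seccomp mode from /proc/self/status: 0 = no filter, 1 = strict, 2 = filter.
seccomp_mode() {
    printf '%s\n' "$1" | awk -F'[:[:space:]]+' '$1 == "Seccomp" { print $2; exit }'
}

# Filesystem type currently mounted on /dev, from /proc/self/mounts (the last
# entry wins). LXD gives containers a tmpfs /dev; the guide mounts devtmpfs over it.
dev_fstype() {
    printf '%s\n' "$1" | awk '$2 == "/dev" { t = $3 } END { print t }'
}

# Run all three checks against the live files of the calling shell.
isolation_report() {
    echo "uid mapping : $(uidmap_mode "$(cat /proc/self/uid_map)")"
    echo "seccomp mode: $(seccomp_mode "$(cat /proc/self/status)")"
    echo "/dev fstype : $(dev_fstype "$(cat /proc/self/mounts)")"
}

# Only run the live report where /proc is available.
[ -r /proc/self/uid_map ] && isolation_report
```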
@marioseixas

awesome
