Could someone (or OP) enlighten me on what requires this flag? I thought the container would also get access to the anbox kernel modules that I have installed already.
--privileged is required for nesting an Anbox (LXC) inside Docker.
But you don't need to worry too much because Anbox launches "unprivileged" LXC using user namespaces.
You can confirm that all Android process are running as non-root users by executing `docker exec aind ps -ef`.
Ah gotcha, thanks for replying. I spun up a copy on a disposable machine and I was able to VNC into the container and everything. I like the window manager that's installed on it. Seems lightweight. Looking forward to exploring this tool!
But docker runs still with root privileges (or your user must be in the docker group, which is equivalent to root - so is also in the official documentation explained)
Right I get that, it's because the docker daemon needs root access to do its management stuff. But as far as running random "bad things" off docker hub, I always assume it's going to be fenced off. Like by default, the containers cannot read external files or open up host ports, etc. But with --privileged I guess it can do anything.
I'm a big fan of people supplying pre-built docker images because it lets me try out their software in what I assume to be a sandbox. I'm a little less wary when it comes to docker -- almost to the point of being nonchalant, running random images willy-nilly without digging into the source code even a tiny bit. Granted, that behavior is probably gonna bite me in the ass one day. But it's definitely better than the `curl http://example.com | bash -` and `sudo make install` patterns.
Whenever I see someone's instructions telling me to use `docker --network=host` or `docker --privileged`, I can't help but panic a little... "Am I going to regret running this developer's code as root on my machine?" A little justification from the OP eases my mind, that's all. Which he did :)
I think you're putting too much faith in the security of docker... It is only superficially secure, and any real evil software can break out of it since the attack surface is huuuge (every loaded kernel driver).
Docker has a number of security layers that can make breakout more challenging, specifically dropped capabilities, a seccomp filter and (on debian/ubuntu) an AppArmor profile installed.
I wouldn't agree that it's trivially possible to breakout of a default configured Docker container, not every attacker is packing a Linux Privesc 0-day and the knowledge to use it.
repeat after me - "there are no isolation boundaries with containers" "containers are insecure"
Containers are broken by default because they share a kernel. If you want to use a container to have a replicable build environment fine - but for operational use in the context of "being secure" - no no no no.
The user who runs the docker command can indeed always get root (with a default install, assuming you're not using rootless) but the process inside the container isn't going to necessarily breakout.
That's why --privileged is generally a bad idea, unless you really need it, as it removes the isolation that Docker adds.
This is a very, very, very bad idea. Just encrypt your phone with a strong passcode and backup regularly. Making your phone entirely dependent on a strong internet connection is a recipe for a bad time.
I agree that the phone should be encrypted (in conjunction with aind), but people are likely to set weak passcode like "1234" (or finger pattern) because they want to open email/phone/twitter/maps/payment apps in a few seconds.
aind is expected to be used only for sensitive apps, with more strong passcode.
25 comments
[ 2.9 ms ] story [ 44.9 ms ] threadCould someone (or OP) enlighten me on what requires this flag? I thought the container would also get access to the anbox kernel modules that I have installed already.
--privileged is required for nesting an Anbox (LXC) inside Docker. But you don't need to worry too much because Anbox launches "unprivileged" LXC using user namespaces. You can confirm that all Android process are running as non-root users by executing `docker exec aind ps -ef`.
Probably aind doesn't work with rootless Docker currently mostly because of squashfs stuff, but I believe we can workaround that relatively easily.
I'm a big fan of people supplying pre-built docker images because it lets me try out their software in what I assume to be a sandbox. I'm a little less wary when it comes to docker -- almost to the point of being nonchalant, running random images willy-nilly without digging into the source code even a tiny bit. Granted, that behavior is probably gonna bite me in the ass one day. But it's definitely better than the `curl http://example.com | bash -` and `sudo make install` patterns.
Whenever I see someone's instructions telling me to use `docker --network=host` or `docker --privileged`, I can't help but panic a little... "Am I going to regret running this developer's code as root on my machine?" A little justification from the OP eases my mind, that's all. Which he did :)
I wouldn't agree that it's trivially possible to breakout of a default configured Docker container, not every attacker is packing a Linux Privesc 0-day and the knowledge to use it.
Containers are broken by default because they share a kernel. If you want to use a container to have a replicable build environment fine - but for operational use in the context of "being secure" - no no no no.
That's why --privileged is generally a bad idea, unless you really need it, as it removes the isolation that Docker adds.
Not mentioned as a purpose..
I can add it to the scope of the project if it works.
The biggest advantage of running Android on cloud/edge I think is anti-theft.
Also, it will be soon able to run multiple aind pods on Kubernetes with distinct UID mappings. (I need to submit patches to Anbox upstream)
what is this anti-theft? What's being stolen?
Someone steals your smartphone now -> they've got everything , and a smartphone
vs
Someone steals your clouded smartphone -> they've got an empty smartphone and no data.
aind is expected to be used only for sensitive apps, with more strong passcode.