I'm trying to mount an eCryptfs volume in a running container. After some tests with root and privileged mode, all works great, but now I'm going to restrict all access for security reasons and... without privileged mode, everything crashes.
So what does privileged mode really do?
Related to the Docker documentation: https://docs.docker.com/engine/reference/commandline/run/
The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.
After some tests I got these results:
- root and privileged mode (OK)
- no-root and privileged mode (OK)
- root and no privileged mode (KO)
- root and no privileged mode and all capabilities (KO)
- no-root and no privileged mode and just the needed capabilities (KO) <== I want this
I gave all capabilities and I think the problem comes from the limitations enforced by the device cgroup controller. I don't know how to resolve this problem; how can I manually "lift" the needed limitation?
I understand I need to access kernel parts:
- the keyring, to store/get the encryption key/signature
- the file system, to mount the volume.
The first error message occurs when we use ecryptfs-add-passphrase:
$ ecryptfs-add-passphrase
----------------------------------------------------------
Error: Inserting key into the user session keyring failed [-1]
Info: Check the system log for more information from libecryptfs
----------------------------------------------------------
$ cat /var/log/messages
----------------------------------------------------------
Jan 9 13:44:08 1e3c26af2f52 syslog.info syslogd started: BusyBox v1.31.1
Jan 9 13:44:12 1e3c26af2f52 user.err : keyctl_search failed: Operation not permitted errno=[1]
Jan 9 13:44:12 1e3c26af2f52 user.err : ecryptfs_add_passphrase_key_to_keyring: Error adding auth tok with sig [8e7c825e0139c417] to the keyring; rc = [-1]
The second error message occurs when we use mount:
$ mount -t ecryptfs -o key=passphrase:passphrase_passwd=${mountphrase},no_sig_cache=yes,verbose=no,ecryptfs_sig=${sig},ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no /tmp/encrypt /tmp/encrypt
----------------------------------------------------------
Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel?
mount: permission denied (are you root?)
If I resolve the first error, I think the second will go away (unless another one comes up), whether it comes from a capability or a kernel access restriction.
If you want to test:
Dockerfile
----------------------------------------------------------
FROM alpine:latest AS encrypt
RUN apk update && apk upgrade
RUN apk add gnupg ecryptfs-utils nano sudo
RUN addgroup docker.worker && \
adduser -G docker.worker -D -h /home/docker.worker -s /bin/nologin docker.worker
# in this context we got the script below
COPY /home/docker.worker .
RUN echo "docker.worker ALL=(root) NOPASSWD:/bin/mount">> /etc/sudoers
RUN mkdir -p /tmp/encrypt
RUN chown -R docker.worker:docker.worker /home/docker.worker /tmp/encrypt
RUN chmod -R 700 /home/docker.worker /tmp/encrypt
USER docker.worker:docker.worker
WORKDIR /home/docker.worker
# For the moment go to ash but after its another bin
ENTRYPOINT ["/bin/ash","-c"]
The script creates an eCryptfs volume on /tmp/encrypt and mounts it.
$ ./mount /tmp/encrypt
----------------------------------------------------------
#!/bin/ash
# Set this variable to your mount passphrase. Ideally you'd get it from $1 so that the actual value isn't stored in the script; hard-coding it defeats the purpose.
mountphrase='YOURMOUNTPASSPHRASE'
# Add the passphrase token to the user session keyring (this is the step that fails with keyctl_search EPERM above)
printf "%s" "${mountphrase}" | ecryptfs-add-passphrase > tmp.txt
# Get the signature from the "Inserted auth tok with sig [...]" line printed by the command above
sig=$(tail -1 tmp.txt | awk '{print $6}' | sed 's/[][]//g')
rm -f tmp.txt # Remove the temp file
# Mount the directory onto itself as an eCryptfs volume using the passphrase and its signature
mount -t ecryptfs -o key=passphrase:passphrase_passwd=${mountphrase},no_sig_cache=yes,verbose=no,ecryptfs_sig=${sig},ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no "$1" "$1"
Environment:
Linux VMAlpine 4.19.80-0-vanilla #1-Alpine SMP Fri Oct 18 11:27:53 UTC 2019 x86_64 Linux
Client:
Version: 18.09.8-ce
API version: 1.39
Go version: go1.12.6
Git commit: 0dd43dd87fd530113bf44c9bba9ad8b20ce4637f
Built: Sat Jul 20 15:20:06 2019
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: 18.09.8-ce
API version: 1.39 (minimum version 1.12)
Go version: go1.12.6
Git commit: 0dd43dd87fd530113bf44c9bba9ad8b20ce4637f
Built: Sat Jul 20 15:19:08 2019
OS/Arch: linux/amd64
Experimental: false
Related:
Using ecryptfs inside Docker without --privileged. Appropriate value for --device?
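As an added diagnostic (not part of the original question or of eCryptfs/Docker), the Python script below parses the CapEff, CapBnd and Seccomp fields of /proc/self/status so you can see from inside the container whether CAP_SYS_ADMIN (needed by mount) is effective and whether a seccomp filter is active: --privileged also disables Docker's default seccomp profile, and that profile denies the keyring syscalls add_key/keyctl/request_key with EPERM regardless of capabilities, which matches the errno=[1] in the log. The status samples are constructed, and the capability name table assumes the 4.19 kernel from the question (38 capabilities).

```python
import re

# Capability names in bit order (CAP_CHOWN=0 .. CAP_AUDIT_READ=37), per the 4.19 kernel in the question
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# Constructed /proc/self/status sample: default container, Docker's 14 default caps, seccomp filter on
SAMPLE_DEFAULT = "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nSeccomp:\t2\n"
# Constructed sample for --privileged: every capability, seccomp disabled
SAMPLE_PRIVILEGED = "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nSeccomp:\t0\n"

def parse_status(text):
    """Pull CapEff, CapBnd and Seccomp out of /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(CapEff|CapBnd|Seccomp):\s*(\S+)", text, re.M))
    return {
        "cap_eff": int(fields.get("CapEff", "0"), 16),
        "cap_bnd": int(fields.get("CapBnd", "0"), 16),
        "seccomp": int(fields.get("Seccomp", "0")),  # 0 off, 1 strict, 2 filter
    }

def decode_caps(mask):
    """Map a CapXxx bitmask to the lower-case names used by capsh/setcap."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def diagnose(text):
    """Return the reasons an eCryptfs mount can fail in this process context."""
    st = parse_status(text)
    findings = []
    if "sys_admin" not in decode_caps(st["cap_eff"]):
        findings.append("CAP_SYS_ADMIN not effective: mount(2) fails with EPERM")
    if "sys_admin" not in decode_caps(st["cap_bnd"]):
        findings.append("CAP_SYS_ADMIN not in bounding set: even sudo/root cannot regain it")
    if st["seccomp"] == 2:
        findings.append("seccomp filter active: Docker's default profile denies "
                        "add_key/keyctl/request_key with EPERM whatever the caps")
    return findings

if __name__ == "__main__":
    with open("/proc/self/status") as fh:  # run inside the container to check it
        for finding in diagnose(fh.read()) or ["no blocker found in caps/seccomp"]:
            print(finding)
```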