Do not run as root as absolutely necessary

[robbyoconnor]

Root in containers means root in the host. This is bad.

[kylemanna]

The container runs as root to fix the UID/GID mismatch problems that occur with Linux bind mounts. Do you have a better way to fix this?

[robbyoconnor]

i...guess...I'll hack at it and see what kind of a middle ground I can arrive at

[kylemanna]

I don't think you're going to do much better, welcome to suggestions though.

Let's explore why we care about running or not running as root:

1. This container isn't about securing the Docker build or offering security isolation, it's goal is to streamline the build process.
2. That said, this image provides a Docker entry point that switches to the un-privileged aosp user. All steps in the build process are hence executed unprivileged, so any rogue build scripts in Android should be no more privileged this the aosp user.
3. The remaining exploit surface for running this as root is then the user on the host invoking docker, who could bypass the entry point. This user could bypass everything and just do something like docker run --rm -it -v /:/ubuntu-root ubuntu and do whatever they want.

What are you trying to protect against?

[kylemanna]

Digging in more, it's possible that the root privilege could be workaround since it appears progress has been made on https://github.com/docker/docker/issues/7198 -- perhaps you can investigate that?

I'd like to know if the fix mitigates the need for the entry-point work around and how widely the merged feature is distributed (i.e. what docker release was it first included in, how many people are running that release or later?)

[robbyoconnor]

Let's just act like this never happened :smile:

[kylemanna]

Let's just act like this never happened :smile:

I'd love to not run as root, but I think we're blocked by Docker features for the time being. :)

Thanks for investigating though!