Frigate security improvements

[Caros2017]

Derived from a closed ticket(#41).

I think we can all agree that more security on Frigate is very much wanted. Using a specific UID and GID will be the best final solution, but dropping the privileged: true will be a major step forward already.

The main issue will be probably if it is possible to use Frigate as non-root and still be able to access the Google Coral.

I think there are three (main) challenges.
1: /dev/dri/renderD128. In synology this is indeed mapped to group videodriver. Noted by @weltenwort :

For accessing the DRI device we might be able to use the same solution as described in jellyfin/jellyfin#2281. The device /dev/dri/renderD128 has the group videodriver on my host.

Regarding the coral USB device: Not sure if it possible to only mount a sub-tree of /dev/usb into the container. If it is, then a udev rule on the host and a group assignment similar to the above might help? 🤔

2: Coral USB drive. I am not sure if it is possible to only mount a subtree. Other issue I see is that you never know which device it gets mounted to? For Zigbee and Z-wave sticks I use these udev statements:

KERNEL=="ttyACM[0-9]*",OWNER="docker_user",GROUP="docker"
KERNEL=="ttyUSB[0-9]*",OWNER="docker_user",GROUP="docker"

To be honest I am lacking knowledge here.

3: Frigate seems to use S6-Overlay. There is also the possibility to drop privileges within S6-Overlay: user-directive

Just wanted to open this discussion to keep this topic active. I think a lot of people using Frigate are worried about the excessive privileges needed. Especially when running on a NAS. Not because I don't trust Frigate, but because of massive privilege escalation possibilities if there is a breach somewhere.

Related issues:
blakeblackshear/frigate#3434
blakeblackshear/frigate#3108

[weltenwort]

Thanks for keeping track of this! ❤️

[Caros2017]

Yes I am able to run Frigate without privileged: true :)

This is what I did:
I have searched for my Coral and found out that the device host-ID started with 18d1

I confirmed this with:
$ lsusb | grep -i 18d1

Then I wanted to add udev rules. I was looking for parameters for this device and found the following. At the time of searching it was mounted under /dev/bus/usb/002/006. But be aware that 006 can change each reconnect.

# udevadm info -a -n /dev/bus/usb/002/006 | grep -i idvendor
    ATTR{idVendor}=="18d1"
# udevadm info -a -n /dev/bus/usb/002/006 | grep -i idproduct
    ATTR{idProduct}=="9302"

Next step add a rule to my custom udev rules and added this one to my file /usr/lib/udev/rules.d/99-ttyusb.rules:
SUBSYSTEM=="usb",DRIVER=="usb",ATTR{idVendor}=="18d1",ATTR{idProduct}=="9302",OWNER="docker_user",GROUP="docker"

After a reload of the rules(udevadm control --reload-rules && udevadm trigger), this works:

$ls -lah /dev/bus/usb/002/006
crw------- 1 docker_user docker 189, 133 Sep 26 20:24 /dev/bus/usb/002/006

But there I made a mistake. Since I don't know yet how to change S6 overlay to use custom users, for testing purposes I have changed it to:
SUBSYSTEM=="usb",DRIVER=="usb",ATTR{idVendor}=="18d1",ATTR{idProduct}=="9302",MODE="0777"

Then I went trying to mount a subtree without root. This is almost impossible, because the main tree needs root. So I decided to -instead of mounting a volume- mount it as a device. This worked in my docker-compose:

devices:
    - "/dev/bus/usb/002/006:/dev/bus/usb/002/006"

But since this can always change, I tried adding a SYMLINK:
SUBSYSTEM=="usb",DRIVER=="usb",ATTR{idVendor}=="18d1",ATTR{idProduct}=="9302",MODE="0777",SYMLINK+="googlecoral"

This worked! I now have a /dev/googlecoral

$ ls -lah /dev/googlecoral
lrwxrwxrwx 1 root root 15 Sep 26 20:24 /dev/googlecoral -> bus/usb/002/006

So now I can change my docker-compose to basically any subtree in /dev/bus/usb within the docker container:

devices:
    - "/dev/googlecoral:/dev/bus/usb/002/006"

The only thing I don't understand (yet) is how S6 works with dropping priviliges. I could use some help there. But for now, I run Frigate without privileged: true

[Caros2017]

Update:
I ran into multiple issues. Possibly I was lucky the first time. After reconnecting the Coral it didn't work anymore. But now it seems to work stable! :)

Issue number 1:
The device host ID changed. So I had to add another udev rule:

SUBSYSTEM=="usb",DRIVER=="usb",ATTR{idVendor}=="18d1",ATTR{idProduct}=="9302",MODE="0777",SYMLINK+="googlecoral"
SUBSYSTEM=="usb",DRIVER=="usb",ATTR{idVendor}=="1a6e",ATTR{idProduct}=="089a",MODE="0777",SYMLINK+="googlecoral"

See also: Reddit

Issue number 2:
This one kept me busy for a longer time. I don't understand why it worked in the first time. I couldn't get it working anymore, if I only mounted the specific device. Then I ran into this post: Frigate Github, which stated that the Google Coral needs the whole USB Bus it's connected to.

I tried to confirm this and when using privilige: true I could see that always every USB device was mounted even without statements in the docker-compose.

So I changed my docker-compose to:

    devices:
      - "/dev/bus/usb:/dev/bus/usb"

And I don't seem to need the SYMLINK although it makes things more clean imho.

[weltenwort]

Interesting, so we need to mount the whole tree, but only need permissions to the specific device? That's good news.

And great idea with the symlink. I wonder why the ids changed for you. Mine match 18d1 (Google Inc.) and 9302 which should be fixed in the firmware of the device. 🤔

Thanks for sharing your investigation so far! I'll try to apply it to my setup soon.

[Caros2017]

I don't know why it worked yesterday perfectly with the symlink and today I couldn't get it working anymore, after I removed and added the Google Coral to my Synology. Then I found the post about the whole three. But in my case it seems to work now. Just add the whole /dev/bus/usb and set the rights individually on the Google Coral. I have now many times removed the device and rebooted the Synology twice. It's still working. So you don't seem to need the Symlink.

90% of the time the idVendor is 18d1, only 10% of the time it seems to change to 1a6e. There seems to be no logic behind it, but I also can't find any new idVendors, so it seems to be only two.

Really looking forward to your results, hope it works! What I noticed is that if you have privilige: true, you can see al the USB-devices even without declaring them in docker. That's how much power you give to this container, which I really dislike.

[baylanger]

Quickly chipping in.... I too noticed ID changed in the past while I was also trying to make this work "rock solid".

I'm quite busy past 3 weeks, should have time to try the recipe later this week.

[Caros2017]

Thanks for your reply also! Looking forward to hear your results, once you had the possibility to test.

[Caros2017]

I assume you haven't been able to test yet? ;)

[weltenwort]

Looks like we're observing this effect here: google-coral/edgetpu#536. So there might not be a way around specifying the two sets of ids in the udev rules.

[Caros2017]

Yes, in that post they are referring to the Reddit I have also added. I saw there that they had exactly the same two Vendor ID's. Since they are limited to only two, I have no issues by stating them separately.