Loading kernel module from within a podman rootless container

[SoapGentoo]

I am developing against a bespoke piece of hardware (an FPGA) with kernel drivers we are writing ourselves (don't ask). We have an application suite that then accesses the FPGA through some /dev/xyz node the kernel driver creates.

In order to avoid spewing lots of rpms and files over the system for our CI, I would like to

1. install the kernel module in a container
2. load the kernel module and have it create the /dev/xyz node
3. run our applications and tests against it
4. unload the kernel module
5. blow away the container (we ran it with --rm)

Unfortunately, I have not managed to load a kernel module in a rootless container with every permutation of known caps and priviledged flags:

podman run --rm --privileged --cap-add=CAP_SYS_MODULE --security-opt seccomp=unconfined --security-opt apparmor=unconfined -it myimage
<install kernel module>
[root@10b59318bc79 ~]# modprobe hello-world
modprobe: ERROR: could not insert 'hello_world': Operation not permitted

If I start the container under root, everything works. What am I missing? I have given podman the necessary caps:

$ getcap /usr/bin/podman
/usr/bin/podman cap_sys_module,cap_mknod=eip

[Luap99]

Well think about it from security perspective. If you can load an arbitrary from a rootless context you can completely comprise any kernel with that as the kernel module can do anything in kernel space basically.

As such it is impossible to load kernel modules from a user namespace, https://man7.org/linux/man-pages/man7/user_namespaces.7.html

On the other hand, there are many privileged operations that
affect resources that are not associated with any namespace type,
for example, changing the system (i.e., calendar) time (governed
by CAP_SYS_TIME), loading a kernel module (governed by
CAP_SYS_MODULE), and creating a device (governed by CAP_MKNOD).
Only a process with privileges in the initial user namespace can
perform such operations.

[rhatdan]

Run the container as root and it should work.