fixup! Adding runc jailing

Signed-off-by: xibz <[email protected]>

Author: xibz

proto/firecracker.pb.go

@@ -33,10 +33,7 @@ message CreateVMRequest {
     // Whether the VM should exit after all tasks running in it have been deleted.
     bool ExitAfterAllTasksDeleted = 9;
 
-    // Determines whether or not the jailer should be disabled.
-		//
-		// Valid values are "ON", "OFF"
-		string Jailing = 10;
+		JailerConfig JailerConfig = 10;
 }
 
 message StopVMRequest {
@@ -59,3 +56,12 @@ message SetVMMetadataRequest {
     string VMID = 1;
     string Metadata = 2;
 }
+
+message JailerConfig {
+	// Determines whether or not the jailer should be disabled.
+	//
+	// Valid values are "ON", "OFF"
+	string State = 1;
+	uint32 UID = 2;
+	uint32 GID = 3;
+}

proto/firecracker.proto

@@ -49,10 +49,6 @@ integ-test:
 			--volume /dev:/dev \
 			--volume /run/udev/control:/run/udev/control \
 			--volume $(CURDIR)/logs:/var/log/firecracker-containerd-test \
-			--device=/dev/vhost-vsock:/dev/vhost-vsock \
-			--device=/dev/vsock:/dev/vsock \
-			--device=/dev/kvm:/dev/kvm \
-			--device=/dev/loop-control:/dev/loop-control \
 			--env ENABLE_ISOLATED_TESTS=1 \
 			--workdir="/firecracker-containerd/runtime" \
 			--init \

runtime/Makefile

@@ -48,6 +48,11 @@ type Config struct {
 	HtEnabled             bool   `json:"ht_enabled"`
 	Debug                 bool   `json:"debug"`
 
+	JailerConfig JailerConfig `json:"jailer"`
+}
+
+// JailerConfig houses a set of configurable values for jailing
+type JailerConfig struct {
 	DisableJailing bool `json:"disable_jailing"`
 	UID            *int `json:"uid"`
 	GID            *int `json:"gid"`
@@ -87,18 +92,18 @@ var (
 	// file
 	ErrNoUIDProvided = fmt.Errorf("no uid provided in configuration")
 	// ErrNoGIDProvided returns when no GID was specified in the configuration
-	// file
+	// filme
 	ErrNoGIDProvided = fmt.Errorf("no gid provided in configuration")
 )
 
 // Validate ensures that the configuration file has valid values
 func (c *Config) Validate() error {
-	if !c.DisableJailing {
-		if c.UID == nil {
+	if !c.JailerConfig.DisableJailing {
+		if c.JailerConfig.UID == nil {
 			return ErrNoUIDProvided
 		}
 
-		if c.GID == nil {
+		if c.JailerConfig.GID == nil {
 			return ErrNoGIDProvided
 		}
 	}

runtime/config.go

@@ -111,7 +111,7 @@ func (h *stubDriveHandler) createStubDrive(driveID, path string) error {
 			h.logger.WithError(err).Errorf("unexpected error during %v close", f.Name())
 		}
 	}()
-	if err := f.Chmod(0666); err != nil {
+	if err := f.Chmod(0600); err != nil {
 		return err
 	}
 

runtime/drive_handler.go

@@ -7,8 +7,7 @@
             "gid": 0
         },
         "env": [
-            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-            "TERM=xterm"
+            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
         ],
         "cwd": "/",
         "capabilities": {
@@ -109,6 +108,35 @@
         }
     ],
     "linux": {
+        "devices": [
+	    {
+                "path": "/dev/kvm",
+		"type": "c",
+		"major": 10,
+		"minor": 232,
+		"fileMode": 438,
+		"uid": 0,
+		"gid": 0
+	    },
+	    {
+                "path": "/dev/net/tun",
+		"type": "c",
+		"major": 10,
+		"minor": 200,
+		"fileMode": 438,
+		"uid": 0,
+		"gid": 0
+	    },
+	    {
+                "path": "/dev/vhost-vsock",
+		"type": "c",
+		"major": 10,
+		"minor": 241,
+		"fileMode": 438,
+		"uid": 0,
+		"gid": 0
+	    }
+	],
         "resources": {
             "devices": [
                 {