fixup! Adding runc jailing

xibz · xibz · commit c4b23fffbf26 · 2019-08-24T06:13:02.000Z
Signed-off-by: xibz &lt;impactbchang@gmail.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 .idea/
 bin/
+runtime/logs
 *stamp
diff --git a/proto/firecracker.proto b/proto/firecracker.proto
@@ -33,7 +33,7 @@ message CreateVMRequest {
     // Whether the VM should exit after all tasks running in it have been deleted.
     bool ExitAfterAllTasksDeleted = 9;
 
-		JailerConfig JailerConfig = 10;
+    JailerConfig JailerConfig = 10;
 }
 
 message StopVMRequest {
@@ -58,10 +58,10 @@ message SetVMMetadataRequest {
 }
 
 message JailerConfig {
-	// Determines whether or not the jailer should be disabled.
-	//
-	// Valid values are "ON", "OFF"
-	string State = 1;
-	uint32 UID = 2;
-	uint32 GID = 3;
+  // Determines whether or not the jailer should be disabled.
+  //
+  // Valid values are "ON", "OFF"
+  string State = 1;
+  uint32 UID = 2;
+  uint32 GID = 3;
 }
diff --git a/runtime/firecracker-runc-config.json.example b/runtime/firecracker-runc-config.json.example
@@ -7,7 +7,7 @@
             "gid": 0
         },
         "env": [
-            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            "PATH=/usr/local/bin"
         ],
         "cwd": "/",
         "capabilities": {
@@ -48,41 +48,6 @@
             "type": "proc",
             "source": "proc"
         },
-        {
-            "destination": "/dev/pts",
-            "type": "devpts",
-            "source": "devpts",
-            "options": [
-                "nosuid",
-                "noexec",
-                "newinstance",
-                "ptmxmode=0666",
-                "mode=0620",
-                "gid=5"
-            ]
-        },
-        {
-            "destination": "/dev/shm",
-            "type": "tmpfs",
-            "source": "shm",
-            "options": [
-                "nosuid",
-                "noexec",
-                "nodev",
-                "mode=1777",
-                "size=65536k"
-            ]
-        },
-        {
-            "destination": "/dev/mqueue",
-            "type": "mqueue",
-            "source": "mqueue",
-            "options": [
-                "nosuid",
-                "noexec",
-                "nodev"
-            ]
-        },
         {
             "destination": "/sys",
             "type": "sysfs",
@@ -141,6 +106,20 @@
             "devices": [
                 {
                     "allow": true,
+		    "major": 10,
+		    "minor": 232,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+		    "major": 10,
+		    "minor": 200,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+		    "major": 10,
+		    "minor": 241,
                     "access": "rwm"
                 }
             ]
diff --git a/runtime/jailer.go b/runtime/jailer.go
@@ -123,27 +123,28 @@ func (j *jailer) BuildHandler(logger *logrus.Entry, cfg *Config, socketPath *str
 	return firecracker.Handler{
 		Name: jailerHandlerName,
 		Fn: func(ctx context.Context, m *firecracker.Machine) error {
+			mode := os.FileMode(0700)
 			// Create the proper paths needed for the runc jailer
 			logger.Debugf("Creating root drive path %v", rootPath)
-			if err := os.MkdirAll(rootPath, 0777); err != nil {
+			if err := os.MkdirAll(rootPath, mode); err != nil {
 				return errors.Wrapf(err, "failed to create root path: %v", rootPath)
 			}
 
 			binPath := filepath.Join(rootPath, "usr", "local", "bin")
 			logger.Debugf("Creating /usr/local/bin %v", binPath)
-			if err := os.MkdirAll(binPath, 0777); err != nil {
+			if err := os.MkdirAll(binPath, mode); err != nil {
 				return errors.Wrapf(err, "failed to create /usr/local/bin in root path: %v", binPath)
 			}
 
 			devPath := filepath.Join(rootPath, "dev")
 			logger.Debugf("Creating /dev/net %v", devPath)
-			if err := os.MkdirAll(filepath.Join(devPath, "net"), 0777); err != nil {
+			if err := os.MkdirAll(filepath.Join(devPath, "net"), mode); err != nil {
 				return errors.Wrapf(err, "failed to create device path: %v", devPath)
 			}
 
 			contentsPath := j.ContentsPath()
 			logger.Debugf("Creating firecracker contents path %v", contentsPath)
-			if err := os.MkdirAll(contentsPath, 0777); err != nil {
+			if err := os.MkdirAll(contentsPath, mode); err != nil {
 				return errors.Wrapf(err, "failed to create contents path: %v", contentsPath)
 			}
 
diff --git a/runtime/jailer_test.go b/runtime/jailer_test.go
@@ -45,21 +45,6 @@ func TestCopyFile_invalidPaths(t *testing.T) {
 	assert.Error(t, err, "copyFile should have returned an error")
 }
 
-/*func TestCreateDevices(t *testing.T) {
-	testPath, err := ioutil.TempDir("./", "TestCreateDevices")
-	assert.NoError(t, err, "failed to create temp directory")
-	err = os.MkdirAll(testPath, os.ModePerm)
-	assert.NoErrorf(t, err, "failed to create %v", testPath)
-
-	defer func() {
-		os.RemoveAll(testPath)
-	}()
-
-	err = createDevices(testPath)
-	assert.NoError(t, err, "failed to create devices")
-	// TODO: ensure at least a device is created
-}*/
-
 func TestChownR(t *testing.T) {
 	internal.RequiresRoot(t)
 
diff --git a/tools/docker/firecracker-runc-config.json b/tools/docker/firecracker-runc-config.json
@@ -12,7 +12,7 @@
             "api.socket"
         ],
         "env": [
-            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            "PATH=/usr/local/bin"
         ],
         "cwd": "/",
         "capabilities": {
@@ -50,41 +50,6 @@
             "type": "proc",
             "source": "proc"
         },
-        {
-            "destination": "/dev/pts",
-            "type": "devpts",
-            "source": "devpts",
-            "options": [
-                "nosuid",
-                "noexec",
-                "newinstance",
-                "ptmxmode=0666",
-                "mode=0620",
-                "gid=5"
-            ]
-        },
-        {
-            "destination": "/dev/shm",
-            "type": "tmpfs",
-            "source": "shm",
-            "options": [
-                "nosuid",
-                "noexec",
-                "nodev",
-                "mode=1777",
-                "size=65536k"
-            ]
-        },
-        {
-            "destination": "/dev/mqueue",
-            "type": "mqueue",
-            "source": "mqueue",
-            "options": [
-                "nosuid",
-                "noexec",
-                "nodev"
-            ]
-        },
         {
             "destination": "/sys",
             "type": "sysfs",
@@ -143,6 +108,20 @@
             "devices": [
                 {
                     "allow": true,
+		    "major": 10,
+		    "minor": 232,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+		    "major": 10,
+		    "minor": 200,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+		    "major": 10,
+		    "minor": 241,
                     "access": "rwm"
                 }
             ]

-Original file line number
+Diff line change
@@ @@ -1,3 +1,4 @@ @@
 .idea/
 bin/
 +runtime/logs
 *stamp