Adds jailer support to the runtime

This adds jailing to the runtime. Users are now able to enable jailing
by providing a jailer config and setting the "runc_binary" in the
firecracker json file.

Signed-off-by: xibz <[email protected]>

Author: xibz

runtime/config.go

@@ -47,11 +47,17 @@ type Config struct {
 	LogLevel              string `json:"log_level"`
 	HtEnabled             bool   `json:"ht_enabled"`
 	Debug                 bool   `json:"debug"`
-
 	// If a CreateVM call specifies no network interfaces and DefaultNetworkInterfaces is non-empty,
 	// the VM will default to using the network interfaces as specified here. This is especially
 	// useful when a CNI-based network interface is provided in DefaultNetworkInterfaces.
 	DefaultNetworkInterfaces []proto.FirecrackerNetworkInterface `json:"default_network_interfaces"`
+	JailerConfig             JailerConfig                        `json:"jailer"`
+}
+
+// JailerConfig houses a set of configurable values for jailing
+// TODO: Add netns field
+type JailerConfig struct {
+	RuncBinaryPath string `json:"runc_binary_path"`
 }
 
 // LoadConfig loads configuration from JSON file at 'path'
@@ -76,6 +82,7 @@ func LoadConfig(path string) (*Config, error) {
 		CPUCount:        defaultCPUCount,
 		CPUTemplate:     string(defaultCPUTemplate),
 	}
+
 	if err := json.Unmarshal(data, cfg); err != nil {
 		return nil, errors.Wrapf(err, "failed to unmarshal config from %q", path)
 	}

runtime/drive_handler.go

@@ -51,7 +51,10 @@ type stubDriveHandler struct {
 	mutex          sync.Mutex
 }
 
-func newStubDriveHandler(path string, logger *logrus.Entry, count int) (*stubDriveHandler, error) {
+// stubDrivesOpt is used to make and modify changes to the stub drives.
+type stubDrivesOpt func(stubDrives []models.Drive) error
+
+func newStubDriveHandler(path string, logger *logrus.Entry, count int, opts ...stubDrivesOpt) (*stubDriveHandler, error) {
 	h := stubDriveHandler{
 		RootPath: path,
 		logger:   logger,
@@ -60,6 +63,13 @@ func newStubDriveHandler(path string, logger *logrus.Entry, count int) (*stubDri
 	if err != nil {
 		return nil, err
 	}
+
+	for _, opt := range opts {
+		if err := opt(drives); err != nil {
+			h.logger.WithError(err).Debug("failed to apply option to stub drives")
+			return nil, err
+		}
+	}
 	h.drives = drives
 	return &h, nil
 }

runtime/firecracker-runc-config.json.example

@@ -0,0 +1,130 @@
+{
+    "ociVersion": "1.0.1",
+    "process": {
+        "terminal": false,
+        "user": {
+            "uid": 0,
+            "gid": 0
+        },
+        "args": [
+            "/firecracker",
+            "--api-sock",
+            "api.socket"
+        ],
+        "env": [
+            "PATH=/"
+        ],
+        "cwd": "/",
+        "capabilities": {
+            "effective": [
+            ],
+            "bounding": [
+            ],
+            "inheritable": [
+            ],
+            "permitted": [
+            ],
+            "ambient": [
+            ]
+        },
+        "rlimits": [
+            {
+                "type": "RLIMIT_NOFILE",
+                "hard": 1024,
+                "soft": 1024
+            }
+        ],
+        "noNewPrivileges": true
+    },
+    "root": {
+        "path": "rootfs",
+        "readonly": false
+    },
+    "hostname": "runc",
+    "mounts": [
+        {
+            "destination": "/proc",
+            "type": "proc",
+            "source": "proc"
+        }
+    ],
+    "linux": {
+        "devices": [
+            {
+               "path": "/dev/kvm",
+               "type": "c",
+               "major": 10,
+               "minor": 232,
+               "fileMode": 438,
+               "uid": 0,
+               "gid": 0
+            },
+            {
+               "path": "/dev/net/tun",
+               "type": "c",
+               "major": 10,
+               "minor": 200,
+               "fileMode": 438,
+               "uid": 0,
+               "gid": 0
+            }
+        ],
+        "resources": {
+            "devices": [
+                {
+                    "allow": false,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+                    "major": 10,
+                    "minor": 232,
+                    "access": "rwm"
+                },
+                {
+                    "allow": true,
+                    "major": 10,
+                    "minor": 200,
+                    "access": "rwm"
+                }
+            ]
+        },
+        "namespaces": [
+            {
+                "type": "cgroup"
+            },
+            {
+                "type": "pid"
+            },
+            {
+                "type": "network"
+            },
+            {
+                "type": "ipc"
+            },
+            {
+                "type": "uts"
+            },
+            {
+                "type": "mount"
+            }
+        ],
+        "maskedPaths": [
+            "/proc/asound",
+            "/proc/kcore",
+            "/proc/latency_stats",
+            "/proc/timer_list",
+            "/proc/timer_stats",
+            "/proc/sched_debug",
+            "/sys/firmware",
+            "/proc/scsi"
+        ],
+        "readonlyPaths": [
+            "/proc/bus",
+            "/proc/fs",
+            "/proc/irq",
+            "/proc/sys",
+            "/proc/sysrq-trigger"
+        ]
+    }
+}

runtime/jailer.go

@@ -0,0 +1,76 @@
+// Copyright 2018-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package main
+
+import (
+	"context"
+
+	"github.com/firecracker-microvm/firecracker-go-sdk"
+	"github.com/sirupsen/logrus"
+
+	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
+	"github.com/firecracker-microvm/firecracker-containerd/proto"
+)
+
+const (
+	kernelImageFileName   = "kernel-image"
+	jailerHandlerName     = "firecracker-containerd-jail-handler"
+	jailerFifoHandlerName = "firecracker-containerd-jail-fifo-handler"
+	rootfsFolder          = "rootfs"
+
+	// TODO evenetually we can get rid of this when we add usernamespaces to
+	// jailing.
+	jailerUID = 300000
+	jailerGID = 300000
+)
+
+var (
+	runcConfigPath = "/etc/containerd/firecracker-runc-config.json"
+)
+
+// jailer will allow modification and provide options to the the Firecracker VM
+// to allow for jailing. In addition, this will allow for given files to be exposed
+// to the jailed filesystem.
+type jailer interface {
+	// BuildJailedMachine will modify the firecracker.Config and provide
+	// firecracker.Opt to be passed into firecracker.NewMachine which will allow
+	// for the VM to be jailed.
+	BuildJailedMachine(cfg *Config, machineCfg *firecracker.Config, vmID string) ([]firecracker.Opt, error)
+	// ExposeDeviceToJail will expose the given device provided by the snapshotter
+	// to the jailed filesystem
+	ExposeDeviceToJail(path string) error
+	// JailPath is used to return the directory we are supposed to be working in.
+	JailPath() vm.Dir
+	// StubDrivesOptions will return a set of options used to create a new stub
+	// drive handler.
+	StubDrivesOptions() []stubDrivesOpt
+}
+
+// newJailer is used to construct a jailer from the CreateVM request. If no
+// request or jailer config was provided, then the noopJailer will be returned.
+func newJailer(
+	ctx context.Context,
+	logger *logrus.Entry,
+	ociBundlePath string,
+	service *service,
+	request *proto.CreateVMRequest,
+) (jailer, error) {
+	if request == nil || request.JailerConfig == nil {
+		l := logger.WithField("jailer", "noop")
+		return newNoopJailer(ctx, l, service.shimDir), nil
+	}
+
+	l := logger.WithField("jailer", "runc")
+	return newRuncJailer(ctx, l, ociBundlePath, service.config.JailerConfig.RuncBinaryPath, jailerUID, jailerGID)
+}

runtime/jailer_test.go

@@ -0,0 +1,43 @@
+// Copyright 2018-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package main
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCopyFile_simple(t *testing.T) {
+	srcPath := "./firecracker-runc-config.json.example"
+	dstPath := "./test-copy-file"
+
+	const expectedMode = 0600
+	err := copyFile(srcPath, dstPath, expectedMode)
+	assert.NoError(t, err, "failed to copy file")
+	defer os.Remove(dstPath)
+
+	info, err := os.Stat(dstPath)
+	assert.NoError(t, err, "failed to stat file")
+	assert.Equal(t, os.FileMode(expectedMode), info.Mode())
+}
+
+func TestCopyFile_invalidPaths(t *testing.T) {
+	srcPath := "./invalid.path"
+	dstPath := "./test-copy-file"
+
+	err := copyFile(srcPath, dstPath, 0600)
+	assert.Error(t, err, "copyFile should have returned an error")
+}

runtime/noop_jailer.go

@@ -0,0 +1,65 @@
+// Copyright 2018-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//	http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package main
+
+import (
+	"context"
+
+	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
+	"github.com/firecracker-microvm/firecracker-go-sdk"
+	"github.com/sirupsen/logrus"
+)
+
+// noopJailer is a jailer that returns only successful responses and performs
+// no operations during calls
+type noopJailer struct {
+	logger  *logrus.Entry
+	shimDir vm.Dir
+	ctx     context.Context
+}
+
+func newNoopJailer(ctx context.Context, logger *logrus.Entry, shimDir vm.Dir) noopJailer {
+	return noopJailer{
+		logger:  logger,
+		shimDir: shimDir,
+		ctx:     ctx,
+	}
+}
+
+func (j noopJailer) BuildJailedMachine(cfg *Config, machineConfig *firecracker.Config, vmID string) ([]firecracker.Opt, error) {
+	cmd := firecracker.VMCommandBulder{}.
+		WithBin(cfg.FirecrackerBinaryPath).
+		WithSocketPath(j.JailPath().FirecrackerVSockRelPath()).
+		Build(j.ctx)
+
+	j.logger.Debug("noop operation for BuildJailedMachine")
+	return []firecracker.Opt{
+		firecracker.WithProcessRunner(cmd),
+	}, nil
+}
+
+func (j noopJailer) JailPath() vm.Dir {
+	j.logger.Debug("noop operation returning shim dir for JailPath")
+	return j.shimDir
+}
+
+func (j noopJailer) ExposeDeviceToJail(path string) error {
+	j.logger.Debug("noop operation for ExposeDeviceToJail")
+	return nil
+}
+
+func (j noopJailer) StubDrivesOptions() []stubDrivesOpt {
+	j.logger.Debug("noop operation for StubDrivesOptions")
+	return []stubDrivesOpt{}
+}