firecracker: drop sudo sh -c, race chown against SDK probe in Go
Replace the shell-string launcher in buildProcessRunner with a direct
exec.Command. The previous sh -c wrapper relied on shellQuote escaping
for every MachineConfig field that flowed into the launch script; any
future field that ever carried an attacker-controlled value would have
become RCE-as-root. The new path passes binary path and flags as
separate argv entries, so there is no shell to interpret anything.
The wrapper also did two things the shell can no longer do for us:
1. umask 077 — moved to syscall.Umask in cmd/bangerd/main.go so every
firecracker child (and any other file the daemon creates) inherits
0600 by default. Single-user dev sandbox state should be private.
2. chown_watcher — the SDK's HTTP probe inside Machine.Start connects
to the API socket the moment it appears. Under sudo the socket is
created root-owned and the daemon's connect(2) gets EACCES, so the
post-Start EnsureSocketAccess never runs. The shell papered over
this with a backgrounded chown loop. Replaced by
fcproc.EnsureSocketAccessForAsync: same race-window guarantee, in
pure Go, kicked off in LaunchFirecracker right before Start and
awaited right after.
Tests updated: shell-substring assertions replaced with cmd-arg
assertions, plus a new fcproc test pinning the async chown sequence.
Smoke (full systemd two-service install + KVM scenarios) passes.
This commit is contained in:
parent
c4e1cb5953
commit
d73efe6fbc
6 changed files with 181 additions and 91 deletions
|
|
@ -201,60 +201,27 @@ func defaultDriveID(drive DriveConfig, fallback string) string {
|
|||
return fallback
|
||||
}
|
||||
|
||||
// buildProcessRunner constructs the *exec.Cmd the SDK will start. Args are
|
||||
// passed directly — no shell, no string interpolation — so any future change
|
||||
// to MachineConfig fields can't smuggle shell metacharacters into the launch.
|
||||
//
|
||||
// The daemon and root-helper processes set umask 077 at startup, so the
|
||||
// API/vsock sockets firecracker creates inherit 0600 mode without needing a
|
||||
// shell-level `umask` wrapper.
|
||||
//
|
||||
// When firecracker has to be launched under sudo (non-root daemon), the
|
||||
// resulting sockets are root-owned. The caller (LaunchFirecracker) kicks off
|
||||
// fcproc.EnsureSocketAccessForAsync immediately *before* Machine.Start so the
|
||||
// chown wins the race against the SDK's HTTP probe over the API socket. That
|
||||
// replaces the previous in-shell chown_watcher.
|
||||
func buildProcessRunner(cfg MachineConfig, logFile *os.File) *exec.Cmd {
|
||||
args := []string{"--api-sock", cfg.SocketPath, "--id", cfg.VMID}
|
||||
var cmd *exec.Cmd
|
||||
if os.Geteuid() == 0 {
|
||||
script := "umask 077 && exec " + shellQuote(cfg.BinaryPath) +
|
||||
" --api-sock " + shellQuote(cfg.SocketPath) +
|
||||
" --id " + shellQuote(cfg.VMID)
|
||||
cmd := exec.Command("sh", "-c", script)
|
||||
cmd.Stdin = nil
|
||||
if logFile != nil {
|
||||
cmd.Stdout = logFile
|
||||
cmd.Stderr = logFile
|
||||
}
|
||||
return cmd
|
||||
cmd = exec.Command(cfg.BinaryPath, args...)
|
||||
} else {
|
||||
cmd = exec.Command("sudo", append([]string{"-n", "-E", cfg.BinaryPath}, args...)...)
|
||||
}
|
||||
// Two moving parts, run inside a single sudo'd shell:
|
||||
//
|
||||
// 1. umask 077 + exec firecracker → the API and vsock sockets
|
||||
// firecracker creates are born 0600 owned by root (sudo user),
|
||||
// not 0755. Without the umask there's a real window where a
|
||||
// local attacker could hit the control plane.
|
||||
//
|
||||
// 2. A background subshell polls for each expected socket and
|
||||
// chowns it to $SUDO_UID:$SUDO_GID as soon as it appears.
|
||||
//
|
||||
// The chown is required *before* the firecracker-go-sdk's
|
||||
// waitForSocket returns from Machine.Start — the SDK does both an
|
||||
// os.Stat and an HTTP GET over the socket, and AF_UNIX connect(2)
|
||||
// needs write permission on the socket file. With the socket at
|
||||
// 0600 root:root, the daemon process (running as the invoking
|
||||
// user) gets EACCES on connect and the SDK loops until its 3s
|
||||
// timeout. The daemon's post-Start EnsureSocketAccess chown would
|
||||
// fix it, but Start never returns to hand control back.
|
||||
//
|
||||
// Racing the chown inside sudo's shell closes the gap: by the
|
||||
// time the SDK's HTTP probe fires, the socket is already owned by
|
||||
// the invoking user.
|
||||
chownWatcher := func(path string) string {
|
||||
// Bounded poll: 20 × 50ms = 1s. Matches the SDK's 3s wait
|
||||
// budget with headroom and bails quietly if firecracker
|
||||
// never creates the socket (e.g. bad args — the error
|
||||
// surfaces through firecracker's non-zero exit).
|
||||
return `for _ in $(seq 1 20); do [ -S ` + shellQuote(path) + ` ] && break; sleep 0.05; done; ` +
|
||||
`[ -S ` + shellQuote(path) + ` ] && chown "$SUDO_UID:$SUDO_GID" ` + shellQuote(path) + ` || true`
|
||||
}
|
||||
watchers := chownWatcher(cfg.SocketPath)
|
||||
if strings.TrimSpace(cfg.VSockPath) != "" {
|
||||
watchers += "; " + chownWatcher(cfg.VSockPath)
|
||||
}
|
||||
script := "umask 077 && (" + watchers + ") & exec " + shellQuote(cfg.BinaryPath) +
|
||||
" --api-sock " + shellQuote(cfg.SocketPath) +
|
||||
" --id " + shellQuote(cfg.VMID)
|
||||
// sudo -E preserves SUDO_UID / SUDO_GID (sudo sets them itself
|
||||
// regardless, but -E is already the convention in this codebase
|
||||
// and the background subshell needs them).
|
||||
cmd := exec.Command("sudo", "-n", "-E", "sh", "-c", script)
|
||||
cmd.Stdin = nil
|
||||
if logFile != nil {
|
||||
cmd.Stdout = logFile
|
||||
|
|
@ -263,10 +230,6 @@ func buildProcessRunner(cfg MachineConfig, logFile *os.File) *exec.Cmd {
|
|||
return cmd
|
||||
}
|
||||
|
||||
func shellQuote(value string) string {
|
||||
return "'" + strings.ReplaceAll(value, "'", `'"'"'`) + "'"
|
||||
}
|
||||
|
||||
func newLogger(base *slog.Logger) *logrus.Entry {
|
||||
logger := logrus.New()
|
||||
logger.SetOutput(io.Discard)
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ import (
|
|||
"context"
|
||||
"log/slog"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"testing"
|
||||
|
|
@ -72,7 +73,7 @@ func TestBuildConfig(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestBuildProcessRunnerUsesSudoShellWrapper(t *testing.T) {
|
||||
func TestBuildProcessRunnerInvokesSudoWithDirectArgs(t *testing.T) {
|
||||
cmd := buildProcessRunner(MachineConfig{
|
||||
BinaryPath: "/repo/firecracker",
|
||||
SocketPath: "/tmp/fc.sock",
|
||||
|
|
@ -80,53 +81,48 @@ func TestBuildProcessRunnerUsesSudoShellWrapper(t *testing.T) {
|
|||
VMID: "vm-1",
|
||||
}, nil)
|
||||
|
||||
// No shell, no string interpolation: the binary path and every flag
|
||||
// are independent argv entries. Even if MachineConfig ever carried an
|
||||
// attacker-controlled value, there's no shell to interpret it.
|
||||
wantArgs := []string{"sudo", "-n", "-E", "/repo/firecracker", "--api-sock", "/tmp/fc.sock", "--id", "vm-1"}
|
||||
if !equalStrings(cmd.Args, wantArgs) {
|
||||
t.Fatalf("args = %v, want %v", cmd.Args, wantArgs)
|
||||
}
|
||||
if cmd.Path != "/usr/bin/sudo" && cmd.Path != "sudo" {
|
||||
t.Fatalf("command path = %q", cmd.Path)
|
||||
}
|
||||
if len(cmd.Args) != 6 {
|
||||
t.Fatalf("args = %v", cmd.Args)
|
||||
}
|
||||
if cmd.Args[1] != "-n" || cmd.Args[2] != "-E" || cmd.Args[3] != "sh" || cmd.Args[4] != "-c" {
|
||||
t.Fatalf("args = %v", cmd.Args)
|
||||
}
|
||||
script := cmd.Args[5]
|
||||
|
||||
// The firecracker exec must run in the foreground so its exit
|
||||
// status propagates through sh back to the SDK.
|
||||
if !strings.Contains(script, "exec '/repo/firecracker' --api-sock '/tmp/fc.sock' --id 'vm-1'") {
|
||||
t.Fatalf("script missing firecracker exec: %q", script)
|
||||
}
|
||||
// umask stays — the security intent is unchanged.
|
||||
if !strings.Contains(script, "umask 077") {
|
||||
t.Fatalf("script dropped umask 077: %q", script)
|
||||
}
|
||||
// Background watcher chowns both the API socket and the vsock
|
||||
// socket to the invoking user as soon as they appear, so
|
||||
// firecracker-go-sdk's waitForSocket HTTP probe (which needs
|
||||
// connect access) isn't blocked on root-owned sockets.
|
||||
if !strings.Contains(script, `chown "$SUDO_UID:$SUDO_GID" '/tmp/fc.sock'`) {
|
||||
t.Fatalf("script missing API-socket chown: %q", script)
|
||||
}
|
||||
if !strings.Contains(script, `chown "$SUDO_UID:$SUDO_GID" '/tmp/vsock.sock'`) {
|
||||
t.Fatalf("script missing vsock-socket chown: %q", script)
|
||||
}
|
||||
if cmd.Cancel != nil {
|
||||
t.Fatal("process runner should not be tied to a request context")
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildProcessRunnerOmitsVSockChownWhenUnset(t *testing.T) {
|
||||
func TestBuildProcessRunnerOmitsSudoWhenAlreadyRoot(t *testing.T) {
|
||||
if os.Geteuid() != 0 {
|
||||
t.Skip("requires root to exercise the no-sudo branch")
|
||||
}
|
||||
cmd := buildProcessRunner(MachineConfig{
|
||||
BinaryPath: "/repo/firecracker",
|
||||
SocketPath: "/tmp/fc.sock",
|
||||
VMID: "vm-1",
|
||||
}, nil)
|
||||
script := cmd.Args[5]
|
||||
if strings.Contains(script, "vsock") {
|
||||
t.Fatalf("script should not mention vsock when VSockPath is empty: %q", script)
|
||||
wantArgs := []string{"/repo/firecracker", "--api-sock", "/tmp/fc.sock", "--id", "vm-1"}
|
||||
if !equalStrings(cmd.Args, wantArgs) {
|
||||
t.Fatalf("args = %v, want %v", cmd.Args, wantArgs)
|
||||
}
|
||||
}
|
||||
|
||||
func equalStrings(a, b []string) bool {
|
||||
if len(a) != len(b) {
|
||||
return false
|
||||
}
|
||||
for i := range a {
|
||||
if a[i] != b[i] {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func TestSDKLoggerBridgeEmitsStructuredDebugLogs(t *testing.T) {
|
||||
var buf bytes.Buffer
|
||||
logger := slog.New(slog.NewJSONHandler(&buf, &slog.HandlerOptions{Level: slog.LevelDebug}))
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue