firecracker: drop sudo sh -c, race chown against SDK probe in Go
Replace the shell-string launcher in buildProcessRunner with a direct
exec.Command. The previous sh -c wrapper relied on shellQuote escaping
for every MachineConfig field that flowed into the launch script; any
future field that ever carried an attacker-controlled value would have
become RCE-as-root. The new path passes binary path and flags as
separate argv entries, so there is no shell to interpret anything.
The wrapper also did two things the shell can no longer do for us:
1. umask 077 — moved to syscall.Umask in cmd/bangerd/main.go so every
firecracker child (and any other file the daemon creates) inherits
0600 by default. Single-user dev sandbox state should be private.
2. chown_watcher — the SDK's HTTP probe inside Machine.Start connects
to the API socket the moment it appears. Under sudo the socket is
created root-owned and the daemon's connect(2) gets EACCES, so the
post-Start EnsureSocketAccess never runs. The shell papered over
this with a backgrounded chown loop. Replaced by
fcproc.EnsureSocketAccessForAsync: same race-window guarantee, in
pure Go, kicked off in LaunchFirecracker right before Start and
awaited right after.
Tests updated: shell-substring assertions replaced with cmd-arg
assertions, plus a new fcproc test pinning the async chown sequence.
Smoke (full systemd two-service install + KVM scenarios) passes.
This commit is contained in:
parent
c4e1cb5953
commit
d73efe6fbc
6 changed files with 181 additions and 91 deletions
|
|
@ -5,6 +5,7 @@ import (
|
|||
"context"
|
||||
"log/slog"
|
||||
"net"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"testing"
|
||||
|
|
@ -72,7 +73,7 @@ func TestBuildConfig(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestBuildProcessRunnerUsesSudoShellWrapper(t *testing.T) {
|
||||
func TestBuildProcessRunnerInvokesSudoWithDirectArgs(t *testing.T) {
|
||||
cmd := buildProcessRunner(MachineConfig{
|
||||
BinaryPath: "/repo/firecracker",
|
||||
SocketPath: "/tmp/fc.sock",
|
||||
|
|
@ -80,53 +81,48 @@ func TestBuildProcessRunnerUsesSudoShellWrapper(t *testing.T) {
|
|||
VMID: "vm-1",
|
||||
}, nil)
|
||||
|
||||
// No shell, no string interpolation: the binary path and every flag
|
||||
// are independent argv entries. Even if MachineConfig ever carried an
|
||||
// attacker-controlled value, there's no shell to interpret it.
|
||||
wantArgs := []string{"sudo", "-n", "-E", "/repo/firecracker", "--api-sock", "/tmp/fc.sock", "--id", "vm-1"}
|
||||
if !equalStrings(cmd.Args, wantArgs) {
|
||||
t.Fatalf("args = %v, want %v", cmd.Args, wantArgs)
|
||||
}
|
||||
if cmd.Path != "/usr/bin/sudo" && cmd.Path != "sudo" {
|
||||
t.Fatalf("command path = %q", cmd.Path)
|
||||
}
|
||||
if len(cmd.Args) != 6 {
|
||||
t.Fatalf("args = %v", cmd.Args)
|
||||
}
|
||||
if cmd.Args[1] != "-n" || cmd.Args[2] != "-E" || cmd.Args[3] != "sh" || cmd.Args[4] != "-c" {
|
||||
t.Fatalf("args = %v", cmd.Args)
|
||||
}
|
||||
script := cmd.Args[5]
|
||||
|
||||
// The firecracker exec must run in the foreground so its exit
|
||||
// status propagates through sh back to the SDK.
|
||||
if !strings.Contains(script, "exec '/repo/firecracker' --api-sock '/tmp/fc.sock' --id 'vm-1'") {
|
||||
t.Fatalf("script missing firecracker exec: %q", script)
|
||||
}
|
||||
// umask stays — the security intent is unchanged.
|
||||
if !strings.Contains(script, "umask 077") {
|
||||
t.Fatalf("script dropped umask 077: %q", script)
|
||||
}
|
||||
// Background watcher chowns both the API socket and the vsock
|
||||
// socket to the invoking user as soon as they appear, so
|
||||
// firecracker-go-sdk's waitForSocket HTTP probe (which needs
|
||||
// connect access) isn't blocked on root-owned sockets.
|
||||
if !strings.Contains(script, `chown "$SUDO_UID:$SUDO_GID" '/tmp/fc.sock'`) {
|
||||
t.Fatalf("script missing API-socket chown: %q", script)
|
||||
}
|
||||
if !strings.Contains(script, `chown "$SUDO_UID:$SUDO_GID" '/tmp/vsock.sock'`) {
|
||||
t.Fatalf("script missing vsock-socket chown: %q", script)
|
||||
}
|
||||
if cmd.Cancel != nil {
|
||||
t.Fatal("process runner should not be tied to a request context")
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildProcessRunnerOmitsVSockChownWhenUnset(t *testing.T) {
|
||||
func TestBuildProcessRunnerOmitsSudoWhenAlreadyRoot(t *testing.T) {
|
||||
if os.Geteuid() != 0 {
|
||||
t.Skip("requires root to exercise the no-sudo branch")
|
||||
}
|
||||
cmd := buildProcessRunner(MachineConfig{
|
||||
BinaryPath: "/repo/firecracker",
|
||||
SocketPath: "/tmp/fc.sock",
|
||||
VMID: "vm-1",
|
||||
}, nil)
|
||||
script := cmd.Args[5]
|
||||
if strings.Contains(script, "vsock") {
|
||||
t.Fatalf("script should not mention vsock when VSockPath is empty: %q", script)
|
||||
wantArgs := []string{"/repo/firecracker", "--api-sock", "/tmp/fc.sock", "--id", "vm-1"}
|
||||
if !equalStrings(cmd.Args, wantArgs) {
|
||||
t.Fatalf("args = %v, want %v", cmd.Args, wantArgs)
|
||||
}
|
||||
}
|
||||
|
||||
func equalStrings(a, b []string) bool {
|
||||
if len(a) != len(b) {
|
||||
return false
|
||||
}
|
||||
for i := range a {
|
||||
if a[i] != b[i] {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func TestSDKLoggerBridgeEmitsStructuredDebugLogs(t *testing.T) {
|
||||
var buf bytes.Buffer
|
||||
logger := slog.New(slog.NewJSONHandler(&buf, &slog.HandlerOptions{Level: slog.LevelDebug}))
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue