firecracker-microvm/firecracker

Investigate running the jailer with reduced set of capabilities

Open

#1190 opened on Jul 22, 2019

View on GitHub
 (6 comments) (0 reactions) (1 assignee)Rust (34,348 stars) (2,393 forks)batch import
Good first issuePriority: LowStatus: ParkedType: Enhancement

Description

We currently start the jailer as the superuser (i.e. using sudo), and rely on the fact the process will deprivilege itself before exec-ing into Firecracker. It would be interesting to know if we can run the jailer using a more restricted set of capabilities instead of full superuser mode.

Contributor guide

Tech stack
rust
Domain
security
Issue type
research
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Linux capabilitiesRust programmingFirecracker architecture
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
20
Research direction
Review existing PR #1200 related to this issue. Examine the jailer source code in src/jailer/ to understand current capability usage. Investigate Linux capabilities necessary for jailer functionality and test running with a reduced set.