firecracker-microvm/firecracker

Investigate running the jailer with reduced set of capabilities

Open

#1,190 created on July 22, 2019

(6 comments) (0 reactions) (1 assignee) Rust (34,348 stars) (2,393 forks)
Good first issue, Priority: Low, Status: Parked, Type: Enhancement

Description

We currently start the jailer as the superuser (i.e. using sudo), and rely on the fact the process will deprivilege itself before exec-ing into Firecracker. It would be interesting to know if we can run the jailer using a more restricted set of capabilities instead of full superuser mode.
