firecracker-microvm/firecracker

Investigate running the jailer with reduced set of capabilities

Open

#1,190 创建于 2019年7月22日

在 GitHub 查看
 (6 评论) (0 反应) (1 负责人)Rust (34,348 star) (2,393 fork)batch import
Good first issuePriority: LowStatus: ParkedType: Enhancement

描述

We currently start the jailer as the superuser (i.e. using sudo), and rely on the fact the process will deprivilege itself before exec-ing into Firecracker. It would be interesting to know if we can run the jailer using a more restricted set of capabilities instead of full superuser mode.

贡献者指南

技术栈
rust
领域
security
议题类型
research
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
4
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-2 days
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
stale
清晰度议题是否清楚说明期望改动、验收标准和下一步。
clear
前置要求
Linux capabilitiesRust programmingFirecracker architecture
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
20
研究方向
Review existing PR #1200 related to this issue. Examine the jailer source code in src/jailer/ to understand current capability usage. Investigate Linux capabilities necessary for jailer functionality and test running with a reduced set.