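--- a/.buildkite/hooks/pre-exit
+++ b/.buildkite/hooks/pre-exit
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sudo rm -rf testdata/logs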
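Review bot: `sudo rm -rf testdata/logs` is a root-privileged recursive delete on a path that is relative to whatever directory the hook happens to run in, and the script sets no error handling. If the hook ever runs from a different working directory, it removes a `testdata/logs` tree somewhere else as root. Anchoring the path to the checkout and failing closed when the variable is unset would make this safer: `set -euo pipefail` followed by `sudo rm -rf -- "${BUILDKITE_BUILD_CHECKOUT_PATH:?}/testdata/logs"`. A one-line comment saying why sudo is needed (presumably because the jailer tests create root-owned files) would also help the next reader.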
6 changes: 4 additions & 2 deletions .buildkite/pipeline.yml
@@ -101,6 +101,9 @@ steps:
queue: "${BUILDKITE_AGENT_META_DATA_QUEUE:-default}"
distro: "${BUILDKITE_AGENT_META_DATA_DISTRO}"
hostname: "${BUILDKITE_AGENT_META_DATA_HOSTNAME}"
# TODO: Remove this once v0.21.0 has been released
soft_fail: # we softfail here since v0.20.0 jailer tests will be broken.
- exit_status: "*"

- label: ':hammer: test against firecracker master'
env:
@@ -120,8 +123,7 @@ steps:
queue: "${BUILDKITE_AGENT_META_DATA_QUEUE:-default}"
distro: "${BUILDKITE_AGENT_META_DATA_DISTRO}"
hostname: "${BUILDKITE_AGENT_META_DATA_HOSTNAME}"
soft_fail:
- exit_status: "*"
# TODO: move soft_fail here once v0.21.0 of firecracker has been released

- label: 'go mod tidy'
commands:
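Review bot: `exit_status: "*"` in the first hunk soft-fails the whole step, so every failure in that run is reported as passing, not only the jailer tests that the comment says are expected to break. Until the TODO is resolved, unrelated regressions against the released Firecracker version would go unnoticed. It would be safer to skip or split out only the known-broken jailer tests so the rest of the step still gates the build. The TODO could also carry a tracking reference and the exact scope, e.g. `# TODO(<tracking-issue placeholder>): drop soft_fail once v0.21.0 is released; only the jailer tests are expected to fail`. The step this block belongs to starts outside the hunk.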
2 changes: 1 addition & 1 deletion .gitignore
@@ -6,4 +6,4 @@ vmlinux
root-drive.img
TestPID.img
build/

testdata/logs/
65 changes: 23 additions & 42 deletions jailer.go
@@ -26,7 +26,7 @@ import (
const (
// defaultJailerPath is the default chroot base directory that the jailer
// will use if no other base directory was provided.
defaultJailerPath = "/srv/jailer/firecracker"
defaultJailerPath = "/srv/jailer"
defaultJailerBin = "jailer"

rootfsFolderName = "root"
@@ -38,20 +38,6 @@ var (
ErrMissingJailerConfig = fmt.Errorf("jailer config was not set for use")
)

// SeccompLevelValue represents a secure computing level type.
type SeccompLevelValue int

// secure computing levels
const (
// SeccompLevelDisable is the default value.
SeccompLevelDisable SeccompLevelValue = iota
// SeccompLevelBasic prohibits syscalls not whitelisted by Firecracker.
SeccompLevelBasic
// SeccompLevelAdvanced adds further checks on some of the parameters of the
// allowed syscalls.
SeccompLevelAdvanced
)

// JailerConfig is jailer specific configuration needed to execute the jailer.
type JailerConfig struct {
// GID the jailer switches to as it execs the target binary.
@@ -90,15 +76,6 @@ type JailerConfig struct {
// STDERR to /dev/null
Daemonize bool

// SeccompLevel specifies whether seccomp filters should be installed and how
// restrictive they should be. Possible values are:
//
// 0 : (default): disabled.
// 1 : basic filtering. This prohibits syscalls not whitelisted by Firecracker.
// 2 : advanced filtering. This adds further checks on some of the
// parameters of the allowed syscalls.
SeccompLevel SeccompLevelValue

// ChrootStrategy will dictate how files are transfered to the root drive.
ChrootStrategy HandlersAdapter

@@ -121,10 +98,10 @@ type JailerCommandBuilder struct {
node int

// optional params
chrootBaseDir string
netNS string
daemonize bool
seccompLevel SeccompLevelValue
chrootBaseDir string
netNS string
daemonize bool
firecrackerArgs []string

stdin io.Reader
stdout io.Writer
@@ -155,12 +132,15 @@ func (b JailerCommandBuilder) Args() []string {
args = append(args, "--netns", b.netNS)
}

args = append(args, "--seccomp-level", strconv.Itoa(int(b.seccompLevel)))

if b.daemonize {
args = append(args, "--daemonize")
}

if len(b.firecrackerArgs) > 0 {
args = append(args, "--")
args = append(args, b.firecrackerArgs...)
}

return args
}

@@ -229,14 +209,6 @@ func (b JailerCommandBuilder) WithDaemonize(daemonize bool) JailerCommandBuilder
return b
}

// WithSeccompLevel will set the provided level to the builder. This represents
// the seccomp filters that should be installed and how restrictive they should
// be.
func (b JailerCommandBuilder) WithSeccompLevel(level SeccompLevelValue) JailerCommandBuilder {
b.seccompLevel = level
return b
}

// Stdout will return the stdout that will be used when creating the
// firecracker exec.Command
func (b JailerCommandBuilder) Stdout() io.Writer {
@@ -276,6 +248,13 @@ func (b JailerCommandBuilder) WithStdin(stdin io.Reader) JailerCommandBuilder {
return b
}

// WithFirecrackerArgs will adds these arguments to the end of the argument
// chain which the jailer will intepret to belonging to Firecracke
func (b JailerCommandBuilder) WithFirecrackerArgs(args ...string) JailerCommandBuilder {
b.firecrackerArgs = args
return b
}

// Build will build a jailer command.
func (b JailerCommandBuilder) Build(ctx context.Context) *exec.Cmd {
cmd := exec.CommandContext(
@@ -304,12 +283,12 @@ func (b JailerCommandBuilder) Build(ctx context.Context) *exec.Cmd {
func jail(ctx context.Context, m *Machine, cfg *Config) error {
jailerWorkspaceDir := ""
if len(cfg.JailerCfg.ChrootBaseDir) > 0 {
jailerWorkspaceDir = filepath.Join(cfg.JailerCfg.ChrootBaseDir, "firecracker", cfg.JailerCfg.ID, rootfsFolderName)
jailerWorkspaceDir = filepath.Join(cfg.JailerCfg.ChrootBaseDir, filepath.Base(cfg.JailerCfg.ExecFile), cfg.JailerCfg.ID, rootfsFolderName)
} else {
jailerWorkspaceDir = filepath.Join(defaultJailerPath, cfg.JailerCfg.ID, rootfsFolderName)
jailerWorkspaceDir = filepath.Join(defaultJailerPath, filepath.Base(cfg.JailerCfg.ExecFile), cfg.JailerCfg.ID, rootfsFolderName)
}

cfg.SocketPath = filepath.Join(jailerWorkspaceDir, "api.socket")
cfg.SocketPath = filepath.Join(jailerWorkspaceDir, "run", "firecracker.socket")

stdout := cfg.JailerCfg.Stdout
if stdout == nil {
@@ -329,7 +308,9 @@ func jail(ctx context.Context, m *Machine, cfg *Config) error {
WithExecFile(cfg.JailerCfg.ExecFile).
WithChrootBaseDir(cfg.JailerCfg.ChrootBaseDir).
WithDaemonize(cfg.JailerCfg.Daemonize).
WithSeccompLevel(cfg.JailerCfg.SeccompLevel).
WithFirecrackerArgs(
"--seccomp-level", cfg.SeccompLevel.String(),
).
WithStdout(stdout).
WithStderr(stderr)
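Review bot: In the last hunk, `jail()` always forwards `--seccomp-level` with `cfg.SeccompLevel.String()`, even when the caller never set the field. The removed `SeccompLevelDisable` was documented as the default; if the zero value of `cfg.SeccompLevel` (defined outside this diff) still means "disabled", an unconfigured jailed VMM starts with syscall filtering explicitly turned off, overriding whatever default Firecracker would apply without the flag. Consider omitting the flag when the level is unset, or at least documenting the behaviour at the call site, e.g. `// cfg.SeccompLevel's zero value is forwarded as-is; callers must set it to enable seccomp filtering`. `jail`'s body starts and ends outside the hunk.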
