feat(suidhelper): chroot-jail grant-api op to hand the API socket to the node #45

Merged: markovejnovic merged 1 commit into main from feat/grant-api-op, Jun 30, 2026
@markovejnovic markovejnovic commented Jun 30, 2026

No description provided.

…the node

The jailer drops firecracker to a per-VM uid/gid and chroots it, so the
node user (a different uid) gets EACCES connecting to the API socket the
jailer leaves at <jail>/root/api.socket owned by the per-VM id. This new
op chowns just that socket to the helper's caller and chmods it 0660, and
opens the parent root dir to the caller's group (chgrp + 0710) so the node
can traverse into it -- per-VM isolation otherwise untouched.

Security: the socket is validated as a SafePath reached by an O_NOFOLLOW
walk from JAIL_BASE, every op is fd-relative on the pinned root fd, the leaf
must be exactly <exec>/<id>/root/api.socket and fstatat(AT_SYMLINK_NOFOLLOW)
must report a socket -- a planted file or symlink is refused, never touched.
A missing socket anywhere on the path is Pending (firecracker not up yet),
not an error.

Adds the SafeDir stat/chmod/chmod_self/chgrp_self primitives this needs.
Nothing on main invokes the op yet; the FireVMM caller lands with the boot
path.
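
The path validation this commit message describes, sketched in C as an added example (not the project's Rust code): a per-component `O_NOFOLLOW` walk from a pinned base fd, then a no-follow type check on the leaf. `check_api_socket`, the verdict names and the `firecracker`/`vm1` fixture names are assumptions, and the sketch covers only the walk and leaf check, not the chown/chmod that would follow.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
enum verdict { API_READY, API_PENDING, API_REFUSED };  /* hypothetical names */
/* A component must be one plain name: not empty, no "/", not "." or "..". */
static int plain(const char *c) {
    return *c && !strchr(c, '/') && strcmp(c, ".") && strcmp(c, "..");
}
/* Walk <exec>/<id>/root from base_fd one component at a time with O_NOFOLLOW,
 * then classify api.socket without following it. */
enum verdict check_api_socket(int base_fd, const char *exec, const char *id) {
    const char *parts[] = { exec, id, "root" };
    struct stat st;
    int fd = plain(exec) && plain(id) ? dup(base_fd) : -1;
    if (fd < 0) return API_REFUSED;
    for (int i = 0; i < 3; i++) {
        int next = openat(fd, parts[i], O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        int err = errno;
        close(fd);
        /* ENOENT: jail not built yet. Anything else (symlink, plain file): refuse. */
        if (next < 0) return err == ENOENT ? API_PENDING : API_REFUSED;
        fd = next;
    }
    enum verdict v = API_REFUSED;
    if (fstatat(fd, "api.socket", &st, AT_SYMLINK_NOFOLLOW) < 0)
        v = errno == ENOENT ? API_PENDING : API_REFUSED;
    else if (S_ISSOCK(st.st_mode))
        v = API_READY;  /* a real helper would chown/chmod here, relative to fd */
    close(fd);
    return v;
}

int main(void) {
    char tmpl[] = "/tmp/jail-demo-XXXXXX";  /* constructed fixture, not a real jail */
    int base = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (base < 0) return 1;
    mkdirat(base, "firecracker", 0700);
    mkdirat(base, "firecracker/vm1", 0700);
    mkdirat(base, "firecracker/vm1/root", 0700);
    printf("no socket yet: %d\n", check_api_socket(base, "firecracker", "vm1"));
    mknodat(base, "firecracker/vm1/root/api.socket", S_IFSOCK | 0600, 0);
    printf("socket present: %d\n", check_api_socket(base, "firecracker", "vm1"));
    return 0;
}
```
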

codecov Bot commented Jun 30, 2026

Codecov Report

❌ Patch coverage is 71.60494% with 23 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...tive/suidhelper/src/tools/chroot_jail/grant_api.rs | 74.46% | 12 Missing ⚠️ |
| native/suidhelper/src/util/safe_dir.rs | 69.69% | 10 Missing ⚠️ |
| native/suidhelper/src/tools/chroot_jail/mod.rs | 0.00% | 1 Missing ⚠️ |

@markovejnovic markovejnovic merged commit a25b3ac into main Jun 30, 2026
5 checks passed
@markovejnovic markovejnovic deleted the feat/grant-api-op branch June 30, 2026 20:50