
feat(suidhelper): run the firecracker jailer through the setuid helper #47

Merged: markovejnovic merged 2 commits into main from feat/jailer-via-suidhelper on Jun 30, 2026

Conversation

@markovejnovic commented Jun 30, 2026

Contributor

No description provided.

The BEAM no longer invokes the jailer binary directly. It calls the helper
with a new `jailer` subcommand passing only untrusted-origin values (--id,
--uid, --gid, repeated --cgroup KEY=VALUE, --api-sock); the helper reads the
firecracker/jailer binary paths, chroot base, parent cgroup and accepted
uid/gid band from its trusted /etc/hyper/config.toml, validates the caller's
args, re-acquires permanent root, and execve's the jailer in place (same pid,
so MuonTrap.Daemon keeps supervising it).

Config: the helper's tool paths move into a `[tools]` table (joining the
existing dmsetup/losetup/blockdev with new firecracker/jailer keys) and jail
placement into `[jails]` (cgroup, uid_gid_range) -- matching the namespaces
the Elixir node already reads. firecracker/jailer have no default and surface
BinError::Unconfigured when absent; a present uid_gid_range with min==0 or
min>max is fatal at load.

Adds setuid_privileged::become_root_permanently (seal real+effective+saved
uid/gid to 0, reset supplementary groups) for the execve handoff -- no Drop
guard because execve replaces the image and the jailer drops its own privs.

jailer.rs validates every caller value with refusal-first proptests (vm_id,
id range, cgroup KEY=VALUE, api-sock shape). Elixir Jailer.command/2 emits the
trimmed argv against Cfg.Tools.suidhelper().
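The commit message above describes a helper that trusts only its own config and validates every caller-supplied value (vm id, uid/gid band, cgroup KEY=VALUE, api-sock shape) before it becomes root and execve's the jailer. The following is an added example of that refusal-first validation, written for this page; it is not code from the PR or from the hyper project. Only the band rules (min != 0, min <= max, fatal at load) come from the commit message; the id alphabet and length cap, the cgroup key/value shape and the socket-path rule are assumptions, and the names `IdRange`, `JailerArgs` and the `validate_*` functions are hypothetical.

```rust
// Added example (not code from the PR or the hyper project): a refusal-first
// validator for the untrusted-origin values a setuid helper receives on its
// command line before it re-acquires root and execve's a jailer. Only the
// uid/gid band rules (min != 0, min <= max, fatal at load) come from the PR
// text; the id alphabet, length caps and socket-path shape are assumptions.

/// Trusted uid/gid band read from the helper's own config (assumed shape).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct IdRange {
    pub min: u32,
    pub max: u32,
}

impl IdRange {
    /// Rejects a band that contains uid/gid 0 or is inverted before any
    /// caller-supplied value is examined (the "fatal at load" rule).
    pub fn load(min: u32, max: u32) -> Result<Self, ArgError> {
        if min == 0 {
            return Err(ArgError::Config("uid_gid_range.min must not be 0"));
        }
        if min > max {
            return Err(ArgError::Config("uid_gid_range.min > uid_gid_range.max"));
        }
        Ok(IdRange { min, max })
    }
}

/// Every refusal names the flag it came from so the helper can report it
/// without echoing anything it did not already receive.
#[derive(Debug, PartialEq)]
pub enum ArgError {
    Config(&'static str),
    VmId(String),
    Id(&'static str, u32),
    Cgroup(String),
    ApiSock(String),
}

/// The fully validated argument set that is safe to hand to the jailer.
#[derive(Debug, PartialEq)]
pub struct JailerArgs {
    pub id: String,
    pub uid: u32,
    pub gid: u32,
    pub cgroups: Vec<(String, String)>,
    pub api_sock: String,
}

/// Assumed vm id shape: 1..=64 bytes of [A-Za-z0-9_-]. No '/', '.' or
/// whitespace, so the id cannot steer the chroot path derived from it.
pub fn validate_vm_id(id: &str) -> Result<String, ArgError> {
    let ok_len = !id.is_empty() && id.len() <= 64;
    let ok_chars = id.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_');
    if ok_len && ok_chars { Ok(id.to_string()) } else { Err(ArgError::VmId(id.to_string())) }
}

/// A caller-chosen uid or gid must fall inside the trusted band.
pub fn validate_id(which: &'static str, value: u32, band: IdRange) -> Result<u32, ArgError> {
    if (band.min..=band.max).contains(&value) { Ok(value) } else { Err(ArgError::Id(which, value)) }
}

/// `KEY=VALUE` with a non-empty dotted key and a non-empty value free of
/// whitespace and control bytes (assumed rule; accepts e.g. `cpuset.cpus=0-1`).
pub fn validate_cgroup(spec: &str) -> Result<(String, String), ArgError> {
    let (key, value) = match spec.split_once('=') {
        Some(kv) => kv,
        None => return Err(ArgError::Cgroup(spec.to_string())),
    };
    let key_ok = !key.is_empty()
        && key.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'.' || b == b'_');
    let value_ok = !value.is_empty()
        && !value.bytes().any(|b| b.is_ascii_control() || b.is_ascii_whitespace());
    if key_ok && value_ok {
        Ok((key.to_string(), value.to_string()))
    } else {
        Err(ArgError::Cgroup(spec.to_string()))
    }
}

/// Assumed socket-path rule: absolute, no `..` component, no control bytes,
/// and short enough for a Unix socket address (sun_path is 108 bytes on
/// Linux, including the terminating NUL).
pub fn validate_api_sock(path: &str) -> Result<String, ArgError> {
    let ok = path.starts_with('/')
        && path.len() < 108
        && !path.bytes().any(|b| b.is_ascii_control())
        && !path.split('/').any(|c| c == "..");
    if ok { Ok(path.to_string()) } else { Err(ArgError::ApiSock(path.to_string())) }
}

/// Validates every caller value; the first refusal aborts, so nothing is
/// partially trusted. Only on `Ok` would the helper become root and execve.
pub fn validate_all(id: &str, uid: u32, gid: u32, cgroups: &[&str], api_sock: &str, band: IdRange)
    -> Result<JailerArgs, ArgError>
{
    let cgroups = cgroups.iter().map(|s| validate_cgroup(s)).collect::<Result<Vec<_>, _>>()?;
    Ok(JailerArgs {
        id: validate_vm_id(id)?,
        uid: validate_id("uid", uid, band)?,
        gid: validate_id("gid", gid, band)?,
        cgroups,
        api_sock: validate_api_sock(api_sock)?,
    })
}
```

The design point is the ordering: the band is checked once at config load and the helper refuses to start on a bad band, and each caller value is checked against an allow-list of shapes rather than a deny-list of known-bad strings, so anything the validator has not explicitly accepted never reaches the privileged execve.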
codecov bot commented Jun 30, 2026


Codecov Report

❌ Patch coverage is 51.25000% with 117 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines                           Patch %   Lines
native/suidhelper/src/tools/jailer.rs              42.85%    92 missing
native/suidhelper/src/config.rs                    83.60%    10 missing
native/suidhelper/src/util/setuid_privileged.rs     0.00%     9 missing
native/suidhelper/src/main.rs                       0.00%     4 missing
lib/hyper/node/fire_vmm/jailer.ex                  60.00%     2 missing


@markovejnovic markovejnovic merged commit d5a2b3d into main Jun 30, 2026
@markovejnovic markovejnovic deleted the feat/jailer-via-suidhelper branch June 30, 2026 21:02