virtcontainers: change firecracker socket permissions

For security reasons, let's make sure 'others' don't have access to the firecracker hybrid vsock fixes #2101 Signed-off-by: Julio Montes <[email protected]>
kata-containers · Oct 3, 2019 · 8f6b0a6 · 8f6b0a6
1 parent 46d1957
commit 8f6b0a6
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/virtcontainers/fc.go b/virtcontainers/fc.go
@@ -599,6 +599,11 @@ func (fc *firecracker) fcStartVM() error {
 		return err
 	}
 
+	// make sure 'others' don't have access to this socket
+	if err := os.Chmod(filepath.Join(fc.jailerRoot, defaultHybridVSocketName), 0640); err != nil {
+		return fmt.Errorf("Could not change socket permissions: %v", err)
+	}
+
 	fc.state.set(vmReady)
 	return nil
 }