From c9637770e3463e7c9251f4c40e848e172a293c98 Mon Sep 17 00:00:00 2001 From: Julio Montes Date: Thu, 19 Nov 2020 15:49:16 -0600 Subject: [PATCH] cli: check modules and permissions before loading a module Before loading a module, the check subcommand should check if the current user can load it. fixes #3085 Signed-off-by: Julio Montes --- cli/kata-check.go | 10 +++++++++- cli/kata-check_amd64_test.go | 4 ++++ cli/kata-check_test.go | 2 ++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/cli/kata-check.go b/cli/kata-check.go index 47c3b02bd4..b709fc5289 100644 --- a/cli/kata-check.go +++ b/cli/kata-check.go @@ -134,17 +134,25 @@ func getCPUFlags(cpuinfo string) string { // haveKernelModule returns true if the specified module exists // (either loaded or available to be loaded) func haveKernelModule(module string) bool { + kmodLog := kataLog.WithField("module", module) + // First, check to see if the module is already loaded path := filepath.Join(sysModuleDir, module) if katautils.FileExists(path) { return true } + // Only root can load modules + if os.Getuid() != 0 { + kmodLog.Error("Module is not loaded and it can not be inserted. Please consider running with sudo or as root") + return false + } + // Now, check if the module is unloaded, but available. // And modprobe it if so. cmd := exec.Command(modProbeCmd, module) if output, err := cmd.CombinedOutput(); err != nil { - kataLog.WithField("module", module).WithError(err).Warnf("modprobe insert module failed: %s", string(output)) + kmodLog.WithError(err).WithField("output", string(output)).Warnf("modprobe insert module failed") return false } return true diff --git a/cli/kata-check_amd64_test.go b/cli/kata-check_amd64_test.go index 23f4aa028f..d162efa187 100644 --- a/cli/kata-check_amd64_test.go +++ b/cli/kata-check_amd64_test.go @@ -47,6 +47,8 @@ func TestCCCheckCLIFunction(t *testing.T) { var cpuData []testCPUData var moduleData []testModuleData + t.Skip(testDisabledAsNonRoot) + if cpuType == cpuTypeIntel { cpuData = []testCPUData{ {archGenuineIntel, "lm vmx sse4_1", false}, @@ -245,6 +247,8 @@ func TestCheckCheckKernelModulesNoUnrestrictedGuest(t *testing.T) { } func TestCheckHostIsVMContainerCapable(t *testing.T) { + t.Skip(testDisabledAsNonRoot) + assert := assert.New(t) dir, err := ioutil.TempDir("", "") diff --git a/cli/kata-check_test.go b/cli/kata-check_test.go index 771f2fde90..7c0e3eb127 100644 --- a/cli/kata-check_test.go +++ b/cli/kata-check_test.go @@ -514,6 +514,8 @@ func TestCheckCheckCPUAttribs(t *testing.T) { } func TestCheckHaveKernelModule(t *testing.T) { + t.Skip(testDisabledAsNonRoot) + assert := assert.New(t) dir, err := ioutil.TempDir("", "")