Skip to content

Commit 72340ca

Browse files
ilstamilstam
committed
docs: Clarify that all jailer inputs must be trusted
Document that the operator invoking the jailer is part of the trusted computing base and that all paths provided to the jailer are considered trusted. It is the operator's responsibility to ensure these paths and their parent directories have appropriate permissions to prevent unauthorized modification by other local users. Signed-off-by: Ilias Stamatis <ilstam@amazon.com>
1 parent 3a16ebd commit 72340ca

2 files changed

Lines changed: 14 additions & 0 deletions

File tree

docs/jailer.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -263,6 +263,15 @@ Note: default value for `<api-sock>` is `/run/firecracker.socket`.
263263

264264
### Observations
265265

266+
- All inputs to the jailer are considered trusted, including the paths provided
267+
via `--exec-file`, `--chroot-base-dir`, and `--netns`, as well as any
268+
resources placed inside the jail root directory. Cgroup mount points are
269+
discovered from `/proc/mounts` and are managed by the kernel, so they are
270+
inherently trusted. The operator invoking the jailer is part of the trusted
271+
computing base. It is the operator's responsibility to ensure that these paths
272+
and their parent directories have appropriate ownership and permissions (e.g.,
273+
root-owned, not world-writable) to prevent unauthorized modification by other
274+
local users.
266275
- The user must create hard links for (or copy) any resources which will be
267276
provided to the VM via the API (disk images, kernel images, named pipes, etc)
268277
inside the jailed root folder. Also, permissions must be properly managed for

docs/prod-host-setup.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,11 @@ namespace isolation and drops privileges of the Firecracker process.
9696

9797
To set up the jailer correctly, you'll need to:
9898

99+
- Ensure that all paths provided to the jailer (`--exec-file`,
100+
`--chroot-base-dir`, `--netns`) and their parent directories are not writable
101+
by unprivileged users. The jailer treats all its inputs as trusted; it is the
102+
operator's responsibility to ensure that these paths cannot be tampered with
103+
by other local users.
99104
- Create a dedicated non-privileged POSIX user and group to run Firecracker
100105
under. Use the created POSIX user and group IDs in Jailer's `--uid <uid>` and
101106
`--gid <gid>` flags, respectively. This will run the Firecracker as the

0 commit comments

Comments
 (0)