Merge pull request #5436 from amshinde/kata-ctl-drop-privs

Kata ctl drop privs
2025-09-03 01:44:29 +00:00 · 2022-10-26 11:37:27 -05:00
parent 8b0c830a23 c0f5bc81b7
commit 37f0cd1c8f
5 changed files with 1072 additions and 1 deletions
--- a/src/tools/kata-ctl/.gitignore
+++ b/src/tools/kata-ctl/.gitignore
@@ -1 +1 @@
-/vendor/
+src/ops/version.rs
--- a/src/tools/kata-ctl/Cargo.lock
+++ b/src/tools/kata-ctl/Cargo.lock
--- a/src/tools/kata-ctl/Cargo.toml
+++ b/src/tools/kata-ctl/Cargo.toml
@@ -17,6 +17,8 @@ anyhow = "1.0.31"
 clap = { version = "3.2.20", features = ["derive", "cargo"] }
 serde_json = "1.0.85"
 thiserror = "1.0.35"
 privdrop = "0.5.2"
 nix = "0.25.0"
 [target.'cfg(target_arch = "s390x")'.dependencies]
 reqwest = { version = "0.11", default-features = false, features = ["json", "blocking", "native-tls"] }
--- a/src/tools/kata-ctl/src/main.rs
+++ b/src/tools/kata-ctl/src/main.rs
@@ -7,6 +7,7 @@ mod arch;
 mod args;
 mod check;
 mod ops;
 mod utils;
 use anyhow::Result;
 use clap::Parser;
--- a/src/tools/kata-ctl/src/utils.rs
+++ b/src/tools/kata-ctl/src/utils.rs
@@ -0,0 +1,33 @@
 // Copyright (c) 2022 Intel Corporation
 //
 // SPDX-License-Identifier: Apache-2.0
 //
 #![allow(dead_code)]
 use anyhow::{anyhow, Result};
 const NON_PRIV_USER: &str = "nobody";
 pub fn drop_privs() -> Result<()> {
    if nix::unistd::Uid::effective().is_root() {
        privdrop::PrivDrop::default()
            .chroot("/")
            .user(NON_PRIV_USER)
            .apply()
            .map_err(|e| anyhow!("Failed to drop privileges to user {}: {}", NON_PRIV_USER, e))?;
    }
    Ok(())
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn test_drop_privs() {
        let res = drop_privs();
        assert!(res.is_ok());
    }
 }