virtcontainers: change firecracker socket permissions

For security reasons, let's make sure 'others' don't have access to the firecracker hybrid vsock fixes #2101 Signed-off-by: Julio Montes <julio.montes@intel.com>
2025-06-27 15:57:09 +00:00 · 2019-10-03 21:23:19 +00:00 · 2019-10-03 21:23:19 +00:00 · 8f6b0a6a41
commit 8f6b0a6a41
parent 46d1957e0f
1 changed files with 5 additions and 0 deletions
--- a/virtcontainers/fc.go
+++ b/virtcontainers/fc.go
@ -599,6 +599,11 @@ func (fc *firecracker) fcStartVM() error {
 		return err
 	}

+	// make sure 'others' don't have access to this socket
+	if err := os.Chmod(filepath.Join(fc.jailerRoot, defaultHybridVSocketName), 0640); err != nil {
+		return fmt.Errorf("Could not change socket permissions: %v", err)
+	}
+
 	fc.state.set(vmReady)
 	return nil
 }