From 8f6b0a6a41dfb2e7d272f3ff0e37179b9290d506 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Thu, 3 Oct 2019 21:23:19 +0000
Subject: [PATCH] virtcontainers: change firecracker socket permissions
For security reasons, let's make sure 'others' don't have access to the firecracker hybrid vsock
fixes #2101
Signed-off-by: Julio Montes
---
 virtcontainers/fc.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/virtcontainers/fc.go b/virtcontainers/fc.go
index 332c038cc6..8d7974655a 100644
--- a/virtcontainers/fc.go
+++ b/virtcontainers/fc.go
@@ -599,6 +599,11 @@ func (fc *firecracker) fcStartVM() error {
 return err
 }
+ // make sure 'others' don't have access to this socket
+ if err := os.Chmod(filepath.Join(fc.jailerRoot, defaultHybridVSocketName), 0640); err != nil {
+ return fmt.Errorf("Could not change socket permissions: %v", err)
+ }
+
 fc.state.set(vmReady)
 return nil
 }
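Review bot: The chmod in fcStartVM runs only after the earlier start-up steps have returned, so the hybrid vsock socket appears to keep its creation-time mode until this line executes; if so, restricting the jailer root directory's permissions (or the creating process's umask) before launch would close that window, with this chmod kept as a second layer. The mode `0640` also deserves a comment or a change: on Linux, connecting to a Unix socket requires write permission, so the group read bit grants nothing useful, and `0600` states the intent more plainly unless group access is wanted. The error string should be lowercase per Go convention, e.g. `fmt.Errorf("could not change socket permissions: %v", err)`. The body of fcStartVM begins above the hunk, so where the socket is created is not visible here.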