From f05ada592f526a60c18652c32014ff4e51e518b2 Mon Sep 17 00:00:00 2001 From: "James O. D. Hunt" Date: Fri, 1 Dec 2023 14:01:58 +0000 Subject: [PATCH 1/2] libs: protection: x86_64: drop root requirement for querying It is no longer necessary to be `root` to query the guest protection (TDX) on `x86_64` systems, so drop the requirement. > **Note:** > > This change drops the `nix` `Uid` import required for the `root` check. > But at the same time it adds it for PPC64le since that implementation of > `available_guest_protection()` needs it and it was previously missing. Fixes: #8548. Signed-off-by: James O. D. Hunt --- src/libs/kata-sys-util/src/protection.rs | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/src/libs/kata-sys-util/src/protection.rs b/src/libs/kata-sys-util/src/protection.rs index 51352a9d45..178b0813ee 100644 --- a/src/libs/kata-sys-util/src/protection.rs +++ b/src/libs/kata-sys-util/src/protection.rs @@ -13,7 +13,7 @@ use std::path::Path; use std::path::PathBuf; use thiserror::Error; -#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))] +#[cfg(any(target_arch = "s390x", target_arch = "powerpc64le"))] use nix::unistd::Uid; #[cfg(target_arch = "x86_64")] @@ -97,10 +97,6 @@ const TDX_MINOR_FILE: &str = "minor_version"; #[cfg(target_arch = "x86_64")] pub fn available_guest_protection() -> Result { - if !Uid::effective().is_root() { - return Err(ProtectionError::NoPerms); - } - arch_guest_protection( TDX_SYS_FIRMWARE_DIR, SEV_KVM_PARAMETER_PATH, 
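Review bot: The new `target_arch = "powerpc64le"` arm of the `cfg` guarding `use nix::unistd::Uid;` can never be true, because rustc reports `powerpc64` as the architecture for both endiannesses and carries the byte order in `target_endian`. As written the import is still compiled out on PPC64le, so the commit message's goal of supplying `Uid` to that platform's `available_guest_protection()` is not met. Whether that function is gated with the same string is outside the hunk; if it is, the whole PPC64le branch is dead code. I would write the guard as `#[cfg(any(target_arch = "s390x", all(target_arch = "powerpc64", target_endian = "little")))]` and use the same predicate on the PPC64le implementation. Recent toolchains flag the unknown value through the `unexpected_cfgs` lint, which is a cheap way to catch further occurrences.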
@@ -262,23 +258,10 @@ pub fn available_guest_protection() -> Result #[cfg(test)] mod tests { use super::*; - use nix::unistd::Uid; use std::fs; use std::io::Write; use tempfile::tempdir; - #[test] - fn test_available_guest_protection_no_privileges() { - if !Uid::effective().is_root() { - let res = available_guest_protection(); - assert!(res.is_err()); - assert_eq!( - "No permission to check guest protection", - res.unwrap_err().to_string() - ); - } - } - #[test] fn test_arch_guest_protection_snp() { // Test snp From e1caca3e412fc8f4e9e619873ca405d0a736ff7f Mon Sep 17 00:00:00 2001 From: "James O. D. Hunt" Date: Fri, 1 Dec 2023 14:03:49 +0000 Subject: [PATCH 2/2] kata-ctl: Remove root requirement for "env" Remove the redundant `kata-ctl` `root` check when running the `env` command. This check duplicated the `GuestProtection` check, and that check is now no longer necessary anyway. Signed-off-by: James O. D. Hunt --- src/tools/kata-ctl/src/ops/env_ops.rs | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/tools/kata-ctl/src/ops/env_ops.rs b/src/tools/kata-ctl/src/ops/env_ops.rs index 7c33437299..109dce6a9b 100644 --- a/src/tools/kata-ctl/src/ops/env_ops.rs +++ b/src/tools/kata-ctl/src/ops/env_ops.rs @@ -13,7 +13,6 @@ use kata_sys_util::protection; use kata_types::config::TomlConfig; use anyhow::{anyhow, Context, Result}; -use nix::unistd::Uid; use serde::{Deserialize, Serialize}; use std::fs::File; use std::io::{self, Write}; @@ -473,10 +472,6 @@ pub fn get_env_info(toml_config: &TomlConfig) -> Result { } pub fn handle_env(env_args: EnvArgument) -> Result<()> { - if !Uid::effective().is_root() { - return Err(anyhow!("kata-ctl env command requires root privileges to get host information. Please run as root or use sudo")); - } - let mut file: Box = if let Some(path) = env_args.file { Box::new( File::create(path.as_str()).with_context(|| format!("Error creating file {}", path))?,