github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-27 15:57:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #8549 from jodh-intel/tdx-no-root

Browse Source 
libs: protection: x86_64: drop root requirement for querying
This commit is contained in:
James O. D. Hunt 2023-12-04 13:03:10 +00:00 committed by GitHub
commit e4aebb4560
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/libs/kata-sys-util/src/protection.rs
View File

@ -13,7 +13,7 @@ use std::path::Path;
use std::path::PathBuf; use std::path::PathBuf;
use thiserror::Error; use thiserror::Error;
#[cfg(any(target_arch = "s390x", target_arch = "x86_64"))] #[cfg(any(target_arch = "s390x", target_arch = "powerpc64le"))]
use nix::unistd::Uid; use nix::unistd::Uid;
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
@ -97,10 +97,6 @@ const TDX_MINOR_FILE: &str = "minor_version";
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError> { pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError> {
if !Uid::effective().is_root() {
return Err(ProtectionError::NoPerms);
}
arch_guest_protection( arch_guest_protection(
TDX_SYS_FIRMWARE_DIR, TDX_SYS_FIRMWARE_DIR,
SEV_KVM_PARAMETER_PATH, SEV_KVM_PARAMETER_PATH,
@ -262,23 +258,10 @@ pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError>
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use nix::unistd::Uid;
use std::fs; use std::fs;
use std::io::Write; use std::io::Write;
use tempfile::tempdir; use tempfile::tempdir;
#[test]
fn test_available_guest_protection_no_privileges() {
if !Uid::effective().is_root() {
let res = available_guest_protection();
assert!(res.is_err());
assert_eq!(
"No permission to check guest protection",
res.unwrap_err().to_string()
);
}
}
#[test] #[test]
fn test_arch_guest_protection_snp() { fn test_arch_guest_protection_snp() {
// Test snp // Test snp

5
src/tools/kata-ctl/src/ops/env_ops.rs
View File

@ -13,7 +13,6 @@ use kata_sys_util::protection;
use kata_types::config::TomlConfig; use kata_types::config::TomlConfig;
use anyhow::{anyhow, Context, Result}; use anyhow::{anyhow, Context, Result};
use nix::unistd::Uid;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::fs::File; use std::fs::File;
use std::io::{self, Write}; use std::io::{self, Write};
@ -473,10 +472,6 @@ pub fn get_env_info(toml_config: &TomlConfig) -> Result<EnvInfo> {
} }
pub fn handle_env(env_args: EnvArgument) -> Result<()> { pub fn handle_env(env_args: EnvArgument) -> Result<()> {
if !Uid::effective().is_root() {
return Err(anyhow!("kata-ctl env command requires root privileges to get host information. Please run as root or use sudo"));
}
let mut file: Box<dyn Write> = if let Some(path) = env_args.file { let mut file: Box<dyn Write> = if let Some(path) = env_args.file {
Box::new( Box::new(
File::create(path.as_str()).with_context(|| format!("Error creating file {}", path))?, File::create(path.as_str()).with_context(|| format!("Error creating file {}", path))?,