From 6cc9b311af3633d244f526abed50c0d3b0ce06a1 Mon Sep 17 00:00:00 2001 From: Nicolas Lacasse Date: Tue, 11 Sep 2018 13:08:36 -0700 Subject: platform: Pass device fd into platform constructor. We were previously openining the platform device (i.e. /dev/kvm) inside the platfrom constructor (i.e. kvm.New). This requires that we have RW access to the platform device when constructing the platform. However, now that the runsc sandbox process runs as user "nobody", it is not able to open the platform device. This CL changes the kvm constructor to take the platform device FD, rather than opening the device file itself. The device file is opened outside of the sandbox and passed to the sandbox process. PiperOrigin-RevId: 212505804 Change-Id: I427e1d9de5eb84c84f19d513356e1bb148a52910 --- pkg/sentry/platform/kvm/kvm.go | 25 ++++++++++++++++--------- pkg/sentry/platform/kvm/kvm_test.go | 6 +++++- 2 files changed, 21 insertions(+), 10 deletions(-) (limited to 'pkg/sentry/platform/kvm') diff --git a/pkg/sentry/platform/kvm/kvm.go b/pkg/sentry/platform/kvm/kvm.go index 2dc3239a5..19bc2d515 100644 --- a/pkg/sentry/platform/kvm/kvm.go +++ b/pkg/sentry/platform/kvm/kvm.go @@ -17,6 +17,7 @@ package kvm import ( "fmt" + "os" "sync" "syscall" @@ -44,25 +45,29 @@ var ( globalErr error ) +// OpenDevice opens the KVM device at /dev/kvm and returns the File. +func OpenDevice() (*os.File, error) { + f, err := os.OpenFile("/dev/kvm", syscall.O_RDWR, 0) + if err != nil { + return nil, fmt.Errorf("error opening /dev/kvm: %v", err) + } + return f, nil +} + // New returns a new KVM-based implementation of the platform interface. -func New() (*KVM, error) { +func New(deviceFile *os.File) (*KVM, error) { // Allocate physical memory for the vCPUs. fm, err := filemem.New("kvm-memory") if err != nil { return nil, err } - // Try opening KVM. - fd, err := syscall.Open("/dev/kvm", syscall.O_RDWR, 0) - if err != nil { - return nil, fmt.Errorf("opening /dev/kvm: %v", err) - } - defer syscall.Close(fd) + fd := deviceFile.Fd() // Ensure global initialization is done. globalOnce.Do(func() { physicalInit() - globalErr = updateSystemValues(fd) + globalErr = updateSystemValues(int(fd)) ring0.Init(cpuid.HostFeatureSet()) }) if globalErr != nil { @@ -70,10 +75,12 @@ func New() (*KVM, error) { } // Create a new VM fd. - vm, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), _KVM_CREATE_VM, 0) + vm, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, fd, _KVM_CREATE_VM, 0) if errno != 0 { return nil, fmt.Errorf("creating VM: %v", errno) } + // We are done with the device file. + deviceFile.Close() // Create a VM context. machine, err := newMachine(int(vm)) diff --git a/pkg/sentry/platform/kvm/kvm_test.go b/pkg/sentry/platform/kvm/kvm_test.go index 180bf7bb0..52448839f 100644 --- a/pkg/sentry/platform/kvm/kvm_test.go +++ b/pkg/sentry/platform/kvm/kvm_test.go @@ -39,7 +39,11 @@ type testHarness interface { func kvmTest(t testHarness, setup func(*KVM), fn func(*vCPU) bool) { // Create the machine. - k, err := New() + deviceFile, err := OpenDevice() + if err != nil { + t.Fatalf("error opening device file: %v", err) + } + k, err := New(deviceFile) if err != nil { t.Fatalf("error creating KVM instance: %v", err) } -- cgit v1.2.3