@@ -245,17 +245,23 @@ func (j *runcJailer) BuildLinkFifoHandler() firecracker.Handler {
245
245
contentsPath := j .RootPath ()
246
246
fifoFileName := filepath .Base (m .Cfg .LogFifo )
247
247
newFifoPath := filepath .Join (contentsPath , fifoFileName )
248
- if err := os .Link (m .Cfg .LogFifo , newFifoPath ); err != nil {
248
+ // Since Firecracker is unaware that we are in a jailed environment and
249
+ // what owner/group to set this as when creating, we will manually have
250
+ // to adjust the permission bits ourselves
251
+ if err := linkAndChown (m .Cfg .LogFifo , newFifoPath , j .Config .UID , j .Config .GID ); err != nil {
249
252
return err
250
253
}
251
- m .Cfg .LogFifo = newFifoPath
254
+ // this path needs to be relative to the root path, and since we are
255
+ // placing the file in the root path the LogFifo value should just be the
256
+ // file name.
257
+ m .Cfg .LogFifo = fifoFileName
252
258
253
259
metricFifoFileName := filepath .Base (m .Cfg .MetricsFifo )
254
260
newMetricFifoPath := filepath .Join (contentsPath , metricFifoFileName )
255
- if err := os . Link (m .Cfg .MetricsFifo , newMetricFifoPath ); err != nil {
261
+ if err := linkAndChown (m .Cfg .MetricsFifo , newMetricFifoPath , j . Config . UID , j . Config . GID ); err != nil {
256
262
return err
257
263
}
258
- m .Cfg .MetricsFifo = newMetricFifoPath
264
+ m .Cfg .MetricsFifo = metricFifoFileName
259
265
260
266
return nil
261
267
},
@@ -493,6 +499,18 @@ func mkdirAllWithPermissions(path string, mode os.FileMode, uid, gid uint32) err
493
499
return nil
494
500
}
495
501
502
+ func linkAndChown (src , dst string , uid , gid uint32 ) error {
503
+ if err := os .Link (src , dst ); err != nil {
504
+ return err
505
+ }
506
+
507
+ if err := os .Chown (dst , int (uid ), int (gid )); err != nil {
508
+ return err
509
+ }
510
+
511
+ return nil
512
+ }
513
+
496
514
func getNetNS (spec specs.Spec ) string {
497
515
for _ , ns := range spec .Linux .Namespaces {
498
516
if ns .Type == networkNamespaceRuncName {
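Review bot: In `linkAndChown` (second hunk), `os.Chown` follows symbolic links, so if `dst` resolves to a symlink when it runs, the ownership change lands on the link's target rather than on the entry just created; `os.Lchown(dst, int(uid), int(gid))` keeps the change on `dst` itself. Because `dst` is a hard link, the chown also changes the owner of the original FIFO at `src` outside the jail root, which deserves a doc comment on the helper, e.g. `// linkAndChown hard-links src to dst and chowns the shared inode to uid/gid; src changes owner as well.` When the chown fails the new link is left in place, so a retry would presumably fail on the existing file; calling `os.Remove(dst)` before returning the error avoids that. The comment added in the first hunk says "permission bits" although the helper changes owner and group, not the mode.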