containers
Added new functions: krun_setuid, krun_setgid
If I want to attach a host block device to a microVM, the /dev/disk* or /dev/rdisk* file needs to be opened by root.
However, I would like to avoid having to run the VMM as root too. Once the device is opened, we can drop privileges using setuid/setgid. This needs to happen inside krun_start_enter after setting up the device but before the virtual machine is started.
This can be solved by introducing two new configuration functions krun_setuid and krun_setgid.
At first, I tried to work around this by opening the block device myself, dropping privileges and configuring the VM to use /dev/fd/* path referencing the already open file descriptor. This worked with the read only flag. When I tried to enable write, opening /dev/fd/* (which is done by imago before starting the VM) resulted in permission denied error on macOS.
I assume extending the disk API to work with file descriptors directly could work too but adding uid/gid configuration seems more elegant and it's also more generic.