diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 6aaa11e072df..0761848c51dd 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -275,7 +275,7 @@ DEFBINDMOUNTS := [] DEFSERVICEOFFLOAD ?= false # SNP -DEFSNPGUEST ?= true +DEFSNPGUEST ?= false # Based on SEV Secure Nested Paging Firmware ABI Specification section 4.3 # unspecified or == 0 --> 0x30000 i.e. Bit#17 is '1' and Bit#16 is '1' (SMT is allowed) DEFSNPGUESTPOLICY ?= 0x30000 diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 0851bbaaa897..aa4324ef0ded 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -40,7 +40,7 @@ rootfs_type=@DEFROOTFSTYPE@ # * Intel TDX # # Default false -confidential_guest = true +#confidential_guest = true # Enable running clh VMM as a non-root user. # By default clh VMM run as root. When this is set to true, clh VMM process runs as diff --git a/src/runtime/pkg/resourcecontrol/cgroups.go b/src/runtime/pkg/resourcecontrol/cgroups.go index be8e9dc97369..6d9257473277 100644 --- a/src/runtime/pkg/resourcecontrol/cgroups.go +++ b/src/runtime/pkg/resourcecontrol/cgroups.go @@ -60,6 +60,7 @@ func sandboxDevices() []specs.LinuxDeviceCgroup { "/dev/zero", "/dev/urandom", "/dev/console", + "/dev/ptmx", } // Processes running in a device-cgroup are constrained, they have acccess diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 9ee0149648eb..f57b8de9838d 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -33,7 +33,7 @@ AGENT_POLICY_FILE=${AGENT_POLICY_FILE:-"allow-all.rego"} lib_file="${script_dir}/../scripts/lib.sh" source "$lib_file" -agent_policy_file="$(readlink -f "${script_dir}/../../../src/kata-opa/${AGENT_POLICY_FILE}")" +[ "${AGENT_POLICY}" == "yes" ] && agent_policy_file="$(readlink -f "${script_dir}/../../../src/kata-opa/${AGENT_POLICY_FILE}")" #For cross build CROSS_BUILD=${CROSS_BUILD:-false} @@ -330,7 +330,7 @@ check_env_variables() [ -n "${KERNEL_MODULES_DIR}" ] && [ ! -d "${KERNEL_MODULES_DIR}" ] && die "KERNEL_MODULES_DIR defined but is not an existing directory" - [ ! -f "${agent_policy_file}" ] && die "agent policy file not found in '${agent_policy_file}'" + [ "${AGENT_POLICY}" == "yes" ] && [ ! -f "${agent_policy_file}" ] && die "agent policy file not found in '${agent_policy_file}'" [ -n "${OSBUILDER_VERSION}" ] || die "need osbuilder version" }