by Alupis 2765 days ago
I imagine a competent sysadmin deploying this won't just blindly copy/paste the `chmod 777` command into their terminal... this is likely just a "quick, getting started" sort of thing.

Since only the Firecracker user needs read/write access, it would be trivial to limit that to just the Firecracker user or group.

2 comments

So apparently on another page on their site they are using `sudo setfacl -m u:${USER}:rw /dev/kvm` instead. Too confusing. Source: https://aws.amazon.com/blogs/aws/firecracker-lightweight-vir...
From the announcement: Built-In Security: We provide compute security barriers that enable multitenant workloads, and cannot be mistakenly disabled by customers. Customer workloads are simultaneously considered sacred (shall not be touched) and malicious (shall be defended against).

Step one, here is a guide that effectively removes all protections on the host system.

Win.
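The thread contrasts `chmod 777` on `/dev/kvm` with a per-user `setfacl` grant. The script below is an added example, not part of any comment or of the Firecracker documentation, that reports which of those states a device node is in. The function names are hypothetical, and the `kvm` group named in the comments is an assumption.

```shell
#!/bin/sh
# Added example: classify who can open a device node such as /dev/kvm.
# Function names are hypothetical; the "kvm" group mentioned below is an
# assumption (a common distribution default), not something the thread states.

# Print one of: world-writable, world-readable, acl, restricted, missing.
classify_access() {
    [ -e "$1" ] || { echo "missing"; return 2; }

    # First ls field is the mode string, e.g. "crw-rw----+":
    # char 1 = type, 2-4 = owner, 5-7 = group, 8-10 = other, trailing "+" = ACL.
    mode=$(ls -ld -- "$1" | awk '{print $1}')
    other=$(printf '%s' "$mode" | cut -c8-10)

    case "$other" in
        ?w?) echo "world-writable" ;;   # the state chmod 777 leaves behind
        r??) echo "world-readable" ;;
        *)
            case "$mode" in
                *+) echo "acl" ;;        # per-user grant, as setfacl creates
                *)  echo "restricted" ;; # owner/group only
            esac
            ;;
    esac
}

# Print a least-privilege suggestion for a given classification.
suggest_fix() {
    case "$1" in
        world-writable|world-readable)
            # Assumed layout: node owned by root, group "kvm", mode 660.
            echo "tighten: chown root:kvm NODE && chmod 660 NODE, then grant"
            echo "access with: setfacl -m u:USER:rw NODE (or group membership)"
            ;;
        acl)        echo "ok: access is granted per user via ACL; review with getfacl" ;;
        restricted) echo "ok: only owner and group can open the node" ;;
        *)          echo "node not found" ;;
    esac
}

# Run against a path only when one is given, e.g.: sh audit.sh /dev/kvm
if [ "$#" -gt 0 ]; then
    state=$(classify_access "$1") || true
    echo "$1: $state"
    suggest_fix "$state"
fi
```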