
config: Protect jailer_path annotation
The jailer_path annotation can be used to execute arbitrary code on
the host. Add a jailer_path_list configuration entry providing a list
of regular expressions that can be used to filter annotations that
represent valid file names.

Fixes: #3004

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
c3d committed Nov 10, 2020
1 parent b588faf commit 0d5273a
Showing 6 changed files with 20 additions and 0 deletions.
4 changes: 4 additions & 0 deletions cli/config/configuration-fc.toml.in
Expand Up @@ -27,6 +27,10 @@ image = "@IMAGEPATH@"
# for this feature today.
#jailer_path = "@FCJAILERPATH@"

# List of valid jailer path values for the hypervisor (default: empty)
# Each member of the list can be a regular expression
# jailer_path_list = [ "@FCJAILERPATH@.*" ]


# Optional space-separated list of options to pass to the guest kernel.
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
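Review bot: The new comment on `jailer_path_list` does not say what happens when the entry is left at its empty default, which from the check added in virtcontainers/pkg/oci/utils.go appears to be that every `jailer_path` annotation is rejected; that is the safe default and worth stating so operators understand why an annotation fails. I would extend the comment with `# An empty list (the default) rejects any jailer_path annotation.` It would also help to say whether an entry must match the whole annotation value or only part of it, since the `.*` in the example leaves that open.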
1 change: 1 addition & 0 deletions pkg/katautils/config.go
Expand Up @@ -568,6 +568,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
HypervisorPath: hypervisor,
HypervisorPathList: h.HypervisorPathList,
JailerPath: jailer,
JailerPathList: h.JailerPathList,
KernelPath: kernel,
InitrdPath: initrd,
ImagePath: image,
3 changes: 3 additions & 0 deletions virtcontainers/hypervisor.go
Expand Up @@ -287,6 +287,9 @@ type HypervisorConfig struct {
// JailerPath is the jailer executable host path.
JailerPath string

// JailerPathList is the list of jailer paths names allowed in annotations
JailerPathList []string

// BlockDeviceDriver specifies the driver to be used for block device
// either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
BlockDeviceDriver string
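Review bot: The doc comment on the new `JailerPathList` field reads `jailer paths names`, which is ungrammatical and does not say that the entries are regular expressions, as the commit message and the configuration template both state. Suggest `// JailerPathList is the list of regular expressions that a jailer path given in annotations must match.` The same comment is repeated on the field added in virtcontainers/persist/api/config.go and should be fixed there too.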
2 changes: 2 additions & 0 deletions virtcontainers/persist.go
Expand Up @@ -227,6 +227,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
HypervisorPathList: sconfig.HypervisorConfig.HypervisorPathList,
HypervisorCtlPath: sconfig.HypervisorConfig.HypervisorCtlPath,
JailerPath: sconfig.HypervisorConfig.JailerPath,
JailerPathList: sconfig.HypervisorConfig.JailerPathList,
BlockDeviceDriver: sconfig.HypervisorConfig.BlockDeviceDriver,
HypervisorMachineType: sconfig.HypervisorConfig.HypervisorMachineType,
MemoryPath: sconfig.HypervisorConfig.MemoryPath,
Expand Down Expand Up @@ -520,6 +521,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
HypervisorPathList: hconf.HypervisorPathList,
HypervisorCtlPath: hconf.HypervisorCtlPath,
JailerPath: hconf.JailerPath,
JailerPathList: hconf.JailerPathList,
BlockDeviceDriver: hconf.BlockDeviceDriver,
HypervisorMachineType: hconf.HypervisorMachineType,
MemoryPath: hconf.MemoryPath,
3 changes: 3 additions & 0 deletions virtcontainers/persist/api/config.go
Expand Up @@ -69,6 +69,9 @@ type HypervisorConfig struct {
// JailerPath is the jailer executable host path.
JailerPath string

// JailerPathList is the list of jailer paths names allowed in annotations
JailerPathList []string

// BlockDeviceDriver specifies the driver to be used for block device
// either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
BlockDeviceDriver string
7 changes: 7 additions & 0 deletions virtcontainers/pkg/oci/utils.go
Expand Up @@ -407,6 +407,13 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
config.HypervisorConfig.HypervisorPath = value
}

if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {
return fmt.Errorf("jailer %v required from annotation is not valid", value)
}
config.HypervisorConfig.JailerPath = value
}

if value, ok := ocispec.Annotations[vcAnnotations.KernelParams]; ok {
if value != "" {
params := vc.DeserializeParams(strings.Fields(value))
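Review bot: The annotation value is accepted on the strength of `regexpContains` alone, and nothing in the hunk shows whether that helper anchors its patterns, so a `JailerPathList` entry such as the template's `"@FCJAILERPATH@.*"` may be applied as a partial match rather than a whole-path match; if so, the effective allow-list is looser than the configuration suggests. Either anchor the patterns inside the helper or document in the configuration template that entries must be written as full-path expressions with `^` and `$`. The same helper presumably guards `HypervisorPath` just above this hunk, so any tightening belongs in the helper rather than at this call site. The enclosing addHypervisorConfigOverrides function starts and ends outside the hunk.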
