config: Protect jailer_path annotation

c3d · fidencio · commit 94076a64ddab · 2020-11-11T09:39:42.000+01:00
The jailer_path annotation can be used to execute arbitrary code on the host. Add a jailer_path_list configuration entry providing a list of regular expressions that can be used to filter annotations that represent valid file names. Fixes: #3004 Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
@@ -27,6 +27,10 @@ image = "@IMAGEPATH@"
 # for this feature today.
 #jailer_path = "@FCJAILERPATH@"
 
+# List of valid jailer path values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# jailer_path_list = [ "@FCJAILERPATH@.*" ]
+
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
@@ -543,6 +543,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		HypervisorPath:        hypervisor,
 		HypervisorPathList:    h.HypervisorPathList,
 		JailerPath:            jailer,
+		JailerPathList:        h.JailerPathList,
 		KernelPath:            kernel,
 		InitrdPath:            initrd,
 		ImagePath:             image,
diff --git a/virtcontainers/hypervisor.go b/virtcontainers/hypervisor.go
@@ -284,6 +284,9 @@ type HypervisorConfig struct {
 	// JailerPath is the jailer executable host path.
 	JailerPath string
 
+	// JailerPathList is the list of jailer paths names allowed in annotations
+	JailerPathList []string
+
 	// BlockDeviceDriver specifies the driver to be used for block device
 	// either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 	BlockDeviceDriver string
diff --git a/virtcontainers/persist.go b/virtcontainers/persist.go
@@ -225,6 +225,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		HypervisorPathList:      sconfig.HypervisorConfig.HypervisorPathList,
 		HypervisorCtlPath:       sconfig.HypervisorConfig.HypervisorCtlPath,
 		JailerPath:              sconfig.HypervisorConfig.JailerPath,
+		JailerPathList:          sconfig.HypervisorConfig.JailerPathList,
 		BlockDeviceDriver:       sconfig.HypervisorConfig.BlockDeviceDriver,
 		HypervisorMachineType:   sconfig.HypervisorConfig.HypervisorMachineType,
 		MemoryPath:              sconfig.HypervisorConfig.MemoryPath,
@@ -516,6 +517,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		HypervisorPathList:      hconf.HypervisorPathList,
 		HypervisorCtlPath:       hconf.HypervisorCtlPath,
 		JailerPath:              hconf.JailerPath,
+		JailerPathList:          hconf.JailerPathList,
 		BlockDeviceDriver:       hconf.BlockDeviceDriver,
 		HypervisorMachineType:   hconf.HypervisorMachineType,
 		MemoryPath:              hconf.MemoryPath,
diff --git a/virtcontainers/persist/api/config.go b/virtcontainers/persist/api/config.go
@@ -66,6 +66,9 @@ type HypervisorConfig struct {
 	// JailerPath is the jailer executable host path.
 	JailerPath string
 
+	// JailerPathList is the list of jailer paths names allowed in annotations
+	JailerPathList []string
+
 	// BlockDeviceDriver specifies the driver to be used for block device
 	// either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 	BlockDeviceDriver string
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
@@ -404,6 +404,13 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 		config.HypervisorConfig.HypervisorPath = value
 	}
 
+	if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
+		if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {
+			return fmt.Errorf("jailer %v required from annotation is not valid", value)
+		}
+		config.HypervisorConfig.JailerPath = value
+	}
+
 	if value, ok := ocispec.Annotations[vcAnnotations.KernelParams]; ok {
 		if value != "" {
 			params := vc.DeserializeParams(strings.Fields(value))
