config: Protect vhost_user_store_path against annotation attacks

This path could be used to overwrite data on the host. Fixes: #3004 Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
kata-containers · Nov 10, 2020 · 2f0360b · 2f0360b
1 parent fba4619
commit 2f0360b
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 2 deletions.
diff --git a/cli/config/configuration-qemu-virtiofs.toml.in b/cli/config/configuration-qemu-virtiofs.toml.in
@@ -212,6 +212,9 @@ vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@"
 # Enabling this will result in the VM device having iommu_platform=on set
 #enable_iommu_platform = true
 
+# List of valid annotations values for the virtiofs daemon (default: empty)
+# vhost_user_store_path_list = [ "/empty/space", "/multiverse/quantum-foam" ]
+
 # Enable file based guest memory support. The default is an empty string which
 # will disable this feature. In the case of virtio-fs, this is enabled
 # automatically and '/dev/shm' is used as the backing folder.

diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in
@@ -218,6 +218,9 @@ vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@"
 # Enabling this will result in the VM device having iommu_platform=on set
 #enable_iommu_platform = true
 
+# List of valid annotations values for the virtiofs daemon (default: empty)
+# vhost_user_store_path_list = [ "/empty/space", "/multiverse/quantum-foam" ]
+
 # Enable file based guest memory support. The default is an empty string which
 # will disable this feature. In the case of virtio-fs, this is enabled
 # automatically and '/dev/shm' is used as the backing folder.
@@ -491,7 +494,6 @@ experimental=@DEFAULTEXPFEATURES@
 # If enabled, containers are allowed to join the pid namespace of the agent
 # when the env variable KATA_AGENT_PIDNS is set for a container.
 # Use this with caution and only when required, as this option allows the container
-# to access the agent process. It is recommended to enable this option 
+# to access the agent process. It is recommended to enable this option
 # only in debug scenarios and with containers with lowered priveleges.
 #enable_agent_pidns = true
-
diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
@@ -709,6 +709,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		DisableVhostNet:         h.DisableVhostNet,
 		EnableVhostUserStore:    h.EnableVhostUserStore,
 		VhostUserStorePath:      h.vhostUserStorePath(),
+		VhostUserStorePathList:  h.VhostUserStorePathList,
 		GuestHookPath:           h.guestHookPath(),
 	}, nil
 }

diff --git a/virtcontainers/hypervisor.go b/virtcontainers/hypervisor.go
@@ -418,6 +418,9 @@ type HypervisorConfig struct {
 	// related folders, sockets and device nodes should be.
 	VhostUserStorePath string
 
+	// VhostUserStorePathList is the list of valid values for vhost-user paths
+	VhostUserStorePathList []string
+
 	// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
 	GuestHookPath string
 

diff --git a/virtcontainers/persist.go b/virtcontainers/persist.go
@@ -260,6 +260,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		DisableVhostNet:         sconfig.HypervisorConfig.DisableVhostNet,
 		EnableVhostUserStore:    sconfig.HypervisorConfig.EnableVhostUserStore,
 		VhostUserStorePath:      sconfig.HypervisorConfig.VhostUserStorePath,
+		VhostUserStorePathList:  sconfig.HypervisorConfig.VhostUserStorePathList,
 		GuestHookPath:           sconfig.HypervisorConfig.GuestHookPath,
 		VMid:                    sconfig.HypervisorConfig.VMid,
 	}
@@ -555,6 +556,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		DisableVhostNet:         hconf.DisableVhostNet,
 		EnableVhostUserStore:    hconf.EnableVhostUserStore,
 		VhostUserStorePath:      hconf.VhostUserStorePath,
+		VhostUserStorePathList:  hconf.VhostUserStorePathList,
 		GuestHookPath:           hconf.GuestHookPath,
 		VMid:                    hconf.VMid,
 	}

diff --git a/virtcontainers/persist/api/config.go b/virtcontainers/persist/api/config.go
@@ -189,6 +189,9 @@ type HypervisorConfig struct {
 	// related folders, sockets and device nodes should be.
 	VhostUserStorePath string
 
+	// VhostUserStorePathList is the list of valid values for vhost-user paths
+	VhostUserStorePathList []string
+
 	// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
 	GuestHookPath string
 

diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
@@ -459,6 +459,13 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 		config.HypervisorConfig.DisableVhostNet = disableVhostNet
 	}
 
+	if value, ok := ocispec.Annotations[vcAnnotations.VhostUserStorePath]; ok {
+		if !regexpContains(runtime.HypervisorConfig.VhostUserStorePathList, value) {
+			return fmt.Errorf("vhost store path %v required from annotation is not valid", value)
+		}
+		config.HypervisorConfig.VhostUserStorePath = value
+	}
+
 	if value, ok := ocispec.Annotations[vcAnnotations.GuestHookPath]; ok {
 		if value != "" {
 			config.HypervisorConfig.GuestHookPath = value