diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
index 7f1c009b79..27bd421401 100644
--- a/cli/config/configuration-fc.toml.in
+++ b/cli/config/configuration-fc.toml.in
@@ -27,6 +27,10 @@ image = "@IMAGEPATH@"
 # for this feature today.
 #jailer_path = "@FCJAILERPATH@"
 
+# List of valid jailer path values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# jailer_path_list = [ "@FCJAILERPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
index df32e9770f..5d90c42179 100644
--- a/pkg/katautils/config.go
+++ b/pkg/katautils/config.go
@@ -568,6 +568,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 HypervisorPath: hypervisor,
 HypervisorPathList: h.HypervisorPathList,
 JailerPath: jailer,
+ JailerPathList: h.JailerPathList,
 KernelPath: kernel,
 InitrdPath: initrd,
 ImagePath: image,
diff --git a/virtcontainers/hypervisor.go b/virtcontainers/hypervisor.go
index e380b27cdc..51afd051c1 100644
--- a/virtcontainers/hypervisor.go
+++ b/virtcontainers/hypervisor.go
@@ -287,6 +287,9 @@ type HypervisorConfig struct {
 // JailerPath is the jailer executable host path.
 JailerPath string
 
+ // JailerPathList is the list of jailer paths names allowed in annotations
+ JailerPathList []string
+
 // BlockDeviceDriver specifies the driver to be used for block device
 // either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 BlockDeviceDriver string
diff --git a/virtcontainers/persist.go b/virtcontainers/persist.go
index 32602f8b07..cd5da2cd26 100644
--- a/virtcontainers/persist.go
+++ b/virtcontainers/persist.go
@@ -227,6 +227,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 HypervisorPathList: sconfig.HypervisorConfig.HypervisorPathList,
 HypervisorCtlPath: sconfig.HypervisorConfig.HypervisorCtlPath,
 JailerPath: sconfig.HypervisorConfig.JailerPath,
+ JailerPathList: sconfig.HypervisorConfig.JailerPathList,
 BlockDeviceDriver: sconfig.HypervisorConfig.BlockDeviceDriver,
 HypervisorMachineType: sconfig.HypervisorConfig.HypervisorMachineType,
 MemoryPath: sconfig.HypervisorConfig.MemoryPath,
@@ -520,6 +521,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 HypervisorPathList: hconf.HypervisorPathList,
 HypervisorCtlPath: hconf.HypervisorCtlPath,
 JailerPath: hconf.JailerPath,
+ JailerPathList: hconf.JailerPathList,
 BlockDeviceDriver: hconf.BlockDeviceDriver,
 HypervisorMachineType: hconf.HypervisorMachineType,
 MemoryPath: hconf.MemoryPath,
diff --git a/virtcontainers/persist/api/config.go b/virtcontainers/persist/api/config.go
index a14109e17c..8c82be8df5 100644
--- a/virtcontainers/persist/api/config.go
+++ b/virtcontainers/persist/api/config.go
@@ -69,6 +69,9 @@ type HypervisorConfig struct {
 // JailerPath is the jailer executable host path.
 JailerPath string
 
+ // JailerPathList is the list of jailer paths names allowed in annotations
+ JailerPathList []string
+
 // BlockDeviceDriver specifies the driver to be used for block device
 // either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 BlockDeviceDriver string
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
index 4fe1ea9073..81573c1f32 100644
--- a/virtcontainers/pkg/oci/utils.go
+++ b/virtcontainers/pkg/oci/utils.go
@@ -407,6 +407,13 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 config.HypervisorConfig.HypervisorPath = value
 }
 
+ if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
+ if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {
+ return fmt.Errorf("jailer %v required from annotation is not valid", value)
+ }
+ config.HypervisorConfig.JailerPath = value
+ }
+
 if value, ok := ocispec.Annotations[vcAnnotations.KernelParams]; ok {
 if value != "" {
 params := vc.DeserializeParams(strings.Fields(value))
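Review bot: The new JailerPath override in addHypervisorConfigOverrides matches the raw annotation string against `runtime.HypervisorConfig.JailerPathList` without normalising it, so a prefix pattern like the `"@FCJAILERPATH@.*"` example added to configuration-fc.toml.in would also accept a value with `..` segments that resolves to a different host binary than the operator meant to allow. Consider rejecting non-canonical or relative input before the match, e.g. `if !filepath.IsAbs(value) || filepath.Clean(value) != value || !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {` (this needs `path/filepath` in the file's imports, which are not visible here). regexpContains is defined outside this hunk, so whether it anchors each pattern to the whole string cannot be confirmed from the diff; if it does not, the config comment should tell operators to write `^...$` patterns. Since the value is caller-supplied, `%q` instead of `%v` in the error would make empty or oddly escaped values visible in logs. The function body starts and continues outside the hunk.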