From b588faf8bb2f75d6ae8e74ed1941fe9fa494a823 Mon Sep 17 00:00:00 2001
From: Christophe de Dinechin
Date: Fri, 15 May 2020 17:40:43 +0200
Subject: [PATCH] config: Add examples for path_list configuration

The path_list configuration gives a series of regular expressions that limit which values are acceptable through annotations in order to avoid kata launching arbitrary binaries on the host when receiving an annotation.

Fixes: #3004

Signed-off-by: Christophe de Dinechin
---
 cli/config/configuration-acrn.toml.in | 4 +++
 cli/config/configuration-clh.toml.in | 3 ++
 cli/config/configuration-fc.toml.in | 28 +++++++++++--------
 .../configuration-qemu-virtiofs.toml.in | 4 +++
 cli/config/configuration-qemu.toml.in | 3 ++
 5 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/cli/config/configuration-acrn.toml.in b/cli/config/configuration-acrn.toml.in
index cd6eb78860..880430ec08 100644
--- a/cli/config/configuration-acrn.toml.in
+++ b/cli/config/configuration-acrn.toml.in
@@ -16,6 +16,10 @@ ctlpath = "@ACRNCTLPATH@"
 kernel = "@KERNELPATH_ACRN@"
 image = "@IMAGEPATH@"
 
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@ACRNPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
diff --git a/cli/config/configuration-clh.toml.in b/cli/config/configuration-clh.toml.in
index 7a746b8665..31e94c3b1f 100644
--- a/cli/config/configuration-clh.toml.in
+++ b/cli/config/configuration-clh.toml.in
@@ -12,6 +12,9 @@
 
 [hypervisor.clh]
 path = "@CLHPATH@"
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@CLHPATH@.*" ]
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
 
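Review bot: The example `# path_list = [ "@ACRNPATH@.*" ]` is unanchored and ends in `.*`, so read literally it admits any host path that merely begins with the configured hypervisor path, and if the runtime matches with Go's `regexp.MatchString` (which is not anchored) the configured path would also match as a substring of an unrelated path; for a list whose purpose is to stop annotations from launching arbitrary host binaries, the example should show an anchored pattern such as `# path_list = [ "^@ACRNPATH@$" ]` and the comment should state that patterns are matched against the whole path, if that is how the runtime applies them. The comment also leaves the meaning of the empty default open — whether an empty list rejects any annotation-supplied path or leaves it unrestricted — and one line stating that (checked against the runtime) would settle it. `annotations values` should read `annotation values`. The same points apply to the examples in the clh, fc, qemu-virtiofs and qemu hunks.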
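Review bot: In the clh hunk the new comment block is wedged directly between `path = "@CLHPATH@"` and `kernel = "@KERNELPATH_CLH@"` with no blank line on either side, splitting the contiguous path/kernel/image group, whereas the acrn and qemu-virtiofs hunks place the same block in its own paragraph after `image`; the qemu hunk has the clh layout. Moving the block after `image = "@IMAGEPATH@"` with a blank line before and after, as the acrn hunk does, would keep the five files consistent.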
diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
index b92873cee4..7f1c009b79 100644
--- a/cli/config/configuration-fc.toml.in
+++ b/cli/config/configuration-fc.toml.in
@@ -12,6 +12,13 @@
 
 [hypervisor.firecracker]
 path = "@FCPATH@"
+kernel = "@KERNELPATH_FC@"
+image = "@IMAGEPATH@"
+
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@FCPATH@.*" ]
+
 # Path for the jailer specific to firecracker
 # If the jailer path is not set kata will launch firecracker
 # without a jail. If the jailer is set firecracker will be
@@ -19,8 +26,7 @@ path = "@FCPATH@"
 # This is disabled by default as additional setup is required
 # for this feature today.
 #jailer_path = "@FCJAILERPATH@"
-kernel = "@KERNELPATH_FC@"
-image = "@IMAGEPATH@"
+
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
@@ -87,10 +93,10 @@ default_memory = @DEFMEMSZ@
 #memory_offset = 0
 
 # Disable block device from being used for a container's rootfs.
-# In case of a storage driver like devicemapper where a container's 
+# In case of a storage driver like devicemapper where a container's
 # root file system is backed by a block device, the block device is passed
-# directly to the hypervisor for performance reasons. 
-# This flag prevents the block device from being passed to the hypervisor, 
+# directly to the hypervisor for performance reasons.
+# This flag prevents the block device from being passed to the hypervisor,
 # 9pfs is used instead to pass the rootfs.
 disable_block_device_use = @DEFDISABLEBLOCK@
 
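Review bot: The second fc hunk replaces the removed `kernel`/`image` lines with a new empty line while, going by the hunk counts, a blank context line already follows them, so the file appears to end up with two consecutive blank lines after `#jailer_path = "@FCJAILERPATH@"`; dropping the added `+` line would avoid that. The remaining fc hunks (from `@@ -87,10 +93,10 @@` onward) are trailing-whitespace cleanup unrelated to `path_list` and would be easier to review, bisect and revert as a separate commit.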
@@ -126,7 +132,7 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # Enabling this will result in the VM memory
 # being allocated using huge pages.
 # This is useful when you want to use vhost-user network
-# stacks within the container. This will automatically 
+# stacks within the container. This will automatically
 # result in memory pre allocation
 #enable_hugepages = true
 
@@ -143,17 +149,17 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available. This extra output is added
 # to the proxy logs, but only when proxy debug is also enabled.
-# 
+#
 # Default false
 #enable_debug = true
 
 # Disable the customizations done in the runtime when it detects
 # that it is running on top a VMM. This will result in the runtime
 # behaving as it would when running on bare metal.
-# 
+#
 #disable_nesting_checks = true
 
-# This is the msize used for 9p shares. It is the number of bytes 
+# This is the msize used for 9p shares. It is the number of bytes
 # used for 9p packet payload.
 #msize_9p = @DEFMSIZE9P@
 
@@ -162,9 +168,9 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # Default true
 use_vsock = true
 
-# VFIO devices are hotplugged on a bridge by default. 
+# VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
-# a large PCI bar, as this is a current limitation with hotplugging on 
+# a large PCI bar, as this is a current limitation with hotplugging on
 # a bridge. This value is valid for "pc" machine type.
 # Default false
 #hotplug_vfio_on_root_bus = true
diff --git a/cli/config/configuration-qemu-virtiofs.toml.in b/cli/config/configuration-qemu-virtiofs.toml.in
index 9217c0f6ad..fddd250fa7 100644
--- a/cli/config/configuration-qemu-virtiofs.toml.in
+++ b/cli/config/configuration-qemu-virtiofs.toml.in
@@ -16,6 +16,10 @@ kernel = "@KERNELVIRTIOFSPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@QEMUPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in
index cf9fd68d93..1830c6c72d 100644
--- a/cli/config/configuration-qemu.toml.in
+++ b/cli/config/configuration-qemu.toml.in
@@ -12,6 +12,9 @@
 
 [hypervisor.qemu]
 path = "@QEMUPATH@"
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@QEMUPATH@.*" ]
 kernel = "@KERNELPATH@"
 initrd = "@INITRDPATH@"
 image = "@IMAGEPATH@"
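Review bot: The qemu-virtiofs example uses `@QEMUPATH@`, but this file's own `path` key lies outside the hunk and its kernel placeholder is the virtiofs-specific `@KERNELVIRTIOFSPATH@`, so it is worth confirming that `path` in this file is substituted from the same `@QEMUPATH@` placeholder; if it comes from a different one, the example would document a pattern that never matches the binary the file actually configures, which is misleading for an allow-list. Using whatever placeholder the `path =` line of this file uses, e.g. `# path_list = [ "^<this file's path placeholder>$" ]`, keeps the example and the configured path in step.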