config: Add examples for path_list configuration

The path_list configuration gives a series of regular expressions that limit which values are acceptable through annotations in order to avoid kata launching arbitrary binaries on the host when receiving an annotation. Fixes: #3004 Signed-off-by: Christophe de Dinechin <[email protected]>
kata-containers · Nov 11, 2020 · b7c8905 · b7c8905
1 parent f4dd729
commit b7c8905
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 11 deletions.
diff --git a/cli/config/configuration-acrn.toml.in b/cli/config/configuration-acrn.toml.in
@@ -16,6 +16,10 @@ ctlpath = "@ACRNCTLPATH@"
 kernel = "@KERNELPATH_ACRN@"
 image = "@IMAGEPATH@"
 
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@ACRNPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.

diff --git a/cli/config/configuration-clh.toml.in b/cli/config/configuration-clh.toml.in
@@ -12,6 +12,9 @@
 
 [hypervisor.clh]
 path = "@CLHPATH@"
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@CLHPATH@.*" ]
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
 

diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
@@ -12,15 +12,21 @@
 
 [hypervisor.firecracker]
 path = "@FCPATH@"
+kernel = "@KERNELPATH_FC@"
+image = "@IMAGEPATH@"
+
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@FCPATH@.*" ]
+
 # Path for the jailer specific to firecracker
 # If the jailer path is not set kata will launch firecracker
 # without a jail. If the jailer is set firecracker will be
 # launched in a jailed enviornment created by the jailer
 # This is disabled by default as additional setup is required
 # for this feature today.
 #jailer_path = "@FCJAILERPATH@"
-kernel = "@KERNELPATH_FC@"
-image = "@IMAGEPATH@"
+
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
@@ -87,10 +93,10 @@ default_memory = @DEFMEMSZ@
 #memory_offset = 0
 
 # Disable block device from being used for a container's rootfs.
-# In case of a storage driver like devicemapper where a container's 
+# In case of a storage driver like devicemapper where a container's
 # root file system is backed by a block device, the block device is passed
-# directly to the hypervisor for performance reasons. 
-# This flag prevents the block device from being passed to the hypervisor, 
+# directly to the hypervisor for performance reasons.
+# This flag prevents the block device from being passed to the hypervisor,
 # 9pfs is used instead to pass the rootfs.
 disable_block_device_use = @DEFDISABLEBLOCK@
 
@@ -126,7 +132,7 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # Enabling this will result in the VM memory
 # being allocated using huge pages.
 # This is useful when you want to use vhost-user network
-# stacks within the container. This will automatically 
+# stacks within the container. This will automatically
 # result in memory pre allocation
 #enable_hugepages = true
 
@@ -143,17 +149,17 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available. This extra output is added
 # to the proxy logs, but only when proxy debug is also enabled.
-# 
+#
 # Default false
 #enable_debug = true
 
 # Disable the customizations done in the runtime when it detects
 # that it is running on top a VMM. This will result in the runtime
 # behaving as it would when running on bare metal.
-# 
+#
 #disable_nesting_checks = true
 
-# This is the msize used for 9p shares. It is the number of bytes 
+# This is the msize used for 9p shares. It is the number of bytes
 # used for 9p packet payload.
 #msize_9p = @DEFMSIZE9P@
 
@@ -162,9 +168,9 @@ block_device_driver = "@DEFBLOCKSTORAGEDRIVER_FC@"
 # Default true
 use_vsock = true
 
-# VFIO devices are hotplugged on a bridge by default. 
+# VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
-# a large PCI bar, as this is a current limitation with hotplugging on 
+# a large PCI bar, as this is a current limitation with hotplugging on
 # a bridge. This value is valid for "pc" machine type.
 # Default false
 #hotplug_vfio_on_root_bus = true

diff --git a/cli/config/configuration-qemu-virtiofs.toml.in b/cli/config/configuration-qemu-virtiofs.toml.in
@@ -16,6 +16,10 @@ kernel = "@KERNELVIRTIOFSPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@QEMUPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.

diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in
@@ -12,6 +12,9 @@
 
 [hypervisor.qemu]
 path = "@QEMUPATH@"
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# path_list = [ "@QEMUPATH@.*" ]
 kernel = "@KERNELPATH@"
 initrd = "@INITRDPATH@"
 image = "@IMAGEPATH@"