From 2d65b3bfd85c33c29d6d1d574badebf70e0453f7 Mon Sep 17 00:00:00 2001
From: Christophe de Dinechin
Date: Fri, 15 May 2020 17:49:01 +0200
Subject: [PATCH] config: Protect jailer_path annotation

The jailer_path annotation can be used to execute arbitrary code on the host. Add a jailer_path_list configuration entry providing a list of regular expressions that can be used to filter annotations that represent valid file names.
Fixes: #901
Signed-off-by: Christophe de Dinechin
---
 src/runtime/cli/config/configuration-fc.toml.in | 4 ++++
 src/runtime/pkg/katautils/config.go | 1 +
 src/runtime/virtcontainers/hypervisor.go | 3 +++
 src/runtime/virtcontainers/persist.go | 2 ++
 src/runtime/virtcontainers/persist/api/config.go | 3 +++
 src/runtime/virtcontainers/pkg/oci/utils.go | 7 +++++++
 6 files changed, 20 insertions(+)
diff --git a/src/runtime/cli/config/configuration-fc.toml.in b/src/runtime/cli/config/configuration-fc.toml.in
index 7aa638e849..f54b7ba4ae 100644
--- a/src/runtime/cli/config/configuration-fc.toml.in
+++ b/src/runtime/cli/config/configuration-fc.toml.in
@@ -27,6 +27,10 @@ image = "@IMAGEPATH@"
 # for this feature today.
 #jailer_path = "@FCJAILERPATH@"

+# List of valid jailer path values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression
+# jailer_path_list = [ "@FCJAILERPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index 5a5e45a00f..17f16fa92d 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -535,6 +535,7 @@ func newFirecrackerHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 HypervisorPath: hypervisor,
 HypervisorPathList: h.HypervisorPathList,
 JailerPath: jailer,
+ JailerPathList: h.JailerPathList,
 KernelPath: kernel,
 InitrdPath: initrd,
 ImagePath: image,
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index a7371c2a33..1c65c16d8c 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -284,6 +284,9 @@ type HypervisorConfig struct {
 // JailerPath is the jailer executable host path.
 JailerPath string

+ // JailerPathList is the list of jailer paths names allowed in annotations
+ JailerPathList []string
+
 // BlockDeviceDriver specifies the driver to be used for block device
 // either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 BlockDeviceDriver string
diff --git a/src/runtime/virtcontainers/persist.go b/src/runtime/virtcontainers/persist.go
index ef762ba528..c02b0868a1 100644
--- a/src/runtime/virtcontainers/persist.go
+++ b/src/runtime/virtcontainers/persist.go
@@ -215,6 +215,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 HypervisorPathList: sconfig.HypervisorConfig.HypervisorPathList,
 HypervisorCtlPath: sconfig.HypervisorConfig.HypervisorCtlPath,
 JailerPath: sconfig.HypervisorConfig.JailerPath,
+ JailerPathList: sconfig.HypervisorConfig.JailerPathList,
 BlockDeviceDriver: sconfig.HypervisorConfig.BlockDeviceDriver,
 HypervisorMachineType: sconfig.HypervisorConfig.HypervisorMachineType,
 MemoryPath: sconfig.HypervisorConfig.MemoryPath,
@@ -478,6 +479,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 HypervisorPathList: hconf.HypervisorPathList,
 HypervisorCtlPath: hconf.HypervisorCtlPath,
 JailerPath: hconf.JailerPath,
+ JailerPathList: hconf.JailerPathList,
 BlockDeviceDriver: hconf.BlockDeviceDriver,
 HypervisorMachineType: hconf.HypervisorMachineType,
 MemoryPath: hconf.MemoryPath,
diff --git a/src/runtime/virtcontainers/persist/api/config.go b/src/runtime/virtcontainers/persist/api/config.go
index 1db4833025..86b1f2565c 100644
--- a/src/runtime/virtcontainers/persist/api/config.go
+++ b/src/runtime/virtcontainers/persist/api/config.go
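Review bot: The doc comment on the new JailerPathList field in hypervisor.go, `jailer paths names allowed in annotations`, is garbled and never says that the entries are regular expressions, which is the contract the configuration-fc.toml.in comment states and the annotation check depends on; the identical comment is repeated on the persist/api/config.go copy of the field. Suggest `// JailerPathList is the list of regular expressions an annotation-supplied jailer path must match.` in both places, so that a reader of the struct alone knows a plain path string is treated as a pattern, not an exact value. The HypervisorConfig struct continues outside the hunk.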
@@ -69,6 +69,9 @@ type HypervisorConfig struct {
 // JailerPath is the jailer executable host path.
 JailerPath string

+ // JailerPathList is the list of jailer paths names allowed in annotations
+ JailerPathList []string
+
 // BlockDeviceDriver specifies the driver to be used for block device
 // either VirtioSCSI or VirtioBlock with the default driver being defaultBlockDriver
 BlockDeviceDriver string
diff --git a/src/runtime/virtcontainers/pkg/oci/utils.go b/src/runtime/virtcontainers/pkg/oci/utils.go
index a96f920b89..236ea47dc4 100644
--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
@@ -397,6 +397,13 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 config.HypervisorConfig.HypervisorPath = value
 }

+ if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
+ if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {
+ return fmt.Errorf("jailer %v required from annotation is not valid", value)
+ }
+ config.HypervisorConfig.JailerPath = value
+ }
+
 if value, ok := ocispec.Annotations[vcAnnotations.KernelParams]; ok {
 if value != "" {
 params := vc.DeserializeParams(strings.Fields(value))
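Review bot: The new JailerPath check in addHypervisorConfigOverrides accepts the annotation value on a regular-expression match alone, and regexpContains (defined outside this hunk) is the only guard, so whether it anchors the patterns decides a lot: with an unanchored match, the documented example `@FCJAILERPATH@.*` also accepts any longer path that merely contains the jailer path, and `..` components are never rejected either way. Since the value becomes a host executable path, it would be safer to normalise before matching, e.g. `if !filepath.IsAbs(value) || filepath.Clean(value) != value { return fmt.Errorf("jailer path %q from annotation must be a clean absolute path", value) }` ahead of the regexpContains call, assuming path/filepath is or can be imported in this file. The error text `required from annotation` reads oddly; `requested by annotation` with `%q` instead of `%v` would be clearer in logs. addHypervisorConfigOverrides continues outside the hunk.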