config: Add security warning on configuration examples

Add the following text explaining the risk of using regular expressions in path lists: Each member of the list can be a regular expression, but prefer names. Otherwise, please read and understand the following carefully. SECURITY WARNING: If you use regular expressions, be mindful that an attacker could craft an annotation that uses .. to escape the paths you gave. For example, if your regexp is /bin/qemu.* then if there is a directory named /bin/qemu.d/, then an attacker can pass an annotation containing /bin/qemu.d/../put-any-binary-name-here and attack your host. Fixes: #901 Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2025-10-31 09:26:52 +00:00 · 2020-05-15 18:26:29 +02:00
parent b21a829c61
commit 5588165399
5 changed files with 43 additions and 9 deletions
--- a/src/runtime/cli/config/configuration-acrn.toml.in
+++ b/src/runtime/cli/config/configuration-acrn.toml.in
@@ -17,7 +17,13 @@ kernel = "@KERNELPATH_ACRN@"
 image = "@IMAGEPATH@"

 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@ACRNPATH@.*" ]

 # List of valid annotations values for ctlpath (default: empty)
--- a/src/runtime/cli/config/configuration-clh.toml.in
+++ b/src/runtime/cli/config/configuration-clh.toml.in
@@ -12,12 +12,19 @@

 [hypervisor.clh]
 path = "@CLHPATH@"
-# List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
-# path_list = [ "@CLHPATH@.*" ]
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"

+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
+# path_list = [ "@CLHPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
--- a/src/runtime/cli/config/configuration-fc.toml.in
+++ b/src/runtime/cli/config/configuration-fc.toml.in
@@ -16,7 +16,13 @@ kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"

 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@FCPATH@.*" ]

 # Path for the jailer specific to firecracker
--- a/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in
+++ b/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in
@@ -17,7 +17,13 @@ image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"

 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@QEMUPATH@.*" ]

 # Optional space-separated list of options to pass to the guest kernel.
--- a/src/runtime/cli/config/configuration-qemu.toml.in
+++ b/src/runtime/cli/config/configuration-qemu.toml.in
@@ -12,6 +12,15 @@

 [hypervisor.qemu]
 path = "@QEMUPATH@"
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
+# path_list = [ "@QEMUPATH@.*" ]
 kernel = "@KERNELPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"