config: Add security warning on configuration examples

Add the following text explaining the risk of using regular
expressions in path lists:

Each member of the list can be a regular expression, but prefer names.
Otherwise, please read and understand the following carefully.
SECURITY WARNING: If you use regular expressions, be mindful that
an attacker could craft an annotation that uses .. to escape the paths
you gave. For example, if your regexp is /bin/qemu.* then if there is
a directory named /bin/qemu.d/, then an attacker can pass an annotation
containing /bin/qemu.d/../put-any-binary-name-here and attack your host.

Fixes: #901

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>

src/runtime/cli/config/configuration-acrn.toml.in

@@ -17,7 +17,13 @@ kernel = "@KERNELPATH_ACRN@"
 image = "@IMAGEPATH@"
 
 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@ACRNPATH@.*" ]
 
 # List of valid annotations values for ctlpath (default: empty)

src/runtime/cli/config/configuration-clh.toml.in

@@ -12,12 +12,19 @@
 
 [hypervisor.clh]
 path = "@CLHPATH@"
-# List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
-# path_list = [ "@CLHPATH@.*" ]
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
 
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
+# path_list = [ "@CLHPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.

src/runtime/cli/config/configuration-fc.toml.in

@@ -16,7 +16,13 @@ kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"
 
 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@FCPATH@.*" ]
 
 # Path for the jailer specific to firecracker

src/runtime/cli/config/configuration-qemu-virtiofs.toml.in

@@ -17,7 +17,13 @@ image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 
 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@QEMUPATH@.*" ]
 
 # Optional space-separated list of options to pass to the guest kernel.

src/runtime/cli/config/configuration-qemu.toml.in

@@ -12,6 +12,15 @@
 
 [hypervisor.qemu]
 path = "@QEMUPATH@"
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
+# path_list = [ "@QEMUPATH@.*" ]
 kernel = "@KERNELPATH@"
 image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
@@ -220,17 +229,17 @@ vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@"
 
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.
-# 
+#
 # Default false
 #enable_debug = true
 
 # Disable the customizations done in the runtime when it detects
 # that it is running on top a VMM. This will result in the runtime
 # behaving as it would when running on bare metal.
-# 
+#
 #disable_nesting_checks = true
 
-# This is the msize used for 9p shares. It is the number of bytes 
+# This is the msize used for 9p shares. It is the number of bytes
 # used for 9p packet payload.
 #msize_9p = @DEFMSIZE9P@