Merge pull request #1049 from c3d/feature/1043-entropy-source-annotation

Entropy source annotation
2025-09-14 13:29:31 +00:00 · 2021-04-23 20:16:11 +02:00
parent a4fffa1f22 dcb9f40394
commit 5eaf7a9982
10 changed files with 40 additions and 8 deletions
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -310,6 +310,9 @@ type HypervisorConfig struct {
 	// entropy (/dev/random, /dev/urandom or real hardware RNG device)
 	EntropySource string

+	// EntropySourceList is the list of valid entropy sources
+	EntropySourceList []string
+
 	// Shared file system type:
 	//   - virtio-9p (default)
 	//   - virtio-fs
--- a/src/runtime/virtcontainers/persist.go
+++ b/src/runtime/virtcontainers/persist.go
@@ -222,6 +222,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		MemoryPath:              sconfig.HypervisorConfig.MemoryPath,
 		DevicesStatePath:        sconfig.HypervisorConfig.DevicesStatePath,
 		EntropySource:           sconfig.HypervisorConfig.EntropySource,
+		EntropySourceList:       sconfig.HypervisorConfig.EntropySourceList,
 		SharedFS:                sconfig.HypervisorConfig.SharedFS,
 		VirtioFSDaemon:          sconfig.HypervisorConfig.VirtioFSDaemon,
 		VirtioFSDaemonList:      sconfig.HypervisorConfig.VirtioFSDaemonList,
@@ -491,6 +492,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		MemoryPath:              hconf.MemoryPath,
 		DevicesStatePath:        hconf.DevicesStatePath,
 		EntropySource:           hconf.EntropySource,
+		EntropySourceList:       hconf.EntropySourceList,
 		SharedFS:                hconf.SharedFS,
 		VirtioFSDaemon:          hconf.VirtioFSDaemon,
 		VirtioFSDaemonList:      hconf.VirtioFSDaemonList,
--- a/src/runtime/virtcontainers/persist/api/config.go
+++ b/src/runtime/virtcontainers/persist/api/config.go
@@ -96,6 +96,9 @@ type HypervisorConfig struct {
 	// entropy (/dev/random, /dev/urandom or real hardware RNG device)
 	EntropySource string

+	// EntropySourceList is the list of valid entropy sources
+	EntropySourceList []string
+
 	// Shared file system type:
 	//   - virtio-9p (default)
 	//   - virtio-fs
--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
@@ -489,6 +489,9 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 	}

 	if value, ok := ocispec.Annotations[vcAnnotations.EntropySource]; ok {
+		if !checkPathIsInGlobs(runtime.HypervisorConfig.EntropySourceList, value) {
+			return fmt.Errorf("entropy source %v required from annotation is not valid", value)
+		}
 		if value != "" {
 			config.HypervisorConfig.EntropySource = value
 		}
--- a/src/runtime/virtcontainers/pkg/oci/utils_test.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils_test.go
@@ -858,7 +858,6 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	ocispec.Annotations[vcAnnotations.DisableImageNvdimm] = "true"
 	ocispec.Annotations[vcAnnotations.HotplugVFIOOnRootBus] = "true"
 	ocispec.Annotations[vcAnnotations.PCIeRootPort] = "2"
-	ocispec.Annotations[vcAnnotations.EntropySource] = "/dev/urandom"
 	ocispec.Annotations[vcAnnotations.IOMMUPlatform] = "true"
 	ocispec.Annotations[vcAnnotations.SGXEPC] = "64Mi"
 	// 10Mbit
@@ -895,7 +894,6 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 	assert.Equal(config.HypervisorConfig.DisableImageNvdimm, true)
 	assert.Equal(config.HypervisorConfig.HotplugVFIOOnRootBus, true)
 	assert.Equal(config.HypervisorConfig.PCIeRootPort, uint32(2))
-	assert.Equal(config.HypervisorConfig.EntropySource, "/dev/urandom")
 	assert.Equal(config.HypervisorConfig.IOMMUPlatform, true)
 	assert.Equal(config.HypervisorConfig.SGXEPCSize, int64(67108864))
 	assert.Equal(config.HypervisorConfig.RxRateLimiterMaxRate, uint64(10000000))
@@ -945,22 +943,27 @@ func TestAddProtectedHypervisorAnnotations(t *testing.T) {

 	ocispec.Annotations[vcAnnotations.FileBackedMemRootDir] = "/dev/shm"
 	ocispec.Annotations[vcAnnotations.VirtioFSDaemon] = "/bin/false"
+	ocispec.Annotations[vcAnnotations.EntropySource] = "/dev/urandom"

 	config.HypervisorConfig.FileBackedMemRootDir = "do-not-touch"
 	config.HypervisorConfig.VirtioFSDaemon = "dangerous-daemon"
+	config.HypervisorConfig.EntropySource = "truly-random"

 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.Error(err)
 	assert.Equal(config.HypervisorConfig.FileBackedMemRootDir, "do-not-touch")
 	assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "dangerous-daemon")
+	assert.Equal(config.HypervisorConfig.EntropySource, "truly-random")

 	// Now enable them and check again
 	runtimeConfig.HypervisorConfig.FileBackedMemRootList = []string{"/dev/*m"}
 	runtimeConfig.HypervisorConfig.VirtioFSDaemonList = []string{"/bin/*ls*"}
+	runtimeConfig.HypervisorConfig.EntropySourceList = []string{"/dev/*random*"}
 	err = addAnnotations(ocispec, &config, runtimeConfig)
 	assert.NoError(err)
 	assert.Equal(config.HypervisorConfig.FileBackedMemRootDir, "/dev/shm")
 	assert.Equal(config.HypervisorConfig.VirtioFSDaemon, "/bin/false")
+	assert.Equal(config.HypervisorConfig.EntropySource, "/dev/urandom")

 	// In case an absurd large value is provided, the config value if not over-ridden
 	ocispec.Annotations[vcAnnotations.DefaultVCPUs] = "655536"