diff --git a/src/runtime/cli/config/configuration-acrn.toml.in b/src/runtime/cli/config/configuration-acrn.toml.in index f6e9b7849e..d56b2ec9bb 100644 --- a/src/runtime/cli/config/configuration-acrn.toml.in +++ b/src/runtime/cli/config/configuration-acrn.toml.in @@ -17,7 +17,13 @@ kernel = "@KERNELPATH_ACRN@" image = "@IMAGEPATH@" # List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression +# Each member of the list can be a regular expression, but prefer names. +# Otherwise, please read and understand the following carefully. +# SECURITY WARNING: If you use regular expressions, be mindful that +# an attacker could craft an annotation that uses .. to escape the paths +# you gave. For example, if your regexp is /bin/qemu.* then if there is +# a directory named /bin/qemu.d/, then an attacker can pass an annotation +# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. # path_list = [ "@ACRNPATH@.*" ] # List of valid annotations values for ctlpath (default: empty) diff --git a/src/runtime/cli/config/configuration-clh.toml.in b/src/runtime/cli/config/configuration-clh.toml.in index 2b9f1b6b58..8e2419f62e 100644 --- a/src/runtime/cli/config/configuration-clh.toml.in +++ b/src/runtime/cli/config/configuration-clh.toml.in @@ -12,12 +12,19 @@ [hypervisor.clh] path = "@CLHPATH@" -# List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression -# path_list = [ "@CLHPATH@.*" ] kernel = "@KERNELPATH_CLH@" image = "@IMAGEPATH@" +# List of valid annotations values for the hypervisor (default: empty) +# Each member of the list can be a regular expression, but prefer names. +# Otherwise, please read and understand the following carefully. +# SECURITY WARNING: If you use regular expressions, be mindful that +# an attacker could craft an annotation that uses .. to escape the paths +# you gave. For example, if your regexp is /bin/qemu.* then if there is +# a directory named /bin/qemu.d/, then an attacker can pass an annotation +# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. +# path_list = [ "@CLHPATH@.*" ] + # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. diff --git a/src/runtime/cli/config/configuration-fc.toml.in b/src/runtime/cli/config/configuration-fc.toml.in index f54b7ba4ae..2c239cd4e7 100644 --- a/src/runtime/cli/config/configuration-fc.toml.in +++ b/src/runtime/cli/config/configuration-fc.toml.in @@ -16,7 +16,13 @@ kernel = "@KERNELPATH_FC@" image = "@IMAGEPATH@" # List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression +# Each member of the list can be a regular expression, but prefer names. +# Otherwise, please read and understand the following carefully. +# SECURITY WARNING: If you use regular expressions, be mindful that +# an attacker could craft an annotation that uses .. to escape the paths +# you gave. For example, if your regexp is /bin/qemu.* then if there is +# a directory named /bin/qemu.d/, then an attacker can pass an annotation +# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. # path_list = [ "@FCPATH@.*" ] # Path for the jailer specific to firecracker diff --git a/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in b/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in index cc0c63e483..ee27f6e62a 100644 --- a/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in +++ b/src/runtime/cli/config/configuration-qemu-virtiofs.toml.in @@ -17,7 +17,13 @@ image = "@IMAGEPATH@" machine_type = "@MACHINETYPE@" # List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression +# Each member of the list can be a regular expression, but prefer names. +# Otherwise, please read and understand the following carefully. +# SECURITY WARNING: If you use regular expressions, be mindful that +# an attacker could craft an annotation that uses .. to escape the paths +# you gave. For example, if your regexp is /bin/qemu.* then if there is +# a directory named /bin/qemu.d/, then an attacker can pass an annotation +# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. # path_list = [ "@QEMUPATH@.*" ] # Optional space-separated list of options to pass to the guest kernel. diff --git a/src/runtime/cli/config/configuration-qemu.toml.in b/src/runtime/cli/config/configuration-qemu.toml.in index 22054c0374..21c2a2b426 100644 --- a/src/runtime/cli/config/configuration-qemu.toml.in +++ b/src/runtime/cli/config/configuration-qemu.toml.in @@ -12,6 +12,15 @@ [hypervisor.qemu] path = "@QEMUPATH@" +# List of valid annotations values for the hypervisor (default: empty) +# Each member of the list can be a regular expression, but prefer names. +# Otherwise, please read and understand the following carefully. +# SECURITY WARNING: If you use regular expressions, be mindful that +# an attacker could craft an annotation that uses .. to escape the paths +# you gave. For example, if your regexp is /bin/qemu.* then if there is +# a directory named /bin/qemu.d/, then an attacker can pass an annotation +# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. +# path_list = [ "@QEMUPATH@.*" ] kernel = "@KERNELPATH@" image = "@IMAGEPATH@" machine_type = "@MACHINETYPE@" @@ -220,17 +229,17 @@ vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@" # This option changes the default hypervisor and kernel parameters # to enable debug output where available. -# +# # Default false #enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. -# +# #disable_nesting_checks = true -# This is the msize used for 9p shares. It is the number of bytes +# This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = @DEFMSIZE9P@