config: Protect vhost_user_store_path against annotation attacks

This path could be used to overwrite data on the host. Fixes: #901 Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
2025-09-14 05:19:21 +00:00 · 2020-05-15 18:42:30 +02:00
parent 5588165399
commit aae9656d8b
7 changed files with 22 additions and 0 deletions
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -412,6 +412,9 @@ type HypervisorConfig struct {
 	// related folders, sockets and device nodes should be.
 	VhostUserStorePath string

+	// VhostUserStorePathList is the list of valid values for vhost-user paths
+	VhostUserStorePathList []string
+
 	// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
 	GuestHookPath string

--- a/src/runtime/virtcontainers/persist.go
+++ b/src/runtime/virtcontainers/persist.go
@@ -247,6 +247,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 		DisableVhostNet:         sconfig.HypervisorConfig.DisableVhostNet,
 		EnableVhostUserStore:    sconfig.HypervisorConfig.EnableVhostUserStore,
 		VhostUserStorePath:      sconfig.HypervisorConfig.VhostUserStorePath,
+		VhostUserStorePathList:  sconfig.HypervisorConfig.VhostUserStorePathList,
 		GuestHookPath:           sconfig.HypervisorConfig.GuestHookPath,
 		VMid:                    sconfig.HypervisorConfig.VMid,
 		RxRateLimiterMaxRate:    sconfig.HypervisorConfig.RxRateLimiterMaxRate,
@@ -513,6 +514,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 		DisableVhostNet:         hconf.DisableVhostNet,
 		EnableVhostUserStore:    hconf.EnableVhostUserStore,
 		VhostUserStorePath:      hconf.VhostUserStorePath,
+		VhostUserStorePathList:  hconf.VhostUserStorePathList,
 		GuestHookPath:           hconf.GuestHookPath,
 		VMid:                    hconf.VMid,
 		RxRateLimiterMaxRate:    hconf.RxRateLimiterMaxRate,
--- a/src/runtime/virtcontainers/persist/api/config.go
+++ b/src/runtime/virtcontainers/persist/api/config.go
@@ -186,6 +186,9 @@ type HypervisorConfig struct {
 	// related folders, sockets and device nodes should be.
 	VhostUserStorePath string

+	// VhostUserStorePathList is the list of valid values for vhost-user paths
+	VhostUserStorePathList []string
+
 	// GuestHookPath is the path within the VM that will be used for 'drop-in' hooks
 	GuestHookPath string

--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
@@ -435,6 +435,13 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 		}
 	}

+	if value, ok := ocispec.Annotations[vcAnnotations.VhostUserStorePath]; ok {
+		if !regexpContains(runtime.HypervisorConfig.VhostUserStorePathList, value) {
+			return fmt.Errorf("vhost store path %v required from annotation is not valid", value)
+		}
+		config.HypervisorConfig.VhostUserStorePath = value
+	}
+
 	if value, ok := ocispec.Annotations[vcAnnotations.GuestHookPath]; ok {
 		if value != "" {
 			config.HypervisorConfig.GuestHookPath = value