mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-04-26 18:43:06 +00:00
Allowing arbitrary symlinks in the shared directory is unsafe for confidential VM use cases. In order to make CopyFile safe both for the VM as well as for the consuming containers, we implement the following rules for symlinks (in addition to the existing rules for other files):

1. Symlinks may not be placed directly into the shared directory.
2. Symlinks must not point 'upwards', i.e. contain `..` as a path element.
3. Symlinks must be relative.

These rules ensure that all writes initiated by CopyFile are restricted to the shared directory (protecting the VM), and that symlinks can't point outside their mount points (protecting the container).

These new restrictions mean that we can't support arbitrary mount sources (which might not follow these rules), but the usual k8s suspects (ConfigMap, Secret, ServiceAccountToken) should still pass.

In order to aid writing the policy, we convert the CopyFileRequest to a structure that does not contain binary data, but well-defined strings and types.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
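The three symlink rules above, expressed as a stand-alone validation function. This is an added illustration, not the kata-containers agent's own code; the function and error names, and the shared-directory path used in the comments, are assumptions made here for the example.

```rust
use std::path::{Component, Path};

/// Why a symlink request is rejected. Variants are this example's own naming.
#[derive(Debug, PartialEq)]
pub enum SymlinkError {
    /// The link path is not (cleanly) inside the shared directory.
    OutsideSharedDir,
    /// Rule 1: the link would sit directly in the shared directory.
    DirectlyInSharedDir,
    /// Rule 2: the target contains `..` as a path element.
    TargetPointsUpwards,
    /// Rule 3: the target is absolute.
    AbsoluteTarget,
}

/// Validate a symlink the guest would be asked to create.
/// `shared_dir` is the directory CopyFile may write to (e.g. the assumed
/// `/run/kata-containers/shared/containers`), `link_path` the absolute path
/// of the link to create, and `target` the link contents as given in the request.
pub fn check_symlink(shared_dir: &Path, link_path: &Path, target: &Path) -> Result<(), SymlinkError> {
    // Existing rule for all files: the destination must be under the shared
    // directory. strip_prefix compares whole components, so "containersX/.."
    // does not match; a `..` left in the remainder means the path walks back out.
    let rel = link_path.strip_prefix(shared_dir).map_err(|_| SymlinkError::OutsideSharedDir)?;
    if rel.components().any(|c| c == Component::ParentDir) {
        return Err(SymlinkError::OutsideSharedDir);
    }
    // Rule 1: at least one directory (the mount point) must sit between the
    // shared directory and the link name, e.g. <shared>/<volume>/..data.
    let depth = rel.components().filter(|c| matches!(c, Component::Normal(_))).count();
    if depth < 2 {
        return Err(SymlinkError::DirectlyInSharedDir);
    }
    // Rule 3: an absolute target could point anywhere in the container's view.
    if target.is_absolute() {
        return Err(SymlinkError::AbsoluteTarget);
    }
    // Rule 2: `..` elements could leave the mount point. Note that names such
    // as `..data` or `..2024_01_01` are ordinary components, so ConfigMap-style
    // layouts still pass this check.
    if target.components().any(|c| c == Component::ParentDir) {
        return Err(SymlinkError::TargetPointsUpwards);
    }
    Ok(())
}
```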