diff --git a/Makefile b/Makefile index 05f5632e97..7969d51b9c 100644 --- a/Makefile +++ b/Makefile @@ -128,16 +128,22 @@ DEFAULT_HYPERVISOR ?= $(HYPERVISOR_QEMU) HYPERVISORS := $(HYPERVISOR_ACRN) $(HYPERVISOR_FC) $(HYPERVISOR_QEMU) $(HYPERVISOR_QEMU_VIRTIOFS) $(HYPERVISOR_CLH) QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD) +QEMUPATHLIST := [\"$(QEMUPATH)\"] QEMUVIRTIOFSPATH := $(QEMUBINDIR)/$(QEMUVIRTIOFSCMD) CLHPATH := $(CLHBINDIR)/$(CLHCMD) +CLHPATHLIST := [\"$(CLHBINDIR)/$(CLHCMD)\"] FCPATH = $(FCBINDIR)/$(FCCMD) +FCPATHLIST = [\"$(FCPATH)\"] FCJAILERPATH = $(FCBINDIR)/$(FCJAILERCMD) +FCJAILERPATHLIST = [\"$(FCJAILERPATH)\"] ACRNPATH := $(ACRNBINDIR)/$(ACRNCMD) +ACRNPATHLIST := [\"$(ACRNPATH)\"] ACRNCTLPATH := $(ACRNBINDIR)/$(ACRNCTLCMD) +ACRNCTLPATHLIST := [\"$(ACRNCTLPATH)\"] SHIMCMD := $(BIN_PREFIX)-shim SHIMPATH := $(PKGLIBEXECDIR)/$(SHIMCMD) @@ -174,6 +180,7 @@ DEFDISABLEBLOCK := false DEFSHAREDFS := virtio-9p DEFSHAREDFS_QEMU_VIRTIOFS := virtio-fs DEFVIRTIOFSDAEMON := $(VIRTIOFSDBINDIR)/virtiofsd +DEFVIRTIOFSDAEMONLIST := [\"$(DEFVIRTIOFSDAEMON)\"] # Default DAX mapping cache size in MiB #if value is 0, DAX is not enabled DEFVIRTIOFSCACHESIZE := 0 @@ -184,6 +191,9 @@ DEFENABLEMEMPREALLOC := false DEFENABLEHUGEPAGES := false DEFENABLEVHOSTUSERSTORE := false DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user +DEFVHOSTUSERSTOREPATHLIST := [\"$(DEFVHOSTUSERSTOREPATH)\"] +DEFFILEMEMBACKEND := "" +DEFFILEMEMBACKENDLIST := [\"$(DEFFILEMEMBACKEND)\"] DEFENABLESWAP := false DEFENABLEDEBUG := false DEFDISABLENESTINGCHECKS := false @@ -382,10 +392,16 @@ USER_VARS += DEFAULT_HYPERVISOR USER_VARS += ACRNCMD USER_VARS += ACRNCTLCMD USER_VARS += ACRNPATH +USER_VARS += ACRNPATHLIST USER_VARS += ACRNCTLPATH +USER_VARS += ACRNCTLPATHLIST +USER_VARS += CLHPATH +USER_VARS += CLHPATHLIST USER_VARS += FCCMD USER_VARS += FCPATH +USER_VARS += FCPATHLIST USER_VARS += FCJAILERPATH +USER_VARS += FCJAILERPATHLIST USER_VARS += SYSCONFIG USER_VARS += IMAGENAME USER_VARS += IMAGEPATH 
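Review bot: `QEMUVIRTIOFSPATHLIST` gets no definition in the `@@ -128` hunk, although later hunks add it to `USER_VARS` and to the `sed` substitutions, and `configuration-qemu-virtiofs.toml.in` now carries an active `path_list = @QEMUVIRTIOFSPATHLIST@`. Unless it is assigned somewhere outside the visible hunks, the generated file would read `path_list = ` with no value, which is not valid TOML. Add `QEMUVIRTIOFSPATHLIST := [\"$(QEMUVIRTIOFSPATH)\"]` directly after the `QEMUVIRTIOFSPATH` assignment. For consistency with the other lists, `CLHPATHLIST` could reference `$(CLHPATH)` instead of repeating `$(CLHBINDIR)/$(CLHCMD)`.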
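Review bot: In the `@@ -184` hunk, `DEFFILEMEMBACKEND := ""` stores the two quote characters in the value, so `DEFFILEMEMBACKENDLIST` only ends up as `[""]` because the shell joins adjacent quoted strings inside the double-quoted `sed` expression. The result is an allow-list holding one empty pattern rather than an empty list, and anyone who uncomments `file_mem_backend_list` in the generated config inherits it; how an empty pattern is matched is not visible in this diff. Leaving the variable empty and building the list conditionally keeps the quoting in one place: `DEFFILEMEMBACKEND :=` and `DEFFILEMEMBACKENDLIST := $(if $(DEFFILEMEMBACKEND),[\"$(DEFFILEMEMBACKEND)\"],[])`.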
@@ -416,8 +432,10 @@ USER_VARS += NETMONPATH USER_VARS += QEMUBINDIR USER_VARS += QEMUCMD USER_VARS += QEMUPATH +USER_VARS += QEMUPATHLIST USER_VARS += QEMUVIRTIOFSCMD USER_VARS += QEMUVIRTIOFSPATH +USER_VARS += QEMUVIRTIOFSPATHLIST USER_VARS += SHAREDIR USER_VARS += SHIMPATH USER_VARS += SYSCONFDIR @@ -440,6 +458,7 @@ USER_VARS += DEFBLOCKSTORAGEDRIVER_QEMU_VIRTIOFS USER_VARS += DEFSHAREDFS USER_VARS += DEFSHAREDFS_QEMU_VIRTIOFS USER_VARS += DEFVIRTIOFSDAEMON +USER_VARS += DEFVIRTIOFSDAEMONLIST USER_VARS += DEFVIRTIOFSCACHESIZE USER_VARS += DEFVIRTIOFSCACHE USER_VARS += DEFVIRTIOFSEXTRAARGS @@ -448,6 +467,9 @@ USER_VARS += DEFENABLEMEMPREALLOC USER_VARS += DEFENABLEHUGEPAGES USER_VARS += DEFENABLEVHOSTUSERSTORE USER_VARS += DEFVHOSTUSERSTOREPATH +USER_VARS += DEFVHOSTUSERSTOREPATHLIST +USER_VARS += DEFFILEMEMBACKEND +USER_VARS += DEFFILEMEMBACKENDLIST USER_VARS += DEFENABLESWAP USER_VARS += DEFENABLEDEBUG USER_VARS += DEFDISABLENESTINGCHECKS @@ -593,10 +615,15 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit -e "s|@CONFIG_FC_IN@|$(CONFIG_FC_IN)|g" \ -e "s|@CONFIG_PATH@|$(CONFIG_PATH)|g" \ -e "s|@FCPATH@|$(FCPATH)|g" \ + -e "s|@FCPATHLIST@|$(FCPATHLIST)|g" \ -e "s|@FCJAILERPATH@|$(FCJAILERPATH)|g" \ + -e "s|@FCJAILERPATHLIST@|$(FCJAILERPATHLIST)|g" \ -e "s|@ACRNPATH@|$(ACRNPATH)|g" \ + -e "s|@ACRNPATHLIST@|$(ACRNPATHLIST)|g" \ -e "s|@ACRNCTLPATH@|$(ACRNCTLPATH)|g" \ + -e "s|@ACRNCTLPATHLIST@|$(ACRNCTLPATHLIST)|g" \ -e "s|@CLHPATH@|$(CLHPATH)|g" \ + -e "s|@CLHPATHLIST@|$(CLHPATHLIST)|g" \ -e "s|@SYSCONFIG@|$(SYSCONFIG)|g" \ -e "s|@IMAGEPATH@|$(IMAGEPATH)|g" \ -e "s|@KERNELPATH_ACRN@|$(KERNELPATH_ACRN)|g" \ 
@@ -621,7 +648,9 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit -e "s|@PROJECT_TAG@|$(PROJECT_TAG)|g" \ -e "s|@PROJECT_TYPE@|$(PROJECT_TYPE)|g" \ -e "s|@QEMUPATH@|$(QEMUPATH)|g" \ + -e "s|@QEMUPATHLIST@|$(QEMUPATHLIST)|g" \ -e "s|@QEMUVIRTIOFSPATH@|$(QEMUVIRTIOFSPATH)|g" \ + -e "s|@QEMUVIRTIOFSPATHLIST@|$(QEMUVIRTIOFSPATHLIST)|g" \ -e "s|@RUNTIME_NAME@|$(TARGET)|g" \ -e "s|@MACHINETYPE@|$(MACHINETYPE)|g" \ -e "s|@SHIMPATH@|$(SHIMPATH)|g" \ @@ -645,6 +674,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit -e "s|@DEFSHAREDFS@|$(DEFSHAREDFS)|g" \ -e "s|@DEFSHAREDFS_QEMU_VIRTIOFS@|$(DEFSHAREDFS_QEMU_VIRTIOFS)|g" \ -e "s|@DEFVIRTIOFSDAEMON@|$(DEFVIRTIOFSDAEMON)|g" \ + -e "s|@DEFVIRTIOFSDAEMONLIST@|$(DEFVIRTIOFSDAEMONLIST)|g" \ -e "s|@DEFVIRTIOFSCACHESIZE@|$(DEFVIRTIOFSCACHESIZE)|g" \ -e "s|@DEFVIRTIOFSCACHE@|$(DEFVIRTIOFSCACHE)|g" \ -e "s|@DEFVIRTIOFSEXTRAARGS@|$(DEFVIRTIOFSEXTRAARGS)|g" \ @@ -653,6 +683,9 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit -e "s|@DEFENABLEHUGEPAGES@|$(DEFENABLEHUGEPAGES)|g" \ -e "s|@DEFENABLEVHOSTUSERSTORE@|$(DEFENABLEVHOSTUSERSTORE)|g" \ -e "s|@DEFVHOSTUSERSTOREPATH@|$(DEFVHOSTUSERSTOREPATH)|g" \ + -e "s|@DEFVHOSTUSERSTOREPATHLIST@|$(DEFVHOSTUSERSTOREPATHLIST)|g" \ + -e "s|@DEFFILEMEMBACKEND@|$(DEFFILEMEMBACKEND)|g" \ + -e "s|@DEFFILEMEMBACKENDLIST@|$(DEFFILEMEMBACKENDLIST)|g" \ -e "s|@DEFENABLEMSWAP@|$(DEFENABLESWAP)|g" \ -e "s|@DEFENABLEDEBUG@|$(DEFENABLEDEBUG)|g" \ -e "s|@DEFDISABLENESTINGCHECKS@|$(DEFDISABLENESTINGCHECKS)|g" \ diff --git a/cli/config/configuration-acrn.toml.in b/cli/config/configuration-acrn.toml.in index 1d22a92c6f..c7deb4ee19 100644 --- a/cli/config/configuration-acrn.toml.in +++ b/cli/config/configuration-acrn.toml.in 
@@ -17,17 +17,11 @@ kernel = "@KERNELPATH_ACRN@" image = "@IMAGEPATH@" # List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression, but prefer names. -# Otherwise, please read and understand the following carefully. -# SECURITY WARNING: If you use regular expressions, be mindful that -# an attacker could craft an annotation that uses .. to escape the paths -# you gave. For example, if your regexp is /bin/qemu.* then if there is -# a directory named /bin/qemu.d/, then an attacker can pass an annotation -# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. -# path_list = [ "@ACRNPATH@.*" ] +# Each member of the list is a path pattern as described by glob(3). +path_list = @ACRNPATHLIST@ # List of valid annotations values for ctlpath (default: empty) -# ctlpath_list = [ "@ACRNCTLPATH@.*" ] +ctlpath_list = @ACRNCTLPATHLIST@ # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having diff --git a/cli/config/configuration-clh.toml.in b/cli/config/configuration-clh.toml.in index ba0d320f0b..820dd29718 100644 --- a/cli/config/configuration-clh.toml.in +++ b/cli/config/configuration-clh.toml.in 
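Review bot: The new `path_list` comment drops the `..` traversal warning and still says `(default: empty)`, although the template now ships an active one-element list. The matching code is not part of these hunks, so it cannot be confirmed here whether an annotation value is canonicalised (symlinks and `..` resolved) before it is compared with the pattern; the comment should state whichever holds, because an administrator adding a wildcard entry relies on it. Suggested wording: `# Each member of the list is a path pattern as described by glob(3); prefer exact paths, since a wildcard widens the set of binaries an annotation may select.`, with `(default: empty)` replaced by the value actually shipped. The same applies to `ctlpath_list` in this hunk and to the `path_list` and `virtio_fs_daemon_list` hunks in the clh, fc, qemu-virtiofs and qemu templates.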
@@ -16,14 +16,8 @@ kernel = "@KERNELPATH_CLH@" image = "@IMAGEPATH@" # List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression, but prefer names. -# Otherwise, please read and understand the following carefully. -# SECURITY WARNING: If you use regular expressions, be mindful that -# an attacker could craft an annotation that uses .. to escape the paths -# you gave. For example, if your regexp is /bin/qemu.* then if there is -# a directory named /bin/qemu.d/, then an attacker can pass an annotation -# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. -# path_list = [ "@CLHPATH@.*" ] +# Each member of the list is a path pattern as described by glob(3). +path_list = @CLHPATHLIST@ # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having @@ -73,7 +67,7 @@ default_memory = @DEFMEMSZ@ virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@" # List of valid annotations values for the virtiofs daemon (default: empty) -# virtio_fs_daemon_list = [ "/opt/kata/bin/virtiofsd", "/usr/.*/virtiofsd" ] +virtio_fs_daemon_list = @DEFVIRTIOFSDAEMONLIST@ # Default size of DAX cache in MiB virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@ diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in index 81d86d89f4..743cecdea1 100644 --- a/cli/config/configuration-fc.toml.in +++ b/cli/config/configuration-fc.toml.in 
@@ -16,14 +16,8 @@ kernel = "@KERNELPATH_FC@" image = "@IMAGEPATH@" # List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression, but prefer names. -# Otherwise, please read and understand the following carefully. -# SECURITY WARNING: If you use regular expressions, be mindful that -# an attacker could craft an annotation that uses .. to escape the paths -# you gave. For example, if your regexp is /bin/qemu.* then if there is -# a directory named /bin/qemu.d/, then an attacker can pass an annotation -# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. -# path_list = [ "@FCPATH@.*" ] +# Each member of the list is a path pattern as described by glob(3). +path_list = @FCPATHLIST@ # Path for the jailer specific to firecracker # If the jailer path is not set kata will launch firecracker @@ -35,7 +29,7 @@ image = "@IMAGEPATH@" # List of valid jailer path values for the hypervisor (default: empty) # Each member of the list can be a regular expression -# jailer_path_list = [ "@FCJAILERPATH@.*" ] +# jailer_path_list = @FCJAILERPATHLIST@ # Optional space-separated list of options to pass to the guest kernel. diff --git a/cli/config/configuration-qemu-virtiofs.toml.in b/cli/config/configuration-qemu-virtiofs.toml.in index 314c459e96..c2773cdfaf 100644 --- a/cli/config/configuration-qemu-virtiofs.toml.in +++ b/cli/config/configuration-qemu-virtiofs.toml.in 
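Review bot: The context line `# Each member of the list can be a regular expression` above `jailer_path_list` in the `@@ -35` hunk is left unchanged, while `path_list` in the same file is now documented as glob(3). If the jailer list is matched the same way (the matcher is not in this diff), a regex-style entry such as the old `.*` suffix would no longer mean what the comment implies. Change the line to `# Each member of the list is a path pattern as described by glob(3).`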
@@ -17,14 +17,8 @@ image = "@IMAGEPATH@" machine_type = "@MACHINETYPE@" # List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression, but prefer names. -# Otherwise, please read and understand the following carefully. -# SECURITY WARNING: If you use regular expressions, be mindful that -# an attacker could craft an annotation that uses .. to escape the paths -# you gave. For example, if your regexp is /bin/qemu.* then if there is -# a directory named /bin/qemu.d/, then an attacker can pass an annotation -# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. -# path_list = [ "@QEMUPATH@.*" ] +# Each member of the list is a path pattern as described by glob(3). +path_list = @QEMUVIRTIOFSPATHLIST@ # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having @@ -115,7 +109,7 @@ shared_fs = "@DEFSHAREDFS_QEMU_VIRTIOFS@" virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@" # List of valid annotations values for the virtiofs daemon (default: empty) -# virtio_fs_daemon_list = [ "/opt/kata/bin/virtiofsd", "/usr/.*/virtiofsd" ] +virtio_fs_daemon_list = @DEFVIRTIOFSDAEMONLIST@ # Default size of DAX cache in MiB virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@ 
@@ -197,16 +191,16 @@ enable_vhost_user_store = @DEFENABLEVHOSTUSERSTORE@ vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@" # List of valid annotations values for the virtiofs daemon (default: empty) -# vhost_user_store_path_list = [ "/empty/space", "/multiverse/quantum-foam" ] +vhost_user_store_path_list = @DEFVHOSTUSERSTOREPATHLIST@ # Enable file based guest memory support. The default is an empty string which # will disable this feature. In the case of virtio-fs, this is enabled # automatically and '/dev/shm' is used as the backing folder. # This option will be ignored if VM templating is enabled. -#file_mem_backend = "" +#file_mem_backend = "@DEFFILEMEMBACKEND@" # List of valid annotations values for the file_mem_backend annotation (default: empty) -# file_mem_backend_list = [ "/dev/shm" ] +#file_mem_backend_list = @DEFFILEMEMBACKENDLIST@ # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in index 2f1ccf5ace..db591ecfc4 100644 --- a/cli/config/configuration-qemu.toml.in +++ b/cli/config/configuration-qemu.toml.in 
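Review bot: The comment above `vhost_user_store_path_list` still reads `for the virtiofs daemon`; the matching hunk in `configuration-qemu.toml.in` corrects this wording, but this one does not. Use the same line here: `# List of valid annotations values for the vhost user store path (default: empty)`.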
@@ -12,20 +12,15 @@ [hypervisor.qemu] path = "@QEMUPATH@" -# List of valid annotations values for the hypervisor (default: empty) -# Each member of the list can be a regular expression, but prefer names. -# Otherwise, please read and understand the following carefully. -# SECURITY WARNING: If you use regular expressions, be mindful that -# an attacker could craft an annotation that uses .. to escape the paths -# you gave. For example, if your regexp is /bin/qemu.* then if there is -# a directory named /bin/qemu.d/, then an attacker can pass an annotation -# containing /bin/qemu.d/../put-any-binary-name-here and attack your host. -# path_list = [ "@QEMUPATH@.*" ] kernel = "@KERNELPATH@" initrd = "@INITRDPATH@" image = "@IMAGEPATH@" machine_type = "@MACHINETYPE@" +# List of valid annotations values for the hypervisor (default: empty) +# Each member of the list is a path pattern as described by glob(3). +path_list = @QEMUPATHLIST@ + # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. @@ -121,7 +116,7 @@ shared_fs = "@DEFSHAREDFS@" virtio_fs_daemon = "@DEFVIRTIOFSDAEMON@" # List of valid annotations values for the virtiofs daemon (default: empty) -# virtio_fs_daemon_list = [ "/opt/kata/bin/virtiofsd", "/usr/.*/virtiofsd" ] +virtio_fs_daemon_list = @DEFVIRTIOFSDAEMONLIST@ # Default size of DAX cache in MiB virtio_fs_cache_size = @DEFVIRTIOFSCACHESIZE@ 
@@ -202,17 +197,17 @@ enable_vhost_user_store = @DEFENABLEVHOSTUSERSTORE@ # simulated block device nodes for vhost-user devices to live. vhost_user_store_path = "@DEFVHOSTUSERSTOREPATH@" -# List of valid annotations values for the virtiofs daemon (default: empty) -# vhost_user_store_path_list = [ "/empty/space", "/multiverse/quantum-foam" ] +# List of valid annotations values for the vhost user store path (default: empty) +vhost_user_store_path_list = @DEFVHOSTUSERSTOREPATHLIST@ # Enable file based guest memory support. The default is an empty string which # will disable this feature. In the case of virtio-fs, this is enabled # automatically and '/dev/shm' is used as the backing folder. # This option will be ignored if VM templating is enabled. -#file_mem_backend = "" +#file_mem_backend = "@DEFFILEMEMBACKEND@" # List of valid annotations values for the file_mem_backend annotation (default: empty) -# file_mem_backend_list = [ "/dev/shm" ] +#file_mem_backend_list = @DEFFILEMEMBACKENDLIST@ # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true