M #-: Restricted dirs for CONTEXT/FILES (#2243)

* M #-: Restricted dirs for CONTEXT/FILES * M #-: Fix opennebula_configuration.xsd
2025-02-03 13:47:01 +03:00 · 2022-07-26 09:18:08 +02:00 · 2022-07-26 09:18:08 +02:00 · fecfd03a1a
commit fecfd03a1a
parent 78bae2762c
4 changed files with 67 additions and 0 deletions
--- a/share/doc/xsd/opennebula_configuration.xsd
+++ b/share/doc/xsd/opennebula_configuration.xsd
@ -28,6 +28,8 @@
        </xs:element>

        <xs:element name="CLUSTER_ENCRYPTED_ATTR" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+        <xs:element name="CONTEXT_RESTRICTED_DIRS" type="xs:string" minOccurs="0" maxOccurs="1"/>
+        <xs:element name="CONTEXT_SAFE_DIRS" type="xs:string" minOccurs="0" maxOccurs="1"/>
        <xs:element name="DATASTORE_CAPACITY_CHECK" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element name="DATASTORE_ENCRYPTED_ATTR" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element name="DATASTORE_LOCATION" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
--- a/src/template/OpenNebulaTemplate.cc
+++ b/src/template/OpenNebulaTemplate.cc
@ -399,6 +399,8 @@ void OpenNebulaTemplate::set_conf_default()
    set_conf_single("HOST_ENCRYPTED_ATTR", "NSX_PASSWORD");
    set_conf_single("HOST_ENCRYPTED_ATTR", "ONE_PASSWORD");
    set_conf_single("SHOWBACK_ONLY_RUNNING", "NO");
+    set_conf_single("CONTEXT_RESTRICTED_DIRS", "/etc");
+    set_conf_single("CONTEXT_SAFE_DIRS", "");

    //DB CONFIGURATION
    vvalue.insert(make_pair("BACKEND","sqlite"));
--- a/src/vm/VirtualMachineContext.cc
+++ b/src/vm/VirtualMachineContext.cc
@ -70,6 +70,39 @@ const std::vector<ContextVariable> NETWORK6_CONTEXT = {
    {"EXTERNAL", "EXTERNAL", "", false},
 };

+bool is_restricted(const string& path,
+                   const set<string>& restricted,
+                   const set<string>& safe)
+{
+    auto canonical_c = realpath(path.c_str(), nullptr);
+
+    if (canonical_c == nullptr)
+    {
+        return false;
+    }
+
+    string canonical_str(canonical_c);
+    free(canonical_c);
+
+    for (auto& s : safe)
+    {
+        if (canonical_str.find(s) == 0)
+        {
+            return false;
+        }
+    }
+
+    for (auto& r : restricted)
+    {
+        if (canonical_str.find(r) == 0)
+        {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 /*   CONTEXT - Public Interface                                               */
@ -129,6 +162,33 @@ int VirtualMachine::generate_context(string &files, int &disk_id,
    }

    files    = context->vector_value("FILES");
+
+    auto& nd = Nebula::instance();
+    string restricted_dirs, safe_dirs;
+    nd.get_configuration_attribute("CONTEXT_RESTRICTED_DIRS", restricted_dirs);
+    nd.get_configuration_attribute("CONTEXT_SAFE_DIRS", safe_dirs);
+
+    set<string> restricted, safe;
+
+    one_util::split_unique(restricted_dirs, ' ', restricted);
+    one_util::split_unique(safe_dirs, ' ', safe);
+
+    set<string> files_set;
+    one_util::split_unique(files, ' ', files_set);
+    for (auto& f : files_set)
+    {
+        if (is_restricted(f, restricted, safe))
+        {
+            string error = "CONTEXT/FILES cannot use " + f
+                           + ", it's in restricted directories";
+
+            log("VM", Log::ERROR, error);
+            set_template_error_message(error);
+
+            return -1;
+        }
+    }
+
    files_ds = context->vector_value("FILES_DS");

    if (!files_ds.empty())
--- a/src/vmm/VirtualMachineManager.cc
+++ b/src/vmm/VirtualMachineManager.cc
@ -333,6 +333,9 @@ static int do_context_command(VirtualMachine * vm, const string& password,

    if ( rc == -1 )
    {
+        auto vmpool = Nebula::instance().get_vmpool();
+        vmpool->update(vm);
+
        return -1;
    }
    else if ( rc == 1 )