Merge pull request #11554 from hashicorp/merge-release-1.2.1-branch

Merge release 1.2.1 branch
2021-11-22 10:58:03 -05:00 · 2021-11-22 10:58:03 -05:00 · d0f27f573f
parent 166d4c931f ed613ea485
commit d0f27f573f
9 changed files with 183188 additions and 7 deletions
--- a/.changelog/11542.txt
+++ b/.changelog/11542.txt
@ -0,0 +1,3 @@
+```release-note:security
+Allow limiting QEMU arguments to reduce access to host resources. [CVE-2021-43415](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43415)
+```
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,9 @@
+## 1.2.1 (November 19, 2021)
+
+SECURITY:
+
+* Allow limiting QEMU arguments to reduce access to host resources. [CVE-2021-43415](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43415) [[GH-11542](https://github.com/hashicorp/nomad/issues/11542)]
+
 ## 1.2.0 (November 15, 2021)

 FEATURES:
@ -66,6 +72,12 @@ BUG FIXES:
 * server: Fixed a panic on arm64 platform when dispatching a job with a payload [[GH-11396](https://github.com/hashicorp/nomad/issues/11396)]
 * server: Fixed a panic that may occur when preempting multiple allocations on the same node [[GH-11346](https://github.com/hashicorp/nomad/issues/11346)]

+## 1.1.8 (November 19, 2021)
+
+SECURITY:
+
+* Allow limiting QEMU arguments to reduce access to host resources. [CVE-2021-43415](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43415) [[GH-11542](https://github.com/hashicorp/nomad/issues/11542)]
+
 ## 1.1.7 (November 15, 2021)

 IMPROVEMENTS:
@ -319,6 +331,12 @@ BUG FIXES:
 * server: Fixed a panic that may arise on submission of jobs containing invalid service checks [[GH-10154](https://github.com/hashicorp/nomad/issues/10154)]
 * ui: Fixed the rendering of interstitial components shown after processing a dynamic application sizing recommendation. [[GH-10094](https://github.com/hashicorp/nomad/pull/10094)]

+## 1.0.14 (November 19, 2021)
+
+SECURITY:
+
+* Allow limiting QEMU arguments to reduce access to host resources. [CVE-2021-43415](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43415) [[GH-11542](https://github.com/hashicorp/nomad/issues/11542)]
+
 ## 1.0.13 (November 15, 2021)

 IMPROVEMENTS:
--- a/2
+++ b/2
@ -32,7 +32,7 @@ PROTO_COMPARE_TAG ?= v1.0.3$(if $(findstring ent,$(GO_TAGS)),+ent,)

 # LAST_RELEASE is the git sha of the latest release corresponding to this branch. main should have the latest
 # published release, but backport branches should point to the parent tag (e.g. 1.0.8 in release-1.0.9 after 1.1.0 is cut).
-LAST_RELEASE ?= v1.2.0
+LAST_RELEASE ?= v1.2.1

 default: help

--- a/client/structs/structs.generated.go
+++ b/client/structs/structs.generated.go
--- a/drivers/qemu/driver.go
+++ b/drivers/qemu/driver.go
@ -84,7 +84,8 @@ var (

 	// configSpec is the hcl specification returned by the ConfigSchema RPC
 	configSpec = hclspec.NewObject(map[string]*hclspec.Spec{
-		"image_paths": hclspec.NewAttr("image_paths", "list(string)", false),
+		"image_paths":    hclspec.NewAttr("image_paths", "list(string)", false),
+		"args_allowlist": hclspec.NewAttr("args_allowlist", "list(string)", false),
 	})

 	// taskConfigSpec is the hcl specification for the driver config section of
@ -136,6 +137,11 @@ type TaskState struct {
 type Config struct {
 	// ImagePaths is an allow-list of paths qemu is allowed to load an image from
 	ImagePaths []string `codec:"image_paths"`
+
+	// ArgsAllowList is an allow-list of arguments the jobspec can
+	// include in arguments to qemu, so that cluster operators can can
+	// prevent access to devices
+	ArgsAllowList []string `codec:"args_allowlist"`
 }

 // Driver is a driver for running images via Qemu
@ -338,6 +344,26 @@ func isAllowedImagePath(allowedPaths []string, allocDir, imagePath string) bool
 	return false
 }

+// validateArgs ensures that all QEMU command line params are in the
+// allowlist. This function must be called after all interpolation has
+// taken place.
+func validateArgs(pluginConfigAllowList, args []string) error {
+	if len(pluginConfigAllowList) > 0 {
+		allowed := map[string]struct{}{}
+		for _, arg := range pluginConfigAllowList {
+			allowed[arg] = struct{}{}
+		}
+		for _, arg := range args {
+			if strings.HasPrefix(strings.TrimSpace(arg), "-") {
+				if _, ok := allowed[arg]; !ok {
+					return fmt.Errorf("%q is not in args_allowlist", arg)
+				}
+			}
+		}
+	}
+	return nil
+}
+
 func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drivers.DriverNetwork, error) {
 	if _, ok := d.tasks.Get(cfg.ID); ok {
 		return nil, nil, fmt.Errorf("taskConfig with ID '%s' already started", cfg.ID)
@ -355,6 +381,10 @@ func (d *Driver) StartTask(cfg *drivers.TaskConfig) (*drivers.TaskHandle, *drive
 	handle := drivers.NewTaskHandle(taskHandleVersion)
 	handle.Config = cfg

+	if err := validateArgs(d.config.ArgsAllowList, driverConfig.Args); err != nil {
+		return nil, nil, err
+	}
+
 	// Get the image source
 	vmPath := driverConfig.ImagePath
 	if vmPath == "" {
--- a/drivers/qemu/driver_test.go
+++ b/drivers/qemu/driver_test.go
@ -453,3 +453,32 @@ func TestIsAllowedImagePath(t *testing.T) {
 		require.Falsef(t, isAllowedImagePath(allowedPaths, allocDir, p), "path should be not allowed: %v", p)
 	}
 }
+
+func TestArgsAllowList(t *testing.T) {
+
+	pluginConfigAllowList := []string{"-drive", "-net", "-snapshot"}
+
+	validArgs := [][]string{
+		{"-drive", "/path/to/wherever", "-snapshot"},
+		{"-net", "tap,vlan=0,ifname=tap0"},
+	}
+
+	invalidArgs := [][]string{
+		{"-usbdevice", "mouse"},
+		{"-singlestep"},
+		{"--singlestep"},
+		{" -singlestep"},
+		{"\t-singlestep"},
+	}
+
+	for _, args := range validArgs {
+		require.NoError(t, validateArgs(pluginConfigAllowList, args))
+		require.NoError(t, validateArgs([]string{}, args))
+
+	}
+	for _, args := range invalidArgs {
+		require.Error(t, validateArgs(pluginConfigAllowList, args))
+		require.NoError(t, validateArgs([]string{}, args))
+	}
+
+}
--- a/nomad/structs/structs.generated.go
+++ b/nomad/structs/structs.generated.go
--- a/version/version.go
+++ b/version/version.go
@ -16,7 +16,7 @@ var (
 	// A pre-release marker for the version. If this is "" (empty string)
 	// then it means that it is a final release. Otherwise, this is a pre-release
 	// such as "dev" (in development), "beta", "rc1", etc.
-	VersionPrerelease = "dev"
+	VersionPrerelease = ""

 	// VersionMetadata is metadata further describing the build type.
 	VersionMetadata = ""
--- a/website/content/docs/drivers/qemu.mdx
+++ b/website/content/docs/drivers/qemu.mdx
@ -54,7 +54,7 @@ The `qemu` driver supports the following configuration in the job spec:
  forcefully terminated. (Note that
  [prior to qemu 2.10.1](https://github.com/qemu/qemu/commit/ad9579aaa16d5b385922d49edac2c96c79bcfb6),
  the monitor socket path is limited to 108 characters. Graceful shutdown will
-  be disabled if qemu is < 2.10.1 and the generated monitor path exceeds this
+  be disabled if QEMU is < 2.10.1 and the generated monitor path exceeds this
  length. You may encounter this issue if you set long
  [data_dir](/docs/configuration#data_dir)
  or
@ -72,7 +72,7 @@ The `qemu` driver supports the following configuration in the job spec:
  }
  ```

- `args` - (Optional) A list of strings that is passed to qemu as command line
+- `args` - (Optional) A list of strings that is passed to QEMU as command line
  options.

 ## Examples
@ -145,12 +145,19 @@ job "docs" {
 plugin "qemu" {
  config {
    image_paths = ["/mnt/image/paths"]
+    args_allowlist = ["-drive", "-usbdevice"]
  }
 }
 ```

- `image_paths` (`[]string`: `[]`) - Specifies the host paths the QEMU driver is
-  allowed to load images from.
+- `image_paths` (`[]string`: `[]`) - Specifies the host paths the QEMU
+  driver is allowed to load images from.
+- `args_allowlist` (`[]string`: `[]`) - Specifies the command line
+  flags that the [`args`] option is permitted to pass to QEMU. If
+  unset, a job submitter can pass any command line flag into QEMU,
+  including flags that provide the VM with access to host devices such
+  as USB drives. Refer to the [QEMU documentation] for the available
+  flags.

 ## Resource Isolation

@ -162,3 +169,11 @@ Virtualization provides the highest level of isolation for workloads that
 require additional security, and resource use is constrained by the QEMU
 hypervisor rather than the host kernel. VM network traffic still flows through
 the host's interface(s).
+
+Note that the strong isolation provided by virtualization only applies
+to the workload once the VM is started. Operators should use the
+`args_allowlist` option to prevent job submitters from accessing
+devices and resources they are not allowed to access.
+
+[`args`]: /docs/drivers/qemu#args
+[QEMU documentation]: https://www.qemu.org/docs/master/system/invocation.html