Validate runhcs sandbox isolation and platform

cmd/containerd-shim-runhcs-v1/service_internal.go

@@ -12,14 +12,18 @@ import (
 	task "github.com/containerd/containerd/api/runtime/task/v2"
 	containerd_v1_types "github.com/containerd/containerd/api/types/task"
 	"github.com/containerd/errdefs"
+	"github.com/containerd/platforms"
 	typeurl "github.com/containerd/typeurl/v2"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/emptypb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	runhcsopts "github.com/Microsoft/hcsshim/cmd/containerd-shim-runhcs-v1/options"
 	"github.com/Microsoft/hcsshim/internal/extendedtask"
+	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/Microsoft/hcsshim/internal/shimdiag"
 )
@@ -81,7 +85,14 @@ func (s *service) createInternal(ctx context.Context, req *task.CreateTaskReques
 			return nil, err
 		}
 		shimOpts = v.(*runhcsopts.Options)
+
+		if entry := log.G(ctx); entry.Logger.IsLevelEnabled(logrus.DebugLevel) {
+			entry.WithField("options", log.Format(ctx, shimOpts)).Debug("parsed runhcs runtime options")
+		}
 	}
+	// ideally the runtime options would be set appropriately, but cannot guarantee that
+	// instead, distinguish between empty and misconfigured options
+	emptyShimOpts := req.Options == nil || proto.Equal(shimOpts, &runhcsopts.Options{})
 
 	var spec specs.Spec
 	f, err := os.Open(filepath.Join(req.Bundle, "config.json"))
@@ -95,7 +106,7 @@ func (s *service) createInternal(ctx context.Context, req *task.CreateTaskReques
 	f.Close()
 
 	spec = oci.UpdateSpecFromOptions(spec, shimOpts)
-	//expand annotations after defaults have been loaded in from options
+	// expand annotations after defaults have been loaded in from options
 	err = oci.ProcessAnnotations(ctx, &spec)
 	// since annotation expansion is used to toggle security features
 	// raise it rather than suppress and move on
@@ -106,13 +117,36 @@ func (s *service) createInternal(ctx context.Context, req *task.CreateTaskReques
 	// If sandbox isolation is set to hypervisor, make sure the HyperV option
 	// is filled in. This lessens the burden on Containerd to parse our shims
 	// options if we can set this ourselves.
-	if shimOpts.SandboxIsolation == runhcsopts.Options_HYPERVISOR {
+	if isolation := shimOpts.GetSandboxIsolation(); isolation == runhcsopts.Options_HYPERVISOR {
 		if spec.Windows == nil {
 			spec.Windows = &specs.Windows{}
 		}
 		if spec.Windows.HyperV == nil {
 			spec.Windows.HyperV = &specs.WindowsHyperV{}
 		}
+	} else if !emptyShimOpts && oci.IsIsolated(&spec) {
+		// non-empty runtime options, but invalid isolation
+		return nil, fmt.Errorf("invalid runtime sandbox isolation (%s) for hypervisor isolated OCI spec", isolation.String())
+	}
+
+	if !emptyShimOpts {
+		// validate runtime platform
+		plat, err := platforms.Parse(shimOpts.GetSandboxPlatform())
+		if err != nil {
+			return nil, fmt.Errorf("invalid runtime sandbox platform: %w", err)
+		}
+		switch plat.OS {
+		case "windows":
+			if oci.IsLCOW(&spec) {
+				return nil, fmt.Errorf("non-empty Linux config in OCI spec for Windows sandbox platform: %s", platforms.Format(plat))
+			}
+		case "linux":
+			if oci.IsWCOW(&spec) {
+				return nil, fmt.Errorf("empty Linux config in OCI spec for Linux sandbox platform: %s", platforms.Format(plat))
+			}
+		default:
+			return nil, fmt.Errorf("unknown runtime sandbox platform OS: %s", platforms.Format(plat))
+		}
 	}
 
 	// This is a Windows Argon make sure that we have a Root filled in.

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/containerd/errdefs v1.0.0
 	github.com/containerd/errdefs/pkg v0.3.0
 	github.com/containerd/go-runc v1.1.0
+	github.com/containerd/platforms v1.0.0-rc.1
 	github.com/containerd/protobuild v0.3.0
 	github.com/containerd/ttrpc v1.2.7
 	github.com/containerd/typeurl/v2 v2.2.3

go.sum

@@ -51,6 +51,8 @@ github.com/containerd/go-runc v1.1.0 h1:OX4f+/i2y5sUT7LhmcJH7GYrjjhHa1QI4e8yO0gG
 github.com/containerd/go-runc v1.1.0/go.mod h1:xJv2hFF7GvHtTJd9JqTS2UVxMkULUYw4JN5XAUZqH5U=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E=
+github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
 github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
 github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
 github.com/containerd/protobuild v0.3.0 h1:RIyEIu+D+iIha6E1PREBPAXspSMFaDVam81JlolZWpg=

internal/oci/util.go

@@ -22,5 +22,5 @@ func IsIsolated(s *specs.Spec) bool {
 
 // IsJobContainer checks if `s` is asking for a Windows job container.
 func IsJobContainer(s *specs.Spec) bool {
-	return s.Annotations[annotations.HostProcessContainer] == "true"
+	return IsWCOW(s) && s.Annotations[annotations.HostProcessContainer] == "true"
 }