Merged PR 13627088: guest: Don't allow host to set mount options

[cherry-picked from 1dd0b7ea0b0f91d3698f6008fb0bd5b0de777da6]

Blocks mount option passing for 9p (which is accidental) and SCSI disks.

- guest: Restrict plan9 share names to digits only on Confidential mode
- hcsv2/uvm: Restrict SCSI mount options in confidential mode
   (The only one we allow is `ro`)

Related work items: #34370380
Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com>

Author: micromaomao

internal/guest/runtime/hcsv2/uvm.go

@@ -1246,6 +1246,24 @@ func (h *Host) modifyMappedVirtualDisk(
 		mountCtx, cancel := context.WithTimeout(ctx, time.Second*5)
 		defer cancel()
 		if mvd.MountPath != "" {
+			if h.HasSecurityPolicy() {
+				// The only option we allow if there is policy enforcement is
+				// "ro", and it must match the readonly field in the request.
+				mountOptionHasRo := false
+				for _, opt := range mvd.Options {
+					if opt == "ro" {
+						mountOptionHasRo = true
+						continue
+					}
+					return errors.Errorf("mounting scsi device controller %d lun %d onto %s: mount option %q denied by policy", mvd.Controller, mvd.Lun, mvd.MountPath, opt)
+				}
+				if mvd.ReadOnly != mountOptionHasRo {
+					return errors.Errorf(
+						"mounting scsi device controller %d lun %d onto %s with mount option %q failed due to mount option mismatch: mvd.ReadOnly=%t but mountOptionHasRo=%t",
+						mvd.Controller, mvd.Lun, mvd.MountPath, strings.Join(mvd.Options, ","), mvd.ReadOnly, mountOptionHasRo,
+					)
+				}
+			}
 			if mvd.ReadOnly {
 				var deviceHash string
 				if verityInfo != nil {
@@ -1410,6 +1428,12 @@ func (h *Host) modifyMappedDirectory(
 			return errors.Wrapf(err, "mounting plan9 device at %s denied by policy", md.MountPath)
 		}
 
+		if h.HasSecurityPolicy() {
+			if err = plan9.ValidateShareName(md.ShareName); err != nil {
+				return err
+			}
+		}
+
 		// Similar to the reasoning in modifyMappedVirtualDisk, since we're
 		// rolling back the policy metadata, plan9.Mount here must clean up
 		// everything if it fails, which it does do.

internal/guest/storage/plan9/plan9.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"regexp"
 	"syscall"
 
 	"github.com/Microsoft/hcsshim/internal/guest/transport"
@@ -25,6 +26,19 @@ var (
 	unixMount   = unix.Mount
 )
 
+// c.f. v9fs_parse_options in linux/fs/9p/v9fs.c - technically anything other
+// than ',' is ok (quoting is not handled), however, this name is generated from
+// a counter in AddPlan9 (internal/uvm/plan9.go), and therefore we expect only
+// digits from a normal hcsshim host.
+var validShareNameRegex = regexp.MustCompile(`^[0-9]+$`)
+
+func ValidateShareName(name string) error {
+	if !validShareNameRegex.MatchString(name) {
+		return fmt.Errorf("invalid plan9 share name %q: must match regex %q", name, validShareNameRegex.String())
+	}
+	return nil
+}
+
 // Mount dials a connection from `vsock` and mounts a Plan9 share to `target`.
 //
 // `target` will be created. On mount failure the created `target` will be