hcsv2/uvm: Restrict SCSI mount options in confidential mode

In C-LCOW, we do not want to host to be able to arbitrarily control mount
options.  Currently there are two possible ways mount options might be
specified by the host:

1. For read-only mounts (image layers), option "ro" is specified (see
   addLCOWLayer).
2. If the OCI spec passed by containerd contains physical/virtual disk mounts,
   it might contain mount options, and hcsshim would pass this through to GCS (see
   allocateLinuxResources).

We can allow 1 (and in fact, require it to be consistent with the readOnly field
in the request), and today C-LCOW does not support external disk mounts, and so
we can reject any other mount options passed via route 2.

Signed-off-by: Tingmao Wang <[email protected]>

Author: micromaomao

internal/guest/runtime/hcsv2/uvm.go

@@ -1225,6 +1225,24 @@ func (h *Host) modifyMappedVirtualDisk(
 		mountCtx, cancel := context.WithTimeout(ctx, time.Second*5)
 		defer cancel()
 		if mvd.MountPath != "" {
+			if h.HasSecurityPolicy() {
+				// The only option we allow if there is policy enforcement is
+				// "ro", and it must match the readonly field in the request.
+				mountOptionHasRo := false
+				for _, opt := range mvd.Options {
+					if opt == "ro" {
+						mountOptionHasRo = true
+						continue
+					}
+					return errors.Errorf("mounting scsi device controller %d lun %d onto %s: mount option %q denied by policy", mvd.Controller, mvd.Lun, mvd.MountPath, opt)
+				}
+				if mvd.ReadOnly != mountOptionHasRo {
+					return errors.Errorf(
+						"mounting scsi device controller %d lun %d onto %s with mount option %q failed due to mount option mismatch: mvd.ReadOnly=%t but mountOptionHasRo=%t",
+						mvd.Controller, mvd.Lun, mvd.MountPath, strings.Join(mvd.Options, ","), mvd.ReadOnly, mountOptionHasRo,
+					)
+				}
+			}
 			if mvd.ReadOnly {
 				var deviceHash string
 				if verityInfo != nil {