cvm: Only allow wihtelisted envs

kvinwang · kvinwang · commit b3a0bca46e6d · 2025-02-27T06:04:48.000Z
diff --git a/dstack-types/src/lib.rs b/dstack-types/src/lib.rs
@@ -25,6 +25,8 @@ pub struct AppCompose {
     pub local_key_provider_enabled: bool,
     #[serde(default)]
     pub key_provider: Option<KeyProviderKind>,
+    #[serde(default)]
+    pub allowed_envs: Vec<String>,
 }
 
 #[derive(Deserialize, Serialize, Debug, Clone, Copy)]
diff --git a/tdxctl/src/fde_setup.rs b/tdxctl/src/fde_setup.rs
@@ -1,5 +1,5 @@
 use std::{
-    collections::BTreeMap,
+    collections::{BTreeMap, BTreeSet},
     io::{Read, Write},
     path::{Path, PathBuf},
     process::{Command, Stdio},
@@ -318,7 +318,12 @@ impl SetupFdeArgs {
         deserialize_json_file(self.app_keys_file()).context("Failed to decode app keys")
     }
 
-    fn decrypt_env_vars(&self, key: &[u8], ciphertext: &[u8]) -> Result<BTreeMap<String, String>> {
+    fn decrypt_env_vars(
+        &self,
+        key: &[u8],
+        ciphertext: &[u8],
+        allowed: &BTreeSet<String>,
+    ) -> Result<BTreeMap<String, String>> {
         let vars = if !key.is_empty() && !ciphertext.is_empty() {
             info!("Processing encrypted env");
             let env_crypt_key: [u8; 32] = key
@@ -327,7 +332,7 @@ impl SetupFdeArgs {
                 .context("Invalid env crypt key length")?;
             let decrypted_json =
                 dh_decrypt(env_crypt_key, ciphertext).context("Failed to decrypt env file")?;
-            env_process::parse_env(&decrypted_json)?
+            env_process::parse_env(&decrypted_json, allowed)?
         } else {
             info!("No encrypted env, using default");
             Default::default()
@@ -545,9 +550,18 @@ impl SetupFdeArgs {
             bail!("Failed to get valid key phrase from KMS");
         }
         host.notify_q("boot.progress", "decrypting env").await;
+        let allowed_envs: BTreeSet<String> = host_shared
+            .app_compose
+            .allowed_envs
+            .iter()
+            .cloned()
+            .collect();
         // Decrypt env file
-        let decrypted_env =
-            self.decrypt_env_vars(&app_keys.env_crypt_key, &host_shared.encrypted_env)?;
+        let decrypted_env = self.decrypt_env_vars(
+            &app_keys.env_crypt_key,
+            &host_shared.encrypted_env,
+            &allowed_envs,
+        )?;
         let disk_key = hex::encode(&app_keys.disk_crypt_key);
         if is_bootstrapped {
             host.notify_q("boot.progress", "mounting rootfs").await;
diff --git a/tdxctl/src/fde_setup/env_process.rs b/tdxctl/src/fde_setup/env_process.rs
@@ -1,6 +1,7 @@
 use anyhow::{bail, Context, Result};
 use serde::Deserialize;
-use std::collections::BTreeMap;
+use std::collections::{BTreeMap, BTreeSet};
+use tracing::warn;
 
 fn escape_value(v: &str) -> String {
     let mut needs_quotes = false;
@@ -41,7 +42,10 @@ struct Data {
     env: Vec<Pair>,
 }
 
-pub fn parse_env(decrypted_json: &[u8]) -> Result<BTreeMap<String, String>> {
+pub fn parse_env(
+    decrypted_json: &[u8],
+    allowed: &BTreeSet<String>,
+) -> Result<BTreeMap<String, String>> {
     const MAX_ITEMS: usize = 1024;
     const MAX_TOTAL_SIZE: usize = 1024 * 1024;
 
@@ -59,6 +63,10 @@ pub fn parse_env(decrypted_json: &[u8]) -> Result<BTreeMap<String, String>> {
     let mut total_size = 0;
 
     for Pair { key, value } in data.env {
+        if !allowed.contains(&key) {
+            warn!("Skipping unauthorized environment variable: {key}");
+            continue;
+        }
         // Check key length (common Linux limit is 255)
         if key.len() > 255 {
             bail!("Environment variable name too long: {}", key);
diff --git a/teepod/src/console.html b/teepod/src/console.html
@@ -1103,7 +1103,8 @@ <h3>Derive VM</h3>
                         "tproxy_enabled": vmForm.value.tproxy_enabled,
                         "public_logs": vmForm.value.public_logs,
                         "public_sysinfo": vmForm.value.public_sysinfo,
-                        "local_key_provider_enabled": vmForm.value.local_key_provider_enabled
+                        "local_key_provider_enabled": vmForm.value.local_key_provider_enabled,
+                        "allowed_envs": vmForm.value.encrypted_envs.map(env => env.key),
                     };
 
                     if (vmForm.value.preLaunchScript?.trim()) {

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ pub struct AppCompose {`
`25`	`25`	`pub local_key_provider_enabled: bool,`
`26`	`26`	`#[serde(default)]`
`27`	`27`	`pub key_provider: Option<KeyProviderKind>,`
	`28`	`+ #[serde(default)]`
	`29`	`+ pub allowed_envs: Vec<String>,`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`#[derive(Deserialize, Serialize, Debug, Clone, Copy)]`