IH-507: Do not allow guest kernels in /boot/

This location is for dom0's boot chain exclusively Signed-off-by: Pau Ruiz Safont <[email protected]>
xapi-project · Jul 23, 2024 · 5dc2900 · 5dc2900
1 parent d88017e
commit 5dc2900
Showing 1 changed file with 1 addition and 4 deletions.
diff --git a/ocaml/xapi/xapi_xenops.ml b/ocaml/xapi/xapi_xenops.ml
@@ -337,10 +337,7 @@ let rtc_timeoffset_of_vm ~__context (vm, vm_t) vbds =
            )
         )
 
-(* /boot/ contains potentially sensitive files like xen-initrd, only allow
-   directly booting guests from the subfolder /boot/guest/ *)
-let allowed_dom0_directories_for_boot_files =
-  ["/boot/guest/"; "/var/lib/xcp/guest/"]
+let allowed_dom0_directories_for_boot_files = ["/var/lib/xcp/guest/"]
 
 let kernel_path filename =
   let ( let* ) = Result.bind in