Comment 63 for bug 1878234

Christophe de Dinechin (i-christophe) wrote :

Attached is a revised series of patches.

0012-config-Add-makefile-variables-for-path-lists.patch is my attempt at addressing Fabiano's comments on distro build-time configuration. I am not entirely sure this is the right way to do it for arrays.

0014-config-Use-glob-instead-of-regexp-to-match-paths-in-.patch is the replacement of regexps with glob for paths. With that change, I believe that the security concerns are no longer there, so I removed the SECURITY WARNING.

0015-config-Whitelist-hypervisor-annotations-by-name.patch is my attempt at implementing Peng Tao's whitelisting idea. I have only implemented it for the hypervisor. Agent and runtime may follow, but I have several questions about this one, including:

1. If an annotation is not whitelisted, should we fail to start, or just ignore it? It's a bit harder to ignore it with the existing code structure, so for now it fails.

2. Should each section have its own "enable_annotations" configuration? Or does it make sense to add a global [annotations] section to configure all the annotation-related aspects?

But then, the top-level question is whether this is a bug. I still believe it is better to not allow arbitrary execution so easily, so I still see that as a bug, although following Julio's comments, it may well fit in the "normal" security model.
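An added example, written for this page and not taken from the patch series above, of the two checks the comment describes: an annotation must be enabled by name, and a path-valued annotation must match an allowed glob (after the path is cleaned, so `..` segments cannot sneak past a pattern). The `Policy` type, `CheckAnnotation` and the annotation names are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Policy is a hypothetical shape for the whitelist, not the patch's config types.
// AllowedAnnotations is the "enable_annotations" idea: names that may be set at all.
// PathGlobs maps a path-valued annotation name to the globs its value must match.
type Policy struct {
	AllowedAnnotations []string
	PathGlobs          map[string][]string
}

// CheckAnnotation returns nil when the annotation is enabled by name and, if it
// carries a path, the cleaned path matches one of the configured globs.
// Unknown annotations are rejected rather than ignored (the "fail to start" choice).
func (p Policy) CheckAnnotation(name, value string) error {
	enabled := false
	for _, a := range p.AllowedAnnotations {
		if a == name {
			enabled = true
			break
		}
	}
	if !enabled {
		return fmt.Errorf("annotation %q is not enabled", name)
	}
	globs, isPath := p.PathGlobs[name]
	if !isPath {
		return nil // enabled, and not a path: nothing more to check
	}
	// Clean first: "/usr/bin/../evil" is judged as "/usr/evil", and a glob
	// "*" never crosses a "/" so subdirectories cannot match either.
	clean := filepath.Clean(value)
	if !filepath.IsAbs(clean) {
		return fmt.Errorf("%s: path %q must be absolute", name, value)
	}
	for _, g := range globs {
		if ok, err := filepath.Match(g, clean); err == nil && ok {
			return nil
		}
	}
	return fmt.Errorf("%s: path %q does not match any allowed glob", name, value)
}

func main() {
	p := Policy{AllowedAnnotations: []string{"example.hypervisor.path"},
		PathGlobs: map[string][]string{"example.hypervisor.path": {"/usr/bin/qemu-*"}}}
	fmt.Println(p.CheckAnnotation("example.hypervisor.path", "/usr/bin/../evil"))
}
```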