From 76b1208e9c1a36a84ce1e34b5b494ff74cfccfbc Mon Sep 17 00:00:00 2001
From: Dawei Wei <wei.dawei.cn@gmail.com>
Date: Sun, 1 Mar 2026 09:23:33 -0800
Subject: [PATCH] shim: skip SandboxPlatform validation when platform is not
 explicitly set

When runtime options are non-empty (e.g., SandboxIsolation is set) but
SandboxPlatform is empty, skip the platform validation rather than
failing. The validation only needs to check that the spec and shim
options match when SandboxPlatform is explicitly configured.

containerd's default config (config_windows.go) sets SandboxIsolation=1
for the runhcs-wcow-hypervisor runtime handler but omits SandboxPlatform,
making options non-empty with an empty platform string. This causes
platforms.Parse("") to fail with 'invalid runtime sandbox platform'.

Signed-off-by: Dawei Wei <wei.dawei.cn@gmail.com>
---
 cmd/containerd-shim-runhcs-v1/service_internal.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/containerd-shim-runhcs-v1/service_internal.go b/cmd/containerd-shim-runhcs-v1/service_internal.go
index a50bb12224..b29a5c5a95 100644
--- a/cmd/containerd-shim-runhcs-v1/service_internal.go
+++ b/cmd/containerd-shim-runhcs-v1/service_internal.go
@@ -129,7 +129,7 @@ func (s *service) createInternal(ctx context.Context, req *task.CreateTaskReques
 		return nil, fmt.Errorf("invalid runtime sandbox isolation (%s) for hypervisor isolated OCI spec", isolation.String())
 	}
 
-	if !emptyShimOpts {
+	if !emptyShimOpts && shimOpts.GetSandboxPlatform() != "" {
 		// validate runtime platform
 		plat, err := platforms.Parse(shimOpts.GetSandboxPlatform())
 		if err != nil {