From owner-svn-src-head@freebsd.org  Wed Aug  1 00:39:23 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 49CBE106AF28;
 Wed,  1 Aug 2018 00:39:23 +0000 (UTC)
 (envelope-from araujo@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id E8E418BE3E;
 Wed,  1 Aug 2018 00:39:22 +0000 (UTC)
 (envelope-from araujo@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A8E511B21D;
 Wed,  1 Aug 2018 00:39:22 +0000 (UTC)
 (envelope-from araujo@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w710dMgv060350;
 Wed, 1 Aug 2018 00:39:22 GMT (envelope-from araujo@FreeBSD.org)
Received: (from araujo@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w710dM9o060348;
 Wed, 1 Aug 2018 00:39:22 GMT (envelope-from araujo@FreeBSD.org)
Message-Id: <201808010039.w710dM9o060348@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: araujo set sender to
 araujo@FreeBSD.org using -f
From: Marcelo Araujo <araujo@FreeBSD.org>
Date: Wed, 1 Aug 2018 00:39:22 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r337023 - in head: sys/amd64/vmm usr.sbin/jail
X-SVN-Group: head
X-SVN-Commit-Author: araujo
X-SVN-Commit-Paths: in head: sys/amd64/vmm usr.sbin/jail
X-SVN-Commit-Revision: 337023
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2018 00:39:23 -0000

Author: araujo
Date: Wed Aug  1 00:39:21 2018
New Revision: 337023
URL: https://svnweb.freebsd.org/changeset/base/337023

Log:
  - Add the ability to run bhyve(8) within a jail(8).
  
  This patch adds a new sysctl(8) knob "security.jail.vmm_allowed",
  by default this option is disable.
  
  Submitted by:	Shawn Webb <shawn.webb____hardenedbsd.org>
  Reviewed by:	jamie@ and myself.
  Relnotes:	Yes.
  Sponsored by:	HardenedBSD and G2, Inc.
  Differential Revision:	https://reviews.freebsd.org/D16057

Modified:
  head/sys/amd64/vmm/vmm_dev.c
  head/usr.sbin/jail/jail.8

Modified: head/sys/amd64/vmm/vmm_dev.c
==============================================================================
--- head/sys/amd64/vmm/vmm_dev.c	Tue Jul 31 23:44:13 2018	(r337022)
+++ head/sys/amd64/vmm/vmm_dev.c	Wed Aug  1 00:39:21 2018	(r337023)
@@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
+#include <sys/jail.h>
 #include <sys/queue.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
@@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/ioccom.h>
 #include <sys/mman.h>
 #include <sys/uio.h>
+#include <sys/proc.h>
 
 #include <vm/vm.h>
 #include <vm/pmap.h>
@@ -82,16 +84,29 @@ struct vmmdev_softc {
 
 static SLIST_HEAD(, vmmdev_softc) head;
 
+static unsigned pr_allow_flag;
 static struct mtx vmmdev_mtx;
 
 static MALLOC_DEFINE(M_VMMDEV, "vmmdev", "vmmdev");
 
 SYSCTL_DECL(_hw_vmm);
 
+static int vmm_priv_check(struct ucred *ucred);
 static int devmem_create_cdev(const char *vmname, int id, char *devmem);
 static void devmem_destroy(void *arg);
 
 static int
+vmm_priv_check(struct ucred *ucred)
+{
+
+	if (jailed(ucred) &&
+	    !(ucred->cr_prison->pr_allow & pr_allow_flag))
+		return (EPERM);
+
+	return (0);
+}
+
+static int
 vcpu_lock_one(struct vmmdev_softc *sc, int vcpu)
 {
 	int error;
@@ -177,6 +192,10 @@ vmmdev_rw(struct cdev *cdev, struct uio *uio, int flag
 	void *hpa, *cookie;
 	struct vmmdev_softc *sc;
 
+	error = vmm_priv_check(curthread->td_ucred);
+	if (error)
+		return (error);
+
 	sc = vmmdev_lookup2(cdev);
 	if (sc == NULL)
 		return (ENXIO);
@@ -351,11 +370,14 @@ vmmdev_ioctl(struct cdev *cdev, u_long cmd, caddr_t da
 	uint64_t *regvals;
 	int *regnums;
 
+	error = vmm_priv_check(curthread->td_ucred);
+	if (error)
+		return (error);
+
 	sc = vmmdev_lookup2(cdev);
 	if (sc == NULL)
 		return (ENXIO);
 
-	error = 0;
 	vcpu = -1;
 	state_changed = 0;
 
@@ -777,6 +799,10 @@ vmmdev_mmap_single(struct cdev *cdev, vm_ooffset_t *of
 	int error, found, segid;
 	bool sysmem;
 
+	error = vmm_priv_check(curthread->td_ucred);
+	if (error)
+		return (error);
+
 	first = *offset;
 	last = first + mapsize;
 	if ((nprot & PROT_EXEC) || first < 0 || first >= last)
@@ -865,6 +891,10 @@ sysctl_vmm_destroy(SYSCTL_HANDLER_ARGS)
 	struct vmmdev_softc *sc;
 	struct cdev *cdev;
 
+	error = vmm_priv_check(req->td->td_ucred);
+	if (error)
+		return (error);
+
 	strlcpy(buf, "beavis", sizeof(buf));
 	error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 	if (error != 0 || req->newptr == NULL)
@@ -906,7 +936,8 @@ sysctl_vmm_destroy(SYSCTL_HANDLER_ARGS)
 	destroy_dev_sched_cb(cdev, vmmdev_destroy, sc);
 	return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy,
+	    CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 	    NULL, 0, sysctl_vmm_destroy, "A", NULL);
 
 static struct cdevsw vmmdevsw = {
@@ -927,6 +958,10 @@ sysctl_vmm_create(SYSCTL_HANDLER_ARGS)
 	struct vmmdev_softc *sc, *sc2;
 	char buf[VM_MAX_NAMELEN];
 
+	error = vmm_priv_check(req->td->td_ucred);
+	if (error)
+		return (error);
+
 	strlcpy(buf, "beavis", sizeof(buf));
 	error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 	if (error != 0 || req->newptr == NULL)
@@ -977,13 +1012,16 @@ sysctl_vmm_create(SYSCTL_HANDLER_ARGS)
 
 	return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, create, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, create,
+	    CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 	    NULL, 0, sysctl_vmm_create, "A", NULL);
 
 void
 vmmdev_init(void)
 {
 	mtx_init(&vmmdev_mtx, "vmm device mutex", NULL, MTX_DEF);
+	pr_allow_flag = prison_add_allow(NULL, "vmm", NULL,
+	    "Allow use of vmm in a jail.");
 }
 
 int

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8	Tue Jul 31 23:44:13 2018	(r337022)
+++ head/usr.sbin/jail/jail.8	Wed Aug  1 00:39:21 2018	(r337023)
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 29, 2018
+.Dd July 30, 2018
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -650,6 +650,12 @@ See
 .Xr zfs 8
 for information on how to configure the ZFS filesystem to operate from
 within a jail.
+.It Va allow.vmm
+The jail may access
+.Xr vmm 4 .
+This flag is only available when the
+.Xr vmm 4
+kernel module is loaded.
 .It Va linux
 Determine how a jail's Linux emulation environment appears.
 A value of
@@ -1294,6 +1300,7 @@ environment of the first jail.
 .Xr ps 1 ,
 .Xr quota 1 ,
 .Xr jail_set 2 ,
+.Xr vmm 4 ,
 .Xr devfs 5 ,
 .Xr fdescfs 5 ,
 .Xr jail.conf 5 ,