To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: f3c772361f3b - main - vmm: Restore the ability to create VMs as root in a jail
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f3c772361f3b6213ec7ae7de993b6953357c7b48
Auto-Submitted: auto-generated
Date: Wed, 01 Apr 2026 11:16:38 +0000
Message-Id: <69ccfe96.45285.612d5bc7@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=f3c772361f3b6213ec7ae7de993b6953357c7b48

commit f3c772361f3b6213ec7ae7de993b6953357c7b48
Author:     Mark Johnston
AuthorDate: 2026-04-01 09:25:27 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-01 11:16:14 +0000

    vmm: Restore the ability to create VMs as root in a jail

    The new PRIV_VMM_CREATE and DESTROY permissions should be allowed by
    jails, so need to be added to the list in prison_priv_check().

    Then, modify vmmdev_create() to verify that the jail was created with
    the allow.vmm flag.  This is already verified when opening /dev/vmmctl,
    but checking again doesn't hurt and ensures that one can't pass the
    allow.vmm policy by passing a vmmctl fd along a unix domain socket from
    outside the jail.

    Rename vmm_priv_check() to vmm_jail_priv_check() to make the function's
    purpose more clear.

    Reported by:    novel
    Reviewed by:    bnovkov
    Fixes:          d4c05edd410e ("vmm: Add privilege checks to vmmctl operations")
    Differential Revision:  https://reviews.freebsd.org/D56119
---
 sys/dev/vmm/vmm_dev.c | 16 +++++++++++-----
 sys/kern/kern_jail.c  |  8 ++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/sys/dev/vmm/vmm_dev.c b/sys/dev/vmm/vmm_dev.c index ed8e5b2e0777..a2775023838a 100644 --- a/sys/dev/vmm/vmm_dev.c +++ b/sys/dev/vmm/vmm_dev.c @@ -114,7 +114,7 @@ static int devmem_create_cdev(struct vmmdev_softc *sc, int id, char *devmem); static void vmmdev_destroy(struct vmmdev_softc *sc); static int -vmm_priv_check(struct ucred *ucred) +vmm_jail_priv_check(struct ucred *ucred) { if (jailed(ucred) && (ucred->cr_prison->pr_allow & pr_allow_vmm_flag) == 0) @@ -371,7 +371,7 @@ vmmdev_open(struct cdev *dev, int flags, int fmt, struct thread *td) * A jail without vmm access shouldn't be able to access vmm device * files at all, but check here just to be thorough. */ - error = vmm_priv_check(td->td_ucred); + error = vmm_jail_priv_check(td->td_ucred); if (error != 0) return (error); @@ -940,7 +940,7 @@ sysctl_vmm_destroy(SYSCTL_HANDLER_ARGS) char *buf; int error, buflen; - error = vmm_priv_check(req->td->td_ucred); + error = vmm_jail_priv_check(req->td->td_ucred); if (error) return (error); @@ -1016,6 +1016,12 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred) "An unprivileged user must run VMs in monitor mode")); } + if ((error = vmm_jail_priv_check(cred)) != 0) { + sx_xunlock(&vmmdev_mtx); + return (EXTERROR(error, + "VMs cannot be created in the current jail")); + } + if (!chgvmmcnt(cred->cr_ruidinfo, 1, vm_maxvmms)) { sx_xunlock(&vmmdev_mtx); return (ENOMEM); @@ -1061,7 +1067,7 @@ sysctl_vmm_create(SYSCTL_HANDLER_ARGS) if (!vmm_initialized) return (ENXIO); - error = vmm_priv_check(req->td->td_ucred); + error = vmm_jail_priv_check(req->td->td_ucred); if (error != 0) return (error); @@ -1126,7 +1132,7 @@ vmmctl_open(struct cdev *cdev, int flags, int fmt, struct thread *td) int error; struct vmmctl_priv *priv; - error = vmm_priv_check(td->td_ucred); + error = vmm_jail_priv_check(td->td_ucred); if (error != 0) return (error); diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 9f78cb42aeb1..384825b7f8ac 100644 
--- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -4736,6 +4736,14 @@ prison_priv_check(struct ucred *cred, int priv) else return (EPERM); + case PRIV_VMM_CREATE: + case PRIV_VMM_DESTROY: + /* + * Jailed root can create and destroy VMs; the vmm module + * additionally checks for the allow.vmm flag. + */ + return (0); + case PRIV_VMM_PPTDEV: /* * Allow jailed root to manage passthrough devices. vmm(4) also
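
Review bot: the new vmm_jail_priv_check(cred) call in vmmdev_create() (hunk at -1016,6 +1016,12 of sys/dev/vmm/vmm_dev.c) has no comment saying why it repeats the check already made in vmmctl_open(). The reason given in the commit message, that a vmmctl descriptor opened outside the jail can be passed in over a unix domain socket, deserves a short comment above the `if`, in the same way vmmdev_open() carries one for its own check; without it the block reads as redundant and is easy to drop in a later cleanup.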
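
Review bot: in prison_priv_check() (hunk at -4736,6 +4736,14 of sys/kern/kern_jail.c), the PRIV_VMM_CREATE and PRIV_VMM_DESTROY cases return 0 unconditionally, so allow.vmm is enforced only where the vmm code calls vmm_jail_priv_check() itself. The added comment says "the vmm module additionally checks for the allow.vmm flag"; naming vmm_jail_priv_check() there would make that dependency searchable, and any new path that checks these two privileges needs the same call, as vmmdev_create() and sysctl_vmm_destroy() do in this patch.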