Date: Wed, 1 Aug 2018 00:39:22 +0000 (UTC) From: Marcelo Araujo <araujo@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r337023 - in head: sys/amd64/vmm usr.sbin/jail Message-ID: <201808010039.w710dM9o060348@repo.freebsd.org>
Author: araujo
Date: Wed Aug 1 00:39:21 2018
New Revision: 337023
URL: https://svnweb.freebsd.org/changeset/base/337023
Log:
- Add the ability to run bhyve(8) within a jail(8). This patch adds a new sysctl(8) knob "security.jail.vmm_allowed", by default this option is disable.
Submitted by: Shawn Webb <shawn.webb____hardenedbsd.org>
Reviewed by: jamie@ and myself.
Relnotes: Yes.
Sponsored by: HardenedBSD and G2, Inc.
Differential Revision: https://reviews.freebsd.org/D16057
Modified:
head/sys/amd64/vmm/vmm_dev.c
head/usr.sbin/jail/jail.8
Modified: head/sys/amd64/vmm/vmm_dev.c
==============================================================================
--- head/sys/amd64/vmm/vmm_dev.c Tue Jul 31 23:44:13 2018 (r337022)
+++ head/sys/amd64/vmm/vmm_dev.c Wed Aug 1 00:39:21 2018 (r337023)
@@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/kernel.h>
+#include <sys/jail.h>
 #include <sys/queue.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
@@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/ioccom.h>
 #include <sys/mman.h>
 #include <sys/uio.h>
+#include <sys/proc.h>
 #include <vm/vm.h>
 #include <vm/pmap.h>
@@ -82,16 +84,29 @@ struct vmmdev_softc {
 static SLIST_HEAD(, vmmdev_softc) head;
+static unsigned pr_allow_flag;
 static struct mtx vmmdev_mtx;
 static MALLOC_DEFINE(M_VMMDEV, "vmmdev", "vmmdev");
 SYSCTL_DECL(_hw_vmm);
+static int vmm_priv_check(struct ucred *ucred);
 static int devmem_create_cdev(const char *vmname, int id, char *devmem);
 static void devmem_destroy(void *arg);
 static int
+vmm_priv_check(struct ucred *ucred)
+{
+
+ if (jailed(ucred) &&
+ !(ucred->cr_prison->pr_allow & pr_allow_flag))
+ return (EPERM);
+
+ return (0);
+}
+
+static int
 vcpu_lock_one(struct vmmdev_softc *sc, int vcpu)
 {
 int error;
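Review bot: vmm_priv_check decides only whether a jailed credential may touch vmm at all; it never ties the caller to a particular VM, so a jail whose allow flag is set is admitted to every VM the later lookups can find, and the hunk leaves that implicit. The test against `pr_allow_flag` also fails closed while the flag is still 0, i.e. before vmmdev_init has registered it, which is the safe direction but worth recording next to the static. I would put a header above the definition: `/* Jailed callers need the jail's allow.vmm bit; unjailed callers are admitted unconditionally (the device node's devfs permissions still apply). This is not a per-VM ownership check. */`. The trailing context lines belong to vcpu_lock_one, whose body continues outside the hunk.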
@@ -177,6 +192,10 @@ vmmdev_rw(struct cdev *cdev, struct uio *uio, int flag
 void *hpa, *cookie;
 struct vmmdev_softc *sc;
+ error = vmm_priv_check(curthread->td_ucred);
+ if (error)
+ return (error);
+
 sc = vmmdev_lookup2(cdev);
 if (sc == NULL)
 return (ENXIO);
@@ -351,11 +370,14 @@ vmmdev_ioctl(struct cdev *cdev, u_long cmd, caddr_t da
 uint64_t *regvals;
 int *regnums;
+ error = vmm_priv_check(curthread->td_ucred);
+ if (error)
+ return (error);
+
 sc = vmmdev_lookup2(cdev);
 if (sc == NULL)
 return (ENXIO);
- error = 0;
 vcpu = -1;
 state_changed = 0;
@@ -777,6 +799,10 @@ vmmdev_mmap_single(struct cdev *cdev, vm_ooffset_t *of
 int error, found, segid;
 bool sysmem;
+ error = vmm_priv_check(curthread->td_ucred);
+ if (error)
+ return (error);
+
 first = *offset;
 last = first + mapsize;
 if ((nprot & PROT_EXEC) || first < 0 || first >= last)
@@ -865,6 +891,10 @@ sysctl_vmm_destroy(SYSCTL_HANDLER_ARGS)
 struct vmmdev_softc *sc;
 struct cdev *cdev;
+ error = vmm_priv_check(req->td->td_ucred);
+ if (error)
+ return (error);
+
 strlcpy(buf, "beavis", sizeof(buf));
 error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 if (error != 0 || req->newptr == NULL)
@@ -906,7 +936,8 @@ sysctl_vmm_destroy(SYSCTL_HANDLER_ARGS)
 destroy_dev_sched_cb(cdev, vmmdev_destroy, sc);
 return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy,
+ CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 NULL, 0, sysctl_vmm_destroy, "A", NULL);
 static struct cdevsw vmmdevsw = {
@@ -927,6 +958,10 @@ sysctl_vmm_create(SYSCTL_HANDLER_ARGS)
 struct vmmdev_softc *sc, *sc2;
 char buf[VM_MAX_NAMELEN];
+ error = vmm_priv_check(req->td->td_ucred);
+ if (error)
+ return (error);
+
 strlcpy(buf, "beavis", sizeof(buf));
 error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 if (error != 0 || req->newptr == NULL)
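Review bot: The credential check added to vmmdev_rw runs on every read and write rather than once at open, so a descriptor opened on the host and later used from inside a jail (passed over a socket, or held across a jail_attach) is re-evaluated against that jail's allow flag on each call; this is the stricter behaviour, but nothing in the hunk says it is deliberate. A one-line comment above the call would keep a later cleanup from moving it to open time: `/* Checked per call, not at open: the calling jail may differ from the opener's. */`. The same pattern is repeated in vmmdev_ioctl and vmmdev_mmap_single, so the comment belongs on the first instance. vmmdev_rw starts before the hunk and its body continues after it.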
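Review bot: Marking hw.vmm.destroy CTLFLAG_PRISON lets any jail with the allow flag set destroy a VM purely by name, and nothing visible in the diff records which prison (if any) created a VM, so a jailed bhyve can tear down the host's or another jail's VM as long as it knows the name. If that is the accepted model for a first cut it should be stated where the exposure happens; at minimum I would add above the SYSCTL_PROC: `/* CTLFLAG_PRISON: reachable from jails with allow.vmm; lookup is by global name and not scoped to the caller's prison. */`. Recording the creating prison in the softc and comparing it in sysctl_vmm_destroy would close this, but that reaches past the hunk. sysctl_vmm_destroy starts before this hunk.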
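Review bot: sysctl_vmm_create now admits a jailed caller but does not record the creating prison anywhere visible, so there is nothing to check ownership against later and, as far as the diff shows, nothing reclaims the VM when the jail is removed (no prison-removal hook is registered). That limitation deserves a comment on the new check so it is not mistaken for full isolation: `/* allow.vmm gates creation only; the VM is not associated with the creating jail. */`. sysctl_vmm_create's body continues outside the hunk.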
@@ -977,13 +1012,16 @@ sysctl_vmm_create(SYSCTL_HANDLER_ARGS)
 return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, create, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, create,
+ CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 NULL, 0, sysctl_vmm_create, "A", NULL);
 void
 vmmdev_init(void)
 {
 mtx_init(&vmmdev_mtx, "vmm device mutex", NULL, MTX_DEF);
+ pr_allow_flag = prison_add_allow(NULL, "vmm", NULL,
+ "Allow use of vmm in a jail.");
 }
 int
Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8 Tue Jul 31 23:44:13 2018 (r337022)
+++ head/usr.sbin/jail/jail.8 Wed Aug 1 00:39:21 2018 (r337023)
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 29, 2018
+.Dd July 30, 2018
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -650,6 +650,12 @@ See
 .Xr zfs 8
 for information on how to configure the ZFS filesystem to operate from within a jail.
+.It Va allow.vmm
+The jail may access
+.Xr vmm 4 .
+This flag is only available when the
+.Xr vmm 4
+kernel module is loaded.
 .It Va linux
 Determine how a jail's Linux emulation environment appears. A value of
@@ -1294,6 +1300,7 @@ environment of the first jail.
 .Xr ps 1 ,
 .Xr quota 1 ,
 .Xr jail_set 2 ,
+.Xr vmm 4 ,
 .Xr devfs 5 ,
 .Xr fdescfs 5 ,
 .Xr jail.conf 5 ,
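Review bot: The prison_add_allow call in vmmdev_init registers a jail allow parameter named "vmm", which read together with the jail.8 hunk is `allow.vmm`, whereas the commit log advertises a sysctl called "security.jail.vmm_allowed"; one of the two is wrong, and the log is what users will search for. Since pr_allow_flag is a file-scope static that every vmm_priv_check call reads, the assignment also deserves a comment tying the two together, e.g. `/* Registers allow.vmm; the returned bit is what vmm_priv_check tests against pr_allow. */`. Whether the bit needs to be released when the module is unloaded depends on the jail API and is not visible here, so that is worth confirming rather than assuming. vmmdev_init is complete within the hunk; the preceding context is the tail of sysctl_vmm_create.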