Date: Sun, 30 May 2021 12:38:53 +0000
From: bugzilla-noreply@freebsd.org
To: virtualization@FreeBSD.org
Subject: [Bug 251046] bhyve PCI passthrough does not work inside jail
Message-ID: <bug-251046-27103-5SHVE63AgS@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-251046-27103@https.bugs.freebsd.org/bugzilla/>
References: <bug-251046-27103@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046

Anatoli <me@anatoli.ws> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |me@anatoli.ws

--- Comment #7 from Anatoli <me@anatoli.ws> ---
Hi All,

> Even then I'm not sure why it's useful to jail the bhyve process - what does it buy you?

The idea to run bhyve inside jail is to provide an additional layer of security for potential vm-escape vulnerabilities in bhyve. This is the way VMs are executed on Linux (protected by AppArmor and SEL) and Illumos. Currently it's possible to run bhyve in jail, but not with PCI passthrough.

> A better solution would be to extend pci(4) so that bhyve can use it to do everything required for PCI passthrough.

Mark, could you please give us a hint on what should be done to extend pci(4) so jail changes are not needed? We are willing to implement this, but need some guidance.

One more security improvement that bhyve needs is to run it without root, but that's another story for another report.

--
You are receiving this mail because:
You are the assignee for the bug.
