Date: Mon, 22 Jan 2024 17:30:09 GMT
Message-Id: <202401221730.40MHU9qq010606@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kyle Evans
Subject: git: 7b48fa60a578 - stable/13 - bhyveload(8): document some SECURITY CONSIDERATIONS
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 7b48fa60a578a97d5d945290ba09ccc505f6bc8c

The branch stable/13 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=7b48fa60a578a97d5d945290ba09ccc505f6bc8c

commit 7b48fa60a578a97d5d945290ba09ccc505f6bc8c
Author:     Kyle Evans
AuthorDate: 2024-01-12 19:57:53 +0000
Commit:     Kyle Evans
CommitDate: 2024-01-22 17:17:53 +0000

    bhyveload(8): document some SECURITY CONSIDERATIONS

    The situation is improved now that we're running in a sandbox, but
    there is still some host machine access that could be concerning
    depending on the context.

    These concerns may be somewhat mitigated by the fact that the host
    machine usually provides the loader binary, even when the guest image
    is providing the loader scripts -- they only bring the lua scripts, and
    they have to be able to execute arbitrary syscalls rather than the
    interfaces provided by libsa(3).

    Reviewed by:	jhb, markj

    (cherry picked from commit 5df041c4bbf70d549b055f332630925295ad5aaf)
---
 usr.sbin/bhyveload/bhyveload.8 | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/bhyveload/bhyveload.8 b/usr.sbin/bhyveload/bhyveload.8
index edeb8ee938f4..54e326e49c8c 100644
--- a/usr.sbin/bhyveload/bhyveload.8
+++ b/usr.sbin/bhyveload/bhyveload.8
@@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd June 24, 2016 +.Dd January 12, 2024 .Dt BHYVELOAD 8 .Os .Sh NAME @@ -171,3 +171,43 @@ at NetApp Inc with a lot of help from can only load .Fx as a guest. +.Sh SECURITY CONSIDERATIONS +Note that in some configurations, +.Nm +will execute guest loader scripts in the context of the host machine. +Note, however, that +.Nm +will enter a +.Xr capsicum 4 +sandbox before it loads the +.Ar os-loader +or executes any loader scripts. +On the host filesystem, the sandbox will only have access to the path specified +by the +.Fl h +flag, the contents of the +.Pa /boot +directory if +.Fl l +was not specified, and the chosen console device. +.Pp +Note that the guest loader scripts are already subject to some limitations that +are not relaxed simply because we are running in userland. +For instance, any I/O on the loader's +.Dq host +device that can be done in loader scripts is limited to the interface that +.Nm +provides, which itself will restrict paths that can be touched to those within +a specified +.Fl h +directory, if any. +Access to files within +.Pa /boot +inside the sandbox would require arbitrary code execution in userboot, and +userboot is usually provided by the host machine rather than anything that is +a part of the guest image. +All access to the +.Fl h +directory as well as +.Pa /boot +is strictly read-only in the sandbox.
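Review bot: In the new SECURITY CONSIDERATIONS section, the opening sentence "Note that in some configurations, .Nm will execute guest loader scripts in the context of the host machine." leaves the reader to guess which configurations are meant; the commit message identifies the case (the guest image supplying its own Lua loader scripts while the host supplies userboot), so the manual page should name it, for example "When the guest image supplies its own loader scripts, .Nm executes them on the host." Two smaller style points in the same hunk: three consecutive sentences begin with "Note", and "simply because we are running in userland" uses the first person, which mdoc prose normally avoids; "because the loader is running in userland" reads better. Finally, the read-only property stated in the last sentence is the strongest guarantee here, and it would help the reader to attach it to the earlier list of what the sandbox can reach (the .Fl h path, .Pa /boot when .Fl l is absent, and the console device) rather than leaving it to the end of the section.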