[Bug 231480] sysutils/grub2-bhyve: "(host)" filesystem is a potential security issue
bugzilla-noreply at freebsd.org
Wed Sep 19 14:55:43 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231480
Bug ID: 231480
Summary: sysutils/grub2-bhyve: "(host)" filesystem is a potential security issue
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: ports-bugs at FreeBSD.org
Reporter: noah.bergbauer at tum.de
Grub-bhyve has access to the host filesystem through the '(host)' pseudofs.
Considering that the typical Linux guest would have its grub configuration on
its boot partition (as the handbook suggests:
https://www.freebsd.org/doc/handbook/virtualization-host-bhyve.html) this means
that having root permissions on the guest allows you to access the host
filesystem on the next VM boot, for example:
* Add "source (host)/root/secret.txt" to the head of grub.cfg
* Add "myvalue=$password" to the kernel command line
* Shut down VM
* On the host: "echo password=verysecret12345 > /root/secret.txt"
* Launch VM
$ cat /proc/cmdline
console=ttyS0 BOOT_IMAGE=/boot/vmlinuz-4.4.0-75-generic
root=UUID=e757cf85-936a-4fe8-b099-54046961756d ro myvalue=verysecret12345
$
As you can see this might be a critical information leak in certain
circumstances, especially because you have to (?) run grub-bhyve as root on the
host system.
Perhaps an option could be added to chroot the bootloader once it is done
loading libraries and opening image/disk files? Module loading is disabled so
the filesystem appears to be the only remaining attack surface.
--
You are receiving this mail because:
You are the assignee for the bug.
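
A host-side audit for the pattern described in this report, as an added example that is not part of the original bug report or of grub2-bhyve: it scans the text of a guest's grub.cfg for commands that reach the `(host)` device, so the file can be checked before grub-bhyve is run on it. The function name, the matching rules and the sample configuration are assumptions; it is a heuristic with simple variable expansion, not a full GRUB script parser, and it assumes the grub.cfg text has already been read from the guest's boot partition.

```python
import re

ASSIGN = re.compile(r"^(?:set\s+)?([A-Za-z_]\w*)=(.*)$")
VARREF = re.compile(r"\$(?:\{(\w+)\}|(\w+))")
HOST_DEV = re.compile(r"\(host\)")

# Constructed sample: the "source" line is the one from the report above.
SAMPLE_CFG = """\
# constructed grub.cfg for illustration
source (host)/root/secret.txt
set dev=host
menuentry 'Linux' {
    source ($dev)/root/secret.txt
    set root='hd0,msdos1'
    linux /boot/vmlinuz root=UUID=0000 ro myvalue=$password
}
"""

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def find_host_refs(cfg_text):
    """Return (line_no, reason, command) for each command that reaches (host)."""
    env, findings = {}, []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        for cmd in filter(None, (c.strip() for c in raw.split(";"))):
            # Resolve $name / ${name} from earlier assignments in this file.
            expanded = VARREF.sub(
                lambda m: env.get(m.group(1) or m.group(2), m.group(0)), cmd)
            m = ASSIGN.match(expanded)
            if m:
                name, value = m.group(1), _unquote(m.group(2))
                env[name] = value
                # With root on the host device, device-less paths resolve there.
                if name == "root" and value.strip("()") == "host":
                    findings.append((no, "root set to host device", cmd))
                    continue
            if HOST_DEV.search(expanded):
                findings.append((no, "explicit (host) path", cmd))
    return findings

if __name__ == "__main__":
    for no, reason, cmd in find_host_refs(SAMPLE_CFG):
        print(f"line {no}: {reason}: {cmd}")
```

Because variables inside single quotes are expanded here as well, the scan can over-report; treat a finding as a reason to inspect the file, not as proof.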