svn commit: r320866 - in stable/11: lib/libvmmapi usr.sbin/bhyve
Peter Grehan
grehan at FreeBSD.org
Mon Jul 10 06:28:53 UTC 2017
Author: grehan
Date: Mon Jul 10 06:28:50 2017
New Revision: 320866
URL: https://svnweb.freebsd.org/changeset/base/320866
Log:
MFC 313727, 317483
In addition, replace the missing caph routines with
small helper functions (bhyverun.c) or an open-coded
replacement (uart_emul.c)
313727 Capsicumize bhyve
317483 Allow CAP_MMAP_RW on memfd for PCI passthru
Modified:
stable/11/lib/libvmmapi/vmmapi.c
stable/11/lib/libvmmapi/vmmapi.h
stable/11/usr.sbin/bhyve/bhyverun.c
stable/11/usr.sbin/bhyve/block_if.c
stable/11/usr.sbin/bhyve/consport.c
stable/11/usr.sbin/bhyve/dbgport.c
stable/11/usr.sbin/bhyve/mevent.c
stable/11/usr.sbin/bhyve/pci_e82545.c
stable/11/usr.sbin/bhyve/pci_passthru.c
stable/11/usr.sbin/bhyve/pci_virtio_net.c
stable/11/usr.sbin/bhyve/pci_virtio_rnd.c
stable/11/usr.sbin/bhyve/rfb.c
stable/11/usr.sbin/bhyve/uart_emul.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/lib/libvmmapi/vmmapi.c
==============================================================================
--- stable/11/lib/libvmmapi/vmmapi.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/lib/libvmmapi/vmmapi.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -1416,3 +1416,45 @@ vm_restart_instruction(void *arg, int vcpu)
return (ioctl(ctx->fd, VM_RESTART_INSTRUCTION, &vcpu));
}
+
+int
+vm_get_device_fd(struct vmctx *ctx)
+{
+
+ return (ctx->fd);
+}
+
+const cap_ioctl_t *
+vm_get_ioctls(size_t *len)
+{
+ cap_ioctl_t *cmds;
+ /* keep in sync with machine/vmm_dev.h */
+ static const cap_ioctl_t vm_ioctl_cmds[] = { VM_RUN, VM_SUSPEND, VM_REINIT,
+ VM_ALLOC_MEMSEG, VM_GET_MEMSEG, VM_MMAP_MEMSEG, VM_MMAP_MEMSEG,
+ VM_MMAP_GETNEXT, VM_SET_REGISTER, VM_GET_REGISTER,
+ VM_SET_SEGMENT_DESCRIPTOR, VM_GET_SEGMENT_DESCRIPTOR,
+ VM_INJECT_EXCEPTION, VM_LAPIC_IRQ, VM_LAPIC_LOCAL_IRQ,
+ VM_LAPIC_MSI, VM_IOAPIC_ASSERT_IRQ, VM_IOAPIC_DEASSERT_IRQ,
+ VM_IOAPIC_PULSE_IRQ, VM_IOAPIC_PINCOUNT, VM_ISA_ASSERT_IRQ,
+ VM_ISA_DEASSERT_IRQ, VM_ISA_PULSE_IRQ, VM_ISA_SET_IRQ_TRIGGER,
+ VM_SET_CAPABILITY, VM_GET_CAPABILITY, VM_BIND_PPTDEV,
+ VM_UNBIND_PPTDEV, VM_MAP_PPTDEV_MMIO, VM_PPTDEV_MSI,
+ VM_PPTDEV_MSIX, VM_INJECT_NMI, VM_STATS, VM_STAT_DESC,
+ VM_SET_X2APIC_STATE, VM_GET_X2APIC_STATE,
+ VM_GET_HPET_CAPABILITIES, VM_GET_GPA_PMAP, VM_GLA2GPA,
+ VM_ACTIVATE_CPU, VM_GET_CPUS, VM_SET_INTINFO, VM_GET_INTINFO,
+ VM_RTC_WRITE, VM_RTC_READ, VM_RTC_SETTIME, VM_RTC_GETTIME,
+ VM_RESTART_INSTRUCTION };
+
+ if (len == NULL) {
+ cmds = malloc(sizeof(vm_ioctl_cmds));
+ if (cmds == NULL)
+ return (NULL);
+ bcopy(vm_ioctl_cmds, cmds, sizeof(vm_ioctl_cmds));
+ return (cmds);
+ }
+
+ *len = nitems(vm_ioctl_cmds);
+ return (NULL);
+}
+
Modified: stable/11/lib/libvmmapi/vmmapi.h
==============================================================================
--- stable/11/lib/libvmmapi/vmmapi.h Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/lib/libvmmapi/vmmapi.h Mon Jul 10 06:28:50 2017 (r320866)
@@ -36,7 +36,7 @@
* API version for out-of-tree consumers like grub-bhyve for making compile
* time decisions.
*/
-#define VMMAPI_VERSION 0102 /* 2 digit major followed by 2 digit minor */
+#define VMMAPI_VERSION 0103 /* 2 digit major followed by 2 digit minor */
struct iovec;
struct vmctx;
@@ -102,6 +102,7 @@ int vm_mmap_memseg(struct vmctx *ctx, vm_paddr_t gpa,
vm_ooffset_t segoff, size_t len, int prot);
int vm_create(const char *name);
+int vm_get_device_fd(struct vmctx *ctx);
struct vmctx *vm_open(const char *name);
void vm_destroy(struct vmctx *ctx);
int vm_parse_memsize(const char *optarg, size_t *memsize);
@@ -161,6 +162,8 @@ int vm_setup_pptdev_msix(struct vmctx *ctx, int vcpu,
int vm_get_intinfo(struct vmctx *ctx, int vcpu, uint64_t *i1, uint64_t *i2);
int vm_set_intinfo(struct vmctx *ctx, int vcpu, uint64_t exit_intinfo);
+
+const cap_ioctl_t *vm_get_ioctls(size_t *len);
/*
* Return a pointer to the statistics buffer. Note that this is not MT-safe.
Modified: stable/11/usr.sbin/bhyve/bhyverun.c
==============================================================================
--- stable/11/usr.sbin/bhyve/bhyverun.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/bhyverun.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -30,6 +30,9 @@
__FBSDID("$FreeBSD$");
#include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/mman.h>
#include <sys/time.h>
@@ -40,6 +43,7 @@ __FBSDID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <err.h>
+#include <errno.h>
#include <libgen.h>
#include <unistd.h>
#include <assert.h>
@@ -48,8 +52,15 @@ __FBSDID("$FreeBSD$");
#include <pthread_np.h>
#include <sysexits.h>
#include <stdbool.h>
+#ifndef WITHOUT_CAPSICUM
+#include <nl_types.h>
+#include <termios.h>
+#endif
#include <machine/vmm.h>
+#ifndef WITHOUT_CAPSICUM
+#include <machine/vmm_dev.h>
+#endif
#include <vmmapi.h>
#include "bhyverun.h"
@@ -152,7 +163,44 @@ usage(int code)
exit(code);
}
+#ifndef WITHOUT_CAPSICUM
+/*
+ * 11-stable capsicum helpers
+ */
+static void
+bhyve_caph_cache_catpages(void)
+{
+
+ (void)catopen("libc", NL_CAT_LOCALE);
+}
+
static int
+bhyve_caph_limit_stdoe(void)
+{
+ cap_rights_t rights;
+ unsigned long cmds[] = { TIOCGETA, TIOCGWINSZ };
+ int i, fds[] = { STDOUT_FILENO, STDERR_FILENO };
+
+ cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_IOCTL);
+ cap_rights_set(&rights, CAP_WRITE);
+
+ for (i = 0; i < nitems(fds); i++) {
+ if (cap_rights_limit(fds[i], &rights) < 0 && errno != ENOSYS)
+ return (-1);
+
+ if (cap_ioctls_limit(fds[i], cmds, nitems(cmds)) < 0 && errno != ENOSYS)
+ return (-1);
+
+ if (cap_fcntls_limit(fds[i], CAP_FCNTL_GETFL) < 0 && errno != ENOSYS)
+ return (-1);
+ }
+
+ return (0);
+}
+
+#endif
+
+static int
pincpu_parse(const char *opt)
{
int vcpu, pcpu;
@@ -706,6 +754,11 @@ do_open(const char *vmname)
struct vmctx *ctx;
int error;
bool reinit, romboot;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+ const cap_ioctl_t *cmds;
+ size_t ncmds;
+#endif
reinit = romboot = false;
@@ -744,6 +797,21 @@ do_open(const char *vmname)
exit(1);
}
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_IOCTL, CAP_MMAP_RW);
+ if (cap_rights_limit(vm_get_device_fd(ctx), &rights) == -1 &&
+ errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ vm_get_ioctls(&ncmds);
+ cmds = vm_get_ioctls(NULL);
+ if (cmds == NULL)
+ errx(EX_OSERR, "out of memory");
+ if (cap_ioctls_limit(vm_get_device_fd(ctx), cmds, ncmds) == -1 &&
+ errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ free((cap_ioctl_t *)cmds);
+#endif
+
if (reinit) {
error = vm_reinit(ctx);
if (error) {
@@ -951,6 +1019,16 @@ main(int argc, char *argv[])
if (lpc_bootrom())
fwctl_init();
+
+#ifndef WITHOUT_CAPSICUM
+
+
+ if (bhyve_caph_limit_stdoe() == -1)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+
+ if (cap_enter() == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "cap_enter() failed");
+#endif
/*
* Change the proc title to include the VM name.
Modified: stable/11/usr.sbin/bhyve/block_if.c
==============================================================================
--- stable/11/usr.sbin/bhyve/block_if.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/block_if.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -30,6 +30,9 @@
__FBSDID("$FreeBSD$");
#include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/queue.h>
#include <sys/errno.h>
#include <sys/stat.h>
@@ -45,6 +48,7 @@ __FBSDID("$FreeBSD$");
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
+#include <sysexits.h>
#include <unistd.h>
#include <machine/atomic.h>
@@ -400,6 +404,10 @@ blockif_open(const char *optstr, const char *ident)
off_t size, psectsz, psectoff;
int extra, fd, i, sectsz;
int nocache, sync, ro, candelete, geom, ssopt, pssopt;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+ cap_ioctl_t cmds[] = { DIOCGFLUSH, DIOCGDELETE };
+#endif
pthread_once(&blockif_once, blockif_init);
@@ -457,6 +465,16 @@ blockif_open(const char *optstr, const char *ident)
goto err;
}
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_FSYNC, CAP_IOCTL, CAP_READ, CAP_SEEK,
+ CAP_WRITE);
+ if (ro)
+ cap_rights_clear(&rights, CAP_FSYNC, CAP_WRITE);
+
+ if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
/*
* Deal with raw devices
*/
@@ -482,6 +500,11 @@ blockif_open(const char *optstr, const char *ident)
geom = 1;
} else
psectsz = sbuf.st_blksize;
+
+#ifndef WITHOUT_CAPSICUM
+ if (cap_ioctls_limit(fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
if (ssopt != 0) {
if (!powerof2(ssopt) || !powerof2(pssopt) || ssopt < 512 ||
Modified: stable/11/usr.sbin/bhyve/consport.c
==============================================================================
--- stable/11/usr.sbin/bhyve/consport.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/consport.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -30,13 +30,19 @@
__FBSDID("$FreeBSD$");
#include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/select.h>
+#include <err.h>
+#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <termios.h>
#include <unistd.h>
#include <stdbool.h>
+#include <sysexits.h>
#include "inout.h"
#include "pci_lpc.h"
@@ -104,6 +110,10 @@ console_handler(struct vmctx *ctx, int vcpu, int in, i
uint32_t *eax, void *arg)
{
static int opened;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+ cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ };
+#endif
if (bytes == 2 && in) {
*eax = BVM_CONS_SIG;
@@ -123,6 +133,13 @@ console_handler(struct vmctx *ctx, int vcpu, int in, i
return (-1);
if (!opened) {
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(STDIN_FILENO, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (cap_ioctls_limit(STDIN_FILENO, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
ttyopen();
opened = 1;
}
Modified: stable/11/usr.sbin/bhyve/dbgport.c
==============================================================================
--- stable/11/usr.sbin/bhyve/dbgport.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/dbgport.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -30,13 +30,18 @@
__FBSDID("$FreeBSD$");
#include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/uio.h>
+#include <err.h>
#include <stdio.h>
#include <stdlib.h>
+#include <sysexits.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
@@ -125,6 +130,9 @@ void
init_dbgport(int sport)
{
int reuse;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
conn_fd = -1;
@@ -154,6 +162,12 @@ init_dbgport(int sport)
perror("listen");
exit(1);
}
+
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(listen_fd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
register_inout(&dbgport);
}
Modified: stable/11/usr.sbin/bhyve/mevent.c
==============================================================================
--- stable/11/usr.sbin/bhyve/mevent.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/mevent.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -35,13 +35,18 @@
__FBSDID("$FreeBSD$");
#include <assert.h>
+#include <err.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
+#include <sysexits.h>
#include <unistd.h>
#include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/event.h>
#include <sys/time.h>
@@ -401,6 +406,9 @@ mevent_dispatch(void)
int mfd;
int numev;
int ret;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
mevent_tid = pthread_self();
mevent_set_name();
@@ -408,6 +416,12 @@ mevent_dispatch(void)
mfd = kqueue();
assert(mfd > 0);
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_KQUEUE);
+ if (cap_rights_limit(mfd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
/*
* Open the pipe that will be used for other threads to force
* the blocking kqueue call to exit by writing to it. Set the
@@ -418,6 +432,14 @@ mevent_dispatch(void)
perror("pipe");
exit(0);
}
+
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(mevent_pipefd[0], &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (cap_rights_limit(mevent_pipefd[1], &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
/*
* Add internal event handler for the pipe write fd
Modified: stable/11/usr.sbin/bhyve/pci_e82545.c
==============================================================================
--- stable/11/usr.sbin/bhyve/pci_e82545.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/pci_e82545.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -31,6 +31,9 @@
__FBSDID("$FreeBSD$");
#include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/limits.h>
#include <sys/ioctl.h>
#include <sys/uio.h>
@@ -38,12 +41,14 @@ __FBSDID("$FreeBSD$");
#include <netinet/in.h>
#include <netinet/tcp.h>
+#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <md5.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sysexits.h>
#include <unistd.h>
#include <pthread.h>
#include <pthread_np.h>
@@ -2202,6 +2207,9 @@ static void
e82545_open_tap(struct e82545_softc *sc, char *opts)
{
char tbuf[80];
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
if (opts == NULL) {
sc->esc_tapfd = -1;
@@ -2228,6 +2236,12 @@ e82545_open_tap(struct e82545_softc *sc, char *opts)
sc->esc_tapfd = -1;
}
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(sc->esc_tapfd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
sc->esc_mevp = mevent_add(sc->esc_tapfd,
EVF_READ,
e82545_tap_callback,
Modified: stable/11/usr.sbin/bhyve/pci_passthru.c
==============================================================================
--- stable/11/usr.sbin/bhyve/pci_passthru.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/pci_passthru.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -30,6 +30,9 @@
__FBSDID("$FreeBSD$");
#include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/pciio.h>
@@ -44,7 +47,9 @@ __FBSDID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <err.h>
+#include <errno.h>
#include <fcntl.h>
+#include <sysexits.h>
#include <unistd.h>
#include <machine/vmm.h>
@@ -639,10 +644,19 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p
{
int bus, slot, func, error, memflags;
struct passthru_softc *sc;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+ cap_ioctl_t pci_ioctls[] = { PCIOCREAD, PCIOCWRITE, PCIOCGETBAR };
+ cap_ioctl_t io_ioctls[] = { IODEV_PIO };
+#endif
sc = NULL;
error = 1;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_WRITE);
+#endif
+
memflags = vm_get_memflags(ctx);
if (!(memflags & VM_MEM_F_WIRED)) {
warnx("passthru requires guest memory to be wired");
@@ -657,6 +671,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p
}
}
+#ifndef WITHOUT_CAPSICUM
+ if (cap_rights_limit(pcifd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (cap_ioctls_limit(pcifd, pci_ioctls, nitems(pci_ioctls)) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
if (iofd < 0) {
iofd = open(_PATH_DEVIO, O_RDWR, 0);
if (iofd < 0) {
@@ -665,6 +686,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p
}
}
+#ifndef WITHOUT_CAPSICUM
+ if (cap_rights_limit(iofd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (cap_ioctls_limit(iofd, io_ioctls, nitems(io_ioctls)) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
if (memfd < 0) {
memfd = open(_PATH_MEM, O_RDWR, 0);
if (memfd < 0) {
@@ -672,6 +700,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p
goto done;
}
}
+
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_clear(&rights, CAP_IOCTL);
+ cap_rights_set(&rights, CAP_MMAP_RW);
+ if (cap_rights_limit(memfd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
if (opts == NULL ||
sscanf(opts, "%d/%d/%d", &bus, &slot, &func) != 3) {
Modified: stable/11/usr.sbin/bhyve/pci_virtio_net.c
==============================================================================
--- stable/11/usr.sbin/bhyve/pci_virtio_net.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/pci_virtio_net.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -30,6 +30,9 @@
__FBSDID("$FreeBSD$");
#include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/linker_set.h>
#include <sys/select.h>
#include <sys/uio.h>
@@ -41,6 +44,7 @@ __FBSDID("$FreeBSD$");
#endif
#include <net/netmap_user.h>
+#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
@@ -53,6 +57,7 @@ __FBSDID("$FreeBSD$");
#include <md5.h>
#include <pthread.h>
#include <pthread_np.h>
+#include <sysexits.h>
#include "bhyverun.h"
#include "pci_emul.h"
@@ -743,6 +748,9 @@ static void
pci_vtnet_tap_setup(struct pci_vtnet_softc *sc, char *devname)
{
char tbuf[80];
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
strcpy(tbuf, "/dev/");
strlcat(tbuf, devname, sizeof(tbuf));
@@ -766,6 +774,12 @@ pci_vtnet_tap_setup(struct pci_vtnet_softc *sc, char *
close(sc->vsc_tapfd);
sc->vsc_tapfd = -1;
}
+
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(sc->vsc_tapfd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
sc->vsc_mevp = mevent_add(sc->vsc_tapfd,
EVF_READ,
Modified: stable/11/usr.sbin/bhyve/pci_virtio_rnd.c
==============================================================================
--- stable/11/usr.sbin/bhyve/pci_virtio_rnd.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/pci_virtio_rnd.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -35,9 +35,13 @@
__FBSDID("$FreeBSD$");
#include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/linker_set.h>
#include <sys/uio.h>
+#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
@@ -46,6 +50,7 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#include <assert.h>
#include <pthread.h>
+#include <sysexits.h>
#include "bhyverun.h"
#include "pci_emul.h"
@@ -138,6 +143,9 @@ pci_vtrnd_init(struct vmctx *ctx, struct pci_devinst *
int fd;
int len;
uint8_t v;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
/*
* Should always be able to open /dev/random.
@@ -145,6 +153,12 @@ pci_vtrnd_init(struct vmctx *ctx, struct pci_devinst *
fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
assert(fd >= 0);
+
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_READ);
+ if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
/*
* Check that device is seeded and non-blocking.
Modified: stable/11/usr.sbin/bhyve/rfb.c
==============================================================================
--- stable/11/usr.sbin/bhyve/rfb.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/rfb.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -30,6 +30,9 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/endian.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
@@ -39,6 +42,8 @@ __FBSDID("$FreeBSD$");
#include <netinet/in.h>
#include <assert.h>
+#include <err.h>
+#include <errno.h>
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
@@ -46,6 +51,7 @@ __FBSDID("$FreeBSD$");
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
+#include <sysexits.h>
#include <unistd.h>
#include <zlib.h>
@@ -972,6 +978,9 @@ rfb_init(char *hostname, int port, int wait, char *pas
struct rfb_softc *rc;
struct sockaddr_in sin;
int on = 1;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
rc = calloc(1, sizeof(struct rfb_softc));
@@ -1009,6 +1018,12 @@ rfb_init(char *hostname, int port, int wait, char *pas
perror("listen");
return (-1);
}
+
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(rc->sfd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
rc->hw_crc = sse42_supported();
Modified: stable/11/usr.sbin/bhyve/uart_emul.c
==============================================================================
--- stable/11/usr.sbin/bhyve/uart_emul.c Mon Jul 10 06:25:30 2017 (r320865)
+++ stable/11/usr.sbin/bhyve/uart_emul.c Mon Jul 10 06:28:50 2017 (r320866)
@@ -32,16 +32,22 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <dev/ic/ns16550.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
+#include <err.h>
+#include <errno.h>
#include <fcntl.h>
#include <termios.h>
#include <unistd.h>
#include <stdbool.h>
#include <string.h>
#include <pthread.h>
+#include <sysexits.h>
#include "mevent.h"
#include "uart_emul.h"
@@ -638,7 +644,7 @@ uart_tty_backend(struct uart_softc *sc, const char *op
sc->tty.opened = true;
retval = 0;
}
-
+
return (retval);
}
@@ -646,6 +652,11 @@ int
uart_set_backend(struct uart_softc *sc, const char *opts)
{
int retval;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+ cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ };
+ cap_ioctl_t sicmds[] = { TIOCGETA, TIOCGWINSZ };
+#endif
retval = -1;
@@ -666,6 +677,23 @@ uart_set_backend(struct uart_softc *sc, const char *op
/* Make the backend file descriptor non-blocking */
if (retval == 0)
retval = fcntl(sc->tty.fd, F_SETFL, O_NONBLOCK);
+
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(sc->tty.fd, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (!uart_stdio) {
+ cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_IOCTL, CAP_READ);
+ if (cap_rights_limit(STDIN_FILENO, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (cap_ioctls_limit(STDIN_FILENO, sicmds, nitems(sicmds)) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ if (cap_fcntls_limit(STDIN_FILENO, CAP_FCNTL_GETFL) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+ }
+#endif
if (retval == 0)
uart_opentty(sc);
More information about the svn-src-all
mailing list