svn commit: r349959 - stable/11/usr.sbin/bhyve
John Baldwin
jhb at FreeBSD.org
Sat Jul 13 00:12:36 UTC 2019
Author: jhb
Date: Sat Jul 13 00:12:35 2019
New Revision: 349959
URL: https://svnweb.freebsd.org/changeset/base/349959
Log:
Add Capsicumification of the virtio_console device model.
This is a direct commit to stable/11. This change was missed when
merging virtio_console to 11 because the capsicum change and
virtio_console changes were merged in the opposite order of the
changes in head.
Modified:
stable/11/usr.sbin/bhyve/pci_virtio_console.c
Modified: stable/11/usr.sbin/bhyve/pci_virtio_console.c
==============================================================================
--- stable/11/usr.sbin/bhyve/pci_virtio_console.c Fri Jul 12 22:31:12 2019 (r349958)
+++ stable/11/usr.sbin/bhyve/pci_virtio_console.c Sat Jul 13 00:12:35 2019 (r349959)
@@ -34,12 +34,16 @@
__FBSDID("$FreeBSD$");
#include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
#include <sys/linker_set.h>
#include <sys/uio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
+#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
@@ -50,6 +54,7 @@ __FBSDID("$FreeBSD$");
#include <assert.h>
#include <pthread.h>
#include <libgen.h>
+#include <sysexits.h>
#include "bhyverun.h"
#include "pci_emul.h"
@@ -270,6 +275,9 @@ pci_vtcon_sock_add(struct pci_vtcon_softc *sc, const c
struct pci_vtcon_sock *sock;
struct sockaddr_un sun;
int s = -1, fd = -1, error = 0;
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_t rights;
+#endif
sock = calloc(1, sizeof(struct pci_vtcon_sock));
if (sock == NULL) {
@@ -308,6 +316,11 @@ pci_vtcon_sock_add(struct pci_vtcon_softc *sc, const c
goto out;
}
+#ifndef WITHOUT_CAPSICUM
+ cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE);
+ if (cap_rights_limit(s, &rights) == -1 && errno != ENOSYS)
+ errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
sock->vss_port = pci_vtcon_port_add(sc, name, pci_vtcon_sock_tx, sock);
if (sock->vss_port == NULL) {
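Review bot: The failure path after `cap_rights_limit(s, &rights)` calls `errx`, which discards errno, so the operator sees only "Unable to apply rights for sandbox" with no cause; `err(EX_OSERR, "Unable to apply rights for sandbox");` would append the strerror text. The call also exits the process from a function that otherwise reports failure through `goto out`; if that is intentional, a short comment saying a sandboxing failure is fatal rather than leaving the socket unrestricted would help. The rights set includes CAP_READ and CAP_WRITE, which the listening socket `s` does not obviously need for itself. Presumably they are there because descriptors returned by accept() inherit the listener's rights, so a comment such as `/* accepted connections inherit these rights */` would record that once confirmed against the accept path, which is not in this hunk. pci_vtcon_sock_add starts and ends outside the hunk.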