- Add the ability to run bhyve(8) within a jail(8).

This patch adds a new sysctl(8) knob "security.jail.vmm_allowed", by default this option is disable. Submitted by: Shawn Webb <shawn.webb____hardenedbsd.org> Reviewed by: jamie@ and myself. Relnotes: Yes. Sponsored by: HardenedBSD and G2, Inc. Differential Revision: https://reviews.freebsd.org/D16057
svn path=/head/; revision=337023
2018-08-01 00:39:21 +00:00 · 2018-08-01 00:39:21 +00:00 · be963beee6 · 2020-12-20 02:59:44 +00:00
commit be963beee6
parent a5c4d9335b
2 changed files with 49 additions and 4 deletions
--- a/sys/amd64/vmm/vmm_dev.c
+++ b/sys/amd64/vmm/vmm_dev.c
@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");

 #include <sys/param.h>
 #include <sys/kernel.h>
+#include <sys/jail.h>
 #include <sys/queue.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/ioccom.h>
 #include <sys/mman.h>
 #include <sys/uio.h>
+#include <sys/proc.h>

 #include <vm/vm.h>
 #include <vm/pmap.h>
@ -82,15 +84,28 @@ struct vmmdev_softc {

 static SLIST_HEAD(, vmmdev_softc) head;

+static unsigned pr_allow_flag;
 static struct mtx vmmdev_mtx;

 static MALLOC_DEFINE(M_VMMDEV, "vmmdev", "vmmdev");

 SYSCTL_DECL(_hw_vmm);

+static int vmm_priv_check(struct ucred *ucred);
 static int devmem_create_cdev(const char *vmname, int id, char *devmem);
 static void devmem_destroy(void *arg);

+static int
+vmm_priv_check(struct ucred *ucred)
+{
+
+	if (jailed(ucred) &&
+	    !(ucred->cr_prison->pr_allow & pr_allow_flag))
+		return (EPERM);
+
+	return (0);
+}
+
 static int
 vcpu_lock_one(struct vmmdev_softc *sc, int vcpu)
 {
@ -177,6 +192,10 @@ vmmdev_rw(struct cdev *cdev, struct uio *uio, int flags)
 	void *hpa, *cookie;
 	struct vmmdev_softc *sc;

+	error = vmm_priv_check(curthread->td_ucred);
+	if (error)
+		return (error);
+
 	sc = vmmdev_lookup2(cdev);
 	if (sc == NULL)
 		return (ENXIO);
@ -351,11 +370,14 @@ vmmdev_ioctl(struct cdev *cdev, u_long cmd, caddr_t data, int fflag,
 	uint64_t *regvals;
 	int *regnums;

+	error = vmm_priv_check(curthread->td_ucred);
+	if (error)
+		return (error);
+
 	sc = vmmdev_lookup2(cdev);
 	if (sc == NULL)
 		return (ENXIO);

-	error = 0;
 	vcpu = -1;
 	state_changed = 0;

@ -777,6 +799,10 @@ vmmdev_mmap_single(struct cdev *cdev, vm_ooffset_t *offset, vm_size_t mapsize,
 	int error, found, segid;
 	bool sysmem;

+	error = vmm_priv_check(curthread->td_ucred);
+	if (error)
+		return (error);
+
 	first = *offset;
 	last = first + mapsize;
 	if ((nprot & PROT_EXEC) || first < 0 || first >= last)
@ -865,6 +891,10 @@ sysctl_vmm_destroy(SYSCTL_HANDLER_ARGS)
 	struct vmmdev_softc *sc;
 	struct cdev *cdev;

+	error = vmm_priv_check(req->td->td_ucred);
+	if (error)
+		return (error);
+
 	strlcpy(buf, "beavis", sizeof(buf));
 	error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 	if (error != 0 || req->newptr == NULL)
@ -906,7 +936,8 @@ sysctl_vmm_destroy(SYSCTL_HANDLER_ARGS)
 	destroy_dev_sched_cb(cdev, vmmdev_destroy, sc);
 	return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy,
+	    CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 	    NULL, 0, sysctl_vmm_destroy, "A", NULL);

 static struct cdevsw vmmdevsw = {
@ -927,6 +958,10 @@ sysctl_vmm_create(SYSCTL_HANDLER_ARGS)
 	struct vmmdev_softc *sc, *sc2;
 	char buf[VM_MAX_NAMELEN];

+	error = vmm_priv_check(req->td->td_ucred);
+	if (error)
+		return (error);
+
 	strlcpy(buf, "beavis", sizeof(buf));
 	error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 	if (error != 0 || req->newptr == NULL)
@ -977,13 +1012,16 @@ sysctl_vmm_create(SYSCTL_HANDLER_ARGS)

 	return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, create, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, create,
+	    CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 	    NULL, 0, sysctl_vmm_create, "A", NULL);

 void
 vmmdev_init(void)
 {
 	mtx_init(&vmmdev_mtx, "vmm device mutex", NULL, MTX_DEF);
+	pr_allow_flag = prison_add_allow(NULL, "vmm", NULL,
+	    "Allow use of vmm in a jail.");
 }

 int
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 29, 2018
+.Dd July 30, 2018
 .Dt JAIL 8
 .Os
 .Sh NAME
@ -650,6 +650,12 @@ See
 .Xr zfs 8
 for information on how to configure the ZFS filesystem to operate from
 within a jail.
+.It Va allow.vmm
+The jail may access
+.Xr vmm 4 .
+This flag is only available when the
+.Xr vmm 4
+kernel module is loaded.
 .It Va linux
 Determine how a jail's Linux emulation environment appears.
 A value of
@ -1294,6 +1300,7 @@ environment of the first jail.
 .Xr ps 1 ,
 .Xr quota 1 ,
 .Xr jail_set 2 ,
+.Xr vmm 4 ,
 .Xr devfs 5 ,
 .Xr fdescfs 5 ,
 .Xr jail.conf 5 ,