Capsicum support for bhyve(8).

Adds Capsicum sandboxing to bhyve.

Submitted by:	Pawel Biernacki <pawel.biernacki@gmail.com>
Reviewed by:	grehan, oshogbo
Approved by:	emaste, grehan
Sponsored by:	Mysterious Code Ltd.
Differential Revision:	https://reviews.freebsd.org/D8290

lib/libvmmapi/vmmapi.c

@@ -1416,3 +1416,45 @@ vm_restart_instruction(void *arg, int vcpu)
 
 	return (ioctl(ctx->fd, VM_RESTART_INSTRUCTION, &vcpu));
 }
+
+int
+vm_get_device_fd(struct vmctx *ctx)
+{
+
+	return (ctx->fd);
+}
+
+const cap_ioctl_t *
+vm_get_ioctls(size_t *len)
+{
+	cap_ioctl_t *cmds;
+	/* keep in sync with machine/vmm_dev.h */
+	static const cap_ioctl_t vm_ioctl_cmds[] = { VM_RUN, VM_SUSPEND, VM_REINIT,
+	    VM_ALLOC_MEMSEG, VM_GET_MEMSEG, VM_MMAP_MEMSEG, VM_MMAP_MEMSEG,
+	    VM_MMAP_GETNEXT, VM_SET_REGISTER, VM_GET_REGISTER,
+	    VM_SET_SEGMENT_DESCRIPTOR, VM_GET_SEGMENT_DESCRIPTOR,
+	    VM_INJECT_EXCEPTION, VM_LAPIC_IRQ, VM_LAPIC_LOCAL_IRQ,
+	    VM_LAPIC_MSI, VM_IOAPIC_ASSERT_IRQ, VM_IOAPIC_DEASSERT_IRQ,
+	    VM_IOAPIC_PULSE_IRQ, VM_IOAPIC_PINCOUNT, VM_ISA_ASSERT_IRQ,
+	    VM_ISA_DEASSERT_IRQ, VM_ISA_PULSE_IRQ, VM_ISA_SET_IRQ_TRIGGER,
+	    VM_SET_CAPABILITY, VM_GET_CAPABILITY, VM_BIND_PPTDEV,
+	    VM_UNBIND_PPTDEV, VM_MAP_PPTDEV_MMIO, VM_PPTDEV_MSI,
+	    VM_PPTDEV_MSIX, VM_INJECT_NMI, VM_STATS, VM_STAT_DESC,
+	    VM_SET_X2APIC_STATE, VM_GET_X2APIC_STATE,
+	    VM_GET_HPET_CAPABILITIES, VM_GET_GPA_PMAP, VM_GLA2GPA,
+	    VM_ACTIVATE_CPU, VM_GET_CPUS, VM_SET_INTINFO, VM_GET_INTINFO,
+	    VM_RTC_WRITE, VM_RTC_READ, VM_RTC_SETTIME, VM_RTC_GETTIME,
+	    VM_RESTART_INSTRUCTION };
+
+	if (len == NULL) {
+		cmds = malloc(sizeof(vm_ioctl_cmds));
+		if (cmds == NULL)
+			return (NULL);
+		bcopy(vm_ioctl_cmds, cmds, sizeof(vm_ioctl_cmds));
+		return (cmds);
+	}
+
+	*len = nitems(vm_ioctl_cmds);
+	return (NULL);
+}
+

lib/libvmmapi/vmmapi.h

@@ -36,7 +36,7 @@
  * API version for out-of-tree consumers like grub-bhyve for making compile
  * time decisions.
  */
-#define	VMMAPI_VERSION	0102	/* 2 digit major followed by 2 digit minor */
+#define	VMMAPI_VERSION	0103	/* 2 digit major followed by 2 digit minor */
 
 struct iovec;
 struct vmctx;
@@ -102,6 +102,7 @@ int	vm_mmap_memseg(struct vmctx *ctx, vm_paddr_t gpa, int segid,
 	    vm_ooffset_t segoff, size_t len, int prot);
 
 int	vm_create(const char *name);
+int	vm_get_device_fd(struct vmctx *ctx);
 struct vmctx *vm_open(const char *name);
 void	vm_destroy(struct vmctx *ctx);
 int	vm_parse_memsize(const char *optarg, size_t *memsize);
@@ -162,6 +163,8 @@ int	vm_setup_pptdev_msix(struct vmctx *ctx, int vcpu, int bus, int slot,
 int	vm_get_intinfo(struct vmctx *ctx, int vcpu, uint64_t *i1, uint64_t *i2);
 int	vm_set_intinfo(struct vmctx *ctx, int vcpu, uint64_t exit_intinfo);
 
+const cap_ioctl_t *vm_get_ioctls(size_t *len);
+
 /*
  * Return a pointer to the statistics buffer. Note that this is not MT-safe.
  */

usr.sbin/bhyve/bhyverun.c

@@ -30,16 +30,23 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/mman.h>
 #include <sys/time.h>
 
 #include <machine/atomic.h>
 #include <machine/segments.h>
 
+#ifndef WITHOUT_CAPSICUM
+#include <capsicum_helpers.h>
+#endif
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <err.h>
+#include <errno.h>
 #include <libgen.h>
 #include <unistd.h>
 #include <assert.h>
@@ -50,6 +57,9 @@ __FBSDID("$FreeBSD$");
 #include <stdbool.h>
 
 #include <machine/vmm.h>
+#ifndef WITHOUT_CAPSICUM
+#include <machine/vmm_dev.h>
+#endif
 #include <vmmapi.h>
 
 #include "bhyverun.h"
@@ -706,6 +716,11 @@ do_open(const char *vmname)
 	struct vmctx *ctx;
 	int error;
 	bool reinit, romboot;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+	const cap_ioctl_t *cmds;	
+	size_t ncmds;
+#endif
 
 	reinit = romboot = false;
 
@@ -744,6 +759,21 @@ do_open(const char *vmname)
 		exit(1);
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_IOCTL, CAP_MMAP_RW);
+	if (cap_rights_limit(vm_get_device_fd(ctx), &rights) == -1 &&
+	    errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	vm_get_ioctls(&ncmds);
+	cmds = vm_get_ioctls(NULL);
+	if (cmds == NULL)
+		errx(EX_OSERR, "out of memory");
+	if (cap_ioctls_limit(vm_get_device_fd(ctx), cmds, ncmds) == -1 &&
+	    errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	free((cap_ioctl_t *)cmds);
+#endif
+ 
 	if (reinit) {
 		error = vm_reinit(ctx);
 		if (error) {
@@ -952,6 +982,16 @@ main(int argc, char *argv[])
 	if (lpc_bootrom())
 		fwctl_init();
 
+#ifndef WITHOUT_CAPSICUM
+	caph_cache_catpages();
+
+	if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+
+	if (cap_enter() == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "cap_enter() failed");
+#endif
+
 	/*
 	 * Change the proc title to include the VM name.
 	 */

usr.sbin/bhyve/block_if.c

@@ -30,6 +30,9 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/queue.h>
 #include <sys/errno.h>
 #include <sys/stat.h>
@@ -45,6 +48,7 @@ __FBSDID("$FreeBSD$");
 #include <pthread.h>
 #include <pthread_np.h>
 #include <signal.h>
+#include <sysexits.h>
 #include <unistd.h>
 
 #include <machine/atomic.h>
@@ -400,6 +404,10 @@ blockif_open(const char *optstr, const char *ident)
 	off_t size, psectsz, psectoff;
 	int extra, fd, i, sectsz;
 	int nocache, sync, ro, candelete, geom, ssopt, pssopt;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+	cap_ioctl_t cmds[] = { DIOCGFLUSH, DIOCGDELETE };
+#endif
 
 	pthread_once(&blockif_once, blockif_init);
 
@@ -457,6 +465,16 @@ blockif_open(const char *optstr, const char *ident)
 		goto err;
         }
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_FSYNC, CAP_IOCTL, CAP_READ, CAP_SEEK,
+	    CAP_WRITE);
+	if (ro)
+		cap_rights_clear(&rights, CAP_FSYNC, CAP_WRITE);
+
+	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
         /*
 	 * Deal with raw devices
 	 */
@@ -483,6 +501,11 @@ blockif_open(const char *optstr, const char *ident)
 	} else
 		psectsz = sbuf.st_blksize;
 
+#ifndef WITHOUT_CAPSICUM
+	if (cap_ioctls_limit(fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	if (ssopt != 0) {
 		if (!powerof2(ssopt) || !powerof2(pssopt) || ssopt < 512 ||
 		    ssopt > pssopt) {

usr.sbin/bhyve/consport.c

@@ -30,13 +30,19 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/select.h>
 
+#include <err.h>
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <termios.h>
 #include <unistd.h>
 #include <stdbool.h>
+#include <sysexits.h>
 
 #include "inout.h"
 #include "pci_lpc.h"
@@ -104,6 +110,10 @@ console_handler(struct vmctx *ctx, int vcpu, int in, int port, int bytes,
 		uint32_t *eax, void *arg)
 {
 	static int opened;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+	cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ };
+#endif
 
 	if (bytes == 2 && in) {
 		*eax = BVM_CONS_SIG;
@@ -123,6 +133,13 @@ console_handler(struct vmctx *ctx, int vcpu, int in, int port, int bytes,
 		return (-1);
 
 	if (!opened) {
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(STDIN_FILENO, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	if (cap_ioctls_limit(STDIN_FILENO, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
 		ttyopen();
 		opened = 1;
 	}

usr.sbin/bhyve/dbgport.c

@@ -30,13 +30,18 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <sys/uio.h>
 
+#include <err.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <sysexits.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
@@ -125,6 +130,9 @@ void
 init_dbgport(int sport)
 {
 	int reuse;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 
 	conn_fd = -1;
 
@@ -155,5 +163,11 @@ init_dbgport(int sport)
 		exit(1);
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(listen_fd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	register_inout(&dbgport);
 }

usr.sbin/bhyve/mevent.c

@@ -35,13 +35,18 @@
 __FBSDID("$FreeBSD$");
 
 #include <assert.h>
+#include <err.h>
 #include <errno.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <sysexits.h>
 #include <unistd.h>
 
 #include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/event.h>
 #include <sys/time.h>
 
@@ -401,6 +406,9 @@ mevent_dispatch(void)
 	int mfd;
 	int numev;
 	int ret;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 
 	mevent_tid = pthread_self();
 	mevent_set_name();
@@ -408,6 +416,12 @@ mevent_dispatch(void)
 	mfd = kqueue();
 	assert(mfd > 0);
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_KQUEUE);
+	if (cap_rights_limit(mfd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	/*
 	 * Open the pipe that will be used for other threads to force
 	 * the blocking kqueue call to exit by writing to it. Set the
@@ -419,6 +433,14 @@ mevent_dispatch(void)
 		exit(0);
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(mevent_pipefd[0], &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	if (cap_rights_limit(mevent_pipefd[1], &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	/*
 	 * Add internal event handler for the pipe write fd
 	 */

usr.sbin/bhyve/pci_e82545.c

@@ -31,6 +31,9 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/limits.h>
 #include <sys/ioctl.h>
 #include <sys/uio.h>
@@ -38,12 +41,14 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <md5.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sysexits.h>
 #include <unistd.h>
 #include <pthread.h>
 #include <pthread_np.h>
@@ -2202,6 +2207,9 @@ static void
 e82545_open_tap(struct e82545_softc *sc, char *opts)
 {
 	char tbuf[80];
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 	
 	if (opts == NULL) {
 		sc->esc_tapfd = -1;
@@ -2228,6 +2236,12 @@ e82545_open_tap(struct e82545_softc *sc, char *opts)
 		sc->esc_tapfd = -1;
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(sc->esc_tapfd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+	
 	sc->esc_mevp = mevent_add(sc->esc_tapfd,
 				  EVF_READ,
 				  e82545_tap_callback,

usr.sbin/bhyve/pci_passthru.c

@@ -30,6 +30,9 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/types.h>
 #include <sys/mman.h>
 #include <sys/pciio.h>
@@ -44,7 +47,9 @@ __FBSDID("$FreeBSD$");
 #include <stdlib.h>
 #include <string.h>
 #include <err.h>
+#include <errno.h>
 #include <fcntl.h>
+#include <sysexits.h>
 #include <unistd.h>
 
 #include <machine/vmm.h>
@@ -639,10 +644,19 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts)
 {
 	int bus, slot, func, error, memflags;
 	struct passthru_softc *sc;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+	cap_ioctl_t pci_ioctls[] = { PCIOCREAD, PCIOCWRITE, PCIOCGETBAR };
+	cap_ioctl_t io_ioctls[] = { IODEV_PIO };
+#endif
 
 	sc = NULL;
 	error = 1;
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_WRITE);
+#endif
+
 	memflags = vm_get_memflags(ctx);
 	if (!(memflags & VM_MEM_F_WIRED)) {
 		warnx("passthru requires guest memory to be wired");
@@ -657,6 +671,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts)
 		}
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	if (cap_rights_limit(pcifd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	if (cap_ioctls_limit(pcifd, pci_ioctls, nitems(pci_ioctls)) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	if (iofd < 0) {
 		iofd = open(_PATH_DEVIO, O_RDWR, 0);
 		if (iofd < 0) {
@@ -665,6 +686,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts)
 		}
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	if (cap_rights_limit(iofd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	if (cap_ioctls_limit(iofd, io_ioctls, nitems(io_ioctls)) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	if (memfd < 0) {
 		memfd = open(_PATH_MEM, O_RDWR, 0);
 		if (memfd < 0) {
@@ -673,6 +701,12 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts)
 		}
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_clear(&rights, CAP_IOCTL);
+	if (cap_rights_limit(memfd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	if (opts == NULL ||
 	    sscanf(opts, "%d/%d/%d", &bus, &slot, &func) != 3) {
 		warnx("invalid passthru options");

usr.sbin/bhyve/pci_virtio_console.c

@@ -32,12 +32,16 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/linker_set.h>
 #include <sys/uio.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
@@ -48,6 +52,7 @@ __FBSDID("$FreeBSD$");
 #include <assert.h>
 #include <pthread.h>
 #include <libgen.h>
+#include <sysexits.h>
 
 #include "bhyverun.h"
 #include "pci_emul.h"
@@ -269,6 +274,9 @@ pci_vtcon_sock_add(struct pci_vtcon_softc *sc, const char *name,
 	struct sockaddr_un sun;
 	char *pathcopy;
 	int s = -1, fd = -1, error = 0;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 
 	sock = calloc(1, sizeof(struct pci_vtcon_sock));
 	if (sock == NULL) {
@@ -316,6 +324,11 @@ pci_vtcon_sock_add(struct pci_vtcon_softc *sc, const char *name,
 		goto out;
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(s, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
 
 	sock->vss_port = pci_vtcon_port_add(sc, name, pci_vtcon_sock_tx, sock);
 	if (sock->vss_port == NULL) {

usr.sbin/bhyve/pci_virtio_net.c

@@ -30,6 +30,9 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/linker_set.h>
 #include <sys/select.h>
 #include <sys/uio.h>
@@ -41,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #endif
 #include <net/netmap_user.h>
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
@@ -53,6 +57,7 @@ __FBSDID("$FreeBSD$");
 #include <md5.h>
 #include <pthread.h>
 #include <pthread_np.h>
+#include <sysexits.h>
 
 #include "bhyverun.h"
 #include "pci_emul.h"
@@ -743,6 +748,9 @@ static void
 pci_vtnet_tap_setup(struct pci_vtnet_softc *sc, char *devname)
 {
 	char tbuf[80];
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 
 	strcpy(tbuf, "/dev/");
 	strlcat(tbuf, devname, sizeof(tbuf));
@@ -767,6 +775,12 @@ pci_vtnet_tap_setup(struct pci_vtnet_softc *sc, char *devname)
 		sc->vsc_tapfd = -1;
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(sc->vsc_tapfd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	sc->vsc_mevp = mevent_add(sc->vsc_tapfd,
 				  EVF_READ,
 				  pci_vtnet_rx_callback,

usr.sbin/bhyve/pci_virtio_rnd.c

@@ -35,9 +35,13 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/linker_set.h>
 #include <sys/uio.h>
 
+#include <err.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
@@ -46,6 +50,7 @@ __FBSDID("$FreeBSD$");
 #include <unistd.h>
 #include <assert.h>
 #include <pthread.h>
+#include <sysexits.h>
 
 #include "bhyverun.h"
 #include "pci_emul.h"
@@ -138,6 +143,9 @@ pci_vtrnd_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts)
 	int fd;
 	int len;
 	uint8_t v;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 
 	/*
 	 * Should always be able to open /dev/random.
@@ -146,6 +154,12 @@ pci_vtrnd_init(struct vmctx *ctx, struct pci_devinst *pi, char *opts)
 
 	assert(fd >= 0);
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_READ);
+	if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	/*
 	 * Check that device is seeded and non-blocking.
 	 */

usr.sbin/bhyve/rfb.c

@@ -29,6 +29,9 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#endif
 #include <sys/socket.h>
 #include <sys/select.h>
 #include <sys/time.h>
@@ -38,6 +41,8 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in.h>
 
 #include <assert.h>
+#include <err.h>
+#include <errno.h>
 #include <pthread.h>
 #include <pthread_np.h>
 #include <signal.h>
@@ -45,6 +50,7 @@ __FBSDID("$FreeBSD$");
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <sysexits.h>
 #include <unistd.h>
 
 #include <zlib.h>
@@ -868,6 +874,9 @@ rfb_init(char *hostname, int port, int wait)
 	struct rfb_softc *rc;
 	struct sockaddr_in sin;
 	int on = 1;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+#endif
 
 	rc = calloc(1, sizeof(struct rfb_softc));
 
@@ -904,6 +913,12 @@ rfb_init(char *hostname, int port, int wait)
 		return (-1);
 	}
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(rc->sfd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+#endif
+
 	rc->hw_crc = sse42_supported();
 
 	rc->conn_wait = wait;

usr.sbin/bhyve/uart_emul.c

@@ -32,16 +32,23 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <dev/ic/ns16550.h>
+#ifndef WITHOUT_CAPSICUM
+#include <sys/capsicum.h>
+#include <capsicum_helpers.h>
+#endif
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <assert.h>
+#include <err.h>
+#include <errno.h>
 #include <fcntl.h>
 #include <termios.h>
 #include <unistd.h>
 #include <stdbool.h>
 #include <string.h>
 #include <pthread.h>
+#include <sysexits.h>
 
 #include "mevent.h"
 #include "uart_emul.h"
@@ -638,7 +645,7 @@ uart_tty_backend(struct uart_softc *sc, const char *opts)
 		sc->tty.opened = true;
 		retval = 0;
 	}
-	    
+
 	return (retval);
 }
 
@@ -646,6 +653,10 @@ int
 uart_set_backend(struct uart_softc *sc, const char *opts)
 {
 	int retval;
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_t rights;
+	cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ };
+#endif
 
 	retval = -1;
 
@@ -667,6 +678,18 @@ uart_set_backend(struct uart_softc *sc, const char *opts)
 	if (retval == 0)
 		retval = fcntl(sc->tty.fd, F_SETFL, O_NONBLOCK);
 
+#ifndef WITHOUT_CAPSICUM
+	cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE);
+	if (cap_rights_limit(sc->tty.fd, &rights) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS)
+		errx(EX_OSERR, "Unable to apply rights for sandbox");
+	if (!uart_stdio) {
+		if (caph_limit_stdin() == -1 && errno != ENOSYS)
+			errx(EX_OSERR, "Unable to apply rights for sandbox");
+	}
+#endif
+
 	if (retval == 0)
 		uart_opentty(sc);