Date: Wed, 19 Sep 2018 14:55:41 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 231480] sysutils/grub2-bhyve: "(host)" filesystem is a potential security issue Message-ID: <bug-231480-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D231480 Bug ID: 231480 Summary: sysutils/grub2-bhyve: "(host)" filesystem is a potential security issue Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: ports-bugs@FreeBSD.org Reporter: noah.bergbauer@tum.de Grub-bhyve has access to the host filesystem through the '(host)' pseudofs. Considering that the typical Linux guest would have its grub configuration = on its boot partition (as the handbook suggests: https://www.freebsd.org/doc/handbook/virtualization-host-bhyve.html) this m= eans that having root permissions on the guest allows you to access the host filesystem on the next VM boot, for example: * Add "source (host)/root/secret.txt" to the head of grub.cfg * Add "myvalue=3D$password" to the kernel command line * Shut down VM * On the host: "echo password=3Dverysecret12345 > /root/secret.txt" * Launch VM $ cat /proc/cmdline=20 console=3DttyS0 BOOT_IMAGE=3D/boot/vmlinuz-4.4.0-75-generic root=3DUUID=3De757cf85-936a-4fe8-b099-54046961756d ro myvalue=3Dverysecret1= 2345 $=20 As you can see this might be a critical information leak in certain circumstances, especially because you have to (?) run grub-bhyve as root on= the host system. Perhaps an option could be added to chroot the bootloader once it is done loading libraries and opening image/disk files? Module loading is disabled = so the filesystem appears to be the only remaining attack surface. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-231480-7788>