From owner-svn-src-all@freebsd.org Mon Jul 10 06:28:52 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DC39BD9F07A; Mon, 10 Jul 2017 06:28:52 +0000 (UTC) (envelope-from grehan@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9D4487DC8B; Mon, 10 Jul 2017 06:28:52 +0000 (UTC) (envelope-from grehan@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v6A6Sp9P029724; Mon, 10 Jul 2017 06:28:51 GMT (envelope-from grehan@FreeBSD.org) Received: (from grehan@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v6A6So8e029710; Mon, 10 Jul 2017 06:28:50 GMT (envelope-from grehan@FreeBSD.org) Message-Id: <201707100628.v6A6So8e029710@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: grehan set sender to grehan@FreeBSD.org using -f From: Peter Grehan Date: Mon, 10 Jul 2017 06:28:50 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r320866 - in stable/11: lib/libvmmapi usr.sbin/bhyve X-SVN-Group: stable-11 X-SVN-Commit-Author: grehan X-SVN-Commit-Paths: in stable/11: lib/libvmmapi usr.sbin/bhyve X-SVN-Commit-Revision: 320866 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jul 2017 06:28:53 -0000 Author: grehan Date: Mon Jul 10 06:28:50 2017 New Revision: 320866 URL: https://svnweb.freebsd.org/changeset/base/320866 Log: MFC 313727, 317483 In addition, replace the missing caph routines with small helper functions (bhyverun.c) or an open-coded replacement (uart_emul.c) 313727 Capsicumize bhyve 317483 Allow CAP_MMAP_RW on memfd for PCI passthru Modified: stable/11/lib/libvmmapi/vmmapi.c stable/11/lib/libvmmapi/vmmapi.h stable/11/usr.sbin/bhyve/bhyverun.c stable/11/usr.sbin/bhyve/block_if.c stable/11/usr.sbin/bhyve/consport.c stable/11/usr.sbin/bhyve/dbgport.c stable/11/usr.sbin/bhyve/mevent.c stable/11/usr.sbin/bhyve/pci_e82545.c stable/11/usr.sbin/bhyve/pci_passthru.c stable/11/usr.sbin/bhyve/pci_virtio_net.c stable/11/usr.sbin/bhyve/pci_virtio_rnd.c stable/11/usr.sbin/bhyve/rfb.c stable/11/usr.sbin/bhyve/uart_emul.c Directory Properties: stable/11/ (props changed) Modified: stable/11/lib/libvmmapi/vmmapi.c ============================================================================== --- stable/11/lib/libvmmapi/vmmapi.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/lib/libvmmapi/vmmapi.c Mon Jul 10 06:28:50 2017 (r320866) @@ -1416,3 +1416,45 @@ vm_restart_instruction(void *arg, int vcpu) return (ioctl(ctx->fd, VM_RESTART_INSTRUCTION, &vcpu)); } + +int +vm_get_device_fd(struct vmctx *ctx) +{ + + return (ctx->fd); +} + +const cap_ioctl_t * +vm_get_ioctls(size_t *len) +{ + cap_ioctl_t *cmds; + /* keep in sync with machine/vmm_dev.h */ + static const cap_ioctl_t vm_ioctl_cmds[] = { VM_RUN, VM_SUSPEND, VM_REINIT, + VM_ALLOC_MEMSEG, VM_GET_MEMSEG, VM_MMAP_MEMSEG, VM_MMAP_MEMSEG, + VM_MMAP_GETNEXT, VM_SET_REGISTER, VM_GET_REGISTER, + VM_SET_SEGMENT_DESCRIPTOR, VM_GET_SEGMENT_DESCRIPTOR, + VM_INJECT_EXCEPTION, VM_LAPIC_IRQ, VM_LAPIC_LOCAL_IRQ, + VM_LAPIC_MSI, VM_IOAPIC_ASSERT_IRQ, VM_IOAPIC_DEASSERT_IRQ, + VM_IOAPIC_PULSE_IRQ, VM_IOAPIC_PINCOUNT, VM_ISA_ASSERT_IRQ, + VM_ISA_DEASSERT_IRQ, VM_ISA_PULSE_IRQ, VM_ISA_SET_IRQ_TRIGGER, + VM_SET_CAPABILITY, VM_GET_CAPABILITY, VM_BIND_PPTDEV, + VM_UNBIND_PPTDEV, VM_MAP_PPTDEV_MMIO, VM_PPTDEV_MSI, + VM_PPTDEV_MSIX, VM_INJECT_NMI, VM_STATS, VM_STAT_DESC, + VM_SET_X2APIC_STATE, VM_GET_X2APIC_STATE, + VM_GET_HPET_CAPABILITIES, VM_GET_GPA_PMAP, VM_GLA2GPA, + VM_ACTIVATE_CPU, VM_GET_CPUS, VM_SET_INTINFO, VM_GET_INTINFO, + VM_RTC_WRITE, VM_RTC_READ, VM_RTC_SETTIME, VM_RTC_GETTIME, + VM_RESTART_INSTRUCTION }; + + if (len == NULL) { + cmds = malloc(sizeof(vm_ioctl_cmds)); + if (cmds == NULL) + return (NULL); + bcopy(vm_ioctl_cmds, cmds, sizeof(vm_ioctl_cmds)); + return (cmds); + } + + *len = nitems(vm_ioctl_cmds); + return (NULL); +} + Modified: stable/11/lib/libvmmapi/vmmapi.h ============================================================================== --- stable/11/lib/libvmmapi/vmmapi.h Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/lib/libvmmapi/vmmapi.h Mon Jul 10 06:28:50 2017 (r320866) @@ -36,7 +36,7 @@ * API version for out-of-tree consumers like grub-bhyve for making compile * time decisions. */ -#define VMMAPI_VERSION 0102 /* 2 digit major followed by 2 digit minor */ +#define VMMAPI_VERSION 0103 /* 2 digit major followed by 2 digit minor */ struct iovec; struct vmctx; @@ -102,6 +102,7 @@ int vm_mmap_memseg(struct vmctx *ctx, vm_paddr_t gpa, vm_ooffset_t segoff, size_t len, int prot); int vm_create(const char *name); +int vm_get_device_fd(struct vmctx *ctx); struct vmctx *vm_open(const char *name); void vm_destroy(struct vmctx *ctx); int vm_parse_memsize(const char *optarg, size_t *memsize); @@ -161,6 +162,8 @@ int vm_setup_pptdev_msix(struct vmctx *ctx, int vcpu, int vm_get_intinfo(struct vmctx *ctx, int vcpu, uint64_t *i1, uint64_t *i2); int vm_set_intinfo(struct vmctx *ctx, int vcpu, uint64_t exit_intinfo); + +const cap_ioctl_t *vm_get_ioctls(size_t *len); /* * Return a pointer to the statistics buffer. Note that this is not MT-safe. Modified: stable/11/usr.sbin/bhyve/bhyverun.c ============================================================================== --- stable/11/usr.sbin/bhyve/bhyverun.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/bhyverun.c Mon Jul 10 06:28:50 2017 (r320866) @@ -30,6 +30,9 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include @@ -40,6 +43,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -48,8 +52,15 @@ __FBSDID("$FreeBSD$"); #include #include #include +#ifndef WITHOUT_CAPSICUM +#include +#include +#endif #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include "bhyverun.h" @@ -152,7 +163,44 @@ usage(int code) exit(code); } +#ifndef WITHOUT_CAPSICUM +/* + * 11-stable capsicum helpers + */ +static void +bhyve_caph_cache_catpages(void) +{ + + (void)catopen("libc", NL_CAT_LOCALE); +} + static int +bhyve_caph_limit_stdoe(void) +{ + cap_rights_t rights; + unsigned long cmds[] = { TIOCGETA, TIOCGWINSZ }; + int i, fds[] = { STDOUT_FILENO, STDERR_FILENO }; + + cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_IOCTL); + cap_rights_set(&rights, CAP_WRITE); + + for (i = 0; i < nitems(fds); i++) { + if (cap_rights_limit(fds[i], &rights) < 0 && errno != ENOSYS) + return (-1); + + if (cap_ioctls_limit(fds[i], cmds, nitems(cmds)) < 0 && errno != ENOSYS) + return (-1); + + if (cap_fcntls_limit(fds[i], CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) + return (-1); + } + + return (0); +} + +#endif + +static int pincpu_parse(const char *opt) { int vcpu, pcpu; @@ -706,6 +754,11 @@ do_open(const char *vmname) struct vmctx *ctx; int error; bool reinit, romboot; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; + const cap_ioctl_t *cmds; + size_t ncmds; +#endif reinit = romboot = false; @@ -744,6 +797,21 @@ do_open(const char *vmname) exit(1); } +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_IOCTL, CAP_MMAP_RW); + if (cap_rights_limit(vm_get_device_fd(ctx), &rights) == -1 && + errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + vm_get_ioctls(&ncmds); + cmds = vm_get_ioctls(NULL); + if (cmds == NULL) + errx(EX_OSERR, "out of memory"); + if (cap_ioctls_limit(vm_get_device_fd(ctx), cmds, ncmds) == -1 && + errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + free((cap_ioctl_t *)cmds); +#endif + if (reinit) { error = vm_reinit(ctx); if (error) { @@ -951,6 +1019,16 @@ main(int argc, char *argv[]) if (lpc_bootrom()) fwctl_init(); + +#ifndef WITHOUT_CAPSICUM + + + if (bhyve_caph_limit_stdoe() == -1) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + + if (cap_enter() == -1 && errno != ENOSYS) + errx(EX_OSERR, "cap_enter() failed"); +#endif /* * Change the proc title to include the VM name. Modified: stable/11/usr.sbin/bhyve/block_if.c ============================================================================== --- stable/11/usr.sbin/bhyve/block_if.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/block_if.c Mon Jul 10 06:28:50 2017 (r320866) @@ -30,6 +30,9 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include #include @@ -45,6 +48,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include @@ -400,6 +404,10 @@ blockif_open(const char *optstr, const char *ident) off_t size, psectsz, psectoff; int extra, fd, i, sectsz; int nocache, sync, ro, candelete, geom, ssopt, pssopt; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; + cap_ioctl_t cmds[] = { DIOCGFLUSH, DIOCGDELETE }; +#endif pthread_once(&blockif_once, blockif_init); @@ -457,6 +465,16 @@ blockif_open(const char *optstr, const char *ident) goto err; } +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_FSYNC, CAP_IOCTL, CAP_READ, CAP_SEEK, + CAP_WRITE); + if (ro) + cap_rights_clear(&rights, CAP_FSYNC, CAP_WRITE); + + if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif + /* * Deal with raw devices */ @@ -482,6 +500,11 @@ blockif_open(const char *optstr, const char *ident) geom = 1; } else psectsz = sbuf.st_blksize; + +#ifndef WITHOUT_CAPSICUM + if (cap_ioctls_limit(fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif if (ssopt != 0) { if (!powerof2(ssopt) || !powerof2(pssopt) || ssopt < 512 || Modified: stable/11/usr.sbin/bhyve/consport.c ============================================================================== --- stable/11/usr.sbin/bhyve/consport.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/consport.c Mon Jul 10 06:28:50 2017 (r320866) @@ -30,13 +30,19 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include +#include +#include #include #include #include #include #include +#include #include "inout.h" #include "pci_lpc.h" @@ -104,6 +110,10 @@ console_handler(struct vmctx *ctx, int vcpu, int in, i uint32_t *eax, void *arg) { static int opened; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; + cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ }; +#endif if (bytes == 2 && in) { *eax = BVM_CONS_SIG; @@ -123,6 +133,13 @@ console_handler(struct vmctx *ctx, int vcpu, int in, i return (-1); if (!opened) { +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE); + if (cap_rights_limit(STDIN_FILENO, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (cap_ioctls_limit(STDIN_FILENO, cmds, nitems(cmds)) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif ttyopen(); opened = 1; } Modified: stable/11/usr.sbin/bhyve/dbgport.c ============================================================================== --- stable/11/usr.sbin/bhyve/dbgport.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/dbgport.c Mon Jul 10 06:28:50 2017 (r320866) @@ -30,13 +30,18 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include #include #include +#include #include #include +#include #include #include #include @@ -125,6 +130,9 @@ void init_dbgport(int sport) { int reuse; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif conn_fd = -1; @@ -154,6 +162,12 @@ init_dbgport(int sport) perror("listen"); exit(1); } + +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_WRITE); + if (cap_rights_limit(listen_fd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif register_inout(&dbgport); } Modified: stable/11/usr.sbin/bhyve/mevent.c ============================================================================== --- stable/11/usr.sbin/bhyve/mevent.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/mevent.c Mon Jul 10 06:28:50 2017 (r320866) @@ -35,13 +35,18 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include #include #include +#include #include #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include @@ -401,6 +406,9 @@ mevent_dispatch(void) int mfd; int numev; int ret; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif mevent_tid = pthread_self(); mevent_set_name(); @@ -408,6 +416,12 @@ mevent_dispatch(void) mfd = kqueue(); assert(mfd > 0); +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_KQUEUE); + if (cap_rights_limit(mfd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif + /* * Open the pipe that will be used for other threads to force * the blocking kqueue call to exit by writing to it. Set the @@ -418,6 +432,14 @@ mevent_dispatch(void) perror("pipe"); exit(0); } + +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); + if (cap_rights_limit(mevent_pipefd[0], &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (cap_rights_limit(mevent_pipefd[1], &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif /* * Add internal event handler for the pipe write fd Modified: stable/11/usr.sbin/bhyve/pci_e82545.c ============================================================================== --- stable/11/usr.sbin/bhyve/pci_e82545.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/pci_e82545.c Mon Jul 10 06:28:50 2017 (r320866) @@ -31,6 +31,9 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include #include @@ -38,12 +41,14 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include #include #include #include +#include #include #include #include @@ -2202,6 +2207,9 @@ static void e82545_open_tap(struct e82545_softc *sc, char *opts) { char tbuf[80]; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif if (opts == NULL) { sc->esc_tapfd = -1; @@ -2228,6 +2236,12 @@ e82545_open_tap(struct e82545_softc *sc, char *opts) sc->esc_tapfd = -1; } +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); + if (cap_rights_limit(sc->esc_tapfd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif + sc->esc_mevp = mevent_add(sc->esc_tapfd, EVF_READ, e82545_tap_callback, Modified: stable/11/usr.sbin/bhyve/pci_passthru.c ============================================================================== --- stable/11/usr.sbin/bhyve/pci_passthru.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/pci_passthru.c Mon Jul 10 06:28:50 2017 (r320866) @@ -30,6 +30,9 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include #include @@ -44,7 +47,9 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include +#include #include #include @@ -639,10 +644,19 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p { int bus, slot, func, error, memflags; struct passthru_softc *sc; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; + cap_ioctl_t pci_ioctls[] = { PCIOCREAD, PCIOCWRITE, PCIOCGETBAR }; + cap_ioctl_t io_ioctls[] = { IODEV_PIO }; +#endif sc = NULL; error = 1; +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_WRITE); +#endif + memflags = vm_get_memflags(ctx); if (!(memflags & VM_MEM_F_WIRED)) { warnx("passthru requires guest memory to be wired"); @@ -657,6 +671,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p } } +#ifndef WITHOUT_CAPSICUM + if (cap_rights_limit(pcifd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (cap_ioctls_limit(pcifd, pci_ioctls, nitems(pci_ioctls)) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif + if (iofd < 0) { iofd = open(_PATH_DEVIO, O_RDWR, 0); if (iofd < 0) { @@ -665,6 +686,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p } } +#ifndef WITHOUT_CAPSICUM + if (cap_rights_limit(iofd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (cap_ioctls_limit(iofd, io_ioctls, nitems(io_ioctls)) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif + if (memfd < 0) { memfd = open(_PATH_MEM, O_RDWR, 0); if (memfd < 0) { @@ -672,6 +700,13 @@ passthru_init(struct vmctx *ctx, struct pci_devinst *p goto done; } } + +#ifndef WITHOUT_CAPSICUM + cap_rights_clear(&rights, CAP_IOCTL); + cap_rights_set(&rights, CAP_MMAP_RW); + if (cap_rights_limit(memfd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif if (opts == NULL || sscanf(opts, "%d/%d/%d", &bus, &slot, &func) != 3) { Modified: stable/11/usr.sbin/bhyve/pci_virtio_net.c ============================================================================== --- stable/11/usr.sbin/bhyve/pci_virtio_net.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/pci_virtio_net.c Mon Jul 10 06:28:50 2017 (r320866) @@ -30,6 +30,9 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include #include @@ -41,6 +44,7 @@ __FBSDID("$FreeBSD$"); #endif #include +#include #include #include #include @@ -53,6 +57,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include "bhyverun.h" #include "pci_emul.h" @@ -743,6 +748,9 @@ static void pci_vtnet_tap_setup(struct pci_vtnet_softc *sc, char *devname) { char tbuf[80]; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif strcpy(tbuf, "/dev/"); strlcat(tbuf, devname, sizeof(tbuf)); @@ -766,6 +774,12 @@ pci_vtnet_tap_setup(struct pci_vtnet_softc *sc, char * close(sc->vsc_tapfd); sc->vsc_tapfd = -1; } + +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); + if (cap_rights_limit(sc->vsc_tapfd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif sc->vsc_mevp = mevent_add(sc->vsc_tapfd, EVF_READ, Modified: stable/11/usr.sbin/bhyve/pci_virtio_rnd.c ============================================================================== --- stable/11/usr.sbin/bhyve/pci_virtio_rnd.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/pci_virtio_rnd.c Mon Jul 10 06:28:50 2017 (r320866) @@ -35,9 +35,13 @@ __FBSDID("$FreeBSD$"); #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include +#include #include #include #include @@ -46,6 +50,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include "bhyverun.h" #include "pci_emul.h" @@ -138,6 +143,9 @@ pci_vtrnd_init(struct vmctx *ctx, struct pci_devinst * int fd; int len; uint8_t v; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif /* * Should always be able to open /dev/random. @@ -145,6 +153,12 @@ pci_vtrnd_init(struct vmctx *ctx, struct pci_devinst * fd = open("/dev/random", O_RDONLY | O_NONBLOCK); assert(fd >= 0); + +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_READ); + if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif /* * Check that device is seeded and non-blocking. Modified: stable/11/usr.sbin/bhyve/rfb.c ============================================================================== --- stable/11/usr.sbin/bhyve/rfb.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/rfb.c Mon Jul 10 06:28:50 2017 (r320866) @@ -30,6 +30,9 @@ __FBSDID("$FreeBSD$"); #include #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include #include @@ -39,6 +42,8 @@ __FBSDID("$FreeBSD$"); #include #include +#include +#include #include #include #include @@ -46,6 +51,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include @@ -972,6 +978,9 @@ rfb_init(char *hostname, int port, int wait, char *pas struct rfb_softc *rc; struct sockaddr_in sin; int on = 1; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; +#endif rc = calloc(1, sizeof(struct rfb_softc)); @@ -1009,6 +1018,12 @@ rfb_init(char *hostname, int port, int wait, char *pas perror("listen"); return (-1); } + +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE); + if (cap_rights_limit(rc->sfd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); +#endif rc->hw_crc = sse42_supported(); Modified: stable/11/usr.sbin/bhyve/uart_emul.c ============================================================================== --- stable/11/usr.sbin/bhyve/uart_emul.c Mon Jul 10 06:25:30 2017 (r320865) +++ stable/11/usr.sbin/bhyve/uart_emul.c Mon Jul 10 06:28:50 2017 (r320866) @@ -32,16 +32,22 @@ __FBSDID("$FreeBSD$"); #include #include +#ifndef WITHOUT_CAPSICUM +#include +#endif #include #include #include +#include +#include #include #include #include #include #include #include +#include #include "mevent.h" #include "uart_emul.h" @@ -638,7 +644,7 @@ uart_tty_backend(struct uart_softc *sc, const char *op sc->tty.opened = true; retval = 0; } - + return (retval); } @@ -646,6 +652,11 @@ int uart_set_backend(struct uart_softc *sc, const char *opts) { int retval; +#ifndef WITHOUT_CAPSICUM + cap_rights_t rights; + cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ }; + cap_ioctl_t sicmds[] = { TIOCGETA, TIOCGWINSZ }; +#endif retval = -1; @@ -666,6 +677,23 @@ uart_set_backend(struct uart_softc *sc, const char *op /* Make the backend file descriptor non-blocking */ if (retval == 0) retval = fcntl(sc->tty.fd, F_SETFL, O_NONBLOCK); + +#ifndef WITHOUT_CAPSICUM + cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE); + if (cap_rights_limit(sc->tty.fd, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (!uart_stdio) { + cap_rights_init(&rights, CAP_FCNTL, CAP_FSTAT, CAP_IOCTL, CAP_READ); + if (cap_rights_limit(STDIN_FILENO, &rights) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (cap_ioctls_limit(STDIN_FILENO, sicmds, nitems(sicmds)) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + if (cap_fcntls_limit(STDIN_FILENO, CAP_FCNTL_GETFL) == -1 && errno != ENOSYS) + errx(EX_OSERR, "Unable to apply rights for sandbox"); + } +#endif if (retval == 0) uart_opentty(sc);