The situation is improved now that we're running in a sandbox, but there
is still some host machine access that could be concerning depending on
the context. These concerns may be somewhat mitigated by the fact that
the host machine usually provides the loader binary, even when the guest
image is providing the loader scripts -- they only bring the lua
scripts, and they have to be able to execute arbitrary syscalls rather
than the interfaces provided by libsa(3).
Details

- Reviewers: markj, jhb
- Group Reviewers: bhyve
- Commits: rG5df041c4bbf7: bhyveload(8): document some SECURITY CONSIDERATIONS

Diff Detail

- Repository: rG FreeBSD src repository
- Lint: Lint Skipped
- Unit: Tests Skipped
- Build Status: Buildable 55244, Build 52133: arc lint + arc unit
Event Timeline
Address review commentary; access to the currently opened directories isn't
currently restricted to read-only, but restricting the rights(4) a bit will get
us where we want to be. We'll land that before this.
Inline comment, usr.sbin/bhyveload/bhyveload.8, line 192:
> I suspect this might be confusing to some non-native readers.

Inline comment, usr.sbin/bhyveload/bhyveload.8, line 192:
> I'll fold that in, thanks. Do you think it'd be worth drawing the connection more explicitly with the -c option? ... and the chosen .Fl c console. Or perhaps a more concise ... and the chosen .Ar cons-dev .