Page MenuHomeFreeBSD
Differential D43315

bhyveload: limit rights on the dirfds we create
ClosedPublic
Actions

Authored by kevans on Jan 4 2024, 3:54 PM.
Tags
None
Referenced Files
F102898771: D43315.diff
Mon, Nov 18, 11:49 AM
Unknown Object (File)
Sun, Nov 3, 9:12 PM
Unknown Object (File)
Sun, Nov 3, 9:11 PM
Unknown Object (File)
Sun, Nov 3, 8:55 PM
Unknown Object (File)
Sun, Nov 3, 8:47 PM
Unknown Object (File)
Wed, Oct 23, 7:16 PM
Unknown Object (File)
Wed, Oct 23, 7:16 PM
Unknown Object (File)
Wed, Oct 23, 7:16 PM
View All 35 Files
Subscribers
bcran
imp
jrtc27
markj
rgrimes

Details

Reviewers
imp
Group Reviewers
bhyve
Commits
rGc067be72e835: bhyveload: limit rights on the dirfds we create
Summary

In neither case do we need write access to the directories we're working
with; userboot doesn't support fo_write on the host device, and the
bootfd is only ever needed for loader loading.

This improves on 8bf0882e18 ("bhyveload: enter capability mode [...]")
so that arbitrary code in the loader can't open writable fds to either
of the directories we need to maintain access to.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 55243
Build 52132: arc lint + arc unit

Event Timeline

kevans created this revision.Jan 4 2024, 3:54 PM
Herald added subscribers: bcran, rgrimes, imp. · View Herald TranscriptJan 4 2024, 3:54 PM
kevans requested review of this revision.Jan 4 2024, 3:54 PM
Harbormaster completed remote builds in B55243: Diff 132278.Jan 4 2024, 3:54 PM
kevans added a child revision: D43299: bhyveload(8): document some SECURITY CONSIDERATIONS.Jan 4 2024, 3:55 PM
imp accepted this revision.Jan 4 2024, 5:43 PM

Only time we need to write is to nextboot.conf... Since we don't support that from the userboot boot loader... this should be fine. We can punch a hole for nextboot.conf if we ever add that support.

This revision is now accepted and ready to land.Jan 4 2024, 5:43 PM
markj added a subscriber: markj.Jan 4 2024, 5:54 PM
In D43315#987334, @imp wrote:

Only time we need to write is to nextboot.conf... Since we don't support that from the userboot boot loader... this should be fine. We can punch a hole for nextboot.conf if we ever add that support.

That's in the guest filesystem though, here we're dealing with the host filesystem. bhyveload+nextboot works fine today.

Closed by commit rGc067be72e835: bhyveload: limit rights on the dirfds we create (authored by kevans). · Explain WhyJan 5 2024, 6:22 AM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rGc067be72e835: bhyveload: limit rights on the dirfds we create.
jrtc27 added a subscriber: jrtc27.Jan 5 2024, 6:30 AM
jrtc27 added inline comments.
usr.sbin/bhyveload/bhyveload.c
894

Missed a space here

897–898

Isn't this just err(1, "...");? I guess copied from the existing open code?

kevans added inline comments.Jan 5 2024, 7:28 AM
usr.sbin/bhyveload/bhyveload.c
894

Will fix in the morning, thanks

897–898

Yeah, I tried to keep it consistent with the rest of the area... somewhere around just after the getopt loop it goes from err -> perror + exit (though I wouldn't be surprised if one could provide counterexamples), we should really make it all consistent.

markj added inline comments.Jan 8 2024, 9:39 PM
usr.sbin/bhyveload/bhyveload.c
758

CAP_SEEK is probably also worth having? (Can be added by changing CAP_READ to CAP_PREAD.)

896

Again, I'd suggest using CAP_PREAD to avoid surprises.

kevans added inline comments.Jan 8 2024, 10:52 PM
usr.sbin/bhyveload/bhyveload.c
758

Sure- I missed that we actually have an lseek() callback for host: fs; we don't seem to use it in my normal operation, but that doesn't mean it's unused.

re: /boot, it doesn't look like rtld will try to do any seeking on dlopen'd objects, but yeah- I don't see the harm in allowing it.

Revision Contents
Changeset List

PathSize
usr.sbin/
bhyveload/
18 lines

Diff 132278

View Options

usr.sbin/bhyveload/bhyveload.c

Loading...