Differential D46535
vmm: Remove an incorrect credential check in vmmdev_open() Authored by markj on Sep 4 2024, 8:14 PM. Tags None Referenced Files
Details
Checking pointer equality here is too strict and can lead to incorrect The check is new with commit 4008758105a6 and was added with the goal of Reported by: Alonso Cárdenas Márquez <acardenas@bsd-peru.org>
Diff Detail
Event TimelineComment Actions That's mostly implied already, by virtue passing the creating thread's credential to make_dev_s(). In the future, I think cr_cansee() would also be insufficient as we'd want to prevent an unprivileged user from opening a VM device file created by a different user, so a stronger check would be needed. Comment Actions Do you know what check you will want to do? The various cr_cansee helper routines compare cr_uid directly. Presumably you might want to require same prison and same uid? Not sure though if you want to allow root in "parent" prisons? Comment Actions Root (i.e., a user which satisfies priv_check(PRIV_VMM_ACCESS) or so) in a parent jail should be able to access VMs in a child jail, I believe, as we currently don't maintain per-jail VM namespaces. (I'm not sure yet whether it makes sense to have per-jail VM namespaces; it probably does, but I'm not sure how that works with resources that have an associated device file. devfs_prison_check() makes device files from a child jail visible in the parent.) Aside from that case, I think requiring the UID and prison to be the same is a sufficient check. I will start a thread on -virtualization about this at some point, but before that, the next set of patches will introduce a /dev/vmmctl to allow creation and destruction of VMs via a device file interface. |