git: 20e06202f126 - stable/13 - bhyveload: limit rights on the dirfds we create

Mon, 22 Jan 2024 09:30:38 -0800 

The branch stable/13 has been updated by kevans:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=20e06202f126b52fd9718e611e4b42ea43908fb5

commit 20e06202f126b52fd9718e611e4b42ea43908fb5
Author:     Kyle Evans <kev...@freebsd.org>
AuthorDate: 2024-01-05 06:21:14 +0000
Commit:     Kyle Evans <kev...@freebsd.org>
CommitDate: 2024-01-22 17:17:52 +0000

    bhyveload: limit rights on the dirfds we create
    
    In neither case do we need write access to the directories we're working
    with; userboot doesn't support fo_write on the host device, and the
    bootfd is only ever needed for loader loading.
    
    This improves on 8bf0882e18 ("bhyveload: enter capability mode [...]")
    so that arbitrary code in the loader can't open writable fds to either
    of the directories we need to maintain access to.
    
    Reviewed by:    imp
    
    (cherry picked from commit c067be72e835e469518ec985b6cc4e475c378944)
    (cherry picked from commit f9b17005bf8f1a30e2a74a3e66c92e34aa87f9bf)
---
 usr.sbin/bhyveload/bhyveload.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/usr.sbin/bhyveload/bhyveload.c b/usr.sbin/bhyveload/bhyveload.c
index 86f046a0a0c9..d4f282bcc178 100644
--- a/usr.sbin/bhyveload/bhyveload.c
+++ b/usr.sbin/bhyveload/bhyveload.c
@@ -731,12 +731,17 @@ usage(void)
 static void
 hostbase_open(const char *base)
 {
+       cap_rights_t rights;
 
        if (hostbase_fd != -1)
                close(hostbase_fd);
        hostbase_fd = open(base, O_DIRECTORY | O_PATH);
        if (hostbase_fd == -1)
                err(EX_OSERR, "open");
+
+       if (caph_rights_limit(hostbase_fd, cap_rights_init(&rights, CAP_FSTATAT,
+           CAP_LOOKUP, CAP_READ)) < 0)
+               err(EX_OSERR, "caph_rights_limit");
 }
 
 static void
@@ -857,11 +862,24 @@ main(int argc, char** argv)
         * guest requesting a different one.
         */
        if (explicit_loader_fd == -1) {
+               cap_rights_t rights;
+
                bootfd = open("/boot", O_DIRECTORY | O_PATH);
                if (bootfd == -1) {
                        perror("open");
                        exit(1);
                }
+
+               /*
+                * bootfd will be used to do a lookup of our loader and do an
+                * fdlopen(3) on the loader; thus, we need mmap(2) in addition
+                * to the more usual lookup rights.
+                */
+               if (caph_rights_limit(bootfd, cap_rights_init(&rights,
+                   CAP_FSTATAT, CAP_LOOKUP, CAP_MMAP_RX, CAP_READ)) < 0) {
+                       perror("caph_rights_limit");
+                       exit(1);
+               }
        }
 
        caph_cache_catpages();

Reply via email to