Index: head/sys/amd64/vmm/vmm_dev.c
===================================================================
--- head/sys/amd64/vmm/vmm_dev.c
+++ head/sys/amd64/vmm/vmm_dev.c
@@ -33,6 +33,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -43,6 +44,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -82,16 +84,29 @@
 static SLIST_HEAD(, vmmdev_softc) head;
+static unsigned pr_allow_flag;
 static struct mtx vmmdev_mtx;
 static MALLOC_DEFINE(M_VMMDEV, "vmmdev", "vmmdev");
 SYSCTL_DECL(_hw_vmm);
+static int vmm_priv_check(struct ucred *ucred);
 static int devmem_create_cdev(const char *vmname, int id, char *devmem);
 static void devmem_destroy(void *arg);
 static int
+vmm_priv_check(struct ucred *ucred)
+{
+
+ if (jailed(ucred) &&
+ !(ucred->cr_prison->pr_allow & pr_allow_flag))
+ return (EPERM);
+
+ return (0);
+}
+
+static int
 vcpu_lock_one(struct vmmdev_softc *sc, int vcpu)
 {
 int error;
@@ -177,6 +192,10 @@
 void *hpa, *cookie;
 struct vmmdev_softc *sc;
+ error = vmm_priv_check(curthread->td_ucred);
+ if (error)
+ return (error);
+
 sc = vmmdev_lookup2(cdev);
 if (sc == NULL)
 return (ENXIO);
@@ -351,11 +370,14 @@
 uint64_t *regvals;
 int *regnums;
+ error = vmm_priv_check(curthread->td_ucred);
+ if (error)
+ return (error);
+
 sc = vmmdev_lookup2(cdev);
 if (sc == NULL)
 return (ENXIO);
- error = 0;
 vcpu = -1;
 state_changed = 0;
@@ -777,6 +799,10 @@
 int error, found, segid;
 bool sysmem;
+ error = vmm_priv_check(curthread->td_ucred);
+ if (error)
+ return (error);
+
 first = *offset;
 last = first + mapsize;
 if ((nprot & PROT_EXEC) || first < 0 || first >= last)
@@ -865,6 +891,10 @@
 struct vmmdev_softc *sc;
 struct cdev *cdev;
+ error = vmm_priv_check(req->td->td_ucred);
+ if (error)
+ return (error);
+
 strlcpy(buf, "beavis", sizeof(buf));
 error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 if (error != 0 || req->newptr == NULL)
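Review bot: vmm_priv_check() carries no comment stating its contract, and its outcome depends on pr_allow_flag having been assigned by prison_add_allow() in vmmdev_init() — until then the static holds 0, `pr_allow & 0` is 0, and every jailed credential is refused, which is the fail-closed direction but worth stating so nobody later "fixes" it. Suggest a header comment above the definition: `/* Refuse jailed credentials whose prison lacks allow.vmm. pr_allow_flag is registered in vmmdev_init(); before that it is 0 and all jailed callers are denied. Unjailed credentials always pass. */` The last sentence matters because the function adds no host-side check of its own, so access for unjailed callers remains whatever the existing caller-side checks enforce.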
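Review bot: The added prologue tests the result with `if (error)`, while the surrounding file compares explicitly (`if (sc == NULL)` two lines below, `if (error != 0 || req->newptr == NULL)` in the sysctl handlers); for consistency write `if (error != 0)`. The same four-line prologue is repeated verbatim in the @@ -351, @@ -777, @@ -865 and @@ -927 hunks, so one style should be chosen for all of them. The enclosing function begins outside this hunk.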
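Review bot: Dropping `error = 0;` makes the code that follows rely on `error` still holding the zero returned by vmm_priv_check() a few lines earlier; that is correct as written but silent, and any statement inserted between the check and the later uses could leave `error` stale. Either keep the explicit `error = 0;` or replace it with `/* error == 0 here: vmm_priv_check() succeeded. */` so the dependency is visible. The enclosing function starts and ends outside this hunk.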
@@ -906,7 +936,8 @@
 destroy_dev_sched_cb(cdev, vmmdev_destroy, sc);
 return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, destroy,
+ CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 NULL, 0, sysctl_vmm_destroy, "A", NULL);
 static struct cdevsw vmmdevsw = {
@@ -927,6 +958,10 @@
 struct vmmdev_softc *sc, *sc2;
 char buf[VM_MAX_NAMELEN];
+ error = vmm_priv_check(req->td->td_ucred);
+ if (error)
+ return (error);
+
 strlcpy(buf, "beavis", sizeof(buf));
 error = sysctl_handle_string(oidp, buf, sizeof(buf), req);
 if (error != 0 || req->newptr == NULL)
@@ -977,13 +1012,16 @@
 return (0);
 }
-SYSCTL_PROC(_hw_vmm, OID_AUTO, create, CTLTYPE_STRING | CTLFLAG_RW,
+SYSCTL_PROC(_hw_vmm, OID_AUTO, create,
+ CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_PRISON,
 NULL, 0, sysctl_vmm_create, "A", NULL);
 void
 vmmdev_init(void)
 {
 mtx_init(&vmmdev_mtx, "vmm device mutex", NULL, MTX_DEF);
+ pr_allow_flag = prison_add_allow(NULL, "vmm", NULL,
+ "Allow use of vmm in a jail.");
 }
 int
Index: head/usr.sbin/jail/jail.8
===================================================================
--- head/usr.sbin/jail/jail.8
+++ head/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 29, 2018
+.Dd July 30, 2018
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -650,6 +650,12 @@
 .Xr zfs 8
 for information on how to configure the ZFS filesystem to operate from within
 a jail.
+.It Va allow.vmm
+The jail may access
+.Xr vmm 4 .
+This flag is only available when the
+.Xr vmm 4
+kernel module is loaded.
 .It Va linux
 Determine how a jail's Linux emulation environment appears.
 A value of
@@ -1294,6 +1300,7 @@
 .Xr ps 1 ,
 .Xr quota 1 ,
 .Xr jail_set 2 ,
+.Xr vmm 4 ,
 .Xr devfs 5 ,
 .Xr fdescfs 5 ,
 .Xr jail.conf 5 ,
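Review bot: Adding CTLFLAG_PRISON lets jailed root with allow.vmm write hw.vmm.destroy, and nothing in the new check scopes the named VM to the caller's prison — vmm_priv_check() only tests the allow bit — so unless the lookup preceding destroy_dev_sched_cb() (outside this hunk) filters by prison, a jail granted allow.vmm can destroy VMs created on the host or in other jails simply by naming them. The same global reach presumably applies to hw.vmm.create in the @@ -977 hunk, where a jail could create a VM whose name collides with one the host intended to use. Worth a comment at the SYSCTL_PROC, e.g. `/* CTLFLAG_PRISON: allow.vmm is a host-wide capability; VM names are not scoped per jail. */`, or a recorded follow-up to scope the lookup, and the jail.8 entry in this commit could state the same so administrators treat allow.vmm accordingly.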