Page MenuHomeFreeBSD

Summary:Allow PRIV_IO and PRIV_KMEM_WRITE to allow bhyve pci passthrough to work inside jails.
Needs ReviewPublic

Authored by cneirabustos_gmail.com on Nov 11 2020, 1:31 PM.
This revision needs review, but there are no reviewers specified.

Details

Reviewers
None
Test Plan

Create a bhyve vm that uses pci-passthrough inside a jail.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 34743
Build 31799: arc lint + arc unit

Event Timeline

cneirabustos_gmail.com retitled this revision from Summary: Allow PRIV_IO and PRIV_KMEM_WRITE to allow bhyve pci passthrough to work inside jails. to Summary:Allow PRIV_IO and PRIV_KMEM_WRITE to allow bhyve pci passthrough to work inside jails..Nov 11 2020, 1:58 PM
cneirabustos_gmail.com added a subscriber: jamie.

I don't think this will go anywhere. There was an attempt to do this a while ago, with a new jail parameter allow.kmem (default not allowed) to not let it happen accidentally. Even with that, it fell flat - see commits r261266 and r261326. While I'm not against it myself, I don't wear a security hat, and I defer to those that do.

Now maybe bhyve in a jail will be considered more important than an X server in a jail, especially given that it was a listed release feature. But it'll definitely take some security buy-in first.

Thanks jamie,

Do we need to include a security dev in this revision or they will pick
this up for review eventually ?
So we could get some insight on how to make this change better.

Bests

It looks like you can just include "security" which will get the security team's attention. But first, I suggest you need to at least put in what r216266 had (the allow.kmem privilege).

I was wrong about bhyve in jails being mentioned in a release - I was thinking of the mention of Linux emulation in jails noted in the 12.2 release (something that already existed before but presumably is brought up to date and/or improved). Turns out is was in your own bug report that I read it. I imagine you'll want to make a case for bhyve inside a jail being worth what has already been turned down as a security problem.

Also, you may want to reach out to Alexander Leidinger <netchild@>, who fought this battle last time around.