bhyveload: use a dirfd to support -h
ClosedPublic
Actions

Authored by kevans on Jan 2 2024, 11:25 PM.

Details

Reviewers

markj
allanjude

Group Reviewers

bhyve
secteam

Commits

rG6779d44bd878: bhyveload: use a dirfd to support -h

Summary

Don't allow lookups from the loader scripts, which in rare cases may be
in guest control depending on the setup, to leave the specified host
root. Open the root dir and strictly do RESOLVE_BENEATH lookups from
there.

cb_open() has been restructured a bit to work nicely with this, using
fdopendir() in the directory case and just using the fd we already
opened in the regular file case.

hostbase_open() was split out to provide an obvious place to apply
rights(4) if that's something we care to do.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kevans created this revision.Jan 2 2024, 11:25 PM

Herald added subscribers: bcran, rgrimes, imp. · View Herald TranscriptJan 2 2024, 11:25 PM

kevans requested review of this revision.Jan 2 2024, 11:25 PM

Harbormaster completed remote builds in B55206: Diff 132164.Jan 2 2024, 11:25 PM

kevans added a child revision: D43285: bhyveload: hold /boot and do relative lookups for the loader.Jan 2 2024, 11:25 PM

reviewed-by: allanjude

This revision is now accepted and ready to land.Jan 2 2024, 11:29 PM

Looks good, just a couple of nits.

usr.sbin/bhyveload/bhyveload.c
205	Why not handle the error properly? fdopendir() could fail due to a malloc() failure, and we do try to handle that above.
783	Since the function is called `hostbase_open()`, it'd be a bit more logical to handle all of this there. Currently the function just opens a file, there is nothing specific to "hostbase" about it.

kevans added inline comments.Jan 3 2024, 5:23 PM

usr.sbin/bhyveload/bhyveload.c
205	Whoops- I had only glanced at the manpage and noted that the only possible errors were EBADF and ENOTDIR, it didn't occur to me that it naturally does need to allocate some memory.