HomeFreeBSD
Diffusion FreeBSD src repository f3c772361f3b

vmm: Restore the ability to create VMs as root in a jail
f3c772361f3b
Actions

Description

vmm: Restore the ability to create VMs as root in a jail

The new PRIV_VMM_CREATE and DESTROY permissions should be allowed by
jails, so need to be added to the list in prison_priv_check(). Then,
modify vmmdev_create() to verify that the jail was created with the
allow.vmm flag. This is already verified when opening /dev/vmmctl, but
checking again doesn't hurt and ensures that one can't pass the
allow.vmm policy by passing a vmmctl fd along a unix domain socket from
outside the jail.

Rename vmm_priv_check() to vmm_jail_priv_check() to make the function's
purpose more clear.

Reported by: novel
Reviewed by: bnovkov
Fixes: d4c05edd410e ("vmm: Add privilege checks to vmmctl operations")
Differential Revision: https://reviews.freebsd.org/D56119

Details

Provenance
markjAuthored on Apr 1 2026, 9:25 AM
Reviewer
rGd4c05edd410e: vmm: Add privilege checks to vmmctl operations
Differential Revision
D56119: vmm: Restore the ability to create VMs as root in a jail
Parents
rGc6a1c1260f02: pmap: Do not use PMAP_LOCK_INIT with kernel_pmap
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
sys/
dev/
vmm/
kern/

rGf3c772361f3b

View Options

sys/dev/vmm/vmm_dev.c

Loading...
View Options

sys/kern/kern_jail.c

Loading...