From c067be72e835e469518ec985b6cc4e475c378944 Mon Sep 17 00:00:00 2001 From: Kyle Evans Date: Fri, 5 Jan 2024 00:21:14 -0600 Subject: [PATCH] bhyveload: limit rights on the dirfds we create In neither case do we need write access to the directories we're working with; userboot doesn't support fo_write on the host device, and the bootfd is only ever needed for loader loading. This improves on 8bf0882e18 ("bhyveload: enter capability mode [...]") so that arbitrary code in the loader can't open writable fds to either of the directories we need to maintain access to. Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D43315 --- usr.sbin/bhyveload/bhyveload.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/usr.sbin/bhyveload/bhyveload.c b/usr.sbin/bhyveload/bhyveload.c index d4f930e8cc7..f75ef27dd95 100644 --- a/usr.sbin/bhyveload/bhyveload.c +++ b/usr.sbin/bhyveload/bhyveload.c @@ -734,12 +734,17 @@ usage(void) static void hostbase_open(const char *base) { + cap_rights_t rights; if (hostbase_fd != -1) close(hostbase_fd); hostbase_fd = open(base, O_DIRECTORY | O_PATH); if (hostbase_fd == -1) err(EX_OSERR, "open"); + + if (caph_rights_limit(hostbase_fd, cap_rights_init(&rights, CAP_FSTATAT, + CAP_LOOKUP, CAP_READ)) < 0) + err(EX_OSERR, "caph_rights_limit"); } static void @@ -860,11 +865,24 @@ main(int argc, char** argv) * guest requesting a different one. */ if (explicit_loader_fd == -1) { + cap_rights_t rights; + bootfd = open("/boot", O_DIRECTORY | O_PATH); if (bootfd == -1) { perror("open"); exit(1); } + + /* + * bootfd will be used to do a lookup of our loader and do an + * fdlopen(3) on the loader; thus, we need mmap(2) in addition + * to the more usual lookup rights. + */ + if (caph_rights_limit(bootfd, cap_rights_init(&rights, + CAP_FSTATAT, CAP_LOOKUP, CAP_MMAP_RX, CAP_READ)) < 0) { + perror("caph_rights_limit"); + exit(1); + } } vcpu = vm_vcpu_open(ctx, BSP); -- 2.45.0