Run cu(1) in restricted mode

Users must not not be able to transfer files from the local hypervisor
filesystem to VMs/LDOMs, especially since the "vmctl/ldomctl console ..."
might be run as root.

Disable all relevant escape sequences and cause cu to run under "stdio tty"
pledge by using -r.

OK deraadt mlarkin

2 files changed, 6 insertions, 4 deletions

diff --git a/usr.sbin/ldomctl/ldomctl.c b/usr.sbin/ldomctl/ldomctl.c
index 7b568018cbf..e8060727b59 100644
--- a/usr.sbin/ldomctl/ldomctl.c
+++ b/usr.sbin/ldomctl/ldomctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ldomctl.c,v 1.30 2019/12/28 06:58:27 tb Exp $	*/
+/*	$OpenBSD: ldomctl.c,v 1.31 2019/12/28 18:36:02 kn Exp $	*/
 
 /*
  * Copyright (c) 2012 Mark Kettenis
@@ -643,7 +643,8 @@ guest_console(int argc, char **argv)
 		    "ttyV%llu", guest->gid - 1);
 
 		closefrom(STDERR_FILENO + 1);
-		execl(LDOMCTL_CU, LDOMCTL_CU, "-l", console_str, (char *)NULL);
+		execl(LDOMCTL_CU, LDOMCTL_CU, "-r", "-l", console_str,
+		    (char *)NULL);
 		err(1, "failed to open console");
 	}
 }
diff --git a/usr.sbin/vmctl/main.c b/usr.sbin/vmctl/main.c
index 59f0c3af5e4..2836284b882 100644
--- a/usr.sbin/vmctl/main.c
+++ b/usr.sbin/vmctl/main.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.60 2019/12/17 09:43:00 kn Exp $	*/
+/*	$OpenBSD: main.c,v 1.61 2019/12/28 18:36:01 kn Exp $	*/
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -1047,6 +1047,7 @@ ctl_openconsole(const char *name)
 	closefrom(STDERR_FILENO + 1);
 	if (unveil(VMCTL_CU, "x") == -1)
 		err(1, "unveil");
-	execl(VMCTL_CU, VMCTL_CU, "-l", name, "-s", "115200", (char *)NULL);
+	execl(VMCTL_CU, VMCTL_CU, "-r", "-l", name, "-s", "115200",
+	    (char *)NULL);
 	err(1, "failed to open the console");
 }