authorreyk <reyk@openbsd.org>2018-06-26 10:00:08 +0000
committerreyk <reyk@openbsd.org>2018-06-26 10:00:08 +0000
commit6cfffd577b03d2f54eda873c3414b64f23c82b46 (patch)
tree7da0d1fd57b179ca847fce244f991a128146034d
parentAllow to read the password from a file with -y (diff)
Add "socket owner" to allow changing the owner of the vmd control socket.
This allows opening vmctl control or console access to other users who are not in group wheel. Access for non-root users still defaults to read-only actions unless you change the owner (user/group) of each individual VM. Requested by Mischa Peters OK mlarkin@
-rw-r--r--usr.sbin/vmd/control.c15
-rw-r--r--usr.sbin/vmd/parse.y10
-rw-r--r--usr.sbin/vmd/proc.h5
-rw-r--r--usr.sbin/vmd/vm.conf.514
-rw-r--r--usr.sbin/vmd/vmd.c9
-rw-r--r--usr.sbin/vmd/vmd.h5
6 files changed, 49 insertions, 9 deletions
diff --git a/usr.sbin/vmd/control.c b/usr.sbin/vmd/control.c
index 82693d6adc6..a111d182d05 100644
--- a/usr.sbin/vmd/control.c
+++ b/usr.sbin/vmd/control.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: control.c,v 1.23 2018/05/13 22:48:11 pd Exp $ */
+/* $OpenBSD: control.c,v 1.24 2018/06/26 10:00:08 reyk Exp $ */
/*
* Copyright (c) 2010-2015 Reyk Floeter <reyk@openbsd.org>
@@ -103,6 +103,7 @@ control_dispatch_vmd(int fd, struct privsep_proc *p, struct imsg *imsg)
break;
case IMSG_VMDOP_CONFIG:
config_getconfig(ps->ps_env, imsg);
+ proc_compose(ps, PROC_PARENT, IMSG_VMDOP_DONE, NULL, 0);
break;
case IMSG_CTL_RESET:
config_getreset(ps->ps_env, imsg);
@@ -170,6 +171,18 @@ control_init(struct privsep *ps, struct control_sock *cs)
cs->cs_fd = fd;
cs->cs_env = ps;
+ proc_compose(ps, PROC_PARENT, IMSG_VMDOP_DONE, NULL, 0);
+
+ return (0);
+}
+
+int
+control_reset(struct control_sock *cs)
+{
+ /* Updating owner of the control socket */
+ if (chown(cs->cs_name, cs->cs_uid, cs->cs_gid) == -1)
+ return (-1);
+
return (0);
}
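Review bot: control_reset() has no header comment saying where it must run or what it touches, and its only comment ("Updating owner") restates the chown call. Both senders of IMSG_VMDOP_DONE in this file address PROC_PARENT, which suggests the chown is deliberately performed by the privileged parent rather than by the control process itself; if so, that is the fact a maintainer needs, e.g. `/* Apply cs_uid/cs_gid to the socket node at cs_name. Called in the parent on IMSG_VMDOP_DONE, since the control process cannot chown(2) it. Returns 0, or -1 with errno set by chown(2). */`. Note also that chown(2) resolves cs_name by path at call time rather than acting on the bound descriptor cs_fd, so the comment should state the expectation that the socket directory is not writable by others. The vmd.c hunk additionally calls control_reset() on every entry of ps_rcsocks, while the parse.y hunk only fills in ps_csock.cs_uid/cs_gid; unless those fields are set for restricted sockets elsewhere, each config load resets those sockets to uid/gid 0, which is worth stating in the comment.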
diff --git a/usr.sbin/vmd/parse.y b/usr.sbin/vmd/parse.y
index 61763d6693f..52759a7ae4f 100644
--- a/usr.sbin/vmd/parse.y
+++ b/usr.sbin/vmd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.35 2018/06/19 17:12:34 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.36 2018/06/26 10:00:08 reyk Exp $ */
/*
* Copyright (c) 2007-2016 Reyk Floeter <reyk@openbsd.org>
@@ -119,7 +119,8 @@ typedef struct {
%token INCLUDE ERROR
%token ADD BOOT CDROM DISABLE DISK DOWN ENABLE GROUP INTERFACE LLADDR LOCAL
-%token LOCKED MEMORY NIFS OWNER PATH PREFIX RDOMAIN SIZE SWITCH UP VM VMID
+%token LOCKED MEMORY NIFS OWNER PATH PREFIX RDOMAIN SIZE SOCKET SWITCH UP
+%token VM VMID
%token <v.number> NUMBER
%token <v.string> STRING
%type <v.lladdr> lladdr
@@ -190,6 +191,10 @@ main : LOCAL PREFIX STRING {
memcpy(&env->vmd_cfg.cfg_localprefix, &h, sizeof(h));
}
+ | SOCKET OWNER owner_id {
+ env->vmd_ps.ps_csock.cs_uid = $3.uid;
+ env->vmd_ps.ps_csock.cs_gid = $3.gid == -1 ? 0 : $3.gid;
+ }
;
switch : SWITCH string {
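Review bot: The `SOCKET OWNER owner_id` action handles an absent group explicitly (`$3.gid == -1 ? 0 : $3.gid`) but stores `$3.uid` into the unsigned `cs_uid` without comment, so a reader cannot tell whether a -1 uid is a bug or intended. If owner_id yields -1 for an unspecified user (the `socket owner :group` form documented in vm.conf.5), the behaviour is correct only because chown(2) treats (uid_t)-1 as "leave the owner unchanged"; that reliance should be written down, e.g. `/* uid -1 (":group" form) is passed through unchanged: chown(2) keeps the current owner. An unspecified group defaults to wheel (gid 0). */`. Whether owner_id actually produces -1 here is inferred from the gid check and should be confirmed against its rule, which lies outside the hunk.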
@@ -678,6 +683,7 @@ lookup(char *s)
{ "prefix", PREFIX },
{ "rdomain", RDOMAIN },
{ "size", SIZE },
+ { "socket", SOCKET },
{ "switch", SWITCH },
{ "up", UP },
{ "vm", VM }
diff --git a/usr.sbin/vmd/proc.h b/usr.sbin/vmd/proc.h
index b91f3a5fecb..323b57acbc8 100644
--- a/usr.sbin/vmd/proc.h
+++ b/usr.sbin/vmd/proc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: proc.h,v 1.12 2017/03/27 00:28:04 deraadt Exp $ */
+/* $OpenBSD: proc.h,v 1.13 2018/06/26 10:00:08 reyk Exp $ */
/*
* Copyright (c) 2010-2015 Reyk Floeter <reyk@openbsd.org>
@@ -62,6 +62,8 @@ struct control_sock {
int cs_fd;
int cs_restricted;
void *cs_env;
+ uid_t cs_uid;
+ gid_t cs_gid;
TAILQ_ENTRY(control_sock) cs_entry;
};
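Review bot: The two new struct control_sock fields carry no comment, unlike the surrounding members' role being readable from their names. Since they are only meaningful after the parser fills them and control_reset() applies them, a one-line note per field would help, e.g. `uid_t cs_uid; /* socket owner applied by control_reset() */` and `gid_t cs_gid; /* socket group, 0 (wheel) when unset */`. The "0 when unset" part follows from the parse.y hunk mapping a missing group to 0 and from the documented default in vm.conf.5.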
@@ -192,6 +194,7 @@ int proc_flush_imsg(struct privsep *, enum privsep_procid, int);
/* control.c */
void control(struct privsep *, struct privsep_proc *);
int control_init(struct privsep *, struct control_sock *);
+int control_reset(struct control_sock *);
int control_listen(struct control_sock *);
void control_cleanup(struct control_sock *);
diff --git a/usr.sbin/vmd/vm.conf.5 b/usr.sbin/vmd/vm.conf.5
index 902081542eb..2daf022c69e 100644
--- a/usr.sbin/vmd/vm.conf.5
+++ b/usr.sbin/vmd/vm.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vm.conf.5,v 1.29 2018/06/18 06:04:25 jmc Exp $
+.\" $OpenBSD: vm.conf.5,v 1.30 2018/06/26 10:00:08 reyk Exp $
.\"
.\" Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 18 2018 $
+.Dd $Mdocdate: June 26 2018 $
.Dt VM.CONF 5
.Os
.Sh NAME
@@ -100,6 +100,16 @@ in the
section below.
The default is
.Ar 100.64.0.0/10 .
+.It Cm socket owner Ar user Ns Op : Ns Ar group
+Set the control socket owner to the specified user or group.
+Users with access to the control socket will be allowed to use
+.Nm vmctl
+for restricted access to
+.Nm vmd.
+The default is
+.Ar root:wheel .
+.It Cm socket owner Pf : Ar group
+Set the control socket owner to the specified group.
.El
.Sh VM CONFIGURATION
Each
diff --git a/usr.sbin/vmd/vmd.c b/usr.sbin/vmd/vmd.c
index cc2af555a16..9b1c66e2a52 100644
--- a/usr.sbin/vmd/vmd.c
+++ b/usr.sbin/vmd/vmd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmd.c,v 1.86 2018/06/19 17:12:34 reyk Exp $ */
+/* $OpenBSD: vmd.c,v 1.87 2018/06/26 10:00:08 reyk Exp $ */
/*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -85,6 +85,7 @@ vmd_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
struct vmd_vm *vm = NULL;
char *str = NULL;
uint32_t id = 0;
+ struct control_sock *rcs;
switch (imsg->hdr.type) {
case IMSG_VMDOP_START_VM_REQUEST:
@@ -275,6 +276,12 @@ vmd_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
NULL, 0);
}
break;
+ case IMSG_VMDOP_DONE:
+ control_reset(&ps->ps_csock);
+ TAILQ_FOREACH(rcs, &ps->ps_rcsocks, cs_entry)
+ control_reset(rcs);
+ cmd = 0;
+ break;
default:
return (-1);
}
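Review bot: Both calls to control_reset() in the new IMSG_VMDOP_DONE case discard its return value, so a failed chown(2) on the control socket or on a restricted socket is silent and the operator who set `socket owner` never learns that the socket still belongs to root. A warning with errno is enough, e.g. `if (control_reset(&ps->ps_csock) == -1) log_warn("%s: failed to set owner of %s", __func__, ps->ps_csock.cs_name);`, and the same check inside the TAILQ_FOREACH body for `rcs`. This does not need to abort the request, since the sockets remain usable with their previous ownership. vmd_dispatch_control() begins and ends outside this hunk, so how `cmd = 0` is consumed afterwards cannot be verified here.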
diff --git a/usr.sbin/vmd/vmd.h b/usr.sbin/vmd/vmd.h
index d0260c35929..27c17edb187 100644
--- a/usr.sbin/vmd/vmd.h
+++ b/usr.sbin/vmd/vmd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmd.h,v 1.68 2018/04/27 12:15:10 mlarkin Exp $ */
+/* $OpenBSD: vmd.h,v 1.69 2018/06/26 10:00:08 reyk Exp $ */
/*
* Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -105,7 +105,8 @@ enum imsg_type {
IMSG_VMDOP_PRIV_IFRDOMAIN,
IMSG_VMDOP_VM_SHUTDOWN,
IMSG_VMDOP_VM_REBOOT,
- IMSG_VMDOP_CONFIG
+ IMSG_VMDOP_CONFIG,
+ IMSG_VMDOP_DONE
};
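Review bot: IMSG_VMDOP_DONE is added to enum imsg_type with no comment, and the name alone does not say what is done or which direction the message travels. From the control.c hunks it is sent by the control process to PROC_PARENT after control_init() and after each IMSG_VMDOP_CONFIG has been applied, and vmd.c reacts by fixing socket ownership, so a trailing comment would spare readers the cross-file lookup, e.g. `IMSG_VMDOP_DONE /* control -> parent: config applied, sockets bound */`. The enum itself continues outside the hunk.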
struct vmop_result {