author | 2016-10-06 20:41:28 +0000 | |
---|---|---|
committer | 2016-10-06 20:41:28 +0000 | |
commit | a3138132ee2e68d7628a7b2aa43ca2656d615613 (patch) | |
tree | c0ce0c0ca427b22a280d96437eb74db45dbb5872 | |
parent | Enable switchd + switchctl. It is not finished yet but we made a lot (diff) | |
Enable pledge(2) in vmm and the VM processes: This way the VMs and
their monitor run in a very restricted environment. VMs only pledge
"stdio vmm" which allows them to do most basic functions and a subset
of vmm ioctls (the other part of vmm ioctls are only permitted in the
parent).
This requires the previous change in the vmm kernel part.
OK mlarkin@
-rw-r--r-- | usr.sbin/vmd/vmm.c | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/usr.sbin/vmd/vmm.c b/usr.sbin/vmd/vmm.c
index 90c81ef2866..b4ebbb70f38 100644
--- a/usr.sbin/vmd/vmm.c
+++ b/usr.sbin/vmd/vmm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmm.c,v 1.48 2016/10/06 18:48:41 reyk Exp $ */
+/* $OpenBSD: vmm.c,v 1.49 2016/10/06 20:41:28 reyk Exp $ */
 
 /*
 * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -155,7 +155,6 @@ vmm_run(struct privsep *ps, struct privsep_proc *p, void *arg)
 signal_set(&ps->ps_evsigchld, SIGCHLD, vmm_sighdlr, ps);
 signal_add(&ps->ps_evsigchld, NULL);
 
-#if 0
 /*
 * pledge in the vmm process:
 * stdio - for malloc and basic I/O including events.
@@ -163,10 +162,8 @@ vmm_run(struct privsep *ps, struct privsep_proc *p, void *arg)
 * proc - for forking and maitaining vms.
 * recvfd - for disks, interfaces and other fds.
 */
- /* XXX'ed pledge to hide it from grep as long as it's disabled */
- if (XXX("stdio vmm recvfd proc", NULL) == -1)
+ if (pledge("stdio vmm recvfd proc", NULL) == -1)
 fatal("pledge");
-#endif
 
 /* Get and terminate all running VMs */
 get_info_vm(ps, NULL, 1);
@@ -540,15 +537,13 @@ start_vm(struct imsg *imsg, uint32_t *id)
 fatal("create vmm ioctl failed - exiting");
 }
 
-#if 0
 /*
 * pledge in the vm processes:
 * stdio - for malloc and basic I/O including events.
 * vmm - for the vmm ioctls and operations.
 */
- if (XXX("stdio vmm", NULL) == -1)
+ if (pledge("stdio vmm", NULL) == -1)
 fatal("pledge");
-#endif
 
 /*
 * Set up default "flat 32 bit" register state - RIP, |
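Review bot: The promise comment above `pledge("stdio vmm recvfd proc", NULL)` in vmm_run misspells "maintaining" (`* proc - for forking and maitaining vms.`) and does not mention that `get_info_vm(ps, NULL, 1)` now runs after the pledge. By its own comment that call gets and terminates running VMs, so it relies on those vmm ioctls being within what the `vmm` promise permits for the monitor, which the commit message ties to a separate kernel change. I would fix the spelling and add a line such as `* Requires a kernel that knows the "vmm" promise.` so the dependency is recorded next to the call. How the process behaves on a kernel without that change is not visible here and should be confirmed. The comment's `vmm` line and the rest of vmm_run lie outside the hunk.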
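Review bot: The comment before `pledge("stdio vmm", NULL)` in start_vm lists the promises the VM process keeps but not the ordering constraint the call creates: after this line the process can no longer receive descriptors, open files or fork, so every disk, interface and other fd has to be in place above it. The create ioctl visible just before the comment, and anything else earlier in this branch, still runs under the promises the process had before, presumably the monitor's wider `stdio vmm recvfd proc` set if the VM is forked from the vmm_run process. I would add a line such as `* Nothing below may need a new fd or a fork; set up disks and interfaces above.` and confirm that the code after this point needs only stdio and the permitted vmm ioctls, since a pledge violation kills the VM process. start_vm begins and ends outside the hunk.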