author | 2016-01-08 11:20:58 +0000 | |
committer | 2016-01-08 11:20:58 +0000 | |
commit | 8bc79b23701472461a1aa16b049b5b8be3113902 (patch) | |
tree | bc8691d2a3c191a02162a3e74888ef18979898ef /sys | |
parent | Use unorderd list to store sub-device configuration (we don't use (diff) | |
Add "vmm" pledge to allow restricted ioctl access to /dev/vmm.
This will allow pledging vmd(8)'s vmm and vm processes, so that VMs
themselves run "sandboxed", including their host-side virtio layer.
It will remain disabled for now (in userland) so as not to get in the way
of ongoing development and upcoming changes in vmd and the ioctl
interface.
OK mlarkin@ deraadt@ "kernel side in, but not the callers in userland"
Diffstat (limited to 'sys')
-rw-r--r-- | sys/arch/amd64/amd64/conf.c | 4 | ||||
-rw-r--r-- | sys/arch/amd64/amd64/vmm.c | 31 | ||||
-rw-r--r-- | sys/arch/amd64/include/conf.h | 5 | ||||
-rw-r--r-- | sys/kern/kern_pledge.c | 22 | ||||
-rw-r--r-- | sys/sys/pledge.h | 5 |
5 files changed, 60 insertions, 7 deletions
diff --git a/sys/arch/amd64/amd64/conf.c b/sys/arch/amd64/amd64/conf.c
index 2289de94790..bca710e7059 100644
--- a/sys/arch/amd64/amd64/conf.c
+++ b/sys/arch/amd64/amd64/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.53 2015/12/21 22:15:53 sf Exp $ */
+/* $OpenBSD: conf.c,v 1.54 2016/01/08 11:20:58 reyk Exp $ */
 
 /*
  * Copyright (c) 1994, 1995 Charles M. Hannum. All rights reserved.
@@ -163,8 +163,6 @@ cdev_decl(cztty);
 cdev_decl(nvram);
 #include "drm.h"
 cdev_decl(drm);
-#include "vmm.h"
-cdev_decl(vmm);
 #include "viocon.h"
 cdev_decl(viocon);
 
diff --git a/sys/arch/amd64/amd64/vmm.c b/sys/arch/amd64/amd64/vmm.c
index ed82dc62f96..c26945212e0 100644
--- a/sys/arch/amd64/amd64/vmm.c
+++ b/sys/arch/amd64/amd64/vmm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vmm.c,v 1.29 2016/01/04 01:35:56 mlarkin Exp $ */
+/* $OpenBSD: vmm.c,v 1.30 2016/01/08 11:20:58 reyk Exp $ */
 /*
  * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -26,6 +26,7 @@
 #include <sys/ioctl.h>
 #include <sys/queue.h>
 #include <sys/rwlock.h>
+#include <sys/pledge.h>
 
 #include <uvm/uvm_extern.h>
 
@@ -357,6 +358,34 @@ vmmioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
 }
 
 /*
+ * pledge_ioctl_vmm
+ *
+ * Restrict the allowed ioctls in a pledged process context.
+ * Is called from pledge_ioctl().
+ */
+int
+pledge_ioctl_vmm(struct proc *p, long com)
+{
+	switch (com) {
+	case VMM_IOC_CREATE:
+	case VMM_IOC_INFO:
+		/* The "parent" process in vmd forks and manages VMs */
+		if (p->p_p->ps_pledge & PLEDGE_PROC)
+			return (0);
+		break;
+	case VMM_IOC_TERM:
+		/* XXX VM processes should only terminate themselves */
+	case VMM_IOC_RUN:
+	case VMM_IOC_WRITEPAGE:
+	case VMM_IOC_READPAGE:
+	case VMM_IOC_RESETCPU:
+		return (0);
+	}
+
+	return (EPERM);
+}
+
+/*
  * vmmclose
  *
  * Called when /dev/vmm is closed. Presently unused.
diff --git a/sys/arch/amd64/include/conf.h b/sys/arch/amd64/include/conf.h
index 7b1357abf6e..64857e09bef 100644
--- a/sys/arch/amd64/include/conf.h
+++ b/sys/arch/amd64/include/conf.h
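Review bot: In pledge_ioctl_vmm the VMM_IOC_TERM case drops into the VMM_IOC_RUN group with nothing but the XXX comment to say the fall-through is intended; OpenBSD convention is an explicit marker, i.e. `/* XXX VM processes should only terminate themselves */` followed by `/* FALLTHROUGH */` before `case VMM_IOC_RUN:`. The XXX also records that the check is keyed on the command alone: the function receives only `com`, never the ioctl argument, so a "vmm"-pledged process is allowed to TERM any VM rather than just its own, and CREATE/INFO are additionally gated on PLEDGE_PROC while the remaining commands are not gated on anything beyond the pledge bit itself. It would help future callers if the header comment stated that granularity, e.g. ` * The decision is per ioctl command only; it does not inspect the VM id in the request.` The function is complete within the hunk; the new code otherwise returns EPERM for every command not listed, so an explicit `default:` is not needed for correctness.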
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.6 2011/07/04 16:52:41 nicm Exp $ */
+/* $OpenBSD: conf.h,v 1.7 2016/01/08 11:20:58 reyk Exp $ */
 /* $NetBSD: conf.h,v 1.2 1996/05/05 19:28:34 christos Exp $ */
 
 /*
@@ -53,3 +53,6 @@ cdev_decl(acpi);
 
 #define pctrpoll seltrue
 cdev_decl(pctr);
+
+#include "vmm.h"
+cdev_decl(vmm);
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 1deadd0ac3d..315b2c15074 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.144 2016/01/06 18:43:10 tedu Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.145 2016/01/08 11:20:58 reyk Exp $ */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -67,6 +67,13 @@
 #include "audio.h"
 #include "pty.h"
 
+#if defined(__amd64__)
+#include "vmm.h"
+#if NVMM > 0
+#include <machine/conf.h>
+#endif
+#endif
+
 #if defined(__amd64__) || defined(__i386__) || \
     defined(__macppc__) || defined(__sparc64__)
 #include "drm.h"
@@ -366,6 +373,7 @@ static const struct {
 	{ "tty",		PLEDGE_TTY },
 	{ "unix",		PLEDGE_UNIX },
 	{ "vminfo",		PLEDGE_VMINFO },
+	{ "vmm",		PLEDGE_VMM },
 	{ "wpath",		PLEDGE_WPATH },
 };
 
@@ -1328,6 +1336,18 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
 		}
 	}
 
+	if ((p->p_p->ps_pledge & PLEDGE_VMM)) {
+#if NVMM > 0
+		if ((fp->f_type == DTYPE_VNODE) &&
+		    (vp->v_type == VCHR) &&
+		    (cdevsw[major(vp->v_rdev)].d_open == vmmopen)) {
+			error = pledge_ioctl_vmm(p, com);
+			if (error == 0)
+				return 0;
+		}
+#endif
+	}
+
 	return pledge_fail(p, error, PLEDGE_IOCTL);
 }
 
diff --git a/sys/sys/pledge.h b/sys/sys/pledge.h
index cd261ec3929..0c3a50a70f3 100644
--- a/sys/sys/pledge.h
+++ b/sys/sys/pledge.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pledge.h,v 1.25 2016/01/06 09:09:16 kettenis Exp $ */
+/* $OpenBSD: pledge.h,v 1.26 2016/01/08 11:20:58 reyk Exp $ */
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
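Review bot: In the pledge_ioctl hunk of kern_pledge.c the `#if NVMM > 0` sits inside the `if ((p->p_p->ps_pledge & PLEDGE_VMM))` body, which leaves an empty conditional on kernels built without vmm and, on non-amd64 builds where "vmm.h" is never included, relies on NVMM being undefined and evaluating to 0 in the preprocessor; moving the guard outside reads more plainly, i.e. `#if NVMM > 0` then `if (p->p_p->ps_pledge & PLEDGE_VMM) {` with the matching `#endif` after the closing brace. A second point is that when pledge_ioctl_vmm refuses the command, `error` is overwritten with its EPERM before the fall-through to `pledge_fail`, which (presumably, the earlier assignment is outside the hunk) replaces whatever errno the preceding checks had chosen, so the caller cannot distinguish the two paths. The new code also uses `return 0;` while pledge_ioctl_vmm in the same commit uses `return (0);`; one form should be picked. `vp` is set outside the hunk and is only dereferenced after the DTYPE_VNODE test on the line before, which matches how the other device checks in this function appear to be written. pledge_ioctl begins outside the hunk.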
@@ -56,6 +56,7 @@
 #define PLEDGE_AUDIO	0x0000000008000000ULL	/* audio ioctls */
 #define PLEDGE_DPATH	0x0000000010000000ULL	/* mknod & mkfifo */
 #define PLEDGE_DRM	0x0000000020000000ULL	/* drm ioctls */
+#define PLEDGE_VMM	0x0000000040000000ULL	/* vmm ioctls */
 
 /*
  * Bits outside PLEDGE_USERSET are used by the kernel itself
@@ -100,6 +101,7 @@ static struct {
 	{ PLEDGE_AUDIO,		"audio" },
 	{ PLEDGE_DPATH,		"dpath" },
 	{ PLEDGE_DRM,		"drm" },
+	{ PLEDGE_VMM,		"vmm" },
 	{ 0, NULL },
 };
 #endif
@@ -122,6 +124,7 @@ int pledge_sockopt(struct proc *p, int set, int level, int optname);
 int	pledge_socket(struct proc *p, int domain, int state);
 int	pledge_ioctl(struct proc *p, long com, struct file *);
 int	pledge_ioctl_drm(struct proc *p, long com, dev_t device);
+int	pledge_ioctl_vmm(struct proc *p, long com);
 int	pledge_flock(struct proc *p);
 int	pledge_fcntl(struct proc *p, int cmd);
 int	pledge_swapctl(struct proc *p);