| -rw-r--r-- | usr.sbin/vmd/control.c | 15 | ||||
| -rw-r--r-- | usr.sbin/vmd/parse.y | 10 | ||||
| -rw-r--r-- | usr.sbin/vmd/proc.h | 5 | ||||
| -rw-r--r-- | usr.sbin/vmd/vm.conf.5 | 14 | ||||
| -rw-r--r-- | usr.sbin/vmd/vmd.c | 9 | ||||
| -rw-r--r-- | usr.sbin/vmd/vmd.h | 5 |
6 files changed, 49 insertions, 9 deletions
diff --git a/usr.sbin/vmd/control.c b/usr.sbin/vmd/control.c
index 82693d6adc6..a111d182d05 100644
--- a/usr.sbin/vmd/control.c
+++ b/usr.sbin/vmd/control.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: control.c,v 1.23 2018/05/13 22:48:11 pd Exp $	*/
+/*	$OpenBSD: control.c,v 1.24 2018/06/26 10:00:08 reyk Exp $	*/
 /*
  * Copyright (c) 2010-2015 Reyk Floeter <reyk@openbsd.org>
@@ -103,6 +103,7 @@ control_dispatch_vmd(int fd, struct privsep_proc *p, struct imsg *imsg)
 		break;
 	case IMSG_VMDOP_CONFIG:
 		config_getconfig(ps->ps_env, imsg);
+		proc_compose(ps, PROC_PARENT, IMSG_VMDOP_DONE, NULL, 0);
 		break;
 	case IMSG_CTL_RESET:
 		config_getreset(ps->ps_env, imsg);
@@ -170,6 +171,18 @@ control_init(struct privsep *ps, struct control_sock *cs)
 	cs->cs_fd = fd;
 	cs->cs_env = ps;
+	proc_compose(ps, PROC_PARENT, IMSG_VMDOP_DONE, NULL, 0);
+
+	return (0);
+}
+
+int
+control_reset(struct control_sock *cs)
+{
+	/* Updating owner of the control socket */
+	if (chown(cs->cs_name, cs->cs_uid, cs->cs_gid) == -1)
+		return (-1);
+
 	return (0);
 }
diff --git a/usr.sbin/vmd/parse.y b/usr.sbin/vmd/parse.y
index 61763d6693f..52759a7ae4f 100644
--- a/usr.sbin/vmd/parse.y
+++ b/usr.sbin/vmd/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.35 2018/06/19 17:12:34 reyk Exp $	*/
+/*	$OpenBSD: parse.y,v 1.36 2018/06/26 10:00:08 reyk Exp $	*/
 /*
  * Copyright (c) 2007-2016 Reyk Floeter <reyk@openbsd.org>
@@ -119,7 +119,8 @@ typedef struct {
 %token	INCLUDE ERROR
 %token	ADD BOOT CDROM DISABLE DISK DOWN ENABLE GROUP INTERFACE LLADDR LOCAL
-%token	LOCKED MEMORY NIFS OWNER PATH PREFIX RDOMAIN SIZE SWITCH UP VM VMID
+%token	LOCKED MEMORY NIFS OWNER PATH PREFIX RDOMAIN SIZE SOCKET SWITCH UP
+%token	VM VMID
 %token	<v.number>	NUMBER
 %token	<v.string>	STRING
 %type	<v.lladdr>	lladdr
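Review bot: control_reset() changes the owner through the path in cs_name although the descriptor cs_fd is right at hand, and the one-line comment does not say why, so the next reader will reach for fchown(2) first. If the reason is that fchown(2) is not usable on a socket descriptor (on OpenBSD it fails with EINVAL for sockets) and that changing the owner to a foreign uid needs the privileged parent, which the IMSG_VMDOP_DONE round-trip appears to arrange, say so where the call is: `/* chown(2) by path: fchown(2) rejects socket fds and a foreign uid needs the privileged parent. */`. A path-based chown is only free of a symlink race because the socket lives in a root-owned directory, and that assumption should be stated with it. The DONE message in control_init() is sent before the socket is presumably put into listen by control_listen(), which is harmless for the chown but should be intentional.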
@@ -190,6 +191,10 @@ main		: LOCAL PREFIX STRING {
 			memcpy(&env->vmd_cfg.cfg_localprefix, &h, sizeof(h));
 		}
+		| SOCKET OWNER owner_id {
+			env->vmd_ps.ps_csock.cs_uid = $3.uid;
+			env->vmd_ps.ps_csock.cs_gid = $3.gid == -1 ? 0 : $3.gid;
+		}
 		;
 switch		: SWITCH string {
@@ -678,6 +683,7 @@ lookup(char *s)
 		{ "prefix",		PREFIX },
 		{ "rdomain",		RDOMAIN },
 		{ "size",		SIZE },
+		{ "socket",		SOCKET },
 		{ "switch",		SWITCH },
 		{ "up",			UP },
 		{ "vm",			VM }
diff --git a/usr.sbin/vmd/proc.h b/usr.sbin/vmd/proc.h
index b91f3a5fecb..323b57acbc8 100644
--- a/usr.sbin/vmd/proc.h
+++ b/usr.sbin/vmd/proc.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: proc.h,v 1.12 2017/03/27 00:28:04 deraadt Exp $	*/
+/*	$OpenBSD: proc.h,v 1.13 2018/06/26 10:00:08 reyk Exp $	*/
 /*
  * Copyright (c) 2010-2015 Reyk Floeter <reyk@openbsd.org>
@@ -62,6 +62,8 @@ struct control_sock {
 	int		 cs_fd;
 	int		 cs_restricted;
 	void		*cs_env;
+	uid_t		 cs_uid;
+	gid_t		 cs_gid;
 	TAILQ_ENTRY(control_sock) cs_entry;
 };
@@ -192,6 +194,7 @@ int	 proc_flush_imsg(struct privsep *, enum privsep_procid, int);
 /* control.c */
 void	 control(struct privsep *, struct privsep_proc *);
 int	 control_init(struct privsep *, struct control_sock *);
+int	 control_reset(struct control_sock *);
 int	 control_listen(struct control_sock *);
 void	 control_cleanup(struct control_sock *);
diff --git a/usr.sbin/vmd/vm.conf.5 b/usr.sbin/vmd/vm.conf.5
index 902081542eb..2daf022c69e 100644
--- a/usr.sbin/vmd/vm.conf.5
+++ b/usr.sbin/vmd/vm.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: vm.conf.5,v 1.29 2018/06/18 06:04:25 jmc Exp $
+.\" $OpenBSD: vm.conf.5,v 1.30 2018/06/26 10:00:08 reyk Exp $
 .\"
 .\" Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
 .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 18 2018 $
+.Dd $Mdocdate: June 26 2018 $
 .Dt VM.CONF 5
 .Os
 .Sh NAME
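Review bot: The cs_gid assignment in the new SOCKET OWNER rule turns a missing group into the bare literal 0, and nothing at the site says that 0 is the documented default (wheel) rather than a placeholder; a comment is warranted: `/* no group given: keep the default group (wheel) */`. Whether the `:group` form leaves cs_uid at 0 is decided by owner_id, which is outside this hunk, and should be checked so that `socket owner :group` really yields root:group as the vm.conf.5 text in this commit promises. The rule also accepts a repeated `socket owner` line, so the last one silently wins; if that is intended it deserves a word, otherwise reject the duplicate as the grammar does for other singleton settings.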
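Review bot: The two fields cs_uid and cs_gid are added to struct control_sock without a comment, so a reader of proc.h alone cannot tell whether they record the socket's current owner or the owner that is to be applied, nor who writes them. Suggest `uid_t cs_uid; /* owner applied by control_reset() */` and the same for cs_gid. It is also worth noting next to them that a control_sock nobody assigns keeps the zero value, i.e. root:wheel, since control_reset() is applied to every socket in the list, not only to the one the parser fills in.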
@@ -100,6 +100,16 @@ in the section below.
 The default is
 .Ar 100.64.0.0/10 .
+.It Cm socket owner Ar user Ns Op : Ns Ar group
+Set the control socket owner to the specified user or group.
+Users with access to the control socket will be allowed to use
+.Nm vmctl
+for restricted access to
+.Nm vmd.
+The default is
+.Ar root:wheel .
+.It Cm socket owner Pf : Ar group
+Set the control socket owner to the specified group.
 .El
 .Sh VM CONFIGURATION
 Each
diff --git a/usr.sbin/vmd/vmd.c b/usr.sbin/vmd/vmd.c
index cc2af555a16..9b1c66e2a52 100644
--- a/usr.sbin/vmd/vmd.c
+++ b/usr.sbin/vmd/vmd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vmd.c,v 1.86 2018/06/19 17:12:34 reyk Exp $	*/
+/*	$OpenBSD: vmd.c,v 1.87 2018/06/26 10:00:08 reyk Exp $	*/
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -85,6 +85,7 @@ vmd_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
 	struct vmd_vm		*vm = NULL;
 	char			*str = NULL;
 	uint32_t		 id = 0;
+	struct control_sock	*rcs;
 	switch (imsg->hdr.type) {
 	case IMSG_VMDOP_START_VM_REQUEST:
@@ -275,6 +276,12 @@ vmd_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
 			    NULL, 0);
 		}
 		break;
+	case IMSG_VMDOP_DONE:
+		control_reset(&ps->ps_csock);
+		TAILQ_FOREACH(rcs, &ps->ps_rcsocks, cs_entry)
+			control_reset(rcs);
+		cmd = 0;
+		break;
 	default:
 		return (-1);
 	}
diff --git a/usr.sbin/vmd/vmd.h b/usr.sbin/vmd/vmd.h
index d0260c35929..27c17edb187 100644
--- a/usr.sbin/vmd/vmd.h
+++ b/usr.sbin/vmd/vmd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: vmd.h,v 1.68 2018/04/27 12:15:10 mlarkin Exp $	*/
+/*	$OpenBSD: vmd.h,v 1.69 2018/06/26 10:00:08 reyk Exp $	*/
 /*
  * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -105,7 +105,8 @@ enum imsg_type {
 	IMSG_VMDOP_PRIV_IFRDOMAIN,
 	IMSG_VMDOP_VM_SHUTDOWN,
 	IMSG_VMDOP_VM_REBOOT,
-	IMSG_VMDOP_CONFIG
+	IMSG_VMDOP_CONFIG,
+	IMSG_VMDOP_DONE
 };
 struct vmop_result { |
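Review bot: Both control_reset() calls in the new IMSG_VMDOP_DONE case discard the return value, so a failed chown(2) leaves the socket at its previous owner while the daemon logs nothing, and the configured user simply finds that vmctl cannot connect. The failure should at least be warned about with the socket path, which means the TAILQ_FOREACH body gains an if and braces; the rewritten case is below. The restricted sockets in ps_rcsocks are chowned with their own cs_uid/cs_gid, which the parser in this commit only fills in for ps_csock; if nothing else initialises them they stay 0:0, which happens to be the default but deserves a comment rather than relying on zeroed memory. vmd_dispatch_control() begins and ends outside the hunk.
```c
	case IMSG_VMDOP_DONE:
		/* runs in the parent: chown to a foreign uid needs root */
		if (control_reset(&ps->ps_csock) == -1)
			log_warn("%s: chown %s", __func__, ps->ps_csock.cs_name);
		TAILQ_FOREACH(rcs, &ps->ps_rcsocks, cs_entry) {
			if (control_reset(rcs) == -1)
				log_warn("%s: chown %s", __func__, rcs->cs_name);
		}
		cmd = 0;
		break;
```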
