authorReyk Floeter <reyk@cvs.openbsd.org>2016-01-08 11:20:59 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2016-01-08 11:20:59 +0000
commit9a4d4fb4d9565d77536cd7ed41fe94be475c25d2 (patch)
tree4a850a2980128f6fddbebe4b067eebde9529f77b /sys/kern
parentb150ed577a3a22d7aa41eb214b2c84f334f75c21 (diff)
Add "vmm" pledge to allow restricted ioctl access to /dev/vmm.
This will allow to pledge vmd(8)'s vmm and vm processes, so that VMs themselves run "sandboxed", including their host-side virtio layer. It will remain disabled for now (in userland) to not get into the way of ongoing development and upcoming changes in vmd and the ioctl interface. OK mlarkin@ deraadt@ "kernel side in, but not the callers in userland"
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_pledge.c22
1 files changed, 21 insertions, 1 deletions
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 1deadd0ac3d..315b2c15074 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_pledge.c,v 1.144 2016/01/06 18:43:10 tedu Exp $ */
+/* $OpenBSD: kern_pledge.c,v 1.145 2016/01/08 11:20:58 reyk Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -67,6 +67,13 @@
#include "audio.h"
#include "pty.h"
+#if defined(__amd64__)
+#include "vmm.h"
+#if NVMM > 0
+#include <machine/conf.h>
+#endif
+#endif
+
#if defined(__amd64__) || defined(__i386__) || \
defined(__macppc__) || defined(__sparc64__)
#include "drm.h"
@@ -366,6 +373,7 @@ static const struct {
{ "tty", PLEDGE_TTY },
{ "unix", PLEDGE_UNIX },
{ "vminfo", PLEDGE_VMINFO },
+ { "vmm", PLEDGE_VMM },
{ "wpath", PLEDGE_WPATH },
};
@@ -1328,6 +1336,18 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
}
}
+ if ((p->p_p->ps_pledge & PLEDGE_VMM)) {
+#if NVMM > 0
+ if ((fp->f_type == DTYPE_VNODE) &&
+ (vp->v_type == VCHR) &&
+ (cdevsw[major(vp->v_rdev)].d_open == vmmopen)) {
+ error = pledge_ioctl_vmm(p, com);
+ if (error == 0)
+ return 0;
+ }
+#endif
+ }
+
return pledge_fail(p, error, PLEDGE_IOCTL);
}
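Review bot: The new PLEDGE_VMM block has no comment saying where the restriction is enforced. The code here only checks that the descriptor is the vmm character device (`d_open == vmmopen`) and then leaves the per-command decision to `pledge_ioctl_vmm()`, which is defined outside this file. I would add a comment above the `if`, for example `/* "vmm": only ioctls approved by pledge_ioctl_vmm(), and only on the vmm device */`, plus a reminder to keep that list in step with the vmm ioctl interface, which the commit message says is still changing. Separately, `vmm.h` is included only under `__amd64__`, so on other platforms `#if NVMM > 0` relies on an undefined macro evaluating to 0; `#if defined(NVMM) && NVMM > 0` would make that intentional. The body of pledge_ioctl starts outside the hunk, so the assignment of `vp` that these checks depend on is not visible here.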