Split the fully privileged parent into two processes "parent" and

"vmm" with reduced privileges:
- the "parent" opens fds (disks, ifs, etc.) but runs as root but pledged as
  "stdio rpath wpath proc tty sendfd".
- the "vmm" process handles the creation and supervision of vm processes,
  and the primary communication with the vmm(4) subsystem.  It runs as _vmd
  in the chroot but does not use pledge, as the vmm ioctls are not allowed
  by any pledge model yet.
With this change, vmd starts to track the configuration state of VMs
in vmd and will allow other things later (like terminating a vm by
name, moving the configuration parser to vmd, ...).  More incremental
changes will follow.

1 files changed, 251 insertions, 0 deletions

diff --git a/usr.sbin/vmd/config.c b/usr.sbin/vmd/config.c
new file mode 100644
index 00000000000..d18fd21ea2e
--- /dev/null
+++ b/usr.sbin/vmd/config.c
@@ -0,0 +1,251 @@
+/*	$OpenBSD: config.c,v 1.1 2015/12/02 22:19:11 reyk Exp $	*/
+
+/*
+ * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <sys/time.h>
+#include <sys/uio.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <termios.h>
+#include <unistd.h>
+#include <limits.h>
+#include <string.h>
+#include <fcntl.h>
+#include <util.h>
+#include <imsg.h>
+
+#include "proc.h"
+#include "vmd.h"
+
+int
+config_init(struct vmd *env)
+{
+	struct privsep	*ps = &env->vmd_ps;
+	u_int		 what;
+
+	/* Global configuration */
+	if (privsep_process == PROC_PARENT) {
+		ps->ps_what[PROC_PARENT] = CONFIG_ALL;
+		ps->ps_what[PROC_VMM] = CONFIG_VMS;
+	}
+
+	/* Other configuration */
+	what = ps->ps_what[privsep_process];
+	if (what & CONFIG_VMS) {
+		if ((env->vmd_vms = calloc(1, sizeof(*env->vmd_vms))) == NULL)
+			return (-1);
+		TAILQ_INIT(env->vmd_vms);
+	}
+
+	return (0);
+}
+
+void
+config_purge(struct vmd *env, u_int reset)
+{
+	struct privsep		*ps = &env->vmd_ps;
+	struct vmd_vm		*vm;
+	u_int			 what;
+
+	what = ps->ps_what[privsep_process] & reset;
+
+	if (what & CONFIG_VMS && env->vmd_vms != NULL) {
+		while ((vm = TAILQ_FIRST(env->vmd_vms)) != NULL)
+			vm_remove(vm);
+		env->vmd_vmcount = 0;
+	}
+}
+
+int
+config_setreset(struct vmd *env, u_int reset)
+{
+	struct privsep	*ps = &env->vmd_ps;
+	unsigned int	 id;
+
+	for (id = 0; id < PROC_MAX; id++) {
+		if ((reset & ps->ps_what[id]) == 0 ||
+		    id == privsep_process)
+			continue;
+		proc_compose(ps, id, IMSG_CTL_RESET, &reset, sizeof(reset));
+	}
+
+	return (0);
+}
+
+int
+config_getreset(struct vmd *env, struct imsg *imsg)
+{
+	unsigned int	 mode;
+
+	IMSG_SIZE_CHECK(imsg, &mode);
+	memcpy(&mode, imsg->data, sizeof(mode));
+
+	config_purge(env, mode);
+
+	return (0);
+}
+
+int
+config_getvm(struct privsep *ps, struct imsg *imsg)
+{
+	struct vmd		*env = ps->ps_env;
+	struct vmd_vm		*vm;
+	struct vm_create_params	 vcp;
+	unsigned int		 i;
+	int			 fd, ttys_fd;
+
+	IMSG_SIZE_CHECK(imsg, &vcp);
+	memcpy(&vcp, imsg->data, sizeof(vcp));
+
+	if (vcp.vcp_ncpus > VMM_MAX_VCPUS_PER_VM) {
+		log_debug("invalid number of CPUs");
+		return (-1);
+	} else if (vcp.vcp_ndisks > VMM_MAX_DISKS_PER_VM) {
+		log_debug("invalid number of disks");
+		return (-1);
+	} else if (vcp.vcp_nnics > VMM_MAX_NICS_PER_VM) {
+		log_debug("invalid number of interfaces");
+		return (-1);
+	}
+
+	if ((vm = calloc(1, sizeof(*vm))) == NULL)
+		return (-1);
+
+	memcpy(&vm->vm_params, &vcp, sizeof(vm->vm_params));
+
+	for (i = 0; i < vcp.vcp_ndisks; i++)
+		vm->vm_disks[i] = -1;
+	for (i = 0; i < vcp.vcp_nnics; i++)
+		vm->vm_ifs[i] = -1;
+	vm->vm_kernel = -1;
+	vm->vm_vmid = ++env->vmd_nvm;
+
+	if (vm_getbyvmid(vm->vm_vmid) != NULL)
+		fatalx("too many vms");
+
+	TAILQ_INSERT_TAIL(env->vmd_vms, vm, vm_entry);
+
+	if (privsep_process != PROC_PARENT) {
+		if (imsg->fd == -1) {
+			log_debug("invalid kernel fd");
+			goto fail;
+		}
+		vm->vm_kernel = imsg->fd;
+	} else {
+		vm->vm_peerid = imsg->hdr.peerid;
+
+		/* Open kernel for child */
+		if ((fd = open(vcp.vcp_kernel, O_RDONLY)) == -1) {
+			log_warn("%s: can't open kernel %s", __func__,
+			    vcp.vcp_kernel);
+			goto fail;
+		}
+
+		proc_compose_imsg(ps, PROC_VMM, -1,
+		    IMSG_VMDOP_START_VM_REQUEST, vm->vm_vmid, fd,
+		    &vcp, sizeof(vcp));
+
+		/* Open disk images for child */
+		for (i = 0 ; i < vcp.vcp_ndisks; i++) {
+			if ((fd = open(vcp.vcp_disks[i], O_RDWR)) == -1) {
+				log_warn("%s: can't open %s", __func__,
+				    vcp.vcp_disks[i]);
+				goto fail;
+			}
+			proc_compose_imsg(ps, PROC_VMM, -1,
+			    IMSG_VMDOP_START_VM_DISK, vm->vm_vmid, fd,
+			    &i, sizeof(i));
+		}
+
+		/* Open disk network interfaces */
+		for (i = 0 ; i < vcp.vcp_nnics; i++) {
+			if ((fd = opentap()) == -1) {
+				log_warn("%s: can't open tap", __func__);
+				goto fail;
+			}
+			proc_compose_imsg(ps, PROC_VMM, -1,
+			    IMSG_VMDOP_START_VM_IF, vm->vm_vmid, fd,
+			    &i, sizeof(i));
+		}
+
+		/* Open TTY */
+		if (openpty(&fd, &ttys_fd,
+		    vm->vm_ttyname, NULL, NULL) == -1) {
+			log_warn("%s: can't open tty", __func__);
+			goto fail;
+		}
+		close(ttys_fd);
+
+		log_info("%s console: %s", vcp.vcp_name, vm->vm_ttyname);
+
+		proc_compose_imsg(ps, PROC_VMM, -1,
+		    IMSG_VMDOP_START_VM_END, vm->vm_vmid, fd,
+		    &vcp, sizeof(vcp));
+	}
+
+	return (0);
+
+ fail:
+	vm_remove(vm);
+	return (-1);
+}
+
+int
+config_getdisk(struct privsep *ps, struct imsg *imsg)
+{
+	struct vmd_vm	*vm;
+	unsigned int	 n;
+
+	if ((vm = vm_getbyvmid(imsg->hdr.peerid)) == NULL)
+		return (-1);
+
+	IMSG_SIZE_CHECK(imsg, &n);
+	memcpy(&n, imsg->data, sizeof(n));
+
+	if (n >= vm->vm_params.vcp_ndisks ||
+	    vm->vm_disks[n] != -1 || imsg->fd == -1) {
+		log_debug("invalid disk id");
+		return (-1);
+	}
+	vm->vm_disks[n] = imsg->fd;
+
+	return (0);
+}
+
+int
+config_getif(struct privsep *ps, struct imsg *imsg)
+{
+	struct vmd_vm	*vm;
+	unsigned int	 n;
+
+	if ((vm = vm_getbyvmid(imsg->hdr.peerid)) == NULL)
+		return (-1);
+
+	IMSG_SIZE_CHECK(imsg, &n);
+	memcpy(&n, imsg->data, sizeof(n));
+	if (n >= vm->vm_params.vcp_nnics ||
+	    vm->vm_ifs[n] != -1 || imsg->fd == -1) {
+		log_debug("invalid interface id");
+		return (-1);
+	}
+	vm->vm_ifs[n] = imsg->fd;
+
+	return (0);
+}