On Thu, Oct 12, 2023 at 09:24:33AM -0600, Theo de Raadt wrote: > Manuel Giraud <man...@ledu-giraud.fr> wrote: > > > > Manuel Giraud <man...@ledu-giraud.fr> writes: > > > > > >> Hi, > > >> > > >> I can't find the information on this list (or elsewhere). Is it > > >> possible to have a vm that access a disk through its device? The > > >> following does not seem to work: > > >> > > >> # vmctl start -cL -m 1G -b /bsd.rd -d /dev/sd1c myvm > > >> vmctl: start vm command failed: Unknown error: -1 > > > > > > No, passing file descriptors to devices over ipc sockets isn't currently > > > allowed by the kernel. You'd need to use the raw character device, too, > > > afaik if passing them were allowed. > > > > Ok, noted. BTW I have the same error passing the raw character device. > > > > I made the decision to not allow passing of weird file descriptor types > very intentionally. I'm still very sure that is the right decision. > > Here's 1 program which wants to do it, but the other 1000 pledge'd programs > are being protected from being passed an incorrect fd and then doing system > calls upon it which behave "different". By that, I mean seek, read, and > write short-operation behaviours are subtly different outside of files and > sockets, and it would also expose some ioctl (which is MOSTLY limited by > pledge, but ioctl "request" values are just numbers, and they can overlap in > surprising ways). >
I would like to make clear that vmd does not "want to do it", and that I agree that the current design of not being able to pass these types of fds is correct. It may be slightly inconvient for certain niche use cases, but not worth weakening everything else or putting in hacks. Just dd the device you want to a .raw file and use that. -ml
