On Wed, Jan 25, 2017 at 12:41:26AM -0700, Theo de Raadt wrote:
> > On Wed, Jan 25, 2017 at 12:33:36AM -0700, Theo de Raadt wrote:
> > > > 2. vmd calls openpty() in the pledged parent whenever a new VM is
> > > > started - effectively doing ioctls on post-pledge fds. I will
> > > > probably solve t
> On Wed, Jan 25, 2017 at 12:33:36AM -0700, Theo de Raadt wrote:
> > > 2. vmd calls openpty() in the pledged parent whenever a new VM is
> > > started - effectively doing ioctls on post-pledge fds. I will
> > > probably solve this by opening the pty in the non-pledged "priv"
> > > process, and do
On Wed, Jan 25, 2017 at 12:33:36AM -0700, Theo de Raadt wrote:
> > 2. vmd calls openpty() in the pledged parent whenever a new VM is
> > started - effectively doing ioctls on post-pledge fds. I will
> > probably solve this by opening the pty in the non-pledged "priv"
> > process, and do some addit
> 2. vmd calls openpty() in the pledged parent whenever a new VM is
> started - effectively doing ioctls on post-pledge fds. I will
> probably solve this by opening the pty in the non-pledged "priv"
> process, and do some additional passing, but then I'll also have to
> give up its chroot to acces
Hi,
two notes about vmd with this diff:
1. "vmm" pledge can be !fdpledged as well as it already pre-opens the
/dev/vmm fd for ioctls. I added the following chunk on top of your
diff and it works as expected:
---snip---
if ((p->p_p->ps_pledge & PLEDGE_VMM)) {
#if NVMM > 0
-
Here is the proposed ioctl lock-down policy for file descriptors
allocated in a process before pledge(2).
The manual page diff is first, that explains the direction this is
going.
The other supporting code has been committed already, so feel free
to take this for a ride and let's see what programs