CVSROOT:        /cvs
Module name:    src
Changes by:     [email protected]    2016/01/08 04:20:58

Modified files:
        sys/arch/amd64/amd64: conf.c vmm.c 
        sys/arch/amd64/include: conf.h 
        sys/kern       : kern_pledge.c 
        sys/sys        : pledge.h 

Log message:
Add "vmm" pledge to allow restricted ioctl access to /dev/vmm.

This will allow pledging vmd(8)'s vmm and vm processes, so that VMs
themselves run "sandboxed", including their host-side virtio layer.
It will remain disabled for now (in userland) so as not to get in the
way of ongoing development and upcoming changes in vmd and the ioctl
interface.

OK mlarkin@ deraadt@ "kernel side in, but not the callers in userland"
