CVSROOT:	/cvs
Module name:	src
Changes by:	r...@cvs.openbsd.org	2016/10/29 03:24:54

Modified files:
	sys/arch/amd64/amd64: vmm.c

Log message:
Further improve vmm's security model by restricting pledged vmm processes to only do VMM_IOC_ ioctls on their associated VM (these ioctls are _RUN, _RESETCPU, _INTR, _READREGS, or _WRITEREGS at present).

The vmm monitor (parent) process or any non-pledged processes can still do ioctls on any VM. For example, a VM can only terminate itself but vmctl or the monitor can terminate any VM.

This prevents reachover into other VMs: while escaping from a VM to the host side (eg. through a bug in virtio etc.) pledge already kept the attacker in a pledged and privsep'ed process, but now it also prevents vmm ioctls on "other VMs".

OK mlarkin@
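
The access rule described in this log message, as a userland C model added here for illustration; it is not the vmm.c change and not OpenBSD code. All names (model_proc, model_vm, model_vmm_ioctl_check, the CMD_* ids) are hypothetical, the model covers only the five ioctls the message lists, and returning EPERM for a denied call is an assumption of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical ids standing in for the VMM_IOC_* ioctls named in the log. */
enum model_cmd { CMD_RUN, CMD_RESETCPU, CMD_INTR, CMD_READREGS,
                 CMD_WRITEREGS, CMD_OTHER };

struct model_proc {
    int  pid;
    bool pledged;   /* process is running under pledge */
    bool monitor;   /* the vmm monitor (parent) process */
};

struct model_vm {
    int id;
    int owner_pid;  /* pid of the process associated with this VM */
};

/* Commands a pledged VM process may issue at all (the five in the log). */
static bool cmd_allowed_when_pledged(enum model_cmd c)
{
    switch (c) {
    case CMD_RUN: case CMD_RESETCPU: case CMD_INTR:
    case CMD_READREGS: case CMD_WRITEREGS:
        return true;
    default:
        return false;
    }
}

/* Returns 0 to allow, EPERM to deny (assumed failure mode for the model). */
int model_vmm_ioctl_check(const struct model_proc *p,
                          const struct model_vm *vm, enum model_cmd c)
{
    if (!p->pledged || p->monitor)  /* monitor / non-pledged: any VM */
        return 0;
    if (!cmd_allowed_when_pledged(c))
        return EPERM;
    return vm->owner_pid == p->pid ? 0 : EPERM;  /* no reachover */
}

int main(void)
{
    struct model_proc guest = { 100, true, false };  /* constructed sample */
    struct model_vm own = { 1, 100 }, other = { 2, 200 };
    printf("own VM: %d, other VM: %d\n",
           model_vmm_ioctl_check(&guest, &own, CMD_RUN),
           model_vmm_ioctl_check(&guest, &other, CMD_RUN));
    return 0;
}
```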