From nobody Mon Jan 22 17:30:05 2024
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TJcg13dDgz57qsf;
	Mon, 22 Jan 2024 17:30:05 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4TJcg12Jkzz4fRq;
	Mon, 22 Jan 2024 17:30:05 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1705944605;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=EwTsK5POItYwynC+9ru1deM+Eb9lcbhi+gZD7IDk+Nc=;
	b=gEYOqBELTfHXbCMKYF0cBTCPvBlBpskIuNiRBpIiHICM3F+KYPUVxbP8rT2WZCmZT77Qxi
	iRxPGSmP5IMSPECqFJkfCl5K5oljw+iQLGCFWyFCMmp+kxNhgd4wLbPeNISB4s9KpTX8Nl
	BISRmObpv2d0xxUlT4lYGa/lkGxwmtQ4hGZ/NSzKqUVwBD09W2FTva14O5YftC+WzE84Uz
	iOGWinAWXgoUOLL8P7YZLwU9fnNfU2q22XC2dhBokXBgP/aXp7DaNv1DE/GXtElcdWHuy4
	BqBBpsc71/SU5hKdjJQmPhrDUNQShTKLddCyHqEUTVGuzHMjffpgUuuDTq9TLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1705944605;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=EwTsK5POItYwynC+9ru1deM+Eb9lcbhi+gZD7IDk+Nc=;
	b=lg5FhKP3t2/my0gxGbZYt+KwabNXIiOQe+Z/6xLsEAdbWPYXy+cl3pKWf0NZNLMFVLIDxu
	u04Fndw7p0eczXfqK9DBNM8v4UkUoTVYWM/iaBi3rdrOSHfsdeLl6AsRXr79+kc4PkYXl/
	ZiLuEfOsaobCA7J4ictK5PyVyKJ+jmhJfW1d7GNALo9QIIEumnU9cHswB3VJIrcyDKBYin
	C73FAcRpw7xN6LOd/R0ophUyL2w0jLWW9tGDfUhFCOA7BFOGPQB4ljUPXSV9SoJ8yHN76u
	WGP+DOrvmBm73cVzhKB62NTbY+u0VcFwpltcgZBSkKrq0kSM3Z0U1l4QStm1TQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1705944605; a=rsa-sha256; cv=none;
	b=R4iajkpZMs22IjPgnsd1Cz9r8zFN8LZKHviN3a65IAZb49D1Y9XhJsrAnRuJPejcY9+ZPI
	0T+dnJNGhCUw9qDQFW93qZMNDnXSnPT7Xx3Tz0v/mAKSXiCNuxPtAdzxMNaNACW+oR88hO
	Sz079TyThEhfFv25P5E/GLvJITfTmkmuEMLKZklz7zOEYIosGvBrbA2BJ3faOi/+W0wn3X
	GZCWMajzN9CgYfZxzofKNi48IGyQthPkW2u2RzBZ4KY88+hz/db9Nq7r4Y+xmYlrWRyPoY
	H1CjphuUINrHWS8Oh3aYm2nbLW0XF6PQ9vLs2YA8d6B6rER4L3s4U5IEXYCNhg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TJcg11QRgz19Zj;
	Mon, 22 Jan 2024 17:30:05 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 40MHU502009156;
	Mon, 22 Jan 2024 17:30:05 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 40MHU5wR009150;
	Mon, 22 Jan 2024 17:30:05 GMT
	(envelope-from git)
Date: Mon, 22 Jan 2024 17:30:05 GMT
Message-Id: <202401221730.40MHU5wR009150@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Kyle Evans <kevans@FreeBSD.org>
Subject: git: 20e06202f126 - stable/13 - bhyveload: limit rights
  on the dirfds we create
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 20e06202f126b52fd9718e611e4b42ea43908fb5
Auto-Submitted: auto-generated

The branch stable/13 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=20e06202f126b52fd9718e611e4b42ea43908fb5

commit 20e06202f126b52fd9718e611e4b42ea43908fb5
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2024-01-05 06:21:14 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2024-01-22 17:17:52 +0000

    bhyveload: limit rights on the dirfds we create
    
    In neither case do we need write access to the directories we're working
    with; userboot doesn't support fo_write on the host device, and the
    bootfd is only ever needed for loader loading.
    
    This improves on 8bf0882e18 ("bhyveload: enter capability mode [...]")
    so that arbitrary code in the loader can't open writable fds to either
    of the directories we need to maintain access to.
    
    Reviewed by:    imp
    
    (cherry picked from commit c067be72e835e469518ec985b6cc4e475c378944)
    (cherry picked from commit f9b17005bf8f1a30e2a74a3e66c92e34aa87f9bf)
---
 usr.sbin/bhyveload/bhyveload.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/usr.sbin/bhyveload/bhyveload.c b/usr.sbin/bhyveload/bhyveload.c
index 86f046a0a0c9..d4f282bcc178 100644
--- a/usr.sbin/bhyveload/bhyveload.c
+++ b/usr.sbin/bhyveload/bhyveload.c
@@ -731,12 +731,17 @@ usage(void)
 static void
 hostbase_open(const char *base)
 {
+	cap_rights_t rights;
 
 	if (hostbase_fd != -1)
 		close(hostbase_fd);
 	hostbase_fd = open(base, O_DIRECTORY | O_PATH);
 	if (hostbase_fd == -1)
 		err(EX_OSERR, "open");
+
+	if (caph_rights_limit(hostbase_fd, cap_rights_init(&rights, CAP_FSTATAT,
+	    CAP_LOOKUP, CAP_READ)) < 0)
+		err(EX_OSERR, "caph_rights_limit");
 }
 
 static void
@@ -857,11 +862,24 @@ main(int argc, char** argv)
 	 * guest requesting a different one.
 	 */
 	if (explicit_loader_fd == -1) {
+		cap_rights_t rights;
+
 		bootfd = open("/boot", O_DIRECTORY | O_PATH);
 		if (bootfd == -1) {
 			perror("open");
 			exit(1);
 		}
+
+		/*
+		 * bootfd will be used to do a lookup of our loader and do an
+		 * fdlopen(3) on the loader; thus, we need mmap(2) in addition
+		 * to the more usual lookup rights.
+		 */
+		if (caph_rights_limit(bootfd, cap_rights_init(&rights,
+		    CAP_FSTATAT, CAP_LOOKUP, CAP_MMAP_RX, CAP_READ)) < 0) {
+			perror("caph_rights_limit");
+			exit(1);
+		}
 	}
 
 	caph_cache_catpages();