From nobody Mon Feb 16 15:29:11 2026
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: c71354030a26 - main - vmm: Allow the use of PCI passthrough in a jail
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@FreeBSD.org
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c71354030a26900e564f0c80a8abdff7e77b3c9e
Date: Mon, 16 Feb 2026 15:29:11 +0000
Message-Id: <699337c7.1dcc8.3cb007a8@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=c71354030a26900e564f0c80a8abdff7e77b3c9e

commit c71354030a26900e564f0c80a8abdff7e77b3c9e
Author:     Mark Johnston
AuthorDate: 2026-02-16 14:56:25 +0000
Commit:     Mark Johnston
CommitDate: 2026-02-16 15:28:49 +0000

    vmm: Allow the use of PCI passthrough in a jail

    After commit e11768e94787 ("vmm: Add PRIV_DRIVER checks for passthru
    ioctls"), it is not possible to use PCI passthru from jails, as
    PRIV_DRIVER is not granted to jails.  Apparently some users expect this
    to work, understanding that jailing bhyve provides little security
    benefit in this configuration.

    I believe we should disable ppt access in jails even when allow.vmm is
    configured.  To provide an escape hatch for users, add a new
    allow.vmm_ppt jail configuration knob, and check it when handling ppt
    ioctls in jails.  Also add a new PRIV_VMM_PPTDEV to replace the use of
    PRIV_DRIVER.

    PR:             292750
    Reviewed by:    corvink
    MFC after:      2 weeks
    Sponsored by:   The FreeBSD Foundation
    Sponsored by:   Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D55066 --- sys/amd64/vmm/vmm_dev_machdep.c | 14 +++++++------- sys/dev/vmm/vmm_dev.c | 20 +++++++++++++------- sys/dev/vmm/vmm_dev.h | 2 +- sys/kern/kern_jail.c | 7 +++++++ sys/sys/priv.h | 7 ++++++- usr.sbin/jail/jail.8 | 11 +++++++++++ 6 files changed, 45 insertions(+), 16 deletions(-) diff --git a/sys/amd64/vmm/vmm_dev_machdep.c b/sys/amd64/vmm/vmm_dev_machdep.c index b84be809ea24..55fccf8f25b2 100644 --- a/sys/amd64/vmm/vmm_dev_machdep.c +++ b/sys/amd64/vmm/vmm_dev_machdep.c @@ -125,15 +125,15 @@ const struct vmmdev_ioctl vmmdev_machdep_ioctls[] = { VMMDEV_IOCTL(VM_BIND_PPTDEV, VMMDEV_IOCTL_XLOCK_MEMSEGS | VMMDEV_IOCTL_LOCK_ALL_VCPUS | - VMMDEV_IOCTL_PRIV_CHECK_DRIVER), + VMMDEV_IOCTL_PPT), VMMDEV_IOCTL(VM_UNBIND_PPTDEV, VMMDEV_IOCTL_XLOCK_MEMSEGS | VMMDEV_IOCTL_LOCK_ALL_VCPUS | - VMMDEV_IOCTL_PRIV_CHECK_DRIVER), + VMMDEV_IOCTL_PPT), VMMDEV_IOCTL(VM_MAP_PPTDEV_MMIO, VMMDEV_IOCTL_LOCK_ALL_VCPUS | - VMMDEV_IOCTL_PRIV_CHECK_DRIVER), + VMMDEV_IOCTL_PPT), VMMDEV_IOCTL(VM_UNMAP_PPTDEV_MMIO, VMMDEV_IOCTL_LOCK_ALL_VCPUS | - VMMDEV_IOCTL_PRIV_CHECK_DRIVER), + VMMDEV_IOCTL_PPT), #ifdef BHYVE_SNAPSHOT #ifdef COMPAT_FREEBSD13 VMMDEV_IOCTL(VM_SNAPSHOT_REQ_13, VMMDEV_IOCTL_LOCK_ALL_VCPUS), @@ -151,9 +151,9 @@ const struct vmmdev_ioctl vmmdev_machdep_ioctls[] = { VMMDEV_IOCTL(VM_LAPIC_LOCAL_IRQ, VMMDEV_IOCTL_MAYBE_ALLOC_VCPU), - VMMDEV_IOCTL(VM_PPTDEV_MSI, VMMDEV_IOCTL_PRIV_CHECK_DRIVER), - VMMDEV_IOCTL(VM_PPTDEV_MSIX, VMMDEV_IOCTL_PRIV_CHECK_DRIVER), - VMMDEV_IOCTL(VM_PPTDEV_DISABLE_MSIX, VMMDEV_IOCTL_PRIV_CHECK_DRIVER), + VMMDEV_IOCTL(VM_PPTDEV_MSI, VMMDEV_IOCTL_PPT), + VMMDEV_IOCTL(VM_PPTDEV_MSIX, VMMDEV_IOCTL_PPT), + VMMDEV_IOCTL(VM_PPTDEV_DISABLE_MSIX, VMMDEV_IOCTL_PPT), VMMDEV_IOCTL(VM_LAPIC_MSI, 0), VMMDEV_IOCTL(VM_IOAPIC_ASSERT_IRQ, 0), VMMDEV_IOCTL(VM_IOAPIC_DEASSERT_IRQ, 0), diff --git a/sys/dev/vmm/vmm_dev.c b/sys/dev/vmm/vmm_dev.c index 09fd3a9048bd..0df21402683d 100644 --- a/sys/dev/vmm/vmm_dev.c 
+++ b/sys/dev/vmm/vmm_dev.c @@ -91,7 +91,7 @@ static bool vmm_initialized = false; static SLIST_HEAD(, vmmdev_softc) head; -static unsigned pr_allow_flag; +static unsigned int pr_allow_vmm_flag, pr_allow_vmm_ppt_flag; static struct sx vmmdev_mtx; SX_SYSINIT(vmmdev_mtx, &vmmdev_mtx, "vmm device mutex"); @@ -115,7 +115,7 @@ static int vmm_priv_check(struct ucred *ucred) { if (jailed(ucred) && - !(ucred->cr_prison->pr_allow & pr_allow_flag)) + (ucred->cr_prison->pr_allow & pr_allow_vmm_flag) == 0) return (EPERM); return (0); @@ -459,8 +459,11 @@ vmmdev_ioctl(struct cdev *cdev, u_long cmd, caddr_t data, int fflag, if (ioctl == NULL) return (ENOTTY); - if ((ioctl->flags & VMMDEV_IOCTL_PRIV_CHECK_DRIVER) != 0) { - error = priv_check(td, PRIV_DRIVER); + if ((ioctl->flags & VMMDEV_IOCTL_PPT) != 0) { + if (jailed(td->td_ucred) && (td->td_ucred->cr_prison->pr_allow & + pr_allow_vmm_ppt_flag) == 0) + return (EPERM); + error = priv_check(td, PRIV_VMM_PPTDEV); if (error != 0) return (error); } @@ -1178,9 +1181,12 @@ vmmdev_init(void) sx_xlock(&vmmdev_mtx); error = make_dev_p(MAKEDEV_CHECKNAME, &vmmctl_cdev, &vmmctlsw, NULL, UID_ROOT, GID_WHEEL, 0600, "vmmctl"); - if (error == 0) - pr_allow_flag = prison_add_allow(NULL, "vmm", NULL, - "Allow use of vmm in a jail."); + if (error == 0) { + pr_allow_vmm_flag = prison_add_allow(NULL, "vmm", NULL, + "Allow use of vmm in a jail"); + pr_allow_vmm_ppt_flag = prison_add_allow(NULL, "vmm_ppt", NULL, + "Allow use of vmm with ppt devices in a jail"); + } sx_xunlock(&vmmdev_mtx); return (error); diff --git a/sys/dev/vmm/vmm_dev.h b/sys/dev/vmm/vmm_dev.h index f8f637fda687..4b971d88f80e 100644 --- a/sys/dev/vmm/vmm_dev.h +++ b/sys/dev/vmm/vmm_dev.h @@ -48,7 +48,7 @@ struct vmmdev_ioctl { #define VMMDEV_IOCTL_LOCK_ALL_VCPUS 0x08 #define VMMDEV_IOCTL_ALLOC_VCPU 0x10 #define VMMDEV_IOCTL_MAYBE_ALLOC_VCPU 0x20 -#define VMMDEV_IOCTL_PRIV_CHECK_DRIVER 0x40 +#define VMMDEV_IOCTL_PPT 0x40 int flags; }; 
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 5111b98bf221..369b6aca926c 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -4736,6 +4736,13 @@ prison_priv_check(struct ucred *cred, int priv) else return (EPERM); + case PRIV_VMM_PPTDEV: + /* + * Allow jailed root to manage passthrough devices. vmm(4) also + * checks for the dynamically added allow.vmm_ppt. + */ + return (0); + default: /* * In all remaining cases, deny the privilege request. This diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 9c493629f7cf..1ad6a4882ffc 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -535,10 +535,15 @@ #define PRIV_VERIEXEC_NOVERIFY 701 /* Can override O_VERIFY */ #define PRIV_VERIEXEC_CONTROL 702 /* Can configure veriexec */ +/* + * vmm privileges. + */ +#define PRIV_VMM_PPTDEV 710 /* Can manipulate ppt devices. */ + /* * Track end of privilege list. */ -#define _PRIV_HIGHEST 703 +#define _PRIV_HIGHEST 711 /* * Validate that a named privilege is known by the privilege system. Invalid diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 45eb7dea096d..adba3f34101b 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -833,6 +833,17 @@ The jail may access This flag is only available when the .Xr vmm 4 kernel module is loaded. +.It Va allow.vmm_ppt +The jail may configure PCI passtrough devices for use by +.Xr vmm 4 +virtual machine guests. +This allows privileged users inside the jail to manipulate physical devices +claimed by the +.Dv ppt +driver, and thus must not be configured in untrusted jails. +This flag is only available when the +.Xr vmm 4 +kernel module is loaded. .It Va linux Determine how a jail's Linux emulation environment appears. A value of
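Review bot: In the two sys/amd64/vmm/vmm_dev_machdep.c hunks, a short comment above the ioctl table noting that VMMDEV_IOCTL_PPT implies both the allow.vmm_ppt jail test and the PRIV_VMM_PPTDEV check would help whoever adds the next ppt ioctl remember to set it, since the flag name no longer says that a privilege check is involved. All seven passthrough entries (VM_BIND_PPTDEV, VM_UNBIND_PPTDEV, VM_MAP_PPTDEV_MMIO, VM_UNMAP_PPTDEV_MMIO, VM_PPTDEV_MSI, VM_PPTDEV_MSIX, VM_PPTDEV_DISABLE_MSIX) are converted and none keeps the old VMMDEV_IOCTL_PRIV_CHECK_DRIVER name, which is required because that macro is removed from sys/dev/vmm/vmm_dev.h in the same change.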
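Review bot: The new gate in the vmmdev_ioctl() hunk of sys/dev/vmm/vmm_dev.c fails closed when pr_allow_vmm_ppt_flag is still zero, because `(pr_allow & 0) == 0` is always true and a jailed caller gets EPERM; that is the right default given the flag is only assigned in vmmdev_init() after make_dev_p() succeeds. The allow.vmm_ppt test is done inline here rather than in prison_priv_check(), so any future call to priv_check(td, PRIV_VMM_PPTDEV) elsewhere in vmm would bypass the knob unless it repeats the same pr_allow test. Consider wrapping the two steps in one helper, e.g. a `vmm_ppt_priv_check(struct thread *td)` that performs the jailed/pr_allow_vmm_ppt_flag test and then calls priv_check(td, PRIV_VMM_PPTDEV), so the policy cannot drift between callers.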
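Review bot: The vmmdev_init() hunk in sys/dev/vmm/vmm_dev.c also changes the description of the existing "vmm" allow flag from "Allow use of vmm in a jail." to "Allow use of vmm in a jail" (trailing period dropped) while registering "vmm_ppt". That is a harmless consistency fix but is unrelated to the commit's stated purpose and is not mentioned in the commit message; either call it out there or keep the old string so the diff only touches what the change is about.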
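Review bot: The PRIV_VMM_PPTDEV case added to prison_priv_check() in sys/kern/kern_jail.c returns 0 for any jailed root, so from the jail subsystem's point of view the privilege is always granted and the real gate is the pr_allow bit tested in vmmdev_ioctl(). That shape is forced by the flag being registered dynamically by the module and thus invisible to kern_jail.c, but the comment should say so explicitly so nobody later assumes priv_check() alone enforces allow.vmm_ppt, e.g. "Callers must also test the allow.vmm_ppt flag themselves; this case only keeps PRIV_VMM_PPTDEV from being denied by the default branch below."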
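Review bot: In the sys/sys/priv.h hunk, PRIV_VMM_PPTDEV is numbered 710 while the previous highest value was PRIV_VERIEXEC_CONTROL at 702, leaving 703 to 709 unused; that spacing matches how other privilege groups in this header are laid out, but _PRIV_HIGHEST moving from 703 to 711 means anything sized or validated against _PRIV_HIGHEST (the check referred to in the comment just below the hunk) now covers the unused numbers too, so the gap should be intentional rather than accidental. Style nit: the new entry's comment ends with a period ("Can manipulate ppt devices.") while the neighbouring PRIV_VERIEXEC_* comments do not.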
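Review bot: Typo in the new allow.vmm_ppt entry of usr.sbin/jail/jail.8: "PCI passtrough devices" should read "PCI passthrough devices". Since vmm_priv_check() in sys/dev/vmm/vmm_dev.c still returns EPERM for a jailed credential without allow.vmm, it would also help to state that allow.vmm_ppt has effect only together with allow.vmm and does not by itself give a jail access to vmm(4). The sentence that the flag must not be configured in untrusted jails is the right emphasis and matches the commit message's point that jailing bhyve provides little isolation once physical devices are exposed to it.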