The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=af099eaa5ec3604639807b7c5d3ed5be336e5643
commit af099eaa5ec3604639807b7c5d3ed5be336e5643
Author: Mark Johnston <[email protected]>
AuthorDate: 2026-02-19 14:38:46 +0000
Commit: Mark Johnston <[email protected]>
CommitDate: 2026-02-19 17:16:15 +0000

vmm: Enable unprivileged bhyve

- Add the vmm group.
- Let /dev/vmmctl belong to the vmm group by default, and give group write permissions.
- When creating a VM's device files, make them owned by the creating process' effective UID.

Reviewed by: bnovkov
MFC after: 2 months
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54741
---
 etc/group | 1 +
 sys/dev/vmm/vmm_dev.c | 10 +++++-----
 sys/sys/conf.h | 1 +
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/etc/group b/etc/group
index 35df51838ae4..af42fa1bcc11 100644
--- a/etc/group
+++ b/etc/group
@@ -34,5 +34,6 @@ ntpd:*:123:
 _ypldap:*:160:
 hast:*:845:
 tests:*:977:
+vmm:*:978:
 nogroup:*:65533:
 nobody:*:65534:
diff --git a/sys/dev/vmm/vmm_dev.c b/sys/dev/vmm/vmm_dev.c
index 5d7802f929ae..0e5477745db5 100644
--- a/sys/dev/vmm/vmm_dev.c
+++ b/sys/dev/vmm/vmm_dev.c
@@ -1033,8 +1033,8 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
 make_dev_args_init(&mda);
 mda.mda_devsw = &vmmdevsw;
 mda.mda_cr = sc->ucred;
- mda.mda_uid = UID_ROOT;
- mda.mda_gid = GID_WHEEL;
+ mda.mda_uid = cred->cr_uid;
+ mda.mda_gid = GID_VMM;
 mda.mda_mode = 0600;
 mda.mda_si_drv1 = sc;
 mda.mda_flags = MAKEDEV_CHECKNAME | MAKEDEV_WAITOK;
@@ -1201,7 +1201,7 @@ vmmdev_init(void)
 sx_xlock(&vmmdev_mtx);
 error = make_dev_p(MAKEDEV_CHECKNAME, &vmmctl_cdev, &vmmctlsw, NULL,
- UID_ROOT, GID_WHEEL, 0600, "vmmctl");
+ UID_ROOT, GID_VMM, 0660, "vmmctl");
 if (error == 0) {
 pr_allow_vmm_flag = prison_add_allow(NULL, "vmm", NULL,
 "Allow use of vmm in a jail");
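Review bot: The owner of the VM device node is taken from the caller's `cred` here, while the devmem hunk in the same file (`devmem_create_cdev`) takes it from `sc->ucred`, even though both hunks already pass `sc->ucred` as `mda.mda_cr`. If `sc->ucred` is a held reference to `cred` the two are equivalent, but that is not visible in this hunk; spelling both as `mda.mda_uid = sc->ucred->cr_uid;` would tie the node owner to the credential the device is actually created with and remove the need to check. Since `/dev/vmmctl` becomes group-writable in this commit, `cred` here may now belong to an unprivileged member of group vmm, so a brief comment stating that intent would help, e.g. `/* The node is owned by the creating user; 0600 gives group vmm no access by itself. */`. The body of vmmdev_create continues outside the hunk.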
@@ -1357,8 +1357,8 @@ devmem_create_cdev(struct vmmdev_softc *sc, int segid, char *devname)
 make_dev_args_init(&mda);
 mda.mda_devsw = &devmemsw;
 mda.mda_cr = sc->ucred;
- mda.mda_uid = UID_ROOT;
- mda.mda_gid = GID_WHEEL;
+ mda.mda_uid = sc->ucred->cr_uid;
+ mda.mda_gid = GID_VMM;
 mda.mda_mode = 0600;
 mda.mda_si_drv1 = dsc;
 mda.mda_flags = MAKEDEV_CHECKNAME | MAKEDEV_WAITOK;
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index a830c9d4c622..e5a6be9b891c 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh);
 #define GID_ID_PRIO 48
 #define GID_DIALER 68
 #define GID_U2F 116
+#define GID_VMM 978
 #define GID_NOGROUP 65533
 #define GID_NOBODY 65534
