On Mon, Aug 26, 2019 at 11:01:26AM +0100, Ricardo Mestre wrote: > Hi, > > Currently vmd(8) has 3 processes that run under chroot(2)/chdir(2), namely > control, vmm and priv. From these both control and vmm already run under > different pledge(2)s but without any filesystem access, priv in the other hand > cannot use pledge due to forbidden ioctls. > > That being said the priv proc can instead just run with an unveil("/", "") to > disable fs access, and while here remove the need of chroot/chdir dance since > it's not needed any longer. > > I've been running this for more than a week now without issues. Any > comments/objections? OK? > > /mestre
Tested here, no problems with my local VMs. Confirm that the priv process is now unveiled. root 12241 0.0 0.0 1224 1780 ?? SU 9:11AM 0:00.01 vmd: priv (vmd) Just to clarify, this diff is removing chroot(2) from 3 processes: * priv - (cannot be pledged) * control - pledged "stdio,unix,sendfd,recvfd" * vmm - pledged "stdio,proc,sendfd,recvfd,vmm" I think this should be OK. -Bryan. > Index: priv.c > =================================================================== > RCS file: /cvs/src/usr.sbin/vmd/priv.c,v > retrieving revision 1.15 > diff -u -p -u -r1.15 priv.c > --- priv.c 28 Jun 2019 13:32:51 -0000 1.15 > +++ priv.c 19 Aug 2019 09:38:51 -0000 > @@ -66,8 +66,14 @@ priv_run(struct privsep *ps, struct priv > > /* > * no pledge(2) in the "priv" process: > - * write ioctls are not permitted by pledge. > + * write ioctls are not permitted by pledge, but we can restrict fs > + * access with unveil > */ > + /* no filesystem visibility */ > + if (unveil("/", "") == -1) > + fatal("unveil"); > + if (unveil(NULL, NULL) == -1) > + fatal("unveil"); > > /* Open our own socket for generic interface ioctls */ > if ((env->vmd_fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) > Index: proc.c > =================================================================== > RCS file: /cvs/src/usr.sbin/vmd/proc.c,v > retrieving revision 1.18 > diff -u -p -u -r1.18 proc.c > --- proc.c 10 Sep 2018 10:36:01 -0000 1.18 > +++ proc.c 19 Aug 2019 09:38:51 -0000 > @@ -524,7 +524,6 @@ proc_run(struct privsep *ps, struct priv > void (*run)(struct privsep *, struct privsep_proc *, void *), void *arg) > { > struct passwd *pw; > - const char *root; > struct control_sock *rcs; > > log_procinit(p->p_title); > @@ -545,17 +544,6 @@ proc_run(struct privsep *ps, struct priv > pw = p->p_pw; > else > pw = ps->ps_pw; > - > - /* Change root directory */ > - if (p->p_chroot != NULL) > - root = p->p_chroot; > - else > - root = pw->pw_dir; > - > - if (chroot(root) == -1) > - fatal("%s: chroot", __func__); > - if (chdir("/") == -1) > - fatal("%s: chdir(\"/\")", __func__); > > privsep_process = p->p_id; > > Index: proc.h > =================================================================== > RCS file: /cvs/src/usr.sbin/vmd/proc.h,v > retrieving revision 1.16 > diff -u -p -u -r1.16 proc.h > --- proc.h 10 Sep 2018 10:36:01 -0000 1.16 > +++ proc.h 19 Aug 2019 09:38:51 -0000 > @@ -136,7 +136,6 @@ struct privsep_proc { > void (*p_init)(struct privsep *, > struct privsep_proc *); > void (*p_shutdown)(void); > - const char *p_chroot; > struct passwd *p_pw; > struct privsep *p_ps; > }; > Index: vmd.c > =================================================================== > RCS file: /cvs/src/usr.sbin/vmd/vmd.c,v > retrieving revision 1.115 > diff -u -p -u -r1.115 vmd.c > --- vmd.c 14 Aug 2019 07:34:49 -0000 1.115 > +++ vmd.c 19 Aug 2019 09:38:51 -0000 > @@ -789,9 +789,8 @@ main(int argc, char **argv) > if ((ps->ps_pw = getpwnam(VMD_USER)) == NULL) > fatal("unknown user %s", VMD_USER); > > - /* First proc runs as root without pledge but in default chroot */ > + /* First proc runs as root without pledge but with unveil */ > proc_priv->p_pw = &proc_privpw; /* initialized to all 0 */ > - proc_priv->p_chroot = ps->ps_pw->pw_dir; /* from VMD_USER */ > > /* Open /dev/vmm */ > if (env->vmd_noaction == 0) { > Index: vmm.c > =================================================================== > RCS file: /cvs/src/usr.sbin/vmd/vmm.c,v > retrieving revision 1.93 > diff -u -p -u -r1.93 vmm.c > --- vmm.c 28 Jun 2019 13:32:51 -0000 1.93 > +++ vmm.c 19 Aug 2019 09:38:51 -0000 > @@ -655,7 +655,7 @@ vmm_start_vm(struct imsg *imsg, uint32_t > if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, fds) == -1) > fatal("socketpair"); > > - /* Start child vmd for this VM (fork, chroot, drop privs) */ > + /* Start child vmd for this VM (fork, drop privs) */ > ret = fork(); > > /* Start child failed? - cleanup and leave */ > >