Regarding the vmm chunk -- as I said in my other reply, these
explanations are too precise. They risk becoming outdated as things
change. Furthermore, some of those ioctl may work in one way, but not
another way. Which would be too complicated to describe also. I urge
simple messaging:
.It Va vmm
Operations required by
.Xr vmd 8 .
It is accurate. If someone later wanted to use those operations, they
would figure it out by reading kernel and vmd source.
Josh Rickmar <joshrick...@outlook.com> wrote:
> Here's my take at documenting the missing pledge promises in pledge.2
> and placing them in a reasonable order with the others. Each of these
> just enabled various ioctl or sysctl interfaces.
>
> I'm unhappy with the explanation for drm, but don't know how to
> explain the purpose of these ioctls, and could not find any man page
> to .Xr which documents these ioctl commands.
>
> diff db8264de5e686d467fdfaede154dd2a2b3b1dc3d /usr/src
> blob - 5794003962d7bc22bb4bb10471ed6f3381383cdf
> file + lib/libc/sys/pledge.2
> --- lib/libc/sys/pledge.2
> +++ lib/libc/sys/pledge.2
> @@ -498,6 +498,24 @@ programs like
> .Xr top 1
> and
> .Xr vmstat 8 .
> +.It Va vmm
> +Allows a subset of
> +.Xr ioctl 2
> +operations on the
> +.Xr vmm 4
> +device:
> +.Pp
> +.Dv VMM_IOC_CREATE ,
> +.Dv VMM_IOC_RUN ,
> +.Dv VMM_IOC_INFO ,
> +.Dv VMM_IOC_TERM ,
> +.Dv VMM_IOC_RESETCPU ,
> +.Dv VMM_IOC_INTR ,
> +.Dv VMM_IOC_READREGS ,
> +.Dv VMM_IOC_WRITEREGS ,
> +.Dv VMM_IOC_READVMPARAMS ,
> +.Dv VMM_IOC_WRITEVMPARAMS ,
> +.Dv VMM_IOC_MPROTECT_EPT
> .It Va id
> Allows the following system calls which can change the rights of a
> process:
> @@ -579,12 +597,27 @@ devices:
> .Dv VIDIOC_STREAMON ,
> .Dv VIDIOC_TRY_FMT ,
> .Dv VIDIOC_REQBUFS
> +.It Va drm
> +Allows a subset of
> +.Xr ioctl 2
> +operations on
> +.Xr drm 4
> +devices.
> .It Va bpf
> Allow
> .Dv BIOCGSTATS
> operation for statistics collection from a
> .Xr bpf 4
> device.
> +.It Va disklabel
> +Allow enough
> +.Xr sysctl 2
> +interfaces to allow inspection of
> +.Xr disklabel 5
> +partitions by programs like
> +.Xr disklabel 8
> +and
> +.Xr fdisk 8 .
> .It Va unveil
> Allow
> .Xr unveil 2
> blob - a8e23adf2a48afcb82c4118a45b76ad3060c1069
> file + sys/sys/pledge.h
> --- sys/sys/pledge.h
> +++ sys/sys/pledge.h
> @@ -100,18 +100,18 @@ static const struct {
> { PLEDGE_SETTIME, "settime" },
> { PLEDGE_PS, "ps" },
> { PLEDGE_VMINFO, "vminfo" },
> + { PLEDGE_VMM, "vmm" },
> { PLEDGE_ID, "id" },
> { PLEDGE_PF, "pf" },
> { PLEDGE_ROUTE, "route" },
> { PLEDGE_WROUTE, "wroute" },
> { PLEDGE_AUDIO, "audio" },
> { PLEDGE_VIDEO, "video" },
> + { PLEDGE_DRM, "drm" },
> { PLEDGE_BPF, "bpf" },
> + { PLEDGE_DISKLABEL, "disklabel" },
> { PLEDGE_UNVEIL, "unveil" },
> { PLEDGE_ERROR, "error" },
> - { PLEDGE_DISKLABEL, "disklabel" },
> - { PLEDGE_DRM, "drm" },
> - { PLEDGE_VMM, "vmm" },
> { 0, NULL },
> };
> #endif
>
