aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark Johnston <markj@FreeBSD.org>2026-02-19 14:38:46 +0000
committerMark Johnston <markj@FreeBSD.org>2026-02-19 17:16:15 +0000
commitaf099eaa5ec3604639807b7c5d3ed5be336e5643 (patch)
tree65b534446644567fda58b3acf45190fe8d1ea647
parentd4c05edd410e7925875c844c0642929410f22053 (diff)
vmm: Enable unprivileged bhyve
- Add the vmm group. - Let /dev/vmmctl belong to the vmm group by default, and give group write permissions. - When creating a VM's device files, make them owned by the creating process' effective UID. Reviewed by: bnovkov MFC after: 2 months Sponsored by: The FreeBSD Foundation Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D54741
Diffstat
-rw-r--r--etc/group1
-rw-r--r--sys/dev/vmm/vmm_dev.c10
-rw-r--r--sys/sys/conf.h1
3 files changed, 7 insertions, 5 deletions
diff --git a/etc/group b/etc/group
index 35df51838ae4..af42fa1bcc11 100644
--- a/etc/group
+++ b/etc/group
@@ -34,5 +34,6 @@ ntpd:*:123:
_ypldap:*:160:
hast:*:845:
tests:*:977:
+vmm:*:978:
nogroup:*:65533:
nobody:*:65534:
diff --git a/sys/dev/vmm/vmm_dev.c b/sys/dev/vmm/vmm_dev.c
index 5d7802f929ae..0e5477745db5 100644
--- a/sys/dev/vmm/vmm_dev.c
+++ b/sys/dev/vmm/vmm_dev.c
@@ -1033,8 +1033,8 @@ vmmdev_create(const char *name, uint32_t flags, struct ucred *cred)
make_dev_args_init(&mda);
mda.mda_devsw = &vmmdevsw;
mda.mda_cr = sc->ucred;
- mda.mda_uid = UID_ROOT;
- mda.mda_gid = GID_WHEEL;
+ mda.mda_uid = cred->cr_uid;
+ mda.mda_gid = GID_VMM;
mda.mda_mode = 0600;
mda.mda_si_drv1 = sc;
mda.mda_flags = MAKEDEV_CHECKNAME | MAKEDEV_WAITOK;
@@ -1201,7 +1201,7 @@ vmmdev_init(void)
sx_xlock(&vmmdev_mtx);
error = make_dev_p(MAKEDEV_CHECKNAME, &vmmctl_cdev, &vmmctlsw, NULL,
- UID_ROOT, GID_WHEEL, 0600, "vmmctl");
+ UID_ROOT, GID_VMM, 0660, "vmmctl");
if (error == 0) {
pr_allow_vmm_flag = prison_add_allow(NULL, "vmm", NULL,
"Allow use of vmm in a jail");
@@ -1357,8 +1357,8 @@ devmem_create_cdev(struct vmmdev_softc *sc, int segid, char *devname)
make_dev_args_init(&mda);
mda.mda_devsw = &devmemsw;
mda.mda_cr = sc->ucred;
- mda.mda_uid = UID_ROOT;
- mda.mda_gid = GID_WHEEL;
+ mda.mda_uid = sc->ucred->cr_uid;
+ mda.mda_gid = GID_VMM;
mda.mda_mode = 0600;
mda.mda_si_drv1 = dsc;
mda.mda_flags = MAKEDEV_CHECKNAME | MAKEDEV_WAITOK;
diff --git a/sys/sys/conf.h b/sys/sys/conf.h
index a830c9d4c622..e5a6be9b891c 100644
--- a/sys/sys/conf.h
+++ b/sys/sys/conf.h
@@ -160,6 +160,7 @@ typedef int dumper_hdr_t(struct dumperinfo *di, struct kerneldumpheader *kdh);
#define GID_ID_PRIO 48
#define GID_DIALER 68
#define GID_U2F 116
+#define GID_VMM 978
#define GID_NOGROUP 65533
#define GID_NOBODY 65534
generated by cgit v1.2.3 (git 2.25.1) at 2026-05-20 19:42:29 +0000