ccp(4): Pledge for ioctl
Hi,
with this diff, software using the "vmm" pledge will be able to use
the ioctls needed for SEV VM operations. This is needed to allow vmd(8)
to access ccp(4).
Take care,
Hans-Joerg
------------------------------------------------------------------
commit 4f305db4be73ca298e6bd9df4b9024de52f32712
Author: Hans-Joerg Hoexer <hshoexer@genua.de>
Date: Wed Jul 24 13:54:17 2024 +0200
ccp(4): pledge for ioctl(2)
Limit ccp(4) ioctls to processes that pledge vmm.
diff --git a/sys/arch/amd64/include/conf.h b/sys/arch/amd64/include/conf.h
index 5a2b10fe45b..7e87c2f539d 100644
--- a/sys/arch/amd64/include/conf.h
+++ b/sys/arch/amd64/include/conf.h
@@ -54,3 +54,6 @@ cdev_decl(pctr);
#include "vmm.h"
cdev_decl(vmm);
+
+#include "ccp.h"
+cdev_decl(psp);
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c
index 6ee11243037..e33d65ae1de 100644
--- a/sys/kern/kern_pledge.c
+++ b/sys/kern/kern_pledge.c
@@ -76,6 +76,7 @@
#if NVMM > 0
#include <machine/conf.h>
#endif
+#include "ccp.h"
#endif
#include "drm.h"
@@ -1349,6 +1350,18 @@ pledge_ioctl(struct proc *p, long com, struct file *fp)
}
#endif
+#if NCCP > 0
+#if NVMM > 0
+ if ((pledge & PLEDGE_VMM)) {
+ if ((fp->f_type == DTYPE_VNODE) &&
+ (vp->v_type == VCHR) &&
+ (cdevsw[major(vp->v_rdev)].d_open == pspopen)) {
+ return (0);
+ }
+ }
+#endif
+#endif
+
return pledge_fail(p, error, PLEDGE_TTY);
}
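Review bot: The new PLEDGE_VMM branch returns 0 for every ioctl issued on the psp character device and never consults `com`, so a process pledged "vmm" can reach any command the driver implements, including commands added to it later. Since the stated goal is only the SEV operations vmd(8) needs, the branch should pass the command through an explicit allowlist, e.g. `error = pledge_ioctl_psp(p, com); if (error == 0) return (0);` with a new helper (name is a suggestion) in the driver that returns 0 only for the required commands; the vmm case is expected to do the same via pledge_ioctl_vmm(), but that block lies outside this hunk, so confirm. The commit message's "Limit ccp(4) ioctls to processes that pledge vmm" also overstates what the code does: only pledged processes are affected, and unpledged callers remain governed by the device node's permissions, which deserves a one-line comment above the branch. The nested guards could be written as `#if NCCP > 0 && NVMM > 0`; pledge_ioctl()'s body begins outside the hunk.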