I’m pleased to announce that bhyve, FreeBSD’s hypervisor, is now sandboxed using the Capsicum framework.
bhyve is one of the hypervisors available in FreeBSD, and the only one shipped in the base system. It’s also used by downstream projects like xhyve and Docker for Mac.
The userland part of bhyve is sandboxed as of r313727. Capsicum restricts the syscalls the process may use and confines it to the file descriptors it already holds (disk images, network taps, the console / VNC socket, etc.), which bhyve opens before entering capability mode. If a guest exploits a vulnerability in that process, the sandbox blocks attempts to execute a new program (such as a shell), to open new files or devices by path, or to otherwise reach the host’s global namespaces: the attacker is limited to the descriptors the process held, and to the rights those descriptors were limited to. This gives us an additional layer of protection.
If you’d like to test it, you need to obtain the source code for FreeBSD head (CURRENT) and recompile lib/libvmmapi and usr.sbin/bhyve (or the whole world). There are a few small changes still to be committed to make the code more readable, but they won’t change the base functionality. After this, I hope to see it merged to 11-STABLE before 11.1-RELEASE.
I’d like to thank Peter Grehan, Ed Maste, Bartek Rutkowski and Mariusz Zaborski for their help and involvement during the review process.
This work was sponsored by Mysterious Code Ltd.