Sandboxing the hypervisor

February 15, 2017 by Paweł Biernacki

I’m pleased to announce that bhyve, FreeBSD’s hypervisor, is now sandboxed using the Capsicum framework.

bhyve is one of the hypervisors available in FreeBSD, and the only one available in the base system. It’s also used by downstream projects like xhyve and Docker on Mac.

The userland part of bhyve is sandboxed as of r313727. Capsicum limits the syscalls available to the process and the devices (file descriptors) it uses, such as disks, network cards, the console and VNC. If a vulnerability in the process were exploited in an attempt to escape to the host system, the sandbox blocks all attempts at forking or executing new processes (such as a shell), gaining new privileges, opening new files, and so on. This gives us an additional layer of protection.

If you’d like to test it, you need to obtain the source code for FreeBSD head (CURRENT) and recompile lib/libvmmapi and usr.sbin/bhyve (or the whole world). There are a few small changes still to be committed to make the code more readable, but they won’t change the base functionality. After this, I hope to see it merged into 11-STABLE before 11.1-RELEASE.

I’d like to thank Peter Grehan, Ed Maste, Bartek Rutkowski and Mariusz Zaborski for their help and involvement during the review process.

This work was sponsored by Mysterious Code Ltd.

Posted in: FreeBSD Security