freebsd-ports/sysutils/grub2-bhyve/Makefile
Conrad Meyer 419a5e5ce8 sysutils/grub2-bhyve: Neutralize privileged guest commands
GRUB was designed to run in a trusted environment, where anyone with access
to grub2.cfg could also modify grub itself.  In grub2-bhyve, we have
modified it to run in host context, but interpret the commands of guest
grub2.cfg.  This means we have to worry about malicious guests.

This patch addresses two escalation vectors: font-loading, and the direct
'read', 'write', 'in', and 'out' commands (which read/write arbitrary
addresses).  Both reported by Reno Robert.

Disable font-loading by neutering the command.  It is believed to be non-
essential and there is at least one buffer overflow in the font loading
code.

Disable reading and writing host memory and IO ports.  It is believed to be
non-essential.

admbugs:	948
Reported by:	Reno Robert <renorobert AT gmail.com>
Approved by:	bapt
MFH:		2010Q1 (bapt)
Security:	yes
2020-02-12 15:32:31 +00:00


# Created by: kmoore@FreeBSD.org
# $FreeBSD$
# Port identity and upstream version. PORTREVISION is the port-level revision
# counter layered on top of the upstream DISTVERSION.
PORTNAME= grub2-bhyve
DISTVERSIONPREFIX= v
DISTVERSION= 0.40
PORTREVISION= 8
CATEGORIES= sysutils
MAINTAINER= ports@FreeBSD.org
COMMENT= Grub-emu loader for bhyve
LICENSE= GPLv3
# Build-time-only tools: flex (looked up by path under LOCALBASE) and help2man.
BUILD_DEPENDS= ${LOCALBASE}/bin/flex:textproc/flex \
help2man:misc/help2man
# The port is restricted to amd64.
ONLY_FOR_ARCHS= amd64
# NOTE(review): SSP_UNSAFE asks the ports framework not to add its
# stack-protector flags for this port. The commit log shown with this file says
# grub-bhyve interprets guest-supplied grub2.cfg commands in host context and
# mentions at least one buffer overflow in the font-loading code, so this knob
# removes a memory-corruption mitigation from a binary that parses untrusted
# input. Confirm whether the build still needs it before keeping it.
SSP_UNSAFE= yes
# Sources come from the GitHub account named below; the project name and tag
# presumably default from PORTNAME and DISTVERSIONPREFIX+DISTVERSION -- confirm.
# Integrity of the fetched distfile rests on the port's distinfo checksums,
# which are not part of this file.
USE_GITHUB= yes
GH_ACCOUNT= grehan-freebsd
# Toolchain: bison and GNU make via USES, and a GCC from ports via USE_GCC.
USES= bison gmake
USE_GCC= yes
# The package installs exactly one file, relative to PREFIX.
PLIST_FILES= sbin/grub-bhyve
# Parallel builds are disabled for this port.
MAKE_JOBS_UNSAFE= yes
# Arguments handed to upstream ./configure by the do-configure target.
# --with-platform=emu selects the emulator platform; the --enable-*=no and
# --disable-nls switches turn off optional components at configure time, and
# --disable-werror keeps compiler warnings from failing the build.
# CC=${CC} is unquoted, so a CC value containing spaces would be split into
# several configure arguments.
# NOTE(review): these are build-time switches only. The runtime restrictions
# described in the commit log (font loading and the read/write/in/out commands)
# are not visible in this Makefile and presumably live in the port's patch
# files -- verify there, not here.
CONFIGURE_ARGS= --with-platform=emu CC=${CC} LEX=${LOCALBASE}/bin/flex \
--enable-grub-mount=no --enable-grub-mkfont=no \
--enable-grub-emu-sdl=no --disable-nls --disable-werror
# Detach the upstream build from libintl once patches are applied:
#  - rename every "libintl.h" reference in configure to a header name that does
#    not exist (presumably so the header probe fails -- confirm), and
#  - delete "-lintl" from the grub-core link line template.
# Both edits are made in place with the framework's REINPLACE_CMD.
post-patch:
	@${REINPLACE_CMD} -e "s/libintl\.h/I_do_not_want_libintl.h/g" \
		${WRKSRC}/configure
	@${REINPLACE_CMD} -e "s/-lintl//g" \
		${WRKSRC}/grub-core/Makefile.in
# Run upstream's configure script from the extracted source tree, passing only
# CONFIGURE_ARGS on the command line.
# NOTE(review): a port-defined do-configure replaces the framework's default
# configure step, so any environment that step would normally export
# (compiler and hardening flags included) is presumably not applied here --
# verify which flags actually reach the compiler.
do-configure:
	@cd ${WRKSRC}/ && \
		./configure ${CONFIGURE_ARGS}
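# Install the built grub-emu binary into the staging area as sbin/grub-bhyve.
# The destination is expressed with PREFIX rather than LOCALBASE: PLIST_FILES
# entries are resolved relative to PREFIX, so staging under LOCALBASE would
# put the file outside the packing list whenever the two differ. With the
# default settings PREFIX and LOCALBASE are the same directory, so the
# installed path is unchanged.
# Per the commit log shown with this file, this binary interprets
# guest-supplied grub configuration in host context, so what is staged here
# should be the patched build and nothing else.
do-install:
	${INSTALL_PROGRAM} ${WRKSRC}/grub-core/grub-emu \
		${STAGEDIR}${PREFIX}/sbin/grub-bhyve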
.include <bsd.port.mk>
# Evaluated after bsd.port.mk has been included: re-assign RUN_DEPENDS with
# every word matching "gcc*" filtered out (the :N modifier drops matching
# words). Presumably this strips the run-time GCC dependency that USE_GCC
# adds -- confirm.
# NOTE(review): with that dependency removed, the installed binary must not
# need any shared runtime library shipped by the GCC package; verify the
# linkage of sbin/grub-bhyve, otherwise it can fail to start on hosts without
# GCC installed.
RUN_DEPENDS:= ${RUN_DEPENDS:Ngcc*}