usr/src/lib/brand/bhyve/zone/config.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

<?xml version="1.0"?>

<!--
 This file and its contents are supplied under the terms of the
 Common Development and Distribution License ("CDDL"), version 1.0.
 You may only use this file in accordance with the terms of version
 1.0 of the CDDL.

 A full copy of the text of the CDDL should have accompanied this
 source.  A copy of the CDDL is also available via the Internet at
 http://www.illumos.org/license/CDDL.

 Copyright (c) 2018, Joyent, Inc.

 DO NOT EDIT THIS FILE.
-->

<!DOCTYPE brand PUBLIC "-//Joyent Inc//DTD Brands//EN"
    "file:///usr/share/lib/xml/dtd/brand.dtd.1">

<brand name="bhyve">
	<modname></modname>

	<initname>/usr/lib/brand/bhyve/zhyve</initname>
	<login_cmd />
	<forcedlogin_cmd />
	<user_cmd />

	<!-- XXX-mg
	  Until we have better separation of concerns, bhyve brand will use the
	  kvm installer, which is intertwined with vmadm.
	-->
	<install>/usr/lib/brand/kvm/kinstall -z %z -R %R</install>
	<installopts>R:t:U:q:z:</installopts>
	<boot>/usr/lib/brand/bhyve/boot %z %R</boot>
	<halt />
	<verify_cfg />
	<verify_adm />
	<postclone />
	<postinstall />
	<attach>/usr/lib/brand/bhyve/attach -z %z -R %R</attach>
	<detach>/usr/lib/brand/bhyve/detach -z %z -R %R</detach>
	<clone />
	<uninstall>/usr/lib/brand/bhyve/uninstall -z %z -R %R</uninstall>
	<prestatechange>/usr/lib/brand/bhyve/statechange pre %z %R</prestatechange>
	<poststatechange>/usr/lib/brand/bhyve/statechange post %z %R</poststatechange>

	<privilege set="default" name="net_rawaccess" ip-type="exclusive" />
	<privilege set="default" name="proc_clock_highres" />
	<privilege set="default" name="proc_lock_memory" />
	<privilege set="default" name="sys_admin" />
	<privilege set="default" name="sys_mount" />

	<privilege set="prohibited" name="dtrace_kernel" />
	<privilege set="prohibited" name="proc_zone" />
	<privilege set="prohibited" name="sys_config" />
	<privilege set="prohibited" name="sys_devices" />
	<privilege set="prohibited" name="sys_ip_config" ip-type="shared" />
	<privilege set="prohibited" name="sys_linkdir" />
	<privilege set="prohibited" name="sys_net_config" />
	<privilege set="prohibited" name="sys_res_config" />
	<privilege set="prohibited" name="sys_suser_compat" />
	<privilege set="prohibited" name="xvm_control" />
	<privilege set="prohibited" name="virt_manage" />
	<privilege set="prohibited" name="sys_ppp_config" ip-type="shared" />

	<privilege set="required" name="proc_exec" />
	<privilege set="required" name="sys_mount" />
</brand>