Date: Fri, 17 Aug 2007 06:10:39 +0100
From: "mal content" <artifact.one@googlemail.com>
To: freebsd-security@freebsd.org
Subject: Jailed X applications
Message-ID: <8e96a0b90708162210y2cb9c6b2gb858f277674f84d1@mail.gmail.com>

Hello.
Has anyone here ever successfully set up a jail for X apps, connecting
to an external X server? I'm trying an experimental sandbox setup here.
I have a jail running on an aliased IP on my local machine and X
programs connect out of the jail to my local X server via an SSH
tunneled TCP connection. All other packets to and from the jail are
denied by the packet filter. The trouble I am having is that many
applications (all X apps so far and a few of the SSH tools) try to open
and read from /dev/tty, which clearly isn't going to happen:
96950 xterm RET sigprocmask 0
96950 xterm CALL open(0x807bdfc,0x2,0xbfbfe458)
96950 xterm NAMI "/dev/tty"
96950 xterm RET open -1 errno 16 Device busy
96950 xterm CALL setitimer(0,0xbfbfe380,0xbfbfe370)
96950 xterm RET setitimer 0
96950 xterm CALL sigaction(0xe,0xbfbfe360,0xbfbfe340)
96950 xterm RET sigaction 0
96950 xterm CALL write(0x2,0xbfbfdd70,0x1b)
96950 xterm GIO fd 2 wrote 27 bytes
"xterm: Error 14, errno 16: "
96950 xterm RET write 27/0x1b
96950 xterm CALL write(0x2,0xbfbfdd80,0xc)
96950 xterm GIO fd 2 wrote 12 bytes
"Device busy
"
96950 xterm RET write 12/0xc
96950 xterm CALL write(0x2,0xbfbfdd80,0x29)
96950 xterm GIO fd 2 wrote 41 bytes
"Reason: spawn: open() failed on /dev/tty
"
96950 xterm RET write 41/0x29
96950 xterm CALL close(0)
96950 xterm RET close 0
96950 xterm CALL chown(0x808f000,0,0)
I am seeing successful connections from the jail to my X server;
a white window is drawn where the X client will be spawned, but this
flashes out of existence as soon as the above error is encountered.
<wishful thinking>
I'd love a TrustedBSD based sandboxing tool.
</wishful thinking>
Any ideas would be appreciated.
MC
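
An added example, not part of the original message: a Python script that reads kdump output in the format of the trace above and pairs each NAMI path record with a failing RET record, listing which path lookups fail inside the jail. The function name is chosen for this example, and the sample is an excerpt of the trace quoted in the message.

```python
import re

# Excerpt of the kdump output quoted in the message above.
SAMPLE = """\
96950 xterm RET sigprocmask 0
96950 xterm CALL open(0x807bdfc,0x2,0xbfbfe458)
96950 xterm NAMI "/dev/tty"
96950 xterm RET open -1 errno 16 Device busy
96950 xterm CALL setitimer(0,0xbfbfe380,0xbfbfe370)
96950 xterm RET setitimer 0
"""

# "pid command TYPE rest"; only the record types needed here are matched.
LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+(CALL|NAMI|RET)\s+(.*)$')
# A failing return looks like: "open -1 errno 16 Device busy".
FAIL = re.compile(r'^(\w+)\s+-1\s+errno\s+(\d+)\s*(.*)$')


def failed_path_syscalls(trace):
    """Return (pid, command, syscall, path, errno, message) for every failed
    syscall that looked up a path, pairing NAMI records with the RET."""
    pending = {}   # pid -> (syscall name, [paths seen since the CALL])
    failures = []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # GIO records, their payload lines, other record types
        pid, cmd, kind, rest = m.groups()
        pid = int(pid)
        if kind == "CALL":
            pending[pid] = (rest.split("(", 1)[0], [])
        elif kind == "NAMI" and pid in pending:
            pending[pid][1].append(rest.strip().strip('"'))
        elif kind == "RET":
            name, paths = pending.pop(pid, (None, []))
            f = FAIL.match(rest)
            if f and f.group(1) == name:
                for path in paths:
                    failures.append(
                        (pid, cmd, name, path, int(f.group(2)), f.group(3)))
    return failures


if __name__ == "__main__":
    for pid, cmd, name, path, err, msg in failed_path_syscalls(SAMPLE):
        print(f"{cmd}[{pid}] {name}({path}) failed: errno {err} ({msg})")
```
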
