From owner-freebsd-jail@FreeBSD.ORG Mon Mar 17 11:07:07 2008
Date: Mon, 17 Mar 2008 11:07:06 GMT
Message-Id: <200803171107.m2HB768x055145@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail   [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail   [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail   [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail   [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/119305   jail   [jail] [patch] jexec(8): jexec -n prisonname: selectio
o kern/120753  jail   [jail] Zombie jails (jailed child process exits while

10 problems total.

From owner-freebsd-jail@FreeBSD.ORG Tue Mar 18 10:02:07 2008
Date: Tue, 18 Mar 2008 11:01:17 +0100
Message-ID: <20080318110117.qhcztlqlk4s48gwo@webmail.leidinger.net>
In-Reply-To: <20080310122829.4egaxtbe3z0gwgw8@webmail.leidinger.net>
From: Alexander Leidinger
To: Alexander Leidinger
Cc: freebsd-jail@freebsd.org
Subject: Re: X.org in a jail, testers wanted

Quoting Alexander Leidinger (from Mon, 10 Mar 2008 12:28:29 +0100):

I've read in some web based discussions some stuff about this. I would like to clarify some things here in the official place.

> You also need to setup /etc/devfs.rules (this is a copy of my one, it
> contains more than is needed to run the X server, so you can trim this
> if you want):
> ---snip---
> [devfsrules_unhide_audio=5]
> add path 'audio*' unhide
> add path 'dsp*' unhide
> add path midistat unhide
> add path 'mixer*' unhide
> add path 'music*' unhide
> add path 'sequencer*' unhide
> add path sndstat unhide
> add path speaker unhide

Those are needed if you want to use audio in the jail. Normally they are not visible in a jail. If they are visible in a jail, you can use them (no usage restrictions). My desktop should be able to play some audio, so I add them for my desktop.

> [devfsrules_unhide_printers=6]
> add path 'lpt*' unhide
> add path 'ulpt*' unhide
> add path 'unlpt*' unhide

I also want access to my printer, the same comments as for the audio stuff.

> [devfsrules_unhide_input=7]
> add path 'atkbd*' unhide
> add path 'kbd*' unhide
> add path 'joy*' unhide
> add path 'psm*' unhide
> add path sysmouse unhide
> add path 'ukbd*' unhide
> add path 'ums*' unhide

And again: the same as above.

> [devfsrules_unhide_xorg=8]
> add path agpgart unhide

Needed by X.

> #add path console unhide
> add path dri unhide
> add path 'dri*' unhide

dri is needed too, but I haven't really tested it.

> add path io unhide

io can be unhidden in a jail, but in the kernel there's an access restriction for it and you can not access it if you are jailed. My patch adds a sysctl which allows the admin to give access to either all jails (if io is made visible in the jail with devfs), or only by one jail.

> add path mem unhide

mem is not visible by default. If you make it visible, a jail can access it. There are no additional access restrictions in the kernel like for io. I don't know why there is one for io but not for mem. It's not symmetric, and I would expect either a check for both or no check at all. My patch is not supposed to make it symmetric, nor do I want to remove the priv check for io.

Yes, if you give access to this your system will be "insecure", so don't expect any big benefits. The reason I do this is:
- it raises the bar (an attacker not only has to get root access in my desktop to make everything he wants, he also has to know how to use mem/io to get access to the entire machine, so the security is somewhere between a desktop on the bare metal, and a real jail without access to mem/io)
- virtualisation of my desktop (I can move it to a different machine if I want)
- because I can do it

> #add path pci unhide
> add path tty unhide
> add path ttyv0 unhide
> add path ttyv1 unhide
> add path ttyv8 unhide

My X server is running on ttyv8 (explicitly configured in the X config). During my testing I also had to give access to other ttys, but I don't remember if it was before or after the hardcoding of the tty in the config.

> [devfsrules_unhide_cam=9]
> add path 'da*' unhide
> add path 'cd*' unhide

I play around with access to the CD and some USB mass storage from my desktop.

> [devfsrules_unhide_kmem=10]
> add path kmem unhide

Needed by the X server.

> #
> # This allows to run a desktop system in a jail. Think about what you want to
> # achieve before you use this, it opens up the entire machine to access from
> # this jail to any sophisticated program.

To all those who think this patch will open up access to the system (to someone who has root access in the jail and knows how to get out of /dev/mem, /dev/kmem and /dev/io what he wants): you are right, as explicitly told here and in the man page, so don't complain please (if you use this, you should know what you are doing).

Bye,
Alexander.

-- 
FORTUNE'S FUN FACTS TO KNOW AND TELL: #8
	Idaho state law makes it illegal for a man to give his sweetheart a box of candy weighing less than fifty pounds.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
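As an added audit helper, not code from Alexander's post or from the FreeBSD project: this POSIX shell function scans a devfs.rules(5) file and reports every ruleset that unhides one of the nodes the post singles out as giving a jail raw access to the whole machine (mem, kmem, io), so an admin can see at a glance which rulesets must never be assigned to an untrusted jail. The sample file is constructed from the rulesets quoted above; the function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: audit a devfs.rules(5) file for
# rulesets that unhide raw-machine-access nodes (mem, kmem, io) in a jail.
# SAMPLE_RULES is constructed from the rulesets quoted in the post.

SAMPLE_RULES=$(mktemp /tmp/devfsrules.XXXXXX)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
add path ttyv8 unhide
[devfsrules_unhide_kmem=10]
add path kmem unhide
EOF

# Print one "ruleset:device" line per sensitive node that a ruleset unhides.
# Comment lines are skipped, quotes around globs are stripped, and only the
# exact node names mem/kmem/io are flagged (tty, dri, audio are left alone).
devfs_sensitive_unhides() {
    awk -v q="'" '
        /^[[:space:]]*#/ { next }
        /^\[/ {
            ruleset = $0
            sub(/^\[/, "", ruleset); sub(/=.*$/, "", ruleset)
            next
        }
        $1 == "add" && $2 == "path" && $NF == "unhide" {
            dev = $3; gsub(q, "", dev)
            if (dev == "mem" || dev == "kmem" || dev == "io")
                print ruleset ":" dev
        }
    ' "$1"
}

# Exit status 0 when the file exposes none of the sensitive nodes, 1 otherwise;
# usable as a pre-flight check before a jail is started with that ruleset file.
devfs_rules_safe() {
    [ -z "$(devfs_sensitive_unhides "$1")" ]
}

devfs_sensitive_unhides "$SAMPLE_RULES"
```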