Date:      Sun, 9 Mar 2014 01:26:40 +0000
From:      Tom Evans <tevans.uk@googlemail.com>
To:        "freebsd-x11@freebsd.org" <freebsd-x11@freebsd.org>,  "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Cc:        Alexander Leidinger <Alexander@leidinger.net>, jamie@freebsd.org
Subject:   [PATCH] Xorg in a jail
Message-ID:  <CAFHbX1JUzM%2BN9Zx=eCQdejvz1jAWcXNHepB2=5ZRuunu1gAG6g@mail.gmail.com>

I've been reinstalling my home server with 10-STABLE and wanted to
compartmentalise all the disparate tasks it does - file storage, DNS,
web servers and mplayer/xorg/media stuff in general - into a separate
jail for each task.

For the most part, this was quite straightforward, apart from xorg,
which I found wasn't quite supported. I found Alexander's
patch, and the work Jamie did in part integrating it, allowing kmem
read, and reworked it for 10-STABLE.

From Jamie's emails it looked like he was working on a way of properly
integrating these permissions in a more unified way, but I had a
pressing need :)

I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge,
WITH_NEW_XORG), and everything seems to work just fine. I'm going to
try out radeonkms and nvidia tomorrow also.

Also please note that whilst I want things jailed for separation and
neatness concerns rather than security, it must be pointed out that
letting one jail read and write kernel memory of the whole machine is
not at all secure! Anyone with root in this xorg jail would be able to
break free of the jail.

I'm not sure I did the jail allow parameters right, but it works for
me - I would appreciate someone more competent taking a look! Also,
dev_io_access should probably be renamed or using it to control access
to /dev/mem split out from it? Also, is the style right? vim: noet
sw=8 ts=8 is what I was using.

Cheers

Tom

PS: I haven't tested any input devices yet with this, let me know!

Instructions:

Apply patch, rebuild world and kernel, install and update jails/basejails

Create /etc/devfs.rules to unhide the pertinent devices and restart devfs
This is what I am using, it might be overkill...

  [devfsrules_unhide_xorg=8]
  add include $devfsrules_hide_all
  add include $devfsrules_unhide_basic
  add include $devfsrules_unhide_login
  add path agpgart unhide
  add path console unhide
  add path consolectl unhide
  add path dri unhide
  add path 'dri/*' unhide
  add path io unhide
  add path mem unhide
  add path pci unhide
  add path tty unhide
  add path ttyv0 unhide
  add path ttyv1 unhide
  add path ttyv8 unhide

Set sysctls on jail host to allow jails to have permission granted to
them to access (in particular) /dev/mem, /dev/io and /dev/dri/*

  security.jail.dev_io_access=1
  security.jail.dev_dri_access=1

Configure your chosen jail to use these devfs rules and allow them to
use the devices. I use ezjail, so for me this meant changing
/usr/local/etc/ezjail/<name_of_jail> and setting these lines:

  export jail_xorg_foo_com_devfs_ruleset="8"
  export jail_xorg_foo_com_parameters="allow.dev_io_access=1 allow.dev_dri_access=1"

Load any required kernel modules in the jail host - xorg in the jail
will not be able to load them for you. Therefore, make sure to load
i915kms, radeonkms or nvidia beforehand.

Install and use xorg in the jail as you would normally.
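As an added example (not part of Tom's mail or the patch), a small Python audit of a devfs ruleset like the one above: it resolves the `add include` lines against a constructed, much-simplified stand-in for the stock default rulesets and reports which device nodes the jail would see, flagging the ones (mem, kmem, io) that hand out raw memory or I/O-port access, which is the point of the warning above. Glob matching uses Python's fnmatch as an approximation of devfs's own matcher, and the sample node names are constructed.

```python
import fnmatch
import re
RAW_NODES = {"mem", "kmem", "io"}  # nodes giving raw memory / I/O-port access
# Constructed, much-simplified stand-in for the stock rulesets in
# /etc/defaults/devfs.rules that the page's ruleset includes.
DEFAULTS = """[devfsrules_hide_all=1]
add path '*' hide
[devfsrules_unhide_basic=2]
add path null unhide
[devfsrules_unhide_login=3]
add path 'pts/*' unhide
"""
# The page's ruleset, abridged (agpgart/tty/console/pci entries dropped).
XORG = """[devfsrules_unhide_xorg=8]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'dri/*' unhide
add path io unhide
add path mem unhide
"""
def parse(text):
    """Map each [name=N] ruleset in text to its ordered [(action, glob), ...]."""
    rules, cur = {}, None
    for toks in (ln.replace("'", "").split() for ln in text.splitlines()):
        if toks and (m := re.match(r"\[(\w+)=\d+\]$", toks[0])):
            cur = rules.setdefault(m.group(1), [])
        elif toks[:2] == ["add", "include"]:
            cur.append(("include", toks[2].lstrip("$")))
        elif toks[:2] == ["add", "path"]:
            cur.append((toks[3], toks[2]))  # e.g. ("unhide", "dri/*")
    return rules

def flatten(rules, name):
    """Expand 'add include' recursively into one ordered list of rules."""
    return [r for a, g in rules[name]
            for r in (flatten(rules, g) if a == "include" else [(a, g)])]

def visible(node, flat):
    shown = True               # devfs shows a node unless a rule hides it
    for action, glob in flat:  # rules apply in order; the last match wins
        if fnmatch.fnmatchcase(node, glob):
            shown = action == "unhide"
    return shown

def audit(name, nodes, text=DEFAULTS + XORG):
    """Return (nodes the jail can see, the subset that is raw memory/IO)."""
    flat = flatten(parse(text), name)
    seen = sorted(n for n in nodes if visible(n, flat))
    return seen, [n for n in seen if n in RAW_NODES]
```

Running `audit("devfsrules_unhide_xorg", [...])` on a list of node names shows that mem and io end up visible while kmem stays hidden, so the ruleset alone still exposes the physical-memory and port devices the mail warns about.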

[Attachment: sys-jail-priv--xorg-in-jail.diff.txt]