From: Alexander Leidinger <alexander@leidinger.net>
To: Joshua Isom
Cc: freebsd-hackers@freebsd.org
Date: Fri, 10 May 2013 12:11:33 +0200
Subject: Re: priv_check/make_dev/devfs.rules: What is preventing a device to show up in a jail?
Message-ID: <20130510121133.00001e2a@unknown>
In-Reply-To: <518C060E.8040301@gmail.com>
References: <20130509110718.0000528e@unknown> <518C060E.8040301@gmail.com>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On Thu, 09 May 2013 15:24:46 -0500
Joshua Isom wrote:

> If you're just doing virtualization and not worrying about security,

I worry about what is going on. We have something which is supposed to
provide security as required, but it does not seem to work as
described. We either need to fix the documentation, or a bug in the
code. To do the latter it needs to be debugged. My questions are if
this is supposed to work, and if yes how to debug this.

Bye,
Alexander.

> there's a simple test. Don't set "devfs_enable" in rc.conf, and
> instead add a devfs line to the jail's fstab file. It should give
> full access to everything in the host's /dev.
>
> On 5/9/2013 4:07 AM, Alexander Leidinger wrote:
> > Hi,
> >
> > big picture: I want to get access to my USB DVB device in a jail.
> > First I explain what works (to show what I already know in this
> > regard), then I explain what doesn't work (where I seem to lack
> > some knowledge).
> >
> > What I did so far:
> > I already patched my kernel to give access to /dev/io and /dev/dri
> > in a jail to have X11 up and running in a jail (this has worked for
> > some years):
> > - changed PRIV_DRIVER to PRIV_DRI_DRIVER (new in my kernel)
> >   for the priv_check() for /dev/dri
> > - added cases PRIV_IO and PRIV_DRI_DRIVER to sys/kern/kern_jail.c
> >   which allow access if a specific allow.xxx flag is set for the
> >   jail
> > - added the following lines to devfs.rules in a x11-jail specific
> >   section (plus some more devices):
> > ---snip---
> > add path agpgart unhide
> > add path dri unhide
> > add path 'dri*' unhide
> > add path nvidiactl unhide
> > add path 'nvidia*' unhide
> > add path io unhide
> > add path mem unhide
> > ---snip---
> >
> > Patches at
> > http://www.Leidinger.net/FreeBSD/current-patches/0_jail.diff
> >
> > Result so far:
> > - I see the io/mem/nvidia* devices (when I had a Radeon card which
> >   used /dev/dri, I was also seeing the devices in the /dev/dri/
> >   directory)
> > - I have X11 running in a jail (some config stuff skipped in the
> >   above list).
> >
> > My problem:
> > I try now to get the device nodes which are created by
> > multimedia/cuse4bsd-kmod + multimedia/webcamd visible
> > in a jail, but they only show up in the jail-host, not in the jail
> > itself.
> >
> > I patched the priv_check()s in cuse4bsd-kmod to use PRIV_DRI_DRIVER
> > (because it is already available in my kernel and allowed in the
> > jail where I test this; I expect this is necessary in case I want
> > to run webcamd in the jail instead of on the host system) and have
> > the following entries in devfs.rules:
> > ---snip---
> > [devfsrules_unhide_cuse=13]
> > add path cuse unhide
> > add path video unhide
> > add path 'video*' unhide
> > add path dvb unhide
> > add path 'dvb*' unhide
> > add path input unhide
> > add path 'input*' unhide
> > ---snip---
> >
> > I also tried with:
> > ---snip---
> > add path 'dvb/*' unhide
> > add path 'dvb/adapter0/*' unhide
> > ---snip---
> > (I was desperate enough to even reboot the entire host system after
> > changing the rules to make sure I didn't forget to run something
> > which should be run before.)
> >
> > When starting webcamd in the host system (to rule out some other
> > interactions if I started it in the jail), I can see in the
> > jail:
> > ---snip---
> > /dev/cuse
> > /dev/dvb/
> > /dev/input/
> > /dev/input/event0
> > ---snip---
> >
> > In the host system I have additionally:
> > ---snip---
> > /dev/dvb/adapter0/ca0
> > /dev/dvb/adapter0/demux0
> > /dev/dvb/adapter0/dvr0
> > /dev/dvb/adapter0/frontend0
> > ---snip---
> >
> > I would expect to see at least the /dev/dvb/adapter0, if not all of
> > them in the jail itself.
> >
> > Is there something to the devfs.rules syntax or priv_check() or
> > make_dev()/make_dev_cred() I don't know/understand which is involved
> > when subdirectories of subdirectories in /dev are involved?
> >
> > How can I debug this (where to look, what to look for, ...)?
> >
> > Bye,
> > Alexander.
> >

-- 
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org  : PGP ID = 72077137
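A first debugging step for the question above is to separate the devfs.rules path-matching layer from the priv_check()/make_dev_cred() layer: compute which nodes the quoted ruleset should unhide, then compare that with what the jail actually shows. The script below is an added illustration for this thread, not code from the thread, from FreeBSD or from its devfs implementation. It parses rule files in the exact format quoted above (`[name=number]` sections, `add ...` lines) and applies them to a constructed list of the device nodes the thread lists on the host. Assumptions, all labelled in the code: rules in a ruleset are applied in order and later actions override earlier ones; `add hide` with no condition matches every node; `add path PATTERN` is fnmatch(3)-style globbing; ruleset 4 here is a constructed stand-in for a hide-everything jail ruleset that includes the thread's ruleset 13. Whether a `*` in a pattern may cross a `/` is not settled on this page (the thread saw `input/event0` unhidden by `'input*'`, which is the behaviour the default here follows), so it is a parameter you can flip.

```python
"""Model of devfs.rules(5) path matching for the rulesets quoted in the thread.

Added illustration; not FreeBSD's devfs code.  Assumptions:
  - rules in a ruleset apply in order, later actions override earlier ones;
  - 'add hide' with no condition matches every node;
  - 'add path PATTERN ...' matches the node path relative to /dev with
    fnmatch(3)-style globbing;
  - 'pathname' chooses whether '*' and '?' may cross a '/' (the real kernel's
    fnmatch flags are an assumption here, hence the parameter).
"""
import re
import shlex

# Constructed rule file in the thread's format.  Ruleset 13 is the one quoted
# in the thread; ruleset 4 is a constructed stand-in for a jail ruleset that
# hides everything and then includes 13.
RULE_FILE = """
[devfsrules_unhide_cuse=13]
add path cuse unhide
add path video unhide
add path 'video*' unhide
add path dvb unhide
add path 'dvb*' unhide
add path input unhide
add path 'input*' unhide

[devfsrules_jail_test=4]
add hide
add include $devfsrules_unhide_cuse
"""

# The thread's second attempt: the same ruleset plus the two subdirectory patterns.
RULE_FILE_SUBDIR = RULE_FILE.replace(
    "add path 'dvb*' unhide",
    "add path 'dvb*' unhide\nadd path 'dvb/*' unhide\nadd path 'dvb/adapter0/*' unhide")

# Device nodes the thread lists on the host, relative to /dev (constructed list).
HOST_NODES = [
    "cuse", "dvb", "dvb/adapter0", "dvb/adapter0/ca0", "dvb/adapter0/demux0",
    "dvb/adapter0/dvr0", "dvb/adapter0/frontend0", "input", "input/event0",
]


def parse_rules(text):
    """Return ({number: [rule tokens, ...]}, {name: number}) from a rule file."""
    rulesets, names, cur = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)=(\d+)\]$", line)
        if m:
            cur = int(m.group(2))
            names[m.group(1)] = cur
            rulesets[cur] = []
            continue
        toks = shlex.split(line)  # shlex handles the quoted 'dvb*' patterns
        if cur is None or toks[0] != "add":
            raise ValueError("unsupported line: " + line)
        rulesets[cur].append(toks[1:])
    return rulesets, names


def glob_to_regex(pattern, pathname):
    """fnmatch(3)-style glob; with pathname=True, '*' and '?' do not match '/'."""
    any_char = "[^/]" if pathname else "."
    out = ""
    for ch in pattern:
        if ch == "*":
            out += any_char + "*"
        elif ch == "?":
            out += any_char
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$")


def apply_ruleset(rulesets, names, number, nodes, pathname):
    """Return {node: visible} after applying ruleset `number` to `nodes`."""
    visible = {n: True for n in nodes}

    def run(num):
        for rule in rulesets[num]:
            if rule[0] == "include":            # add include $name
                run(names[rule[1].lstrip("$")])
                continue
            if rule[0] == "path":               # add path PATTERN hide|unhide
                rx = glob_to_regex(rule[1], pathname)
                action, targets = rule[2], [n for n in nodes if rx.match(n)]
            else:                               # add hide|unhide (unconditional)
                action, targets = rule[0], nodes
            for n in targets:
                visible[n] = (action == "unhide")

    run(number)
    return visible


def visible_nodes(rule_text=RULE_FILE, nodes=HOST_NODES, pathname=False):
    """Sorted list of nodes left visible by ruleset 4 of `rule_text`."""
    rulesets, names = parse_rules(rule_text)
    vis = apply_ruleset(rulesets, names, 4, nodes, pathname)
    return sorted(n for n in nodes if vis[n])


if __name__ == "__main__":
    print("'*' may cross '/'           :", visible_nodes())
    print("'*' stops at '/'            :", visible_nodes(pathname=True))
    print("with dvb/* patterns, stops  :", visible_nodes(RULE_FILE_SUBDIR, pathname=True))
```

Run it and compare the three lists with `ls -R /dev` inside the jail: if the model says a node should be visible under either matching mode and the jail still does not show it (as the thread reports for `dvb/adapter0/*`), the ruleset is not the layer to debug further, and attention moves to how the node was created (make_dev()/make_dev_cred() and the credential or priv_check() that gates it).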