From owner-freebsd-current@FreeBSD.ORG Fri May 17 19:14:35 2013
Message-ID: <5196818F.8080201@FreeBSD.org>
Date: Fri, 17 May 2013 13:14:23 -0600
From: Jamie Gritton <jamie@FreeBSD.org>
To: FreeBSD Current <freebsd-current@FreeBSD.org>
Subject: A PRIV_* flag for /dev/mem?

I'm considering Alexander Leidinger's patch to make X11 work inside a jail
(http://leidinger.net/FreeBSD/current-patches/0_jail.diff). It allows a jail
to optionally have access to /dev/io and DRI (provided the requisite device
files are visible in the devfs ruleset). I'm planning on putting this under a
single jail permission, which would group those two together as device access
that allows messing with kernel memory. It seems more complete to put /dev/mem
under that same umbrella, with the side benefit of letting me call it
"allow.dev_mem". Currently, access is controlled only by device file
permission and a securelevel check.
Jail access is allowed as long as /dev/mem is in the jail's ruleset (it isn't
by default). Adding a prison_priv_check() call would allow some finer control
over this. Something like:

int
memopen(struct cdev *dev __unused, int flags, int fmt __unused,
    struct thread *td)
{
	int error;

	/* Require the privilege for any open; for a jailed credential
	 * priv_check() goes through prison_priv_check(). */
	error = priv_check(td, PRIV_FOO);
	/* Keep the existing securelevel restriction on write opens, so a
	 * write has to pass both checks. */
	if (error == 0 && (flags & FWRITE))
		error = securelevel_gt(td->td_ucred, 0);
	return (error);
}

The main question I'm coming up with here is, what PRIV_* flag should I use?
Does PRIV_IO make sense? PRIV_DRIVER? Something new like PRIV_KMEM? Also, I'd
appreciate it if anyone familiar with this interface can tell me if memopen()
is the right/only place to make this change.

- Jamie
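The open-time decision sketched in the message, worked through as a stand-alone userland model (added here; this is not FreeBSD kernel code and not the poster's patch). The struct cred fields, the allow_dev_mem jail flag standing in for the proposed "allow.dev_mem" permission, and the PRIV_KMEM number are assumptions of this model. It shows the fail-closed composition of the privilege check with the securelevel check, and beside it the same two checks joined on `error != 0`, so the difference the condition makes is visible over a small table of constructed cases.

```c
/*
 * Userland model of a memopen()-style access decision: a PRIV_* check
 * composed with the securelevel check on write opens. Added illustration,
 * not FreeBSD kernel code. struct cred, allow_dev_mem and PRIV_KMEM are
 * assumptions of this model.
 */
#include <errno.h>
#include <stdio.h>

#define FWRITE		0x0002	/* write-open flag, as in the kernel's fcntl.h */
#define PRIV_KMEM	9999	/* hypothetical privilege number */

struct cred {
	int uid;		/* 0 is root */
	int jailed;		/* nonzero when the credential is in a jail */
	int allow_dev_mem;	/* modeled jail permission */
	int securelevel;	/* effective securelevel for this credential */
};

/* Model of prison_priv_check(): granted outside a jail; inside one only
 * when the jail permission is set. */
static int
prison_priv_check_model(const struct cred *cr)
{
	if (cr->jailed && !cr->allow_dev_mem)
		return (EPERM);
	return (0);
}

/* Model of priv_check(): unprivileged users never hold the privilege,
 * root is then subject to the jail policy. */
static int
priv_check_model(const struct cred *cr)
{
	if (cr->uid != 0)
		return (EPERM);
	return (prison_priv_check_model(cr));
}

/* Model of securelevel_gt(): EPERM once the securelevel exceeds level. */
static int
securelevel_gt_model(const struct cred *cr, int level)
{
	return (cr->securelevel > level ? EPERM : 0);
}

/* Fail-closed: the privilege gates every open, and a write open must
 * additionally pass the securelevel check. */
int
memopen_decide(int uid, int jailed, int allow_dev_mem, int securelevel,
    int flags)
{
	struct cred cr = { uid, jailed, allow_dev_mem, securelevel };
	int error;

	error = priv_check_model(&cr);
	if (error == 0 && (flags & FWRITE))
		error = securelevel_gt_model(&cr, 0);
	return (error);
}

/* Same checks joined on "error != 0": a failed privilege check on a write
 * open is overwritten by the securelevel result, and a passed one skips
 * securelevel entirely. Kept only to show why the condition matters. */
int
memopen_decide_fallthrough(int uid, int jailed, int allow_dev_mem,
    int securelevel, int flags)
{
	struct cred cr = { uid, jailed, allow_dev_mem, securelevel };
	int error;

	error = priv_check_model(&cr);
	if (error != 0 && (flags & FWRITE))
		error = securelevel_gt_model(&cr, 0);
	return (error);
}

int
main(void)
{
	/* Constructed cases: uid, jailed, allow_dev_mem, securelevel, flags. */
	const int cases[][5] = {
		{ 0, 0, 0, 0, FWRITE },	/* host root, securelevel 0, write */
		{ 0, 0, 0, 1, FWRITE },	/* host root, securelevel 1, write */
		{ 0, 0, 0, 1, 0 },	/* host root, securelevel 1, read */
		{ 0, 1, 0, 0, FWRITE },	/* jail root without the permission */
		{ 0, 1, 1, 0, FWRITE },	/* jail root with the permission */
		{ 1000, 0, 0, 0, FWRITE },	/* unprivileged user */
	};
	size_t i;

	printf(" uid jail allow slvl flags fail-closed fallthrough\n");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		const int *c = cases[i];
		printf("%4d %4d %5d %4d %5d %11d %11d\n", c[0], c[1], c[2],
		    c[3], c[4], memopen_decide(c[0], c[1], c[2], c[3], c[4]),
		    memopen_decide_fallthrough(c[0], c[1], c[2], c[3], c[4]));
	}
	return (0);
}
```

The table makes the point of the ordering: with the fail-closed form a jail without the permission and an unprivileged user both get EPERM, and root's writes are still refused at securelevel 1; with the fallthrough form those first two write opens succeed at securelevel 0 and the securelevel no longer applies to root.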