From: James Gritton <jamie@gritton.org>
To: freebsd-jail@freebsd.org
Subject: Re: OSS in jail
Date: Sun, 13 Dec 2015 08:23:57 -0700
In-Reply-To: <20151212224422.GB4884@hpmini>
List-Id: "Discussion about FreeBSD jail(8)"

On 2015-12-12 15:44, Luís Fernando Schultz Xavier da Silveira wrote:

> I would like one of my jails to have the ability to play back sound,
> but not to record it. As I understand, sound is played back by writing
> to /dev/dsp and recorded by reading from it. Hence, placing the
> /dev/dsp device (and /dev/dsp[0-9]* devices) in the jail via
> devfs.rules is not a solution since the jail superuser can override
> permissions on these devices and even read from them when they lack
> read permission.
>
> Is there a way to give a device to a jail in write-only mode?
> If not, is it possible to create a virtual OSS stack and give that to
> the jail?
> How would you solve this problem?
>
> Also, is it possible to give the jail a mixer device that can only
> read mixer settings but not alter them?

There is no mechanism for adding a device to a jail with partial
permissions. Generally, it wouldn't just be reading and writing, but a
per-device decision on different ioctl calls. This would require an
entire jail device framework that doesn't exist.

I suppose it's possible to create a virtual OSS stack - sounds like a
pretty big project though. If I had this job to do, that's likely the
direction I'd go, though instead of a virtual OSS driver, I'd consider
something on the user level, with a listening UNIX socket inside the
jail. I doubt this would work seamlessly without recompiling software
though (again, the ioctl question).

- Jamie
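Added example, not code from the thread or from FreeBSD: a host-side, user-level playback proxy in the shape Jamie sketches. A daemon running outside the jail listens on a UNIX socket whose path lies under the jail's root; a client inside the jail streams raw PCM into that socket; the daemon opens the real /dev/dsp write-only and copies the bytes into it. The jail never sees a device node, so there is nothing for its root to chmod, and the socket carries no read path back to the device. The socket path, the regular file standing in for /dev/dsp, the fixed sample format and the sample bytes are assumptions made for the demonstration.

```python
import os
import socket
import tempfile
import threading

CHUNK = 4096

# Assumed fixed format: the proxy relays bytes only, never ioctls, so the
# rate/format is whatever the host side configured on /dev/dsp. Format
# negotiation (the "ioctl question" in the thread) would need a protocol
# header on top of this, which this example deliberately leaves out.


def _write_all(fd, data):
    """Write a whole buffer, retrying on short writes (common on devices)."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def serve_playback_once(sock_path, device_path, ready=None):
    """Accept one client on sock_path and copy its stream into device_path.

    device_path is opened O_WRONLY, so this process can never read
    (record) from it. The client's read direction is shut down at accept
    time, so a jail client reading from the socket only ever gets EOF.
    Returns the number of bytes forwarded.
    """
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o666)  # assumed policy: any user in the jail may play
    srv.listen(1)
    if ready is not None:
        ready.set()
    conn, _ = srv.accept()
    total = 0
    with srv, conn:
        conn.shutdown(socket.SHUT_WR)  # one-way: nothing flows back to the jail
        fd = os.open(device_path, os.O_WRONLY)  # never readable by the proxy
        try:
            while True:
                data = conn.recv(CHUNK)
                if not data:  # client half-closed: playback finished
                    break
                _write_all(fd, data)
                total += len(data)
        finally:
            os.close(fd)
    os.unlink(sock_path)
    return total


def play(sock_path, pcm):
    """What an in-jail client does: connect, stream samples, half-close.

    Returns whatever it could read back, which is b'' because the proxy
    never writes to the socket.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(pcm)
        c.shutdown(socket.SHUT_WR)
        return c.recv(16)


# Constructed stand-in for audio data: a repeating 8-bit ramp, 16 KiB.
SAMPLE_PCM = bytes(range(256)) * 64


def demo(pcm=SAMPLE_PCM):
    """Run proxy and client in one process against a regular file that
    stands in for /dev/dsp. Returns (bytes_forwarded, file_contents, echoed)."""
    tmp = tempfile.mkdtemp()
    sock_path = os.path.join(tmp, "dsp.sock")  # in production: under the jail root
    sink = os.path.join(tmp, "fake_dsp")        # stands in for the host's /dev/dsp
    open(sink, "wb").close()
    ready = threading.Event()
    result = {}
    t = threading.Thread(
        target=lambda: result.update(n=serve_playback_once(sock_path, sink, ready)))
    t.start()
    ready.wait()
    echoed = play(sock_path, pcm)
    t.join()
    with open(sink, "rb") as f:
        written = f.read()
    return result["n"], written, echoed


if __name__ == "__main__":
    n, written, echoed = demo()
    print(f"forwarded {n} bytes; device got {len(written)}; client read back {echoed!r}")
```

For this to be the only audio path, the jail's devfs ruleset must not expose /dev/dsp* at all; the socket is the sole hand-off point. Software that expects an OSS device descriptor (and issues ioctls on it) will not work against the socket without modification, which is exactly the limitation the reply warns about.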