Date: Mon, 18 Sep 2017 15:32:12 +0200
From: Alexander Leidinger <Alexander@leidinger.net>
To: Giulio Ferro <auryn@zirakzigil.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: devd in jail
Message-ID: <20170918153212.Horde.reuh2WwJotWq2qHgpHwvnNq@webmail.leidinger.net>
In-Reply-To: <d7bfb91d-c265-3baf-b598-5f771e587d34@zirakzigil.org>
References: <e03a6040-1322-c82c-0e96-49c474188d5c@zirakzigil.org> <4a1a99a5-35ea-19c9-7ac8-77875ac6f71f@zirakzigil.org> <20170905151537.Horde.10cHNOX1OVri7mGaUcDeX1l@webmail.leidinger.net> <7ca865ee-b613-2f0c-daf0-d828884b5e74@zirakzigil.org> <1C181EF2-B8B1-4F42-BF80-ABEA0593DD43@dsl-only.net> <c17afdad-6bf0-3c4b-6325-2417fb0d18d7@zirakzigil.org> <20170906122556.Horde.5OdDwtii7HXPNArY77YUyBi@webmail.leidinger.net> <D5C4EF81-BCF7-496E-8CD4-2C053607D20C@zirakzigil.org> <20170906221947.Horde.RITHvdc1wVE9v0-3nBavR0Z@webmail.leidinger.net> <da552407-fb13-677b-f514-c3bfacc83e73@zirakzigil.org> <20170909150335.Horde.wBLIPwBuhV3lyQlBxKud39f@webmail.leidinger.net> <27e72cfb-54cf-4af8-b569-85fff089c45f@zirakzigil.org> <20170911161253.Horde.vawLu00EtbbHOVeJRXjp7N0@webmail.leidinger.net> <3236AD55-0D14-49A5-B5B9-3147A216D8A5@zirakzigil.org> <AE1CE061-7BDB-4ED0-B6AF-CC30929D93D3@zirakzigil.org> <20170917210736.Horde.TlHhnPnnzSWoAGi9k7b1_sp@webmail.leidinger.net> <d7bfb91d-c265-3baf-b598-5f771e587d34@zirakzigil.org>
Quoting Giulio Ferro <auryn@zirakzigil.org> (from Mon, 18 Sep 2017 08:49:32 +0200):
> nope, even the old way I get:
>
> jail: xxx: unknown parameter: allow.kmem_access
>
>
> Has anyone else tried this in 11.1 stable?
As I'm creating the diff vs. 11.1 just for you: no.
Here is an updated change (thanks to jamie@ for the cluebat). It's a full
patch vs. 11.1:
http://www.Leidinger.net/FreeBSD/current-patches/x11_in_jail_releng_11_1.diff
The difference from what you already have is two lines:
---snip---
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c (revision 323230)
+++ sys/kern/kern_jail.c (working copy)
@@ -3788,6 +3806,8 @@
"B", "Jail may set file quotas");
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, kmem_access, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may access kmem-like devices (io, dri) if they exist");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount
permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
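Review bot: The description string on the added `SYSCTL_JAIL_PARAM(_allow, kmem_access, ...)` line understates what the switch grants: a jail with access to kmem-like devices is no longer isolated from the host kernel, so the string an administrator sees in `sysctl -d` should say so rather than only "if they exist", e.g. "Jail may access kmem-like devices (io, dri); effectively disables jail isolation". The hunk otherwise matches its neighbours (`CTLTYPE_INT | CTLFLAG_RW`, `"B"`, same placement after `socket_af`), and it declares only the parameter node; nothing visible here enforces it, and the `@@ -3788,6 +3806,8 @@` offset shows the rest of the change lives earlier in the full patch, which is consistent with the message calling these two lines the missing piece. The jail(8) documentation for `allow.kmem_access` is also not part of this hunk and should accompany the full patch.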
---snip---
I have validated this in -current; this is the missing piece. When
this is in the kernel, you should see kmem_access in the output of
sysctl security.jail.param.allow.
This should then work with the jail.conf (and rc.conf) way of
configuring a jail.
Bye,
Alexander.
--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
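The pre-flight check implied by the message above (confirm that the parameter is listed under security.jail.param.allow before relying on it in jail.conf), as an added POSIX sh example that is not code from the thread or from FreeBSD: it takes the output of `sysctl -N security.jail.param.allow` and a jail.conf fragment, both constructed samples here, and reports each allow.* parameter the config sets that the kernel does not advertise, which is the situation that produces the "unknown parameter: allow.kmem_access" error quoted in the thread. The kernel parameter list is an illustrative subset, and the jail.conf forms handled ("allow.x = 1;" and bare "allow.x;") are assumptions about the syntax in use; it also flags configs that enable allow.kmem_access, since per the patch's own description that grants access to kmem-like devices and a host administrator auditing jail.conf will want it called out.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself.
# Pre-flight check: compare the allow.* parameters a jail.conf sets against
# the allow.* parameters the running kernel advertises below
# security.jail.param.allow, so a missing one is reported up front instead
# of jail(8) failing with "jail: xxx: unknown parameter: allow.kmem_access".

# Constructed sample of `sysctl -N security.jail.param.allow` output for a
# kernel WITHOUT the kmem_access patch (illustrative subset; an assumption
# about which parameters are listed, the real list is longer).
SAMPLE_KERNEL_PARAMS='security.jail.param.allow.set_hostname
security.jail.param.allow.sysvipc
security.jail.param.allow.raw_sockets
security.jail.param.allow.chflags
security.jail.param.allow.quotas
security.jail.param.allow.socket_af
security.jail.param.allow.mount
security.jail.param.allow.mount.devfs'

# Constructed jail.conf fragment for the jail from the thread; the
# "allow.kmem_access = 1;" line is the one an unpatched kernel rejects.
SAMPLE_JAIL_CONF='xxx {
    path = "/jails/xxx";
    allow.raw_sockets = 1;
    allow.kmem_access = 1;
    allow.mount.devfs;
}'

# allow.* names the kernel knows, one per line, without the
# security.jail.param. prefix. On a real host feed it:
#   kernel_allow_params "$(sysctl -N security.jail.param.allow)"
kernel_allow_params() {
    printf '%s\n' "$1" | sed -n 's/^security\.jail\.param\.\(allow\.[a-z_.]*\)$/\1/p'
}

# allow.* names a jail.conf fragment sets, one per line (assumed forms:
# "allow.x = 1;" and the bare "allow.x;").
conf_allow_params() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(allow\.[a-z_.]*\).*/\1/p'
}

# Print each allow.* parameter the config sets that the kernel does not
# advertise. Returns 0 when every parameter is known, 1 otherwise.
unknown_allow_params() {
    conf=$1; kernel=$2; status=0
    for p in $(conf_allow_params "$conf"); do
        if ! kernel_allow_params "$kernel" | grep -qxF "$p"; then
            printf '%s\n' "$p"
            status=1
        fi
    done
    return "$status"
}

# Returns 0 when the config enables allow.kmem_access. Per the sysctl
# description in the patch this lets the jail reach kmem-like devices, so
# such a jail is no longer isolated from the host kernel and deserves a
# line in any jail.conf audit.
enables_kmem_access() {
    conf_allow_params "$1" | grep -qxF 'allow.kmem_access'
}

if unknown_allow_params "$SAMPLE_JAIL_CONF" "$SAMPLE_KERNEL_PARAMS"; then
    echo "all allow.* parameters in jail.conf are known to this kernel"
else
    echo "jail -c would fail with 'unknown parameter' for the names listed above"
fi
if enables_kmem_access "$SAMPLE_JAIL_CONF"; then
    echo "audit: this jail.conf enables allow.kmem_access (kmem-like device access)"
fi
```

Once the patched kernel is running, `sysctl -N security.jail.param.allow` gains the `security.jail.param.allow.kmem_access` line and the same config passes the check; the audit line stays, because the point of that check is that the parameter is a deliberate, reviewed choice rather than something that slipped into jail.conf.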