Date: Mon, 18 Sep 2017 15:32:12 +0200
From: Alexander Leidinger
To: Giulio Ferro
Cc: freebsd-hackers@freebsd.org
Subject: Re: devd in jail

Quoting Giulio Ferro (from Mon, 18 Sep 2017 08:49:32 +0200):

> nope, even the old way I get:
>
> jail: xxx: unknown parameter: allow.kmem_access
>
>
> Has anyone else tried this in 11.1 stable?

As I'm creating the diff vs. 11.1 just for you: no.

Here is an updated change (thanks to jamie@ for the cluebat). It's a full
patch vs 11.1.
      http://www.Leidinger.net/FreeBSD/current-patches/x11_in_jail_releng_11_1.diff

The difference from what you already have is two lines:

---snip---
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c	(revision 323230)
+++ sys/kern/kern_jail.c	(working copy)
@@ -3788,6 +3806,8 @@
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, kmem_access, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may access kmem-like devices (io, dri) if they exist");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
---snip---

I have validated this in -current; this is the missing piece. When this is
in the kernel, you should see kmem_access in the output of

    sysctl security.jail.param.allow

This should then work with the jail.conf (and rc.conf) way of configuring
a jail.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
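Review bot: the two `+SYSCTL_JAIL_PARAM(_allow, kmem_access, ...)` lines only register the sysctl node security.jail.param.allow.kmem_access, which is what makes jail(8) stop reporting "unknown parameter"; nothing in this hunk ties the name to an allow flag the kernel actually enforces, so confirm that the rest of the diff adds the matching PR_ALLOW_* bit and its entry in the parameter name table, and that the "(io, dri)" list in the description string matches the devices that code really gates. The `@@ -3788,6 +3806,8 @@` offsets (18 lines already added above this point in the working copy) are consistent with that living elsewhere in the full patch. Since this flag lets a jail reach host hardware devices, the jail(8) man page should also gain an allow.kmem_access entry that states the default.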
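As an added example, not part of this thread or of the patch: a small POSIX sh check that, given the output of `sysctl security.jail.param.allow` and a jail.conf, lists which jails enable allow.kmem_access and whether the running kernel knows the parameter (the "unknown parameter" error quoted above is what jail(8) reports when it does not). Because the flag exposes kmem-like host devices to a jail, the same listing doubles as an audit of which jails hold it. All inputs are constructed samples and the helper names (kernel_has_param, jails_requesting, check_jails) are mine.

```shell
#!/bin/sh
# Added example, not from the mail or the patch. Helper names are assumed;
# all inputs below are constructed so the script runs offline.

# Constructed: `sysctl security.jail.param.allow` on an 11.1 kernel without
# the patch (no kmem_access entry)...
SYSCTL_OLD='security.jail.param.allow.set_hostname: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.mount: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.socket_af: 0'
# ...and with the patch applied, where the new parameter shows up.
SYSCTL_NEW="$SYSCTL_OLD
security.jail.param.allow.kmem_access: 0"

# Constructed jail.conf: only the X11 jail asks for the kmem-like devices.
JAIL_CONF='exec.clean;
path = "/jails/$name";
x11 { ip4.addr = 10.0.0.2; allow.kmem_access; }
web { ip4.addr = 10.0.0.3; allow.raw_sockets; }'

# kernel_has_param SYSCTL_OUTPUT NAME: succeeds if allow.NAME is a known param.
kernel_has_param() {
    printf '%s\n' "$1" | grep -q "^security\.jail\.param\.allow\.$2:"
}

# jails_requesting JAIL_CONF NAME: names of jails whose block enables
# allow.NAME, written either as "allow.NAME;" or "allow.NAME = 1;".
jails_requesting() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { re = "allow\\." p "[ \t]*(;|=[ \t]*1[ \t]*;)" }
        /^[A-Za-z0-9_]+[ \t]*[{]/ { name = $0; sub(/[ \t]*[{].*/, "", name) }
        name != "" && $0 ~ re { print name; name = "" }'
}

# check_jails SYSCTL_OUTPUT JAIL_CONF NAME: one line per requesting jail,
# "<jail> ok" if the kernel knows the parameter, "<jail> unknown" if jail(8)
# would fail with "unknown parameter: allow.NAME".
check_jails() {
    if kernel_has_param "$1" "$3"; then status=ok; else status=unknown; fi
    for j in $(jails_requesting "$2" "$3"); do
        printf '%s %s\n' "$j" "$status"
    done
}

check_jails "$SYSCTL_OLD" "$JAIL_CONF" kmem_access   # x11 unknown
check_jails "$SYSCTL_NEW" "$JAIL_CONF" kmem_access   # x11 ok
```

On a real host replace the constructed strings with `sysctl security.jail.param.allow` output and the contents of /etc/jail.conf.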