Date: Wed, 15 Oct 2008 14:35:03 +0000 (UTC)
From: Alexander Leidinger <netchild@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-user@freebsd.org
Subject: svn commit: r183915 - in user/netchild/deskjail/src: sys/kern usr.sbin/jail
Message-ID: <200810151435.m9FEZ3MO036003@svn.freebsd.org>
Author: netchild Date: Wed Oct 15 14:35:03 2008 New Revision: 183915 URL: http://svn.freebsd.org/changeset/base/183915 Log: Add 2 sysctl's to allow access to /dev/io either in all jails, or in a specific jail. Use at your own risk, it opens up the machine. This allows to run a X server in a jail. Modified: user/netchild/deskjail/src/sys/kern/kern_jail.c user/netchild/deskjail/src/usr.sbin/jail/jail.8 Modified: user/netchild/deskjail/src/sys/kern/kern_jail.c ============================================================================== --- user/netchild/deskjail/src/sys/kern/kern_jail.c Wed Oct 15 14:32:43 2008 (r183914) +++ user/netchild/deskjail/src/sys/kern/kern_jail.c Wed Oct 15 14:35:03 2008 (r183915) @@ -80,6 +80,17 @@ SYSCTL_INT(_security_jail, OID_AUTO, mou &jail_mount_allowed, 0, "Processes in jail can mount/unmount jail-friendly file systems"); +static int jail_dev_io_access_allowed = 0; +SYSCTL_INT(_security_jail, OID_AUTO, dev_io_access_allowed, CTLFLAG_RW, + &jail_dev_io_access_allowed, 0, + "Processes in all jails can get access to /dev/io if available"); + +static char jail_dev_io_access_allowed_hostname[MAXHOSTNAMELEN] = ""; +SYSCTL_STRING(_security_jail, OID_AUTO, dev_io_access_allowed_hostname, + CTLFLAG_RW, jail_dev_io_access_allowed_hostname, + sizeof(jail_dev_io_access_allowed_hostname), + "Hostname of specific jail which can get access to /dev/io if available"); + /* allprison, lastprid, and prisoncount are protected by allprison_lock. */ struct prisonlist allprison; struct sx allprison_lock; 
@@ -752,6 +763,26 @@ prison_priv_check(struct ucred *cred, in case PRIV_NETINET_GETCRED: return (0); + /* + * Allow access to /dev/io in a jail if the non-jailed admin + * requests this and if /dev/io exists in the jail. This + * allows Xorg to probe a card. + */ + case PRIV_IO: + if (jail_dev_io_access_allowed) + return (0); + + { + char jail_hostname[MAXHOSTNAMELEN]; + + getcredhostname(cred, jail_hostname, MAXHOSTNAMELEN); + if (strncasecmp(jail_dev_io_access_allowed_hostname, + jail_hostname, MAXHOSTNAMELEN) == 0) + return (0); + } + + return (EPERM); + default: /* * In all remaining cases, deny the privilege request. This Modified: user/netchild/deskjail/src/usr.sbin/jail/jail.8 ============================================================================== --- user/netchild/deskjail/src/usr.sbin/jail/jail.8 Wed Oct 15 14:32:43 2008 (r183914) +++ user/netchild/deskjail/src/usr.sbin/jail/jail.8 Wed Oct 15 14:35:03 2008 (r183915) @@ -33,7 +33,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 5, 2007 +.Dd March 10, 2008 .Dt JAIL 8 .Os .Sh NAME 
@@ -546,6 +546,38 @@ or clear system file flags; if non-zero, privileged, and may manipulate system file flags subject to the usual constraints on .Va kern.securelevel . +.It Va security.jail.dev_io_access_allowed +This MIB entry determines if a privileged user inside +.Va every +jail will be able to access +.Pa /dev/io +in case +.Xr devfs 8 +is used to show +.Pa /dev/io +in a jail. +The default value of 0 does not allow access even if +.Pa /dev/io +is visible in a jail. +A value of 1 allowes access in a jail. +This sysctl should not be used to give this access rights to only one +specific jail. +To give access to only one specific jail the sysctl +.Va security.jail.dev_io_access_allowed_hostname +should be used instead. +.It Va security.jail.dev_io_access_allowed_hostname +This MIB entry determines if a privileged user only inside the +.Va specified +jail will be able to access +.Pa /dev/io +in case +.Xr devfs 8 +is used to show +.Pa /dev/io +in a jail. +The string-value of this sysctl is compared case-insensitive with the hostname +of the jail. +Access is allowed if the string matches. .It Va security.jail.mount_allowed This MIB entry determines if a privileged user inside a jail will be able to mount and unmount file system types marked as jail-friendly.
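Review bot: in the first kern_jail.c hunk, security.jail.dev_io_access_allowed_hostname selects the jail by its hostname, which is a label and not a unique jail identity, so every jail carrying that hostname gets PRIV_IO, not "one specific jail" as the description string and the manual page say. Keying the exception on the jail ID, or on a per-prison flag set when the jail is created, would bind it to a single jail. If the hostname stays as the selector, the description string should say that all jails with a matching hostname are exempted and that the exemption follows the hostname wherever it is set.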
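Review bot: the hostname branch of the new PRIV_IO case in prison_priv_check() has no check for an empty jail_dev_io_access_allowed_hostname, and that buffer is initialised to "", so with both sysctls at their defaults strncasecmp() returns 0 for any jail whose hostname is the empty string and PRIV_IO is granted. Test jail_dev_io_access_allowed_hostname[0] != '\0' before the comparison so that the default value means no jail is exempt. The comment above the case also says access depends on /dev/io existing in the jail, but nothing in the case checks that; reword it to say that visibility of the device is left to devfs.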
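Review bot: the .Dd line in the first jail.8 hunk is set to March 10, 2008, while this revision is dated October 15, 2008; the document date should be the date of this change to the manual page.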
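Review bot: the two new .It entries in jail.8 omit the warning the commit log gives ("Use at your own risk, it opens up the machine"); the manual page is where an administrator will read about these sysctls, so both entries should state that risk. The security.jail.dev_io_access_allowed_hostname entry should also say what the default empty string means and that every jail with a matching hostname is affected. Smaller points in the same hunk: "allowes" should be "allows", "this access rights" should be "this access right", and ".Va every" and ".Va specified" use the variable-name macro for emphasis where .Em is the macro meant for that.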