From owner-svn-src-head@FreeBSD.ORG  Fri Jan 31 12:34:56 2014
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 55C6893F;
 Fri, 31 Jan 2014 12:34:56 +0000 (UTC)
Received: from cyrus.watson.org (cyrus.watson.org [198.74.231.69])
 by mx1.freebsd.org (Postfix) with ESMTP id 2CA521AFD;
 Fri, 31 Jan 2014 12:34:56 +0000 (UTC)
Received: from fledge.watson.org (fledge.watson.org [198.74.231.63])
 by cyrus.watson.org (Postfix) with ESMTPS id 6038E46B1A;
 Fri, 31 Jan 2014 07:34:48 -0500 (EST)
Date: Fri, 31 Jan 2014 12:34:48 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: Alexander Leidinger <Alexander@Leidinger.net>
Subject: Re: svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys
 usr.sbin/jail
In-Reply-To: <20140129222210.0000711f@unknown>
Message-ID: <alpine.BSF.2.00.1401311231490.36707@fledge.watson.org>
References: <201401291341.s0TDfDcB068211@svn.freebsd.org>
 <20140129134344.GW66160@FreeBSD.org> <52E906CD.9050202@freebsd.org>
 <20140129222210.0000711f@unknown>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org,
 Gleb Smirnoff <glebius@FreeBSD.org>, src-committers@freebsd.org,
 James Gritton <jamie@freebsd.org>
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2014 12:34:56 -0000

On Wed, 29 Jan 2014, Alexander Leidinger wrote:

>> It does.  I included a warning in jail.8 that this will pretty much undo 
>> jail security.  There are still reasons some may want to do this, but it's 
>> definitely not for everyone or even most people.
>
> It only "unjails" (= basically the same security level as the jail-host with 
> the added benefit of the flexibility of a jail like easy moving from one 
> system to another) the jail which has this flag set. All other jails without 
> the flag can not "escape" to the host.
>
> I also have to add that just setting this flag does not give access to the 
> host, you also have to configure a non-default devfs rule for this jail (to 
> have the devices appear in the jail).

This is not correct: devices do not need to be delegated in devfs for PRIV_IO 
to allow bypass of the Jail security model, due to sysarch() and the 
Linux-emulated equivalent, which turn out direct I/O access from a user 
process without use of a device node.

Frankly, I'd like to see this backed out and not reintroduced.  If it must be 
retained, then it needs a much more clear warning that enabling this feature 
disables Jail's security model.  Don't use the word 'obviate', instead 
explicitly state that root within the jail can escape the jail.

Robert