From owner-freebsd-hackers@FreeBSD.ORG Sun Mar 9 01:26:43 2014
Date: Sun, 9 Mar 2014 01:26:40 +0000
Subject: [PATCH] Xorg in a jail
From: Tom Evans
To: "freebsd-x11@freebsd.org", "freebsd-hackers@freebsd.org"
Cc: Alexander Leidinger, jamie@freebsd.org
Content-Type: multipart/mixed; boundary=001a1133a8180070a404f42261fd
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Sun, 09 Mar 2014 01:26:43 -0000

--001a1133a8180070a404f42261fd
Content-Type: text/plain; charset=UTF-8

I've been reinstalling my home server with 10-STABLE and wanted to compartmentalise all the disparate tasks it does - file storage, DNS, web servers and mplayer/xorg/media stuff in general - into a separate jail for each task. For the most part, this was quite straightforward, apart from with xorg I found that it wasn't quite supported.

I found Alexander's patch, and the work Jamie did in part integrating it, allowing kmem read, and reworked it for 10-STABLE. From Jamie's emails it looked like he was working on a way of properly integrating these permissions in a more unified way, but I had a pressing need :)

I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge, WITH_NEW_XORG), and everything seems to work just fine. I'm going to try out radeonkms and nvidia tomorrow also.

Also please note that whilst I want things jailed for separation and neatness concerns rather than security, it must be pointed out that letting one jail read and write kernel memory of the whole machine is not at all secure! Anyone with root in this xorg jail would be able to break free of the jail.

I'm not sure I did the jail allow parameters right, but it works for me - I would appreciate someone more competent taking a look! Also, dev_io_access should probably be renamed, or using it to control access to /dev/mem split out from it?

Also, is the style right? vim: noet sw=8 ts=8 is what I was using.

Cheers

Tom

PS: I haven't tested any input devices yet with this, let me know!

Instructions:

Apply patch, rebuild world and kernel, install and update jails/basejails.

Create /etc/devfs.rules to unhide the pertinent devices and restart devfs. This is what I am using, it might be overkill...

    [devfsrules_unhide_xorg=8]
    add include $devfsrules_hide_all
    add include $devfsrules_unhide_basic
    add include $devfsrules_unhide_login
    add path agpgart unhide
    add path console unhide
    add path consolectl unhide
    add path dri unhide
    add path 'dri/*' unhide
    add path io unhide
    add path mem unhide
    add path pci unhide
    add path tty unhide
    add path ttyv0 unhide
    add path ttyv1 unhide
    add path ttyv8 unhide

Set sysctls on the jail host to allow jails to have permission granted to them to access (in particular) /dev/mem, /dev/io and /dev/dri/*:

    security.jail.dev_io_access=1
    security.jail.dev_dri_access=1

Configure your chosen jail to use these devfs rules and allow them to use the devices. I use ezjail, so for me this meant changing /usr/local/etc/ezjail/ and setting these lines:

    export jail_xorg_foo_com_devfs_ruleset="8"
    export jail_xorg_foo_com_parameters="allow.dev_io_access=1 allow.dev_dri_access=1"

Load any required kernel modules in the jail host - xorg in the jail will not be able to load them for you. Therefore, make sure to load i915kms, radeonkms or nvidia beforehand.

Install and use xorg in the jail as you would normally.
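The setup above hands a jail the dev_io_access flag that, as the mail itself points out, lets jailed root read and write host kernel memory. The following audit helper is an added example written for this page, not part of Tom's mail or of FreeBSD: it parses `jls -n`-style "name=value" output and a devfs.rules ruleset to report which jails hold the allow.dev_io_access / allow.dev_dri_access flags introduced by the patch (those parameter names only exist with the patch applied) and which sensitive device nodes a ruleset unhides. The jail names, paths and ruleset text below are constructed sample input; on a real host you would pipe `jls -n` and `/etc/devfs.rules` into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original mail): audit which jails were granted
# the patch's allow.dev_io_access / allow.dev_dri_access flags, and which
# memory- or port-exposing device nodes a devfs ruleset unhides.

# Constructed sample of `jls -n` output: one jail per line, name=value pairs.
# The allow.dev_*_access parameters are the ones the patch introduces.
SAMPLE_JLS='jid=1 name=dns_foo_com path=/usr/jails/dns allow.dev_io_access=0 allow.dev_dri_access=0
jid=2 name=xorg_foo_com path=/usr/jails/xorg allow.dev_io_access=1 allow.dev_dri_access=1
jid=3 name=www_foo_com path=/usr/jails/www allow.dev_dri_access=1'

# Constructed copy of the author's ruleset as it would sit in /etc/devfs.rules
# (shortened; the real one also unhides console, pci and tty nodes).
SAMPLE_RULES=$(cat <<'EOF'
[devfsrules_unhide_xorg=8]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path agpgart unhide
add path io unhide
add path mem unhide
add path dri unhide
add path 'dri/*' unhide
EOF
)

# jails_with_flag FLAG  < jls-n-output
# Prints the name of every jail whose FLAG parameter (e.g. allow.dev_io_access)
# is set to 1.  Jails that lack the parameter entirely are treated as 0.
jails_with_flag() {
    flag="$1"
    awk -v flag="$flag" '
    {
        name = ""; set = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name") name = kv[2]
            if (kv[1] == flag && kv[2] == "1") set = 1
        }
        if (set) print name
    }'
}

# unhidden_sensitive_paths  < devfs.rules text
# Prints the device paths that expose host physical memory or I/O ports
# (mem, kmem, io) and are explicitly unhidden by the ruleset.
unhidden_sensitive_paths() {
    awk '$1 == "add" && $2 == "path" && $4 == "unhide" &&
         ($3 == "mem" || $3 == "kmem" || $3 == "io") { print $3 }'
}

# Number of jails in the sample that hold the flag covering PRIV_KMEM_WRITE,
# i.e. the jails whose root can reach host kernel memory.
count_kmem_capable_jails() {
    printf '%s\n' "$SAMPLE_JLS" | jails_with_flag allow.dev_io_access | wc -l | tr -d ' '
}
```

Typical use on a patched host is `jls -n | jails_with_flag allow.dev_io_access` to list the jails that must be treated as host-equivalent, and `unhidden_sensitive_paths < /etc/devfs.rules` to confirm that only the ruleset meant for the xorg jail unhides mem and io.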
--001a1133a8180070a404f42261fd
Content-Type: text/plain; charset=US-ASCII; name="sys-jail-priv--xorg-in-jail.diff.txt"
Content-Disposition: attachment; filename="sys-jail-priv--xorg-in-jail.diff.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_hsjmunfq0

Index: sys/dev/drm/drmP.h
===================================================================
--- sys/dev/drm/drmP.h	(revision 262457)
+++ sys/dev/drm/drmP.h	(working copy)
@@ -228,7 +228,7 @@
 #define PAGE_ALIGN(addr) round_page(addr)
 /* DRM_SUSER returns true if the user is superuser */
 #if __FreeBSD_version >= 700000
-#define DRM_SUSER(p)		(priv_check(p, PRIV_DRIVER) == 0)
+#define DRM_SUSER(p)		(priv_check(p, PRIV_DRI_DRIVER) == 0)
 #else
 #define DRM_SUSER(p)		(suser(p) == 0)
 #endif
Index: sys/dev/drm2/drmP.h
===================================================================
--- sys/dev/drm2/drmP.h	(revision 262457)
+++ sys/dev/drm2/drmP.h	(working copy)
@@ -251,7 +251,7 @@
 
 #define PAGE_ALIGN(addr) round_page(addr)
 /* DRM_SUSER returns true if the user is superuser */
-#define DRM_SUSER(p)		(priv_check(p, PRIV_DRIVER) == 0)
+#define DRM_SUSER(p)		(priv_check(p, PRIV_DRI_DRIVER) == 0)
 #define DRM_AGP_FIND_DEVICE()	agp_find_device()
 #define DRM_MTRR_WC		MDF_WRITECOMBINE
 #define jiffies			ticks
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c	(revision 262457)
+++ sys/kern/kern_jail.c	(working copy)
@@ -207,6 +207,8 @@
 	"allow.mount.zfs",
 	"allow.mount.procfs",
 	"allow.mount.tmpfs",
+	"allow.dev_io_access",
+	"allow.dev_dri_access",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -223,6 +225,8 @@
 	"allow.mount.nozfs",
 	"allow.mount.noprocfs",
 	"allow.mount.notmpfs",
+	"allow.nodev_io_access",
+	"allow.nodev_dri_access",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -3950,6 +3954,27 @@
 		return (0);
 
 		/*
+		 * Allow access to /dev/io in a jail if the non-jailed admin
+		 * requests this and if /dev/io exists in the jail. This
+		 * allows Xorg to probe a card.
+		 */
+	case PRIV_IO:
+	case PRIV_KMEM_WRITE:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_DEV_IO_ACCESS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
+		 * Allow low level access to DRI. This allows Xorgs to use DRI.
+		 */
+	case PRIV_DRI_DRIVER:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_DEV_DRI_ACCESS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
 		 * Allow jailed root to set loginclass.
 		 */
 	case PRIV_PROC_SETLOGINCLASS:
@@ -4246,6 +4271,15 @@
     NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I",
     "Processes in jail can mount the zfs file system");
 
+SYSCTL_PROC(_security_jail, OID_AUTO, dev_io_access,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_DEV_IO_ACCESS, sysctl_jail_default_allow, "I",
+    "Processes in jail can access /dev/io if it exists");
+SYSCTL_PROC(_security_jail, OID_AUTO, dev_dri_access,
+    CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
+    NULL, PR_ALLOW_DEV_DRI_ACCESS, sysctl_jail_default_allow, "I",
+    "Processes in jail can access /dev/dri if it exists");
+
 static int
 sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
 {
@@ -4383,6 +4417,10 @@
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, dev_io_access, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may access /dev/io if it exists");
+SYSCTL_JAIL_PARAM(_allow, dev_dri_access, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may access /dev/dri if it exists");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
Index: sys/sys/jail.h
===================================================================
--- sys/sys/jail.h	(revision 262457)
+++ sys/sys/jail.h	(working copy)
@@ -228,7 +228,9 @@
 #define	PR_ALLOW_MOUNT_ZFS		0x0200
 #define	PR_ALLOW_MOUNT_PROCFS		0x0400
 #define	PR_ALLOW_MOUNT_TMPFS		0x0800
-#define	PR_ALLOW_ALL			0x0fff
+#define	PR_ALLOW_DEV_IO_ACCESS		0x1000
+#define	PR_ALLOW_DEV_DRI_ACCESS		0x2000
+#define	PR_ALLOW_ALL			0x3fff
 
 /*
  * OSD methods
Index: sys/sys/priv.h
===================================================================
--- sys/sys/priv.h	(revision 262457)
+++ sys/sys/priv.h	(working copy)
@@ -500,10 +500,11 @@
 #define	PRIV_KMEM_READ		680	/* Open mem/kmem for reading. */
 #define	PRIV_KMEM_WRITE		681	/* Open mem/kmem for writing. */
 
+#define	PRIV_DRI_DRIVER		682
 /*
  * Track end of privilege list.
  */
-#define	_PRIV_HIGHEST		682
+#define	_PRIV_HIGHEST		683
 
 /*
  * Validate that a named privilege is known by the privilege system.  Invalid

--001a1133a8180070a404f42261fd--
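Review bot: in the sys/dev/drm/drmP.h hunk the comment above DRM_SUSER() still says "returns true if the user is superuser", but the macro now asks for PRIV_DRI_DRIVER instead of the generic PRIV_DRIVER, which for a jailed root is decided by the new PR_ALLOW_DEV_DRI_ACCESS flag; reword the comment to say that DRM_SUSER succeeds for jailed root only when the jail has allow.dev_dri_access, and say in the commit message that DRM's privileged ioctls now require a DRM-specific privilege rather than the broad PRIV_DRIVER.

Review bot: the sys/dev/drm2/drmP.h hunk makes the same PRIV_DRIVER to PRIV_DRI_DRIVER swap under the same stale "superuser" comment; fix the comment here as well so the two DRM_SUSER definitions keep expressing the same policy.

Review bot: in the kern_jail.c pr_allow_names hunk (@@ -207,6 +207,8 @@) the two new entries are appended after "allow.mount.tmpfs", which is the right position for the 0x1000 and 0x2000 bits assigned in jail.h, but nothing records that the array order must track the PR_ALLOW_* bit order; add a one-line comment saying so, or a later insertion in the middle of either array will silently shift every flag below it.

Review bot: the prison_priv_check hunk (@@ -3950,6 +3954,27 @@) grants PRIV_IO and PRIV_KMEM_WRITE together under PR_ALLOW_DEV_IO_ACCESS, so a flag named and described as "/dev/io" access also opens /dev/mem and /dev/kmem for writing, which is the full-host compromise the cover mail itself warns about; either split PRIV_KMEM_WRITE out under its own flag (a hypothetical allow.dev_mem_access) or at least make the comment and the sysctl descriptions say that this flag permits kernel memory writes. The comment "if /dev/io exists in the jail" also does not match the code, which tests only the flag bit; device presence is controlled by the devfs ruleset, so say that instead. Minor: "This allows Xorgs to use DRI" should read "Xorg".

Review bot: the SYSCTL_PROC hunk (@@ -4246,6 +4271,15 @@) describes security.jail.dev_io_access as "Processes in jail can access /dev/io if it exists", which understates what the flag does given that the same bit satisfies PRIV_KMEM_WRITE in prison_priv_check; a description along the lines of "Processes in jail can access /dev/io and write /dev/mem and /dev/kmem" tells an administrator what they are actually enabling.

Review bot: the SYSCTL_JAIL_PARAM hunk (@@ -4383,6 +4417,10 @@) adds two user-visible jail parameters, allow.dev_io_access and allow.dev_dri_access, but the patch touches no manual page; jail(8) documents every other allow.* parameter and should get entries for these two, including the statement that the first one is equivalent to giving the jail's root host kernel memory access.

Review bot: in the sys/sys/jail.h hunk PR_ALLOW_ALL grows from 0x0fff to 0x3fff, so both new bits become part of the "all permissions" mask; please confirm that nothing derives the default jail permissions from PR_ALLOW_ALL, so that both flags default to off as the cover mail's instructions (setting security.jail.dev_io_access=1 explicitly) assume, and state that default in the commit message.

Review bot: in the sys/sys/priv.h hunk PRIV_DRI_DRIVER is the only entry in its neighbourhood without a trailing description, unlike PRIV_KMEM_READ and PRIV_KMEM_WRITE directly above it; add a comment such as "/* Low-level DRM/DRI device access. */" and leave a blank line before the "Track end of privilege list" comment block. Bumping _PRIV_HIGHEST to 683 alongside the new value 682 is correct.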