From: James Gritton <jamie@freebsd.org>
Date: Sat, 08 Mar 2014 21:41:55 -0700
To: Tom Evans, freebsd-x11@freebsd.org, freebsd-hackers@freebsd.org
Cc: Alexander Leidinger
Subject: Re: [PATCH] Xorg in a jail
Message-ID: <531BF113.7060704@freebsd.org>
List: freebsd-hackers@freebsd.org (Technical Discussions relating to FreeBSD)

On 3/8/2014 6:26 PM, Tom Evans wrote:
> I've been reinstalling my home server with 10-STABLE and wanted to
> compartmentalise all the disparate tasks it does - file storage, DNS,
> web servers and mplayer/xorg/media stuff in general - into a separate
> jail for each task.
>
> For the most part, this was quite straightforward, apart from with
> xorg I found that it wasn't quite supported. I found Alexander's
> patch, and the work Jamie did in part integrating it, allowing kmem
> read, and reworked it for 10-STABLE.
>
> From Jamie's emails it looked like he was working on a way of properly
> integrating these permissions in a more unified way, but I had a
> pressing need :)
>
> I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge,
> WITH_NEW_XORG), and everything seems to work just fine. I'm going to
> try out radeonkms and nvidia tomorrow also.
>
> Also please note that whilst I want things jailed for separation and
> neatness concerns rather than security, it must be pointed out that
> letting one jail read and write kernel memory of the whole machine is
> not at all secure! Anyone with root in this xorg jail would be able to
> break free of the jail.

The work to "properly integrate" the permissions got the kibosh for just
that reason. The kmem permission thing can stand on its own, but it's not
going to be jail-triggered except in an unofficial patch.

There's theoretically a "right way" to do this, that would allow an
X11-enabled jail to remain secure, but that right way involves rewriting
the graphics drivers not to use any direct kernel/dev memory access, and
is so way out of scope as not to be considered (at least by anyone I
know).

- Jamie