From owner-freebsd-hackers@FreeBSD.ORG Mon Mar 10 19:02:02 2014
From: John Baldwin
To: freebsd-hackers@freebsd.org
Cc: Tom Evans, Alexander Leidinger, freebsd-x11@freebsd.org, James Gritton
Subject: Re: [PATCH] Xorg in a jail
Date: Mon, 10 Mar 2014 14:42:23 -0400
Message-Id: <201403101442.23546.jhb@freebsd.org>
In-Reply-To: <531BF113.7060704@freebsd.org>
References: <531BF113.7060704@freebsd.org>

On Saturday, March 08, 2014 11:41:55 pm James Gritton wrote:
> On 3/8/2014 6:26 PM, Tom Evans wrote:
> > I've been reinstalling my home server with 10-STABLE and wanted to
> > compartmentalise all the disparate tasks it does - file storage, DNS,
> > web servers and mplayer/xorg/media stuff in general - into a separate
> > jail for each task.
> >
> > For the most part, this was quite straightforward, apart from with
> > xorg I found that it wasn't quite supported. I found Alexander's
> > patch, and the work Jamie did in part integrating it, allowing kmem
> > read, and reworked it for 10-STABLE.
> >
> > From Jamie's emails it looked like he was working on a way of properly
> > integrating these permissions in a more unified way, but I had a
> > pressing need :)
> >
> > I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge,
> > WITH_NEW_XORG), and everything seems to work just fine. I'm going to
> > try out radeonkms and nvidia tomorrow also.
> >
> > Also please note that whilst I want things jailed for separation and
> > neatness concerns rather than security, it must be pointed out that
> > letting one jail read and write kernel memory of the whole machine is
> > not at all secure! Anyone with root in this xorg jail would be able to
> > break free of the jail.
>
> The work to "properly integrate" the permissions got the kibosh for
> just that reason. The kmem permission thing can stand on its own,
> but it's not going to be jail-triggered except in an unofficial patch.
>
> There's theoretically a "right way" to do this, that would allow an
> X11-enabled jail to remain secure, but that right way involves
> rewriting the graphics drivers not to use any direct kernel/dev memory
> access, and is so way out of scope as not to be considered (at least
> by anyone I know).

I think it's more that a flag whose name implied "no security checks" would be
fine, but that 'allow_kmem' was a bit too innocuous-looking for a jail flag.

--
John Baldwin
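A defensive check in the spirit of Tom's caveat, added here as an example (it is not code from the thread or from FreeBSD): a POSIX sh audit that scans a devfs.rules file and reports every jail ruleset that unhides the raw memory devices through which a jail could read and write kernel memory. The file format is the standard /etc/devfs.rules syntax; the device list (mem, kmem, io) and the ruleset names in the test are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a FreeBSD devfs.rules file for
# rules that unhide raw memory devices inside a jail's devfs ruleset, since a
# jail root that can open those devices can escape the jail.
#
# Expected file syntax (standard /etc/devfs.rules):
#   [devfsrules_name=NUMBER]
#   add path 'kmem' unhide
#
# Device names treated as raw memory access (assumed list for this example).
RISKY_DEVS='mem kmem io'

# audit_devfs_rules FILE
# Prints "ruleset:device" for each unhide of a risky device.
# Returns 0 if nothing was flagged, 1 if at least one rule was flagged.
audit_devfs_rules() {
    file="$1"
    found=0
    ruleset='(none)'
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"            # drop trailing comments
        case "$line" in
            \[*\]*)                   # ruleset header: [name=N]
                ruleset="${line#\[}"
                ruleset="${ruleset%%\]*}"
                ;;
            *unhide*)                 # only unhide rules expose a device
                for dev in $RISKY_DEVS; do
                    case "$line" in
                        *"path '$dev'"*|*"path \"$dev\""*|*"path $dev"*)
                            printf '%s:%s\n' "$ruleset" "$dev"
                            found=1
                            ;;
                    esac
                done
                ;;
        esac
    done < "$file"
    return $found
}

# Stand-alone use: audit_devfs_rules.sh /etc/devfs.rules
if [ "$#" -gt 0 ]; then
    audit_devfs_rules "$1"
fi
```

Rules such as `add path 'dri/*' unhide`, which an X11 jail legitimately needs, are not flagged; only the raw memory devices are.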