From: Tom Evans
To: Alexander Leidinger
Cc: "freebsd-hackers@freebsd.org", "freebsd-x11@freebsd.org", jamie@freebsd.org
Date: Tue, 11 Mar 2014 09:42:02 +0000
Subject: Re: [PATCH] Xorg in a jail

On Sun, Mar 9, 2014 at 6:08 PM, Alexander Leidinger wrote:
> Seems you have an old one. Attached is what I was sending to jamie not
> long ago (but this is not in the FreeBSD tree due to the conclusion that
> such a huge impact on the security part should not be a simple allow.xxx
> switch).

Yes, I can't actually find it from this computer, but it was a patch
on your site. This newer patch you shared (thanks!) is much simpler
and more correct.

> Do NOT use the sysctls in this patch, they allow all jails to access the
> devices, if the devfs rules are appropriate. The attached patch doesn't
> have them anymore.
>
> I had them in in the first implementation, then jamie introduced the
> allow.XXX and I transitioned to this but forgot to remove the sysctls
> after migrating my jail. I removed them recently before sending the
> patch to jamie after his kmem change.

Right! I really wasn't sure what I was doing at that point, cargo cult
programming until it worked. Thanks to you and Jamie for your hints.

Cheers

Tom