From: James Gritton
Date: Wed, 29 Jan 2014 06:49:01 -0700
To: Gleb Smirnoff, netchild@FreeBSD.org
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail
Message-ID: <52E906CD.9050202@freebsd.org>

It does. I included a warning in jail.8 that this will pretty much undo jail security.
There are still reasons some may want to do this, but it's definitely not for everyone or even most people.

- Jamie

On 1/29/2014 6:43 AM, Gleb Smirnoff wrote:
> On Wed, Jan 29, 2014 at 01:41:13PM +0000, Jamie Gritton wrote:
> J> Author: jamie
> J> Date: Wed Jan 29 13:41:13 2014
> J> New Revision: 261266
> J> URL: http://svnweb.freebsd.org/changeset/base/261266
> J>
> J> Log:
> J> Add a jail parameter, allow.kmem, which lets jailed processes access
> J> /dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
> J> This in conjunction with changing the drm driver's permission check from
> J> PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
> J>
> J> Submitted by: netchild
>
> Doesn't this allow to easily unjail self? :)