Date: Mon, 10 Mar 2014 14:42:23 -0400
From: John Baldwin <jhb@freebsd.org>
To: freebsd-hackers@freebsd.org
Cc: Tom Evans <tevans.uk@googlemail.com>, Alexander Leidinger <Alexander@leidinger.net>, "freebsd-x11@freebsd.org" <freebsd-x11@freebsd.org>, James Gritton <jamie@freebsd.org>
Subject: Re: [PATCH] Xorg in a jail
Message-ID: <201403101442.23546.jhb@freebsd.org>
In-Reply-To: <531BF113.7060704@freebsd.org>
References: <CAFHbX1JUzM+N9Zx=eCQdejvz1jAWcXNHepB2=5ZRuunu1gAG6g@mail.gmail.com> <531BF113.7060704@freebsd.org>
On Saturday, March 08, 2014 11:41:55 pm James Gritton wrote:
> On 3/8/2014 6:26 PM, Tom Evans wrote:
> > I've been reinstalling my home server with 10-STABLE and wanted to
> > compartmentalise all the disparate tasks it does - file storage, DNS,
> > web servers and mplayer/xorg/media stuff in general - into a separate
> > jail for each task.
> >
> > For the most part, this was quite straightforward, apart from with
> > xorg I found that it wasn't quite supported. I found Alexander's
> > patch, and the work Jamie did in part integrating it, allowing kmem
> > read, and reworked it for 10-STABLE.
> >
> > From Jamie's emails it looked like he was working on a way of properly
> > integrating these permissions in a more unified way, but I had a
> > pressing need :)
> >
> > I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge,
> > WITH_NEW_XORG), and everything seems to work just fine. I'm going to
> > try out radeonkms and nvidia tomorrow also.
> >
> > Also please note that whilst I want things jailed for separation and
> > neatness concerns rather than security, it must be pointed out that
> > letting one jail read and write kernel memory of the whole machine is
> > not at all secure! Anyone with root in this xorg jail would be able to
> > break free of the jail.
>
> The work to "properly integrate" the permissions got the kibosh for
> just that reason. The kmem permission thing can stand on its own,
> but it's not going to be jail-triggered except in an unofficial patch.
>
> There's theoretically a "right way" to do this, that would allow an
> X11-enabled jail to remain secure, but that right way involves
> rewriting the graphics drivers not to use any direct kernel/dev memory
> access, and is so way out of scope as not to be considered (at least
> by anyone I know).

I think it's more that a flag whose name implied "no security checks" would
be fine, but that 'allow_kmem' was a bit too innocuous-looking for a jail
flag.

-- 
John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403101442.23546.jhb>