Date: Tue, 11 Mar 2014 19:54:49 +0100
From: Ulrich Spörlein <uqs@FreeBSD.org>
To: Tom Evans <tevans.uk@googlemail.com>
Cc: Alexander Leidinger <Alexander@leidinger.net>, "freebsd-x11@freebsd.org" <freebsd-x11@freebsd.org>, jamie@freebsd.org, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: [PATCH] Xorg in a jail
Message-ID: <CAJ9axoRgpru4WGcX%2BkBRXTNG61iuEq0rB8TPD9MR1czxPzKJJg@mail.gmail.com>
In-Reply-To: <CAFHbX1LovZKiJU7-sO21nPWikT4n0ZPjeRjoZNMtp=6Lc4cd5A@mail.gmail.com>
References: <CAFHbX1JUzM%2BN9Zx=eCQdejvz1jAWcXNHepB2=5ZRuunu1gAG6g@mail.gmail.com> <20140309190802.00006452@unknown> <CAFHbX1LovZKiJU7-sO21nPWikT4n0ZPjeRjoZNMtp=6Lc4cd5A@mail.gmail.com>

2014-03-11 10:42 GMT+01:00 Tom Evans <tevans.uk@googlemail.com>:
> On Sun, Mar 9, 2014 at 6:08 PM, Alexander Leidinger
> <Alexander@leidinger.net> wrote:
> > Seems you have an old one. Attached is what I was sending to jamie not
> > long ago (but this is not in the FreeBSD tree due to the conclusion that
> > such a huge impact on the security part should not be a simple allow.xxx
> > switch).
>
> Yes, I can't actually find it from this computer, but it was a patch
> on your site. This newer patch you shared (thanks!) is much simpler
> and more correct.
>
> > Do NOT use the sysctls in this patch, they allow all jails to access the
> > devices, if the devfs rules are appropriate. The attached patch doesn't
> > have them anymore.
> >
> > I had them in in the first implementation, then jamie introduced the
> > allow.XXX and I transitioned to this but forgot to remove the sysctls
> > after migrating my jail. I removed them recently before sending the
> > patch to jamie after his kmem change.
>
> Right! I really wasn't sure what I was doing at that point, cargo cult
> programming until it worked.
>
> Thanks to you and Jamie for your hints.
>

Awesome stuff, I was porting Alex' old patch to 10-STABLE as well, just
the other day, but I couldn't yet get the right incantation going to let
Xorg boot up (it still complained about not being able to read /dev/mem
and then it found dri/card0 but kept probing and then died).

Anyway, I will be able to give the new patches a go next week and will
report back. I "only" want to get XBMC neatly installed in a jail (for
pkg pollution only) and bound to a specific IP (which might help my
zeroconf/upnp visibility problems).

Cheers,
Uli