From owner-freebsd-x11@FreeBSD.ORG Mon May 12 21:38:52 2014
Date: Mon, 12 May 2014 22:38:49 +0100
From: Tom Evans
To: Fbsd8
Cc: "freebsd-x11@freebsd.org"
Subject: Re: [HEADS UP] WITH_NEW_XORG is now the default on FreeBSD 10 and 9 stable
In-Reply-To: <53713185.208@a1poweruser.com>
References: <201404161828.s3GISoA3071853@svn.freebsd.org> <534ECCE7.7050204@freebsd.org> <5370F453.3000602@a1poweruser.com> <53710066.7080407@daemonic.se> <537123B3.5080309@a1poweruser.com> <53713185.208@a1poweruser.com>
List-Id: X11 on FreeBSD -- maintaining and support

On Mon, May 12, 2014 at 9:39 PM, Fbsd8 wrote:
> Tom Evans wrote:
>> No it isn't - the patch that allows xorg to access kmem and to give
>> access to the drm devices is the answer to running xorg in a jail.
>
> We already know that patch has been rejected as a security breach so it's
> not a solution. So back to the new vt, can it be expanded and used to change
> the way xorg talks to the host console?

vt will not help you run xorg in a jail. Xorg needs read access to
/dev/mem - vt cannot help with that.

The patch works well for me and the other people who have expressed an
interest - my desktop and HTPC both run their Xorg in jails. As far as I
can see, it is not the security implications per se, but the naming of
the knob that allows the access.

> Are the upstream xorg project people aware of xorg not working in a jail?
> Is there something in the xorg port that can be changed in some way to make
> it work in a jail?

I don't know if they know or not, but I would doubt they would care
significantly - for it to work inside the jail without giving the jail
raw access would require a lot of rewriting and new APIs. Given that
jails only exist on BSD, and that very few people who run BSD run
desktops with BSD, and that very few of those people want to run Xorg in
a jail, it would not be worth it to make those really very large changes.

> Looking for options here, have any ideas on how to get xorg in a jail?

Keep asking for the patch to be committed. John Baldwin's reply in the
thread I linked earlier implied that it couldn't be committed as
"allow.kmem_access", perhaps "allow.insecure_kmem_access" is acceptable.

In the meantime, it is really not that hard to patch your sources and
recompile the kernel. This isn't Linux, there aren't hundreds of
complicated kernel choices, just patch and use a GENERIC kernel.

Cheers

Tom
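The thread's central point is that Xorg in a jail only works if the jail can read /dev/mem, and that any knob or devfs rule granting this hands the jail a view of host memory. The script below is an added example, not code from the thread or from FreeBSD: it audits devfs ruleset text (syntax as in devfs.rules(5)) and reports every ruleset whose "unhide" rules expose the mem, kmem or io device nodes, so an administrator can see which jails have been given raw memory access. The sample ruleset is constructed for illustration; the function name audit_devfs_rules is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeBSD tree):
# audit devfs(8) ruleset text for rules that unhide raw memory device nodes.
# A jail that sees mem/kmem/io can read host memory, which is exactly the
# access the thread says Xorg needs and the rejected jail knob would grant.

# Constructed sample ruleset in devfs.rules(5) syntax; not from a real host.
SAMPLE_RULES='
# constructed sample: an Xorg-style jail ruleset
[devfsrules_xorg_jail=20]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path "dri/*" unhide
add path mem unhide
add path kmem unhide

[devfsrules_plain_jail=21]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path "bpf*" unhide
'

# Device names that expose host memory or I/O ports to a jailed process.
SENSITIVE_DEVS="mem kmem io"

# audit_devfs_rules: reads rule text on stdin and prints "<ruleset> <glob>"
# for each "add path <glob> ... unhide" rule whose glob matches a sensitive
# device name. Exit status 0 when nothing is exposed, 1 otherwise.
audit_devfs_rules() {
    ruleset=""
    found=0
    set -f   # no pathname expansion while we split rule lines into words
    while IFS= read -r line; do
        case "$line" in
            \[*\]*)
                # "[name=NN]" header starts a new ruleset
                ruleset=${line#\[}
                ruleset=${ruleset%\]*}
                ruleset=${ruleset%%=*}
                continue ;;
            \#*|"") continue ;;
        esac
        set -- $line
        [ $# -ge 4 ] || continue
        [ "$1" = "add" ] && [ "$2" = "path" ] || continue
        case "$*" in *unhide*) ;; *) continue ;; esac
        glob=$3
        glob=${glob#[\"\']}   # strip optional surrounding quotes
        glob=${glob%[\"\']}
        for dev in $SENSITIVE_DEVS; do
            # case does real glob matching, so "mem*" and "*" are caught too
            case "$dev" in
                $glob) echo "$ruleset $glob"; found=1; break ;;
            esac
        done
    done
    set +f
    return $found
}

# Run over the constructed sample.
if printf '%s\n' "$SAMPLE_RULES" | audit_devfs_rules; then
    echo "no raw memory device exposed"
else
    echo "raw memory device(s) exposed by the rulesets listed above"
fi
```

Run it as `sh audit_devfs.sh` with the sample, or feed a real rules file on stdin (`audit_devfs_rules < /etc/devfs.rules`). Rules pulled in via `add include` are not followed; the included ruleset must be audited on its own.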