From: Alexander Leidinger <alexander@leidinger.net>
To: freebsd-jail@freebsd.org
Date: Mon, 10 Mar 2008 12:28:29 +0100
Subject: X.org in a jail, testers wanted
Message-ID: <20080310122829.4egaxtbe3z0gwgw8@webmail.leidinger.net>
List-Id: "Discussion about FreeBSD jail(8)"

Hi,

at http://www.Leidinger.net/FreeBSD/current-patches/jail.diff I have some changes which should apply to RELENG_7(_0) and HEAD and which allow access to /dev/io (if configured appropriately, see the included man-page change). This is needed to run an X server in a jail. You may also need to load manually (or via the loader) the kernel module which is normally loaded by the X server (in my case (a Radeon card) this means having radeon_load="YES" in loader.conf). AFAIR the X server works without this, but probably without some acceleration. I haven't tested any 3D stuff.

You also need to set up /etc/devfs.rules (this is a copy of mine; it contains more than is needed to run the X server, so you can trim it if you want):

---snip---
[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
add path midistat unhide
add path 'mixer*' unhide
add path 'music*' unhide
add path 'sequencer*' unhide
add path sndstat unhide
add path speaker unhide

[devfsrules_unhide_printers=6]
add path 'lpt*' unhide
add path 'ulpt*' unhide
add path 'unlpt*' unhide

[devfsrules_unhide_input=7]
add path 'atkbd*' unhide
add path 'kbd*' unhide
add path 'joy*' unhide
add path 'psm*' unhide
add path sysmouse unhide
add path 'ukbd*' unhide
add path 'ums*' unhide

[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path dri unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
#add path pci unhide
add path tty unhide
add path ttyv0 unhide
add path ttyv1 unhide
add path ttyv8 unhide

[devfsrules_unhide_cam=9]
add path 'da*' unhide
add path 'cd*' unhide

[devfsrules_unhide_kmem=10]
add path kmem unhide

#
# This allows running a desktop system in a jail. Think about what you want to
# achieve before you use this, it opens up the entire machine to access from
# this jail to any sophisticated program.
#
[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_audio
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_cam
add include $devfsrules_unhide_kmem
---snip---

You also need to make sure those rules are applied to your jail (jail__devfs_ruleset="devfsrules_jail_desktop").

I have been running with security.jail.dev_io_access_allowed=1 for several months. Today I took the time to add security.jail.dev_io_access_allowed_hostname (WARNING: only compile-tested!) and the man-page.

I would like to get some reviews of the patch and some success/failure reports for the security.jail.dev_io_access_allowed_hostname sysctl.

Bye,
Alexander.

-- 
Too cool to calypso, Too tough to tango, Too weird to watusi
		-- The Only Ones

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
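Because a ruleset like devfsrules_jail_desktop is built from nested "add include" lines, it is easy to lose track of which device nodes a jail actually ends up seeing. The following is an added example, not code from the post or from FreeBSD: it expands the include chain of a devfs.rules(5) file and lists the effective rules of one ruleset so the exposure can be audited before the ruleset is applied. The embedded rules are a constructed, trimmed copy of the ones above; the bodies given for devfsrules_hide_all and devfsrules_unhide_basic are stand-ins for the stock ones in /etc/defaults/devfs.rules.

```shell
#!/bin/sh
# Added example, not from the post: expand the "add include" chain of a
# devfs.rules(5) file and list the effective rules of one ruleset, so you can
# audit exactly which device nodes a jail ruleset unhides before applying it.
# The embedded rules are a constructed, trimmed copy of the post's; the
# hide_all/unhide_basic bodies stand in for /etc/defaults/devfs.rules.
RULES_FILE=$(mktemp) || exit 1
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
add path zero unhide
[devfsrules_unhide_xorg=8]
add path agpgart unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
[devfsrules_unhide_kmem=10]
add path kmem unhide
[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_kmem
EOF
# resolve_ruleset NAME: print NAME's rules with includes expanded recursively,
# in the order devfs(8) applies them (later rules override earlier ones).
resolve_ruleset() {
    awk -v want="$1" '
        # "[name=N]" starts a new section; remember its name.
        /^\[/ { cur = $0; sub(/^\[/, "", cur); sub(/(=.*)?\]$/, "", cur); next }
        /^#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        { body[cur] = body[cur] $0 "\n" }    # collect rule lines per section
        function expand(name,   n, lines, i, l) {
            n = split(body[name], lines, "\n")
            for (i = 1; i <= n; i++) {
                l = lines[i]
                if (l == "") continue
                if (l ~ /^add include \$/) { sub(/^add include \$/, "", l); expand(l) }
                else print l
            }
        }
        END { expand(want) }
    ' "$RULES_FILE"
}
# Number of "unhide" rules a ruleset ends up exposing to the jail.
count_unhides() { resolve_ruleset "$1" | grep -c unhide; }
resolve_ruleset devfsrules_jail_desktop
```

Point RULES_FILE at the real /etc/devfs.rules (appended to /etc/defaults/devfs.rules) to see the full list for a production ruleset.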