Date: Mon, 10 Mar 2008 12:28:29 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: freebsd-jail@freebsd.org
Subject: X.org in a jail, testers wanted
Message-ID: <20080310122829.4egaxtbe3z0gwgw8@webmail.leidinger.net>

Hi,

at http://www.Leidinger.net/FreeBSD/current-patches/jail.diff I have
some changes which should apply to RELENG_7(_0) and HEAD which allow
access to /dev/io (if configured appropriately, see the included
man-page change). This is needed to run an X server in a jail. You may
also need to load manually (or via the loader) the kernel module which
is normally loaded by the X server (in my case (a Radeon card) this
means to have radeon_load="YES" in loader.conf). AFAIR the X server
works without this, but probably without some acceleration. I haven't
tested any 3D stuff.

You also need to set up /etc/devfs.rules (this is a copy of mine, it
contains more than is needed to run the X server, so you can trim this
if you want):
---snip---
[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
add path midistat unhide
add path 'mixer*' unhide
add path 'music*' unhide
add path 'sequencer*' unhide
add path sndstat unhide
add path speaker unhide

[devfsrules_unhide_printers=6]
add path 'lpt*' unhide
add path 'ulpt*' unhide
add path 'unlpt*' unhide

[devfsrules_unhide_input=7]
add path 'atkbd*' unhide
add path 'kbd*' unhide
add path 'joy*' unhide
add path 'psm*' unhide
add path sysmouse unhide
add path 'ukbd*' unhide
add path 'ums*' unhide

[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path dri unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
#add path pci unhide
add path tty unhide
add path ttyv0 unhide
add path ttyv1 unhide
add path ttyv8 unhide

[devfsrules_unhide_cam=9]
add path 'da*' unhide
add path 'cd*' unhide

[devfsrules_unhide_kmem=10]
add path kmem unhide

#
# This allows to run a desktop system in a jail. Think about what you want to
# achieve before you use this, it opens up the entire machine to access from
# this jail to any sophisticated program.
#
[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_audio
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_cam
add include $devfsrules_unhide_kmem
---snip---

You also need to make sure those rules are applied to your jail
(jail_<jailname>_devfs_ruleset="devfsrules_jail_desktop").

I have been running with security.jail.dev_io_access_allowed=1 for several
months. Today I took the time to add
security.jail.dev_io_access_allowed_hostname (WARNING: only
compile-tested!) and the man-page.

I would like to get some reviews of the patch and some success/failure
reports for the security.jail.dev_io_access_allowed_hostname sysctl.

Bye,
Alexander.

-- 
Too cool to calypso,
Too tough to tango,
Too weird to watusi
		-- The Only Ones

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
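
Added example, not part of the original message or of FreeBSD: a small audit that resolves the "add include" chain of a devfs.rules ruleset and lists which raw-access nodes it leaves visible to a jail. The function names, the SENSITIVE list and the "last matching rule wins" evaluation are assumptions of this sketch; includes not defined in the input (such as devfsrules_hide_all) are skipped.

```python
import fnmatch
import shlex

# Constructed sample: a trimmed subset of the rulesets quoted in the message.
SAMPLE_RULES = """\
[devfsrules_unhide_xorg=8]
add path 'dri*' unhide
add path io unhide
add path mem unhide
#add path pci unhide
[devfsrules_unhide_kmem=10]
add path kmem unhide
[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_kmem
"""
SENSITIVE = ("io", "kmem", "mem", "pci")  # nodes this audit flags (assumption)

def parse_rulesets(text):
    """Map ruleset name -> ordered list of tokenized rule lines."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = rulesets.setdefault(line[1:-1].split("=")[0], [])
        elif line and current is not None:
            current.append(shlex.split(line))
    return rulesets

def flatten(rulesets, name, seen=()):
    """Expand 'add include $x' in order; rulesets not defined here are skipped."""
    out = []
    for rule in rulesets.get(name, []):
        if rule[:2] != ["add", "include"]:
            out.append(rule)
        elif rule[-1].lstrip("$") not in seen + (name,):
            out += flatten(rulesets, rule[-1].lstrip("$"), seen + (name,))
    return out

def exposed_devices(text, ruleset, devices=SENSITIVE):
    """Sensitive nodes left visible; for each node the last matching rule wins."""
    visible = {}
    for rule in flatten(parse_rulesets(text), ruleset):
        if rule[:2] == ["add", "path"] and rule[3:] in (["hide"], ["unhide"]):
            for dev in devices:
                if fnmatch.fnmatchcase(dev, rule[2]):
                    visible[dev] = rule[3] == "unhide"
    return sorted(dev for dev, shown in visible.items() if shown)
```

Running exposed_devices() on a jail's ruleset name before assigning it via jail_<jailname>_devfs_ruleset shows at a glance whether the jail will see io, mem or kmem.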