Date: Tue, 18 Mar 2008 11:01:17 +0100 From: Alexander Leidinger <Alexander@Leidinger.net> To: Alexander Leidinger <Alexander@Leidinger.net> Cc: freebsd-jail@freebsd.org Subject: Re: X.org in a jail, testers wanted Message-ID: <20080318110117.qhcztlqlk4s48gwo@webmail.leidinger.net> In-Reply-To: <20080310122829.4egaxtbe3z0gwgw8@webmail.leidinger.net> References: <20080310122829.4egaxtbe3z0gwgw8@webmail.leidinger.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Quoting Alexander Leidinger <Alexander@Leidinger.net> (from Mon, 10 =20
Mar 2008 12:28:29 +0100):
I've read in some web based discussions some stuff about this. I would =20
like to clarify some things here in the official place.
> You also need to setup /etc/devfs.rules (this is a copy of my one, it
> contains more than is needed to run the X server, so you can trim this
> if you want):
> ---snip---
> [devfsrules_unhide_audio=3D5]
> add path 'audio*' unhide
> add path 'dsp*' unhide
> add path midistat unhide
> add path 'mixer*' unhide
> add path 'music*' unhide
> add path 'sequencer*' unhide
> add path sndstat unhide
> add path speaker unhide
Those are needed if you want to use audio in the jail. Normally they =20
are not visible in a jail. If they are visible in a jail, you can use =20
them (no usage restrictions). My desktop should be able to play some =20
audio, so I add them for my desktop.
> [devfsrules_unhide_printers=3D6]
> add path 'lpt*' unhide
> add path 'ulpt*' unhide
> add path 'unlpt*' unhide
I also want access to my printer, the same comments as for the audio stuff.
> [devfsrules_unhide_input=3D7]
> add path 'atkbd*' unhide
> add path 'kbd*' unhide
> add path 'joy*' unhide
> add path 'psm*' unhide
> add path sysmouse unhide
> add path 'ukbd*' unhide
> add path 'ums*' unhide
And again: the same as above.
> [devfsrules_unhide_xorg=3D8]
> add path agpgart unhide
Needed by X.
> #add path console unhide
> add path dri unhide
> add path 'dri*' unhide
dri is needed too, but I haven't really tested it.
> add path io unhide
io can be unhide in a jail, but in the kernel there's an access =20
restriction for it and you can not access it if you are jailed. My =20
patch adds a systctl which allows the admin to give access to either =20
all jails (if io is made visible in the jail with devfs), or only by =20
one jail.
> add path mem unhide
mem is not visible by default. If you make it visible, a jail can =20
access it. There are no additional access restrictions in the kernel =20
like for io. I don't know why there's is one for io but not for mem. =20
It's not symmetric, and I would expect either a check for both or not =20
check at all. My patch is not supposed to make it symmetric, nor do I =20
want to remove the priv check for io.
Yes, if you give access to this your system will be "insecure", so =20
don't expect any big benefits. The reason I do this is:
- it raises the bar (an attacker not only has to get root
access in my desktop to make everything he wants, he also
has to know how to use mem/io to get access to the entire
machine, so the security is somewhere between a desktop
on the bare metal, and a real jail without access to mem/io)
- virtualisation of my desktop (I can move it to a different
machine if I want)
- because I can do it
> #add path pci unhide
> add path tty unhide
> add path ttyv0 unhide
> add path ttyv1 unhide
> add path ttyv8 unhide
My X server is running on ttyv8 (explicitly configured in the X =20
config). During my testing I also had to give access to other ttys, =20
but I don't remember if it was before or after the hardcoding of the =20
tty in the config.
> [devfsrules_unhide_cam=3D9]
> add path 'da*' unhide
> add path 'cd*' unhide
I play around with access to the CD and some USB mass storage from my deskto=
p.
> [devfsrules_unhide_kmem=3D10]
> add path kmem unhide
Needed by the X server.
> #
> # This allows to run a desktop system in a jail. Think about what =20
> you want to
> # achieve before you use this, it opens up the entire machine to access fr=
om
> # this jail to any sophisticated program.
To all those which think this patch will open up access to the system =20
(to someone who has root access in the jail and knows how to get out =20
of /dev/mem, /dev/kmem and /dev/io what he wants): you are right, as =20
explicitly told here and in the man page, so don't complain please (if =20
you use this, you should know what you are doing).
Bye,
Alexander.
--=20
FORTUNE'S FUN FACTS TO KNOW AND TELL: #8
=09Idaho state law makes it illegal for a man to give his sweetheart
a box of candy weighing less than fifty pounds.
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID =3D B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID =3D 72077137
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080318110117.qhcztlqlk4s48gwo>