Date: Mon, 18 Sep 2017 15:32:12 +0200
From: Alexander Leidinger <Alexander@leidinger.net>
To: Giulio Ferro <auryn@zirakzigil.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: devd in jail
Message-ID: <20170918153212.Horde.reuh2WwJotWq2qHgpHwvnNq@webmail.leidinger.net>
In-Reply-To: <d7bfb91d-c265-3baf-b598-5f771e587d34@zirakzigil.org>

Quoting Giulio Ferro <auryn@zirakzigil.org> (from Mon, 18 Sep 2017 08:49:32 +0200):

> nope, even the old way I get:
>
> jail: xxx: unknown parameter: allow.kmem_access
>
>
> Has anyone else tried this in 11.1 stable?

As I'm creating the diff vs. 11.1 just for you: no.

Here is an updated change (thanks to jamie@ for the cluebat). It's a full
patch vs 11.1.
      http://www.Leidinger.net/FreeBSD/current-patches/x11_in_jail_releng_11_1.diff

The difference from what you already have is two lines:
---snip---
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c (revision 323230)
+++ sys/kern/kern_jail.c (working copy)
@@ -3788,6 +3806,8 @@
  "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
  "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, kmem_access, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may access kmem-like devices (io, dri) if they exist");
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
---snip---

I have validated this in -current, this is the missing piece. When
this is in the kernel, you should see kmem_access in the output of
    sysctl security.jail.param.allow

This should then work with the jail.conf (and rc.conf) way of
configuring a jail.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
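
Review bot: the description string on the added SYSCTL_JAIL_PARAM(_allow, kmem_access, ...) line, "Jail may access kmem-like devices (io, dri) if they exist", is too vague for a permission this broad. /dev/io gives a process direct I/O port access and the dri nodes expose the graphics hardware, so root inside a jail with allow.kmem_access set can reach hardware directly, which weakens the jail boundary; an administrator reading only this string in the sysctl security.jail.param.allow output cannot tell that. Suggest naming the affected device nodes explicitly in the description and adding a matching allow.kmem_access entry to jail(8) that states the isolation trade-off. The parameter name also points at /dev/kmem while the description lists only io and dri, so say whether mem and kmem are covered. Consider one flag per device class (io separate from dri) so that an X11-in-a-jail setup does not have to grant both.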