Date: Wed, 06 Sep 2017 22:19:47 +0200 From: Alexander Leidinger <Alexander@leidinger.net> To: Giulio Ferro <auryn@zirakzigil.org> Cc: freebsd-hackers@freebsd.org Subject: Re: devd in jail Message-ID: <20170906221947.Horde.RITHvdc1wVE9v0-3nBavR0Z@webmail.leidinger.net> In-Reply-To: <D5C4EF81-BCF7-496E-8CD4-2C053607D20C@zirakzigil.org> References: <e03a6040-1322-c82c-0e96-49c474188d5c@zirakzigil.org> <CAOtMX2g7PR9S7v%2BrUXwBeQUPDFfJy2zZwAvg7q5ze99jDF4hmA@mail.gmail.com> <20170810225439.Horde.1s8Qi_dlNtxgEigsNKbdrer@webmail.leidinger.net> <4a1a99a5-35ea-19c9-7ac8-77875ac6f71f@zirakzigil.org> <20170905151537.Horde.10cHNOX1OVri7mGaUcDeX1l@webmail.leidinger.net> <7ca865ee-b613-2f0c-daf0-d828884b5e74@zirakzigil.org> <1C181EF2-B8B1-4F42-BF80-ABEA0593DD43@dsl-only.net> <c17afdad-6bf0-3c4b-6325-2417fb0d18d7@zirakzigil.org> <20170906122556.Horde.5OdDwtii7HXPNArY77YUyBi@webmail.leidinger.net> <D5C4EF81-BCF7-496E-8CD4-2C053607D20C@zirakzigil.org>
This message is in MIME format and has been PGP signed. --=_ftI2LZ5H-mMGjTwCMPldQ0D Content-Type: multipart/mixed; boundary="=_cvyxBqX5U1UWLjXD9L-9SOS" This message is in MIME format. --=_cvyxBqX5U1UWLjXD9L-9SOS Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Quoting Giulio Ferro <auryn@zirakzigil.org> (from Wed, 6 Sep 2017=20=20 14:13:52=20+0200): > Hi Alexander, > > I've installed everything after my custom kernel was installed. And=20=20 >=20as I said, it differs from GENERIC only for the addition of VIMAGE=20= =20 >=20and bridge. > > What I can try to do is installing your patches so to remove the=20=20 >=20devd issue, and see if it starts like this. > > Can you point me to patches for 11.1 stable? Attached, patch against releng-11.1. Beware, this is not even=20=20 compile-tested.=20And you need the modifications described in a previous=20= =20 mail=20for /etc/devfs.rules. Bye, Alexander. --=20 http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_cvyxBqX5U1UWLjXD9L-9SOS Content-Type: text/x-diff; name=x11_in_jail__releng_11_1.diff Content-Disposition: attachment; size=3579; filename=x11_in_jail__releng_11_1.diff Content-Transfer-Encoding: quoted-printable Index: sys/dev/drm/drmP.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- sys/dev/drm/drmP.h (Revision 323230) +++ sys/dev/drm/drmP.h (Arbeitskopie) 
@@ -219,7 +219,7 @@ =20 =20#define PAGE_ALIGN(addr) round_page(addr) /* DRM_SUSER returns true if the user is superuser */ -#define DRM_SUSER(p) (priv_check(p, PRIV_DRIVER) =3D=3D 0) +#define DRM_SUSER(p) (priv_check(p, PRIV_KMEM_WRITE) =3D=3D 0) #define DRM_AGP_FIND_DEVICE() agp_find_device() #define DRM_MTRR_WC MDF_WRITECOMBINE #define jiffies ticks Index: sys/kern/kern_jail.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- sys/kern/kern_jail.c (Revision 323230) +++ sys/kern/kern_jail.c (Arbeitskopie) @@ -199,6 +199,7 @@ "allow.mount.fdescfs", "allow.mount.linprocfs", "allow.mount.linsysfs", + "allow.kmem_access", }; const size_t pr_allow_names_size =3D sizeof(pr_allow_names); =20 @@=20-218,6 +219,7 @@ "allow.mount.nofdescfs", "allow.mount.nolinprocfs", "allow.mount.nolinsysfs", + "allow.nokmem_access", }; const size_t pr_allow_nonames_size =3D sizeof(pr_allow_nonames); =20 @@=20-3334,6 +3336,22 @@ case PRIV_NETINET_GETCRED: return (0); =20 +=09case PRIV_IO: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM_ACCESS) + return (0); + else + return (EPERM); + + /* + * Allow low level access to KMEM-like devices (e.g. to + * allow Xorg to use DRI). + */ + case PRIV_KMEM_WRITE: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM_ACCESS) + return (0); + else + return (EPERM); + /* * Allow jailed root to set loginclass. */ Index: sys/sys/jail.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- sys/sys/jail.h (Revision 323230) +++ sys/sys/jail.h (Arbeitskopie) 
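Review bot: Redefining DRM_SUSER in terms of PRIV_KMEM_WRITE changes what the DRM code treats as superuser, and the hunk leaves the old comment ("returns true if the user is superuser") as the only explanation. A reader of drmP.h cannot tell that PRIV_DRIVER was replaced because the kern_jail.c part of this same patch grants PRIV_KMEM_WRITE through allow.kmem_access, so the reason belongs at the definition, e.g. `/* PRIV_KMEM_WRITE rather than PRIV_DRIVER so that a jail with allow.kmem_access can pass this check; see prison_priv_check() */`. Outside a jail the two privileges are presumably both granted to root, but any other policy that distinguishes PRIV_DRIVER from PRIV_KMEM_WRITE would now see different DRM behaviour; that cannot be checked from this hunk and is worth confirming before the change is merged.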
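Review bot: Appending "allow.kmem_access" as the last entry of pr_allow_names (and "allow.nokmem_access" in the following pr_allow_nonames hunk) does not by itself tie the name to PR_ALLOW_KMEM_ACCESS. If the jail parameter parser derives the pr_allow bit from the array index, as the parallel layout of the two arrays suggests, the new entry lands at index 15 and therefore on bit 0x8000, which the sys/sys/jail.h hunk of this same patch assigns to PR_ALLOW_RESERVED_PORTS rather than to PR_ALLOW_KMEM_ACCESS (0x00010000); the mapping code is outside the hunk, so this needs confirming. If the mapping is positional, a name pair for the reserved-ports bit must precede the new entries in both arrays, or PR_ALLOW_KMEM_ACCESS must be given bit 0x8000; as posted, setting allow.kmem_access could toggle a different bit and the knob would be a no-op for the PRIV_KMEM_WRITE check.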
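Review bot: The explanatory comment in the PRIV_IO/PRIV_KMEM_WRITE addition sits between the two cases, so it reads as belonging only to PRIV_KMEM_WRITE while the PRIV_IO case above it, which grants the same thing on the same flag, is left unexplained; the two identical bodies should be folded into one case list, `case PRIV_IO:` / `case PRIV_KMEM_WRITE:` followed by a single `if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM_ACCESS) return (0); return (EPERM);`, with the comment above both. That comment should also say what the knob really hands out: PRIV_IO and PRIV_KMEM_WRITE together give the jail's root access to I/O ports and writable kernel memory, which is equivalent to control of the host kernel, so allow.kmem_access is not a narrow DRI permission but removes the jail boundary for that jail and must be documented (and kept default-off, which the pr_allow defaults outside this hunk should be checked for) accordingly. The `else` after an unconditional `return (0)` is redundant and the neighbouring cases in this switch use the plain `return (0);` form. The enclosing prison_priv_check switch starts and ends outside the hunk.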
@@ -215,22 +215,24 @@ /* by this jail or an ancestor */ =20 =20/* Flags for pr_allow */ -#define PR_ALLOW_SET_HOSTNAME 0x0001 -#define PR_ALLOW_SYSVIPC 0x0002 -#define PR_ALLOW_RAW_SOCKETS 0x0004 -#define PR_ALLOW_CHFLAGS 0x0008 -#define PR_ALLOW_MOUNT 0x0010 -#define PR_ALLOW_QUOTAS 0x0020 -#define PR_ALLOW_SOCKET_AF 0x0040 -#define PR_ALLOW_MOUNT_DEVFS 0x0080 -#define PR_ALLOW_MOUNT_NULLFS 0x0100 -#define PR_ALLOW_MOUNT_ZFS 0x0200 -#define PR_ALLOW_MOUNT_PROCFS 0x0400 -#define PR_ALLOW_MOUNT_TMPFS 0x0800 -#define PR_ALLOW_MOUNT_FDESCFS 0x1000 -#define PR_ALLOW_MOUNT_LINPROCFS 0x2000 -#define PR_ALLOW_MOUNT_LINSYSFS 0x4000 -#define PR_ALLOW_ALL 0x7fff +#define PR_ALLOW_SET_HOSTNAME 0x00000001 +#define PR_ALLOW_SYSVIPC 0x00000002 +#define PR_ALLOW_RAW_SOCKETS 0x00000004 +#define PR_ALLOW_CHFLAGS 0x00000008 +#define PR_ALLOW_MOUNT 0x00000010 +#define PR_ALLOW_QUOTAS 0x00000020 +#define PR_ALLOW_SOCKET_AF 0x00000040 +#define PR_ALLOW_MOUNT_DEVFS 0x00000080 +#define PR_ALLOW_MOUNT_NULLFS 0x00000100 +#define PR_ALLOW_MOUNT_ZFS 0x00000200 +#define PR_ALLOW_MOUNT_PROCFS 0x00000400 +#define PR_ALLOW_MOUNT_TMPFS 0x00000800 +#define PR_ALLOW_MOUNT_FDESCFS 0x00001000 +#define PR_ALLOW_MOUNT_LINPROCFS 0x00002000 +#define PR_ALLOW_MOUNT_LINSYSFS 0x00004000 +#define PR_ALLOW_RESERVED_PORTS 0x00008000 +#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved= , not used yet */ +#define PR_ALLOW_ALL 0x0001ffff =20 =20/* * OSD methods --=_cvyxBqX5U1UWLjXD9L-9SOS-- --=_ftI2LZ5H-mMGjTwCMPldQ0D Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJZsFhjAAoJEKrxQhqFIICENZ4P/19RnVfMpy8NgXDJBn6+IHKF /4uYVoSSR8M/o31cEDYjUnFmH7ajM9fpXWvfNKgE5mLKJgokew60Yn9iYVzIMCm6 MpxQ+H/8XwQtnN+bN9KOWxE+QyCUf6D5ZD2bMlzezzQxv08wM5HQd763Hw9F5ExR unN8HzvuZYF75xjFOq0+tX8F5g22F0cHwHnYMkKrdEODMmwBDLbIR2caKDgNnSj6 XdramhfpNhTm5UTvs1n0x94Lo6x0m1lirHiagyUMHAPz9bpd8Lbc/pFySwffUrh0 
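Review bot: The `/* reserved, not used yet */` comment on the new PR_ALLOW_KMEM_ACCESS line is already stale within this patch, since the kern_jail.c hunk tests that flag for PRIV_IO and PRIV_KMEM_WRITE; it should describe the flag instead, e.g. `/* allow.kmem_access: grants PRIV_IO and PRIV_KMEM_WRITE to the jail, i.e. kernel-level access; see prison_priv_check() */`. The hunk also introduces PR_ALLOW_RESERVED_PORTS (0x00008000) and folds it into PR_ALLOW_ALL, but no matching name (by the pattern of the existing entries, an "allow."/"allow.no" pair) is added in the kern_jail.c hunks, so unless that parameter already exists outside the diff the bit is reachable only through the aggregate mask and has no user-visible knob. Widening the flag set past 16 bits (PR_ALLOW_ALL 0x0001ffff) is only safe if pr_allow and every variable that holds a copy of it are at least 32 bits wide; that cannot be verified from this hunk.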
JFZOg7zqXBQDjqg4yRrdXNSwIdcq85SUOVojt+TU0U0ecDvIABx6igzkWs8X55mK WyMGiofPe0bA3G/W41k5NQ7gcmvD8KfQaSI6I10hH2Yq97Gpe4LRIqkNyYR6nYGo qfYKfYxVkItsYDNpEbseMH/AA3BjecqWm9jra7kEcWJ2RvKubULKk/a21Spr1vXn 9V8Hlw7pz428Hhddh95YOteqHfmV7j1u8NWq16OPcsr4yDKsS/xFsoeB6A53Bbu2 HpQSvcWA5vIDDO/IPwMl23lQiiBlxQ7yAmLYqdFQb+LJ66Fd+NCW0w8uKe6AZLI5 liyr6faFmZmieXPBhl7s2T4XlaIKT8cnjdrPAdChNXC9CqHMb3LWM2uSFVKJnkNK F1U5rTgUFONayYssx5PX =RcPB -----END PGP SIGNATURE----- --=_ftI2LZ5H-mMGjTwCMPldQ0D--