Date:      Sat, 08 Mar 2014 21:41:55 -0700
From:      James Gritton <jamie@freebsd.org>
To:        Tom Evans <tevans.uk@googlemail.com>, "freebsd-x11@freebsd.org" <freebsd-x11@freebsd.org>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Cc:        Alexander Leidinger <Alexander@leidinger.net>
Subject:   Re: [PATCH] Xorg in a jail
Message-ID:  <531BF113.7060704@freebsd.org>
In-Reply-To: <CAFHbX1JUzM%2BN9Zx=eCQdejvz1jAWcXNHepB2=5ZRuunu1gAG6g@mail.gmail.com>
References:  <CAFHbX1JUzM%2BN9Zx=eCQdejvz1jAWcXNHepB2=5ZRuunu1gAG6g@mail.gmail.com>

On 3/8/2014 6:26 PM, Tom Evans wrote:
> I've been reinstalling my home server with 10-STABLE and wanted to
> compartmentalise all the disparate tasks it does - file storage, DNS,
> web servers and mplayer/xorg/media stuff in general - in to a separate
> jail for each task.
>
> For the most part, this was quite straightforward, apart from with
> xorg I found that it wasn't quite supported. I found Alexander's
> patch, and the work Jamie did in part integrating it, allowing kmem
> read, and reworked it for 10-STABLE.
>
> From Jamie's emails it looked like he was working on a way of properly
> integrating these permissions in a more unified way, but I had a
> pressing need :)
>
> I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge,
> WITH_NEW_XORG), and everything seems to work just fine. I'm going to
> try out radeonkms and nvidia tomorrow also.
>
> Also please note that whilst I want things jailed for separation and
> neatness concerns rather than security, it must be pointed out that
> letting one jail read and write kernel memory of the whole machine is
> not at all secure! Anyone with root in this xorg jail would be able to
> break free of the jail.

The work to "properly integrate" the permissions got the kibosh for
just that reason.  The kmem permission thing can stand on its own,
but it's not going to be jail-triggered except in an unofficial patch.

There's theoretically a "right way" to do this, that would allow an
X11-enabled jail to remain secure, but that right way involves
rewriting the graphics drivers not to use any direct kernel/dev memory
access, and is so way out of scope as not to be considered (at least
by anyone I know).

- Jamie
