Date: Tue, 11 Mar 2014 19:54:49 +0100
From: Ulrich Spörlein
To: Tom Evans
Cc: Alexander Leidinger, "freebsd-x11@freebsd.org", jamie@freebsd.org, "freebsd-hackers@freebsd.org"
Subject: Re: [PATCH] Xorg in a jail
References: <20140309190802.00006452@unknown>

2014-03-11 10:42 GMT+01:00 Tom Evans:

> On Sun, Mar 9, 2014 at 6:08 PM, Alexander Leidinger wrote:
> > Seems you have an old one. Attached is what I was sending to jamie not
> > long ago (but this is not in the FreeBSD tree due to the conclusion that
> > such a huge impact on the security part should not be a simple allow.xxx
> > switch).
>
> Yes, I can't actually find it from this computer, but it was a patch
> on your site. This newer patch you shared (thanks!) is much simpler
> and more correct.
>
> > Do NOT use the sysctls in this patch, they allow all jails to access the
> > devices, if the devfs rules are appropriate. The attached patch doesn't
> > have them anymore.
> >
> > I had them in in the first implementation, then jamie introduced the
> > allow.XXX and I transitioned to this but forgot to remove the sysctls
> > after migrating my jail. I removed them recently before sending the
> > patch to jamie after his kmem change.
>
> Right! I really wasn't sure what I was doing at that point, cargo cult
> programming until it worked.
>
> Thanks to you and Jamie for your hints.
>

Awesome stuff, I was porting Alex' old patch to 10-STABLE as well, just the
other day, but I couldn't yet get the right incantation going to let Xorg
boot up (it still complained about not being able to read /dev/mem and then
it found dri/card0 but kept probing and then died).

Anyway, I will be able to give the new patches a go next week and will
report back. I "only" want to get XBMC neatly installed in a jail (for pkg
pollution only) and bound to a specific IP (which might help my
zeroconf/upnp visibility problems).

Cheers,
Uli