Date: Sun, 9 Mar 2014 19:08:02 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: Tom Evans <tevans.uk@googlemail.com>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>, "freebsd-x11@freebsd.org" <freebsd-x11@freebsd.org>, jamie@freebsd.org, uqs@FreeBSD.org
Subject: Re: [PATCH] Xorg in a jail
Message-ID: <20140309190802.00006452@unknown>
In-Reply-To: <CAFHbX1JUzM+N9Zx=eCQdejvz1jAWcXNHepB2=5ZRuunu1gAG6g@mail.gmail.com>
References: <CAFHbX1JUzM+N9Zx=eCQdejvz1jAWcXNHepB2=5ZRuunu1gAG6g@mail.gmail.com>
On Sun, 9 Mar 2014 01:26:40 +0000
Tom Evans <tevans.uk@googlemail.com> wrote:

> I've been reinstalling my home server with 10-STABLE and wanted to
> compartmentalise all the disparate tasks it does - file storage, DNS,
> web servers and mplayer/xorg/media stuff in general - into a separate
> jail for each task.
>
> For the most part, this was quite straightforward, apart from with
> xorg I found that it wasn't quite supported. I found Alexander's
> patch, and the work Jamie did in part integrating it, allowing kmem
> read, and reworked it for 10-STABLE.

Seems you have an old one. Attached is what I was sending to jamie not
long ago (but this is not in the FreeBSD tree due to the conclusion that
such a huge impact on the security part should not be a simple allow.xxx
switch).

> From Jamie's emails it looked like he was working on a way of properly
> integrating these permissions in a more unified way, but I had a
> pressing need :)
>
> I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge,
> WITH_NEW_XORG), and everything seems to work just fine. I'm going to
> try out radeonkms and nvidia tomorrow also.

I use it with NVidia hardware (FreeBSD 11-current shortly after the
switch to 11-current), I also have an old machine with a radeon card
where the patch works too (with a very old 10-current).

> Also please note that whilst I want things jailed for separation and
> neatness concerns rather than security, it must be pointed out that
> letting one jail read and write kernel memory of the whole machine is
> not at all secure! Anyone with root in this xorg jail would be able to
> break free of the jail.

This is correct.

> I'm not sure I did the jail allow parameters right, but it works for
> me - I would appreciate someone more competent taking a look! Also,
> dev_io_access should probably be renamed or using it to control access
> to /dev/mem split out from it? Also, is the style right? vim: noet
> sw=8 ts=8 is what I was using.

The attached patch uses "allow.kmem_access" for both.

> Cheers
>
> Tom
>
> PS: I haven't tested any input devices yet with this, let me know!
>
> Instructions:
>
> Apply patch, rebuild world and kernel, install and update
> jails/basejails
>
> Create /etc/devfs.rules to unhide the pertinent devices and restart
> devfs

This is what I am using, it might be overkill... Some parts are not
needed, you don't need the console, and with nvidia hardware you need
the nvidia devices. It's also enough to have the tty you want to use
Xorg on (by default ttyv8, my rules also have ttyv0, but I haven't
tested if it is really needed... it's still "naturally grown" for
ttyv0).

> [devfsrules_unhide_xorg=8]
> add include $devfsrules_hide_all
> add include $devfsrules_unhide_basic
> add include $devfsrules_unhide_login
> add path agpgart unhide
> add path console unhide
> add path consolectl unhide
> add path dri unhide
> add path 'dri/*' unhide
> add path io unhide
> add path mem unhide
> add path pci unhide
> add path tty unhide
> add path ttyv0 unhide
> add path ttyv1 unhide
> add path ttyv8 unhide

See the attached rules. I have two desktop entries (the second one is
for jails with zfs datasets) in there. Normally you want to have audio
devices, a mouse and a keyboard for a desktop. There are some more
permissions, I also give access to optical drives and USB memory sticks
and a TV tuner, you may not want to give that broad permissions (remove
the cuse/cam/usb part).

> Set sysctls on jail host to allow jails to have permission granted to
> them to access (in particular) /dev/mem, /dev/io and /dev/dri/*
>
> security.jail.dev_io_access=1
> security.jail.dev_dri_access=1

Do NOT use the sysctls in this patch, they allow all jails to access the
devices, if the devfs rules are appropriate.
The attached patch doesn't have them anymore. I had them in the first
implementation, then jamie introduced the allow.XXX and I transitioned
to this but forgot to remove the sysctls after migrating my jail. I
removed them recently before sending the patch to jamie after his kmem
change.

> Configure your chosen jail to use these devfs rules and allow them to
> use the devices. I use ezjail, so for me this meant changing
> /usr/local/etc/ezjail/<name_of_jail> and setting these lines:
>
> export jail_xorg_foo_com_devfs_ruleset="8"
> export jail_xorg_foo_com_parameters="allow.dev_io_access=1
> allow.dev_dri_access=1"

With the attached patch this is ="allow.dev_kmem_access" (you don't need
the "=1" part).

> Load any required kernel modules in the jail host - xorg in the jail
> will not be able to load them for you. Therefore, make sure to load
> i915kms, radeonkms or nvidia beforehand.

Correct.

> Install and use xorg in the jail as you would normally.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org    netchild @ FreeBSD.org  : PGP ID = 72077137

[Attachment: jail.diff]

Index: sys/dev/drm/drmP.h
===================================================================
--- sys/dev/drm/drmP.h	(revision 260159)
+++ sys/dev/drm/drmP.h	(working copy)
@@ -228,7 +228,7 @@
 #define PAGE_ALIGN(addr) round_page(addr)
 /* DRM_SUSER returns true if the user is superuser */
 #if __FreeBSD_version >= 700000
-#define DRM_SUSER(p)		(priv_check(p, PRIV_DRIVER) == 0)
+#define DRM_SUSER(p)		(priv_check(p, PRIV_KMEM_WRITE) == 0)
 #else
 #define DRM_SUSER(p)		(suser(p) == 0)
 #endif
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c	(revision 260159)
+++ sys/kern/kern_jail.c	(working copy)
@@ -208,6 +208,7 @@
 	"allow.mount.zfs",
 	"allow.mount.procfs",
 	"allow.mount.tmpfs",
+	"allow.kmem_access",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -224,6 +225,7 @@
 	"allow.mount.nozfs",
 	"allow.mount.noprocfs",
 	"allow.mount.notmpfs",
+	"allow.nokmem_access",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
@@ -3951,6 +3953,27 @@
 		return (0);
 
 		/*
+		 * Allow access to /dev/io in a jail if the non-jailed admin
+		 * requests this and if /dev/io exists in the jail. This
+		 * allows Xorg to probe a card.
+		 */
+	case PRIV_IO:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM_ACCESS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
+		 * Allow low level access to KMEM-like devices (e.g. to
+		 * allow Xorg to use DRI).
+		 */
+	case PRIV_KMEM_WRITE:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM_ACCESS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
 		 * Allow jailed root to set loginclass.
 		 */
 	case PRIV_PROC_SETLOGINCLASS:
@@ -4384,6 +4407,8 @@
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, kmem_access, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may access kmem-like devices (io, dri) if they exist");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
Index: sys/sys/jail.h
===================================================================
--- sys/sys/jail.h	(revision 260159)
+++ sys/sys/jail.h	(working copy)
@@ -228,8 +228,10 @@
 #define	PR_ALLOW_MOUNT_ZFS		0x0200
 #define	PR_ALLOW_MOUNT_PROCFS		0x0400
 #define	PR_ALLOW_MOUNT_TMPFS		0x0800
-#define	PR_ALLOW_ALL			0x0fff
+#define	PR_ALLOW_KMEM_ACCESS		0x1000
+#define	PR_ALLOW_ALL			0x1fff
 
+
 /*
  * OSD methods
  */

[Attachment: devfs.rules]

[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
add path midistat unhide
add path 'mixer*' unhide
add path 'music*' unhide
add path 'sequencer*' unhide
add path sndstat unhide
add path speaker unhide

[devfsrules_unhide_printers=6]
add path 'lpt*' unhide
add path 'ulpt*' unhide user 193 group 193
add path 'unlpt*' unhide user 193 group 193

[devfsrules_unhide_input=7]
add path 'atkbd*' unhide
add path 'kbd*' unhide
add path 'joy*' unhide
add path 'psm*' unhide
add path sysmouse unhide
add path 'ukbd*' unhide
add path 'ums*' unhide

[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path dri unhide
add path 'dri*' unhide
add path nvidiactl unhide
add path 'nvidia*' unhide
add path io unhide
add path mem unhide
add path pci unhide
add path tty unhide
add path ttyv0 unhide
#add path ttyv1 unhide
add path ttyv8 unhide

[devfsrules_unhide_cam=9]
add path 'da*' unhide
add path 'cd*' unhide
add path 'cd*' mode 0666
add path 'pass*' unhide
add path 'xpt*' unhide

[devfsrules_unhide_atacd=10]
add path 'acd*' unhide
add path 'acd*' mode 0666

[devfsrules_unhide_kmem=11]
add path kmem unhide

[devfsrules_unhide_zfs=12]
add path zfs unhide

[devfsrules_unhide_cuse=13]
add path cuse unhide
add path video unhide
add path 'video*' unhide
add path dvb unhide
add path 'dvb*' unhide
add path 'adapter*' unhide
add path input unhide
add path 'input*' unhide

[devfsrules_unhide_usb=14]
add path 'usb' unhide
add path 'usb*' unhide
add path 'ugen*' unhide

#
# This allows to run a desktop system in a jail.  Think about what you want to
# achieve before you use this, it opens up the entire machine to access from
# this jail to any sophisticated program.
#
[devfsrules_jail_desktop=15]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_audio
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_cam
add include $devfsrules_unhide_kmem
add include $devfsrules_unhide_cuse
add include $devfsrules_unhide_usb

[devfsrules_jail_printserver=16]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_printers
add include $devfsrules_unhide_zfs

[devfsrules_jail_withzfs=17]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_zfs

[devfsrules_jail_desktop_withzfs=18]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_audio
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_cam
add include $devfsrules_unhide_kmem
add include $devfsrules_unhide_cuse
add include $devfsrules_unhide_usb
add include $devfsrules_unhide_zfs
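Review bot: in the sys/dev/drm/drmP.h hunk of jail.diff, switching DRM_SUSER from PRIV_DRIVER to PRIV_KMEM_WRITE changes which privilege every DRM caller of DRM_SUSER is checked against, inside and outside jails, and nothing in the hunk records why; the context comment still reads "DRM_SUSER returns true if the user is superuser". Suggest a comment above the `#if` stating that PRIV_KMEM_WRITE is used so the PR_ALLOW_KMEM_ACCESS decision in the kern_jail.c switch also covers DRI, or alternatively keep PRIV_DRIVER here and add a `case PRIV_DRIVER:` to that switch so the DRM semantics are untouched.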
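Review bot: in the kern_jail.c hunk at @@ -3951,6 +3953,27 @@, the PRIV_IO and PRIV_KMEM_WRITE cases have identical bodies; fold them into one `case PRIV_IO:` / `case PRIV_KMEM_WRITE:` pair under a single comment, which also drops the duplicated `else return (EPERM);`. The comments motivate the cases with "allows Xorg to probe a card" and "allow Xorg to use DRI", but what the flag grants is kernel memory write and raw I/O port access for any process in the jail, which the cover mail itself describes as letting jail root break out; the comment should say that plainly so a later reader does not take it for a graphics-only permission.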
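Review bot: in the kern_jail.c hunk at @@ -4384,6 +4407,8 @@, the description "Jail may access kmem-like devices (io, dri) if they exist" understates what the parameter does: the same flag unlocks PRIV_KMEM_WRITE in the earlier hunk, and this string is what an administrator sees when listing the parameter. Suggest wording along the lines of "Jail may write kernel memory and access I/O ports (io, dri); equivalent to host root".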
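Review bot: in the sys/sys/jail.h hunk, PR_ALLOW_KMEM_ACCESS (0x1000) is folded into PR_ALLOW_ALL (0x1fff), so every user of PR_ALLOW_ALL as "all permissions" now includes kernel memory access; confirm that is intended, given the cover mail's own conclusion that a change of this impact should not be a plain allow flag. The added `+` blank line after the existing blank line is a stray whitespace change and should be dropped.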
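The devfs rules above decide what a jailed Xorg can see at all, and the warning running through the thread is that once mem, kmem and io are visible and the allow flag is set, root in the jail is root on the host. The following audit helper is an added example for this thread, not code from the thread or from FreeBSD: it flattens a devfs.rules(5) file by following `add include $name`, applies `add hide` and `add path <glob> unhide|hide` in order, and reports which node patterns a given ruleset leaves visible, flagging the three the thread names as host-root equivalent. The sample rules text is constructed from the quoted rulesets and trimmed; `devfsrules_unhide_basic` is left undefined on purpose so the report shows how includes that live in /etc/defaults/devfs.rules are listed as unresolved rather than guessed.

```python
"""Audit helper: flatten a devfs.rules(5) file and report which device node
patterns a ruleset leaves visible, following 'add include $name' recursively.

Added example for this thread; not code from the thread or from FreeBSD.
Handled forms: '[name=N]' headers, 'add include $name', 'add hide',
'add path <glob> unhide|hide'. Other actions (mode, user, group) do not
change visibility and are skipped. Visibility is tracked per rule pattern,
so a later hide pattern removes the earlier unhide patterns it matches.
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed sample, trimmed from the rulesets quoted in the thread.
# devfsrules_unhide_basic is deliberately not defined here: on a real host it
# comes from /etc/defaults/devfs.rules, and the audit reports it as unresolved.
SAMPLE_RULES = """\
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_input=7]
add path 'kbd*' unhide
add path sysmouse unhide

[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path dri unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
add path pci unhide
add path ttyv8 unhide

[devfsrules_unhide_kmem=11]
add path kmem unhide

[devfsrules_jail_desktop=15]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_kmem
"""

# Nodes the thread identifies as handing a jailed root the whole host
# (kernel memory and raw I/O port access).
HOST_ROOT_EQUIVALENT = {"mem", "kmem", "io"}

HEADER_RE = re.compile(r"^\[(\w+)=(\d+)\]$")
INCLUDE_RE = re.compile(r"^add\s+include\s+\$(\w+)$")
HIDE_ALL_RE = re.compile(r"^add\s+hide$")
PATH_RE = re.compile(r"^add\s+path\s+(?:'([^']*)'|(\S+))\s+(\w+)")


@dataclass
class Ruleset:
    number: int
    actions: list = field(default_factory=list)  # (kind, arg) in file order


def parse_rulesets(text):
    """Parse devfs.rules text into {name: Ruleset}, keeping rule order."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            current = rulesets[m.group(1)] = Ruleset(int(m.group(2)))
            continue
        if current is None:
            raise ValueError(f"rule before any [name=N] header: {raw!r}")
        m = INCLUDE_RE.match(line)
        if m:
            current.actions.append(("include", m.group(1)))
            continue
        if HIDE_ALL_RE.match(line):
            current.actions.append(("hide_all", None))
            continue
        m = PATH_RE.match(line)
        if m and m.group(3) in ("unhide", "hide"):
            current.actions.append((m.group(3), m.group(1) or m.group(2)))
    return rulesets


def effective_unhides(rulesets, name, visible=None, unresolved=None, stack=()):
    """Apply ruleset `name` in order; return (visible patterns, unresolved
    includes). Includes missing from the parsed text are reported, never
    guessed; include cycles are cut instead of followed."""
    visible = set() if visible is None else visible
    unresolved = set() if unresolved is None else unresolved
    if name in stack:
        return visible, unresolved
    rs = rulesets.get(name)
    if rs is None:
        unresolved.add(name)
        return visible, unresolved
    for kind, arg in rs.actions:
        if kind == "include":
            effective_unhides(rulesets, arg, visible, unresolved, stack + (name,))
        elif kind == "hide_all":
            visible.clear()
        elif kind == "unhide":
            visible.add(arg)
        else:  # hide: drop earlier unhide patterns that this pattern matches
            visible.difference_update({p for p in visible if fnmatchcase(p, arg)})
    return visible, unresolved


def audit(text, name):
    """Report for ruleset `name`: visible patterns, unresolved includes, and
    the visible nodes that are equivalent to host root."""
    visible, unresolved = effective_unhides(parse_rulesets(text), name)
    return {
        "visible": sorted(visible),
        "unresolved": sorted(unresolved),
        "host_root_equivalent": sorted(p for p in visible if p in HOST_ROOT_EQUIVALENT),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES, "devfsrules_jail_desktop").items():
        print(f"{key}: {' '.join(value) or '-'}")
```

On a real host, feed it the concatenation of /etc/defaults/devfs.rules (which defines devfsrules_hide_all, devfsrules_unhide_basic and devfsrules_unhide_login) and /etc/devfs.rules, and ask for the ruleset the jail is configured with; anything in host_root_equivalent means the devfs side of the escape described in the thread is open, whatever the jail's allow parameters say.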