devd in jail
Alexander Leidinger
Alexander at leidinger.net
Mon Sep 18 13:32:38 UTC 2017
Quoting Giulio Ferro <auryn at zirakzigil.org> (from Mon, 18 Sep 2017
08:49:32 +0200):
> nope, even the old way I get:
>
> jail: xxx: unknown parameter: allow.kmem_access
>
>
> Has anyone else tried this in 11.1 stable?
As I'm creating the diff vs. 11.1 just for you: no.
Here is an updated change (thanks to jamie@ for the cluebat). It's a full
patch vs 11.1.
http://www.Leidinger.net/FreeBSD/current-patches/x11_in_jail_releng_11_1.diff
The difference from what you already have is two lines:
---snip---
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c (revision 323230)
+++ sys/kern/kern_jail.c (working copy)
@@ -3788,6 +3806,8 @@
"B", "Jail may set file quotas");
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, kmem_access, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may access kmem-like devices (io, dri) if they exist");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount
permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
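Review bot: The description string on the added SYSCTL_JAIL_PARAM(_allow, kmem_access, ...) lines, "Jail may access kmem-like devices (io, dri) if they exist", understates what is being granted: by its own wording this flag opens kmem-like devices to the jail, which is a far wider permission than the neighbouring quota and socket_af flags. Suggest documenting allow.kmem_access and its isolation trade-off in jail(8) together with this change, and naming the affected device nodes in full in the string rather than "(io, dri)". The hunk offset (-3788 against +3806) also shows earlier changes to this file that are not quoted here, so the rest of the parameter's plumbing has to be checked against the full patch rather than these two lines.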
---snip---
I have validated this in -current; this is the missing piece. When
this is in the kernel, you should see kmem_access in the output of
sysctl security.jail.param.allow
This should then work with the jail.conf (and rc.conf) way of
configuring a jail.
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF