X.org in a jail, testers wanted

Alexander Leidinger Alexander at Leidinger.net
Tue Mar 18 10:02:07 UTC 2008 

Quoting Alexander Leidinger <Alexander at Leidinger.net> (from Mon, 10  
Mar 2008 12:28:29 +0100):

I've read in some web based discussions some stuff about this. I would  
like to clarify some things here in the official place.

> You also need to setup /etc/devfs.rules (this is a copy of my one, it
> contains more than is needed to run the X server, so you can trim this
> if you want):
> ---snip---
> [devfsrules_unhide_audio=5]
> add path 'audio*' unhide
> add path 'dsp*' unhide
> add path midistat unhide
> add path 'mixer*' unhide
> add path 'music*' unhide
> add path 'sequencer*' unhide
> add path sndstat unhide
> add path speaker unhide

Those are needed if you want to use audio in the jail. Normally they  
are not visible in a jail. If they are visible in a jail, you can use  
them (no usage restrictions). My desktop should be able to play some  
audio, so I add them for my desktop.

> [devfsrules_unhide_printers=6]
> add path 'lpt*' unhide
> add path 'ulpt*' unhide
> add path 'unlpt*' unhide

I also want access to my printer, the same comments as for the audio stuff.

> [devfsrules_unhide_input=7]
> add path 'atkbd*' unhide
> add path 'kbd*' unhide
> add path 'joy*' unhide
> add path 'psm*' unhide
> add path sysmouse unhide
> add path 'ukbd*' unhide
> add path 'ums*' unhide

And again: the same as above.

> [devfsrules_unhide_xorg=8]
> add path agpgart unhide

Needed by X.

> #add path console unhide
> add path dri unhide
> add path 'dri*' unhide

dri is needed too, but I haven't really tested it.

> add path io unhide

io can be unhide in a jail, but in the kernel there's an access  
restriction for it and you can not access it if you are jailed. My  
patch adds a systctl which allows the admin to give access to either  
all jails (if io is made visible in the jail with devfs), or only by  
one jail.

> add path mem unhide

mem is not visible by default. If you make it visible, a jail can  
access it. There are no additional access restrictions in the kernel  
like for io. I don't know why there's is one for io but not for mem.  
It's not symmetric, and I would expect either a check for both or not  
check at all. My patch is not supposed to make it symmetric, nor do I  
want to remove the priv check for io.

Yes, if you give access to this your system will be "insecure", so  
don't expect any big benefits. The reason I do this is:
  - it raises the bar (an attacker not only has to get root
    access in my desktop to make everything he wants, he also
    has to know how to use mem/io to get access to the entire
    machine, so the security is somewhere between a desktop
    on the bare metal, and a real jail without access to mem/io)
  - virtualisation of my desktop (I can move it to a different
    machine if I want)
  - because I can do it

> #add path pci unhide
> add path tty unhide
> add path ttyv0 unhide
> add path ttyv1 unhide
> add path ttyv8 unhide

My X server is running on ttyv8 (explicitly configured in the X  
config). During my testing I also had to give access to other ttys,  
but I don't remember if it was before or after the hardcoding of the  
tty in the config.

> [devfsrules_unhide_cam=9]
> add path 'da*' unhide
> add path 'cd*' unhide

I play around with access to the CD and some USB mass storage from my desktop.

> [devfsrules_unhide_kmem=10]
> add path kmem unhide

Needed by the X server.

> #
> # This allows to run a desktop system in a jail.  Think about what   
> you want to
> # achieve before you use this, it opens up the entire machine to access from
> # this jail to any sophisticated program.

To all those which think this patch will open up access to the system  
(to someone who has root access in the jail and knows how to get out  
of /dev/mem, /dev/kmem and /dev/io what he wants): you are right, as  
explicitly told here and in the man page, so don't complain please (if  
you use this, you should know what you are doing).

Bye,
Alexander.

-- 
FORTUNE'S FUN FACTS TO KNOW AND TELL: #8

	Idaho state law makes it illegal for a man to give his sweetheart
a box of candy weighing less than fifty pounds.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

More information about the freebsd-jail mailing list