[PATCH] Xorg in a jail

John Baldwin jhb at freebsd.org
Mon Mar 10 19:02:02 UTC 2014


On Saturday, March 08, 2014 11:41:55 pm James Gritton wrote:
> On 3/8/2014 6:26 PM, Tom Evans wrote:
> > I've been reinstalling my home server with 10-STABLE and wanted to
> > compartmentalise all the disparate tasks it does - file storage, DNS,
> > web servers and mplayer/xorg/media stuff in general - in to a separate
> > jail for each task.
> >
> > For the most part, this was quite straightforward, apart from with
> > xorg I found that it wasn't quite supported. I found Alexander's
> > patch, and the work Jamie did in part integrating it, allowing kmem
> > read, and reworked it for 10-STABLE.
> >
> > From Jamie's emails it looked like he was working on a way of properly
> > integrating these permissions in a more unified way, but I had a
> > pressing need :)
> >
> > I've tested this on 10-STABLE r262457M, intel graphics (ivy bridge,
> > WITH_NEW_XORG), and everything seems to work just fine. I'm going to
> > try out radeonkms and nvidia tomorrow also.
> >
> > Also please note that whilst I want things jailed for separation and
> > neatness concerns rather than security, it must be pointed out that
> > letting one jail read and write kernel memory of the whole machine is
> > not at all secure! Anyone with root in this xorg jail would be able to
> > break free of the jail.
> 
> The work to "properly integrate" the permissions got the kibosh for
> just that reason.  The kmem permission thing can stand on its own,
> but it's not going to be jail-triggered except in an unofficial patch.
> 
> There's theoretically a "right way" to do this, that would allow an
> X11-enabled jail to remain secure, but that right way involves
> rewriting the graphics drivers not to use any direct kernel/dev memory
> access, and is so way out of scope as not to be considered (at least
> by anyone I know).

I think it's more that a flag whose name implied "no security checks"
would be fine, but that 'allow_kmem' was a bit too innocuous-looking for
a jail flag.

-- 
John Baldwin
