[PATCH] Xorg in a jail

Ulrich Spörlein uqs at FreeBSD.org
Tue Mar 11 18:54:51 UTC 2014


2014-03-11 10:42 GMT+01:00 Tom Evans <tevans.uk at googlemail.com>:

> On Sun, Mar 9, 2014 at 6:08 PM, Alexander Leidinger
> <Alexander at leidinger.net> wrote:
> > Seems you have an old one. Attached is what I was sending to Jamie not
> > long ago (but this is not in the FreeBSD tree due to the conclusion that
> > such a huge impact on the security part should not be a simple allow.xxx
> > switch).
>
> Yes, I can't actually find it from this computer, but it was a patch
> on your site. This newer patch you shared (thanks!) is much simpler
> and more correct.
>
> > Do NOT use the sysctls in this patch, they allow all jails to access the
> > devices, if the devfs rules are appropriate. The attached patch doesn't
> > have them anymore.
> >
> > I had them in in the first implementation, then Jamie introduced the
> > allow.XXX and I transitioned to this but forgot to remove the sysctls
> > after migrating my jail. I removed them recently before sending the
> > patch to Jamie after his kmem change.
>
> Right! I really wasn't sure what I was doing at that point, cargo cult
> programming until it worked.
>
> Thanks to you and Jamie for your hints.
>

Awesome stuff, I was porting Alex' old patch to 10-STABLE as well, just the
other day, but I couldn't yet get the right incantation going to let Xorg
boot up (it still complained about not being able to read /dev/mem and then
it found dri/card0 but kept probing and then died).

Anyway, I will be able to give the new patches a go next week and will
report back. I "only" want to get XBMC neatly installed in a jail (for pkg
pollution only) and bound to a specific IP (which might help my
zeroconf/upnp visibility problems).

Cheers,
Uli


More information about the freebsd-x11 mailing list