[HEADS UP] WITH_NEW_XORG is now the default on FreeBSD 10 and 9 stable

Tom Evans tevans.uk at googlemail.com
Mon May 12 21:38:52 UTC 2014


On Mon, May 12, 2014 at 9:39 PM, Fbsd8 <fbsd8 at a1poweruser.com> wrote:
> Tom Evans wrote:
>> No it isn't - the patch that allows xorg to access kmem and to give
>> access to the drm devices is the answer to running xorg in a jail.
>
>
> We already know that patch has been rejected as a security breach so it's
> not a solution. So back to the new vt, can it be expanded and used to change
> the way xorg talks to the host console?

vt will not help you run xorg in a jail. Xorg needs read access to
/dev/mem - vt cannot help with that.

The patch works well for me and the other people who have expressed an
interest - my desktop and HTPC both run their Xorg in jails. As far as
I can see, it is not the security implications per se, but the naming
of the knob that allows the access.

>
> Are the upstream xorg project people aware of xorg not working in a jail?
> Is there something in the xorg port that can be changed in some way to make
> it work in a jail?

I don't know if they know or not, but I would doubt they would care
significantly - for it to work inside the jail without giving the jail
raw access would require a lot of rewriting and new APIs. Given that
jails only exist on BSD, and that very few people who run BSD run
desktops with BSD, and that very few of those people want to run Xorg
in a jail, it would not be worth it to make those really very large
changes.

> Looking for options here, have any ideas on how to get xorg in a jail?
>

Keep asking for the patch to be committed. John Baldwin's reply in the
thread I linked earlier implied that it couldn't be committed as
"allow.kmem_access", perhaps "allow.insecure_kmem_access" is
acceptable.

In the meantime, it is really not that hard to patch your sources and
recompile the kernel. This isn't Linux, there aren't hundreds of
complicated kernel choices, just patch and use a GENERIC kernel.

Cheers

Tom

