svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail

James Gritton jamie at freebsd.org
Fri Jan 31 17:28:50 UTC 2014


On 1/31/2014 5:34 AM, Robert Watson wrote:
> On Wed, 29 Jan 2014, Alexander Leidinger wrote:
>
>>> It does.  I included a warning in jail.8 that this will pretty much 
>>> undo jail security.  There are still reasons some may want to do 
>>> this, but it's definitely not for everyone or even most people.
>>
>> It only "unjails" (= basically the same security level as the 
>> jail-host with the added benefit of the flexibility of a jail like 
>> easy moving from one system to another) the jail which has this flag 
>> set. All other jails without the flag cannot "escape" to the host.
>>
>> I also have to add that just setting this flag does not give access 
>> to the host, you also have to configure a non-default devfs rule for 
>> this jail (to have the devices appear in the jail).
>
> This is not correct: devices do not need to be delegated in devfs for 
> PRIV_IO to allow bypass of the Jail security model, due to sysarch() 
> and the Linux-emulated equivalent, which turn out direct I/O access 
> from a user process without use of a device node.
>
> Frankly, I'd like to see this backed out and not reintroduced.  If it 
> must be retained, then it needs a much more clear warning that 
> enabling this feature disables Jail's security model.  Don't use the 
> word 'obviate', instead explicitly state that root within the jail can 
> escape the jail.
>
> Robert

I'll do at least the next-best thing: back it out and hope to 
re-introduce it.  Clearly it could use some further discussion.

- Jamie