svn commit: r261266 - in head: sys/dev/drm sys/kern sys/sys usr.sbin/jail
Alexander Leidinger
Alexander at Leidinger.net
Fri Jan 31 21:30:36 UTC 2014
On Fri, 31 Jan 2014 12:34:48 +0000 (GMT)
Robert Watson <rwatson at FreeBSD.org> wrote:
> On Wed, 29 Jan 2014, Alexander Leidinger wrote:
>
> >> It does. I included a warning in jail.8 that this will pretty
> >> much undo jail security. There are still reasons some may want to
> >> do this, but it's definitely not for everyone or even most people.
> >
> > It only "unjails" (= basically the same security level as the
> > jail-host with the added benefit of the flexibility of a jail like
> > easy moving from one system to another) the jail which has this
> > flag set. All other jails without the flag can not "escape" to the
> > host.
> >
> > I also have to add that just setting this flag does not give access
> > to the host, you also have to configure a non-default devfs rule
> > for this jail (to have the devices appear in the jail).
>
> This is not correct: devices do not need to be delegated in devfs for
> PRIV_IO to allow bypass of the Jail security model, due to sysarch()
> and the Linux-emulated equivalent, which turn out direct I/O access
> from a user process without use of a device node.
Ok, then it is just the non-default flag, not the additional devfs part.
I agree with your other post that we are better of to document better
what it means if an admin allows kmem access for a specific jail.
Bye,
Alexander.
--
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
More information about the svn-src-all
mailing list