svn commit: r252841 - in head/sys: dev/mem kern sys

Jamie Gritton jamie at FreeBSD.org
Fri Aug 30 18:03:55 UTC 2013


On 08/30/13 11:13, Jase Thew wrote:
> On 05/07/2013 22:31, Jamie Gritton wrote:
>> Author: jamie
>> Date: Fri Jul  5 21:31:16 2013
>> New Revision: 252841
>> URL: http://svnweb.freebsd.org/changeset/base/252841
>>
>> Log:
>>    Add new privileges, PRIV_KMEM_READ and PRIV_KMEM_WRITE, used in opening
>>    /dev/kmem and /dev/mem (in addition to traditional file permission checks).
>>    PRIV_KMEM_READ is different from other PRIV_* checks in that it's allowed
>>    by default.
>>
>>    Reviewed by:    kib, mckusick
>>
> 
> Hi Jamie,
> 
> As a result of this commit (and r252845), it is no longer possible to
> access /dev/mem and /dev/kmem inside of a jail - is this behaviour
> intentional?
> 
> # dd if=/dev/mem bs=64 count=1
> dd: /dev/mem: Operation not permitted

It's intentional, but it's not intended to be the full solution. I also
need to add a permission flag to jails to allow kmem access. However, I
didn't intend to disrupt read permission, though clearly it does since
it now passes through prison_priv_check. So I ought to add some code in
prison_priv_check that mirrors the code in priv_check_cred to allow
PRIV_KMEM_READ by default.

- Jamie
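
Added example (not part of the original message, and not FreeBSD source): a simplified userland model of the check order discussed above, showing why a jailed process gets EPERM for PRIV_KMEM_READ and how mirroring the default allow in the jail check changes that. The `model_*` names, the `patched` switch and the constant values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed values for the model; the real constants are in sys/priv.h. */
enum { PRIV_KMEM_READ = 1, PRIV_KMEM_WRITE = 2 };

struct model_cred { bool jailed; bool superuser; };

/* Model of the jail filter: any privilege not listed is denied in a jail. */
static int model_prison_priv_check(const struct model_cred *cr, int priv,
    bool patched)
{
    if (!cr->jailed)
        return 0;
    switch (priv) {
    case PRIV_KMEM_READ:
        /* Follow-up described in the reply: mirror the default allow. */
        return patched ? 0 : EPERM;
    default:
        return EPERM;
    }
}

/* Model of the generic check: the jail veto runs before the default allow. */
static int model_priv_check_cred(const struct model_cred *cr, int priv,
    bool patched)
{
    int error = model_prison_priv_check(cr, priv, patched);
    if (error != 0)
        return error;           /* never reaches the default allow below */
    if (priv == PRIV_KMEM_READ)
        return 0;               /* "allowed by default" per the commit log */
    return cr->superuser ? 0 : EPERM;
}

int main(void)
{
    struct model_cred jailed_root = { .jailed = true, .superuser = true };
    printf("jailed read before: %d, after: %d\n",
        model_priv_check_cred(&jailed_root, PRIV_KMEM_READ, false),
        model_priv_check_cred(&jailed_root, PRIV_KMEM_READ, true));
    return 0;
}
```

The model leaves out the per-jail permission flag mentioned in the reply, and the traditional file permission checks on /dev/mem and /dev/kmem still apply separately.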

