svn commit: r183915 - in user/netchild/deskjail/src: sys/kern
usr.sbin/jail
Alexander Leidinger
netchild at FreeBSD.org
Wed Oct 15 14:35:03 UTC 2008
Author: netchild
Date: Wed Oct 15 14:35:03 2008
New Revision: 183915
URL: http://svn.freebsd.org/changeset/base/183915
Log:
Add 2 sysctl's to allow access to /dev/io either in all jails, or in a
specific jail. Use at your own risk, it opens up the machine.
This allows running an X server in a jail.
Modified:
user/netchild/deskjail/src/sys/kern/kern_jail.c
user/netchild/deskjail/src/usr.sbin/jail/jail.8
Modified: user/netchild/deskjail/src/sys/kern/kern_jail.c
==============================================================================
--- user/netchild/deskjail/src/sys/kern/kern_jail.c Wed Oct 15 14:32:43 2008 (r183914)
+++ user/netchild/deskjail/src/sys/kern/kern_jail.c Wed Oct 15 14:35:03 2008 (r183915)
@@ -80,6 +80,17 @@ SYSCTL_INT(_security_jail, OID_AUTO, mou
&jail_mount_allowed, 0,
"Processes in jail can mount/unmount jail-friendly file systems");
+static int jail_dev_io_access_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, dev_io_access_allowed, CTLFLAG_RW,
+ &jail_dev_io_access_allowed, 0,
+ "Processes in all jails can get access to /dev/io if available");
+
+static char jail_dev_io_access_allowed_hostname[MAXHOSTNAMELEN] = "";
+SYSCTL_STRING(_security_jail, OID_AUTO, dev_io_access_allowed_hostname,
+ CTLFLAG_RW, jail_dev_io_access_allowed_hostname,
+ sizeof(jail_dev_io_access_allowed_hostname),
+ "Hostname of specific jail which can get access to /dev/io if available");
+
/* allprison, lastprid, and prisoncount are protected by allprison_lock. */
struct prisonlist allprison;
struct sx allprison_lock;
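Review bot: Both new knobs are declared with plain `CTLFLAG_RW`, so the host admin can switch them on at any securelevel even though they hand raw I/O access to jailed root. Consider `CTLFLAG_RW | CTLFLAG_SECURE` on `dev_io_access_allowed` and `dev_io_access_allowed_hostname` so they cannot be loosened once securelevel has been raised. The string buffer also appears to be read by the PRIV_IO case in prison_priv_check without any lock while a sysctl write may be updating it, so a comment on the declaration should state what serialises the two, or the read should be done under the same lock. A one-line comment above the pair such as `/* Either knob lets jailed root drive host hardware; off by default. */` would make the risk visible at the declaration and not only in the commit log.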
@@ -752,6 +763,26 @@ prison_priv_check(struct ucred *cred, in
case PRIV_NETINET_GETCRED:
return (0);
+ /*
+ * Allow access to /dev/io in a jail if the non-jailed admin
+ * requests this and if /dev/io exists in the jail. This
+ * allows Xorg to probe a card.
+ */
+ case PRIV_IO:
+ if (jail_dev_io_access_allowed)
+ return (0);
+
+ {
+ char jail_hostname[MAXHOSTNAMELEN];
+
+ getcredhostname(cred, jail_hostname, MAXHOSTNAMELEN);
+ if (strncasecmp(jail_dev_io_access_allowed_hostname,
+ jail_hostname, MAXHOSTNAMELEN) == 0)
+ return (0);
+ }
+
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
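Review bot: The hostname match in the `PRIV_IO` case keys the grant on a string that is neither unique nor outside the jail's control, and with the knob at its default `""` it still matches any jail whose hostname is empty. When `security.jail.set_hostname_allowed` is enabled, jailed root can change the hostname that getcredhostname() returns, so the comparison does not pin the grant to one jail; an integer sysctl compared against the prison id (`cred->cr_prison->pr_id`) would. If the hostname form is kept, the test should at least start with `jail_dev_io_access_allowed_hostname[0] != '\0' &&` so that the unset knob never grants. The comment promises access only "if /dev/io exists in the jail", but the case returns 0 for every `PRIV_IO` request without looking at devfs, so any other consumer of that privilege is granted too; reword it to `Grant PRIV_IO to jailed root when the host admin has enabled it; devfs visibility of /dev/io is a separate control.` prison_priv_check starts and ends outside this hunk.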
Modified: user/netchild/deskjail/src/usr.sbin/jail/jail.8
==============================================================================
--- user/netchild/deskjail/src/usr.sbin/jail/jail.8 Wed Oct 15 14:32:43 2008 (r183914)
+++ user/netchild/deskjail/src/usr.sbin/jail/jail.8 Wed Oct 15 14:35:03 2008 (r183915)
@@ -33,7 +33,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd April 5, 2007
+.Dd March 10, 2008
.Dt JAIL 8
.Os
.Sh NAME
@@ -546,6 +546,38 @@ or clear system file flags; if non-zero,
privileged, and may manipulate system file flags subject to the usual
constraints on
.Va kern.securelevel .
+.It Va security.jail.dev_io_access_allowed
+This MIB entry determines if a privileged user inside
+.Va every
+jail will be able to access
+.Pa /dev/io
+in case
+.Xr devfs 8
+is used to show
+.Pa /dev/io
+in a jail.
+The default value of 0 does not allow access even if
+.Pa /dev/io
+is visible in a jail.
+A value of 1 allowes access in a jail.
+This sysctl should not be used to give this access rights to only one
+specific jail.
+To give access to only one specific jail the sysctl
+.Va security.jail.dev_io_access_allowed_hostname
+should be used instead.
+.It Va security.jail.dev_io_access_allowed_hostname
+This MIB entry determines if a privileged user only inside the
+.Va specified
+jail will be able to access
+.Pa /dev/io
+in case
+.Xr devfs 8
+is used to show
+.Pa /dev/io
+in a jail.
+The string-value of this sysctl is compared case-insensitive with the hostname
+of the jail.
+Access is allowed if the string matches.
.It Va security.jail.mount_allowed
This MIB entry determines if a privileged user inside a jail will be
able to mount and unmount file system types marked as jail-friendly.