svn commit: r183915 - in user/netchild/deskjail/src: sys/kern usr.sbin/jail

[Alexander Leidinger]

Author: netchild
Date: Wed Oct 15 14:35:03 2008
New Revision: 183915
URL: http://svn.freebsd.org/changeset/base/183915

Log:
  Add 2 sysctl's to allow access to /dev/io either in all jails, or in a
  specific jail. Use at your own risk, it opens up the machine.
  
  This allows to run a X server in a jail.

Modified:
  user/netchild/deskjail/src/sys/kern/kern_jail.c
  user/netchild/deskjail/src/usr.sbin/jail/jail.8

Modified: user/netchild/deskjail/src/sys/kern/kern_jail.c
==============================================================================
--- user/netchild/deskjail/src/sys/kern/kern_jail.c	Wed Oct 15 14:32:43 2008	(r183914)
+++ user/netchild/deskjail/src/sys/kern/kern_jail.c	Wed Oct 15 14:35:03 2008	(r183915)
@@ -80,6 +80,17 @@ SYSCTL_INT(_security_jail, OID_AUTO, mou
     &jail_mount_allowed, 0,
     "Processes in jail can mount/unmount jail-friendly file systems");
 
+static int	jail_dev_io_access_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, dev_io_access_allowed, CTLFLAG_RW,
+    &jail_dev_io_access_allowed, 0,
+    "Processes in all jails can get access to /dev/io if available");
+
+static char	jail_dev_io_access_allowed_hostname[MAXHOSTNAMELEN] = "";
+SYSCTL_STRING(_security_jail, OID_AUTO, dev_io_access_allowed_hostname,
+    CTLFLAG_RW, jail_dev_io_access_allowed_hostname,
+    sizeof(jail_dev_io_access_allowed_hostname),
+    "Hostname of specific jail which can get access to /dev/io if available");
+
 /* allprison, lastprid, and prisoncount are protected by allprison_lock. */
 struct	prisonlist allprison;
 struct	sx allprison_lock;
@@ -752,6 +763,26 @@ prison_priv_check(struct ucred *cred, in
 	case PRIV_NETINET_GETCRED:
 		return (0);
 
+		/*
+		 * Allow access to /dev/io in a jail if the non-jailed admin
+		 * requests this and if /dev/io exists in the jail. This
+		 * allows Xorg to probe a card.
+		 */
+	case PRIV_IO:
+		if (jail_dev_io_access_allowed)
+			return (0);
+
+		{
+			char jail_hostname[MAXHOSTNAMELEN];
+
+			getcredhostname(cred, jail_hostname, MAXHOSTNAMELEN);
+			if (strncasecmp(jail_dev_io_access_allowed_hostname,
+			    jail_hostname, MAXHOSTNAMELEN) == 0)
+				return (0);
+		}
+
+		return (EPERM);
+
 	default:
 		/*
 		 * In all remaining cases, deny the privilege request.  This

Modified: user/netchild/deskjail/src/usr.sbin/jail/jail.8
==============================================================================
--- user/netchild/deskjail/src/usr.sbin/jail/jail.8	Wed Oct 15 14:32:43 2008	(r183914)
+++ user/netchild/deskjail/src/usr.sbin/jail/jail.8	Wed Oct 15 14:35:03 2008	(r183915)
@@ -33,7 +33,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 5, 2007
+.Dd March 10, 2008
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -546,6 +546,38 @@ or clear system file flags; if non-zero,
 privileged, and may manipulate system file flags subject to the usual
 constraints on
 .Va kern.securelevel .
+.It Va security.jail.dev_io_access_allowed
+This MIB entry determines if a privileged user inside
+.Va every
+jail will be able to access
+.Pa /dev/io
+in case
+.Xr devfs 8
+is used to show
+.Pa /dev/io
+in a jail.
+The default value of 0 does not allow access even if
+.Pa /dev/io
+is visible in a jail.
+A value of 1 allowes access in a jail.
+This sysctl should not be used to give this access rights to only one
+specific jail.
+To give access to only one specific jail the sysctl
+.Va security.jail.dev_io_access_allowed_hostname
+should be used instead.
+.It Va security.jail.dev_io_access_allowed_hostname
+This MIB entry determines if a privileged user only inside the
+.Va specified
+jail will be able to access
+.Pa /dev/io
+in case
+.Xr devfs 8
+is used to show
+.Pa /dev/io
+in a jail.
+The string-value of this sysctl is compared case-insensitive with the hostname
+of the jail.
+Access is allowed if the string matches.
 .It Va security.jail.mount_allowed
 This MIB entry determines if a privileged user inside a jail will be
 able to mount and unmount file system types marked as jail-friendly.