This repository has been archived by the owner on Apr 23, 2023. It is now read-only.
freebsd_11.0_xjails.patch
Index: sys/dev/drm/drmP.h
===================================================================
--- sys/dev/drm/drmP.h (revision 312856)
+++ sys/dev/drm/drmP.h (working copy)
@@ -219,7 +219,7 @@
#define PAGE_ALIGN(addr) round_page(addr)
/* DRM_SUSER returns true if the user is superuser */
-#define DRM_SUSER(p) (priv_check(p, PRIV_DRIVER) == 0)
+#define DRM_SUSER(p) (priv_check(p, PRIV_KMEM_WRITE) == 0)
#define DRM_AGP_FIND_DEVICE() agp_find_device()
#define DRM_MTRR_WC MDF_WRITECOMBINE
#define jiffies ticks
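Review bot: The comment above `DRM_SUSER` still says it returns true for the superuser, but the macro now tests `PRIV_KMEM_WRITE`, which the kern_jail.c hunk of this patch grants to a jail when `allow.kmem` is set. Every DRM path guarded by `DRM_SUSER` therefore becomes reachable from such a jail, not only the DRI setup the patch is aimed at; the callers are outside this hunk, so the exact set is worth auditing. I would reword the comment to `/* DRM_SUSER: true if the caller holds PRIV_KMEM_WRITE (also granted to jails with allow.kmem) */` so the widened scope is visible where the check is defined.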
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c (revision 312856)
+++ sys/kern/kern_jail.c (working copy)
@@ -207,6 +207,7 @@
"allow.mount.fdescfs",
"allow.mount.linprocfs",
"allow.mount.linsysfs",
+ "allow.kmem",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
@@ -226,6 +227,7 @@
"allow.mount.nofdescfs",
"allow.mount.nolinprocfs",
"allow.mount.nolinsysfs",
+ "allow.nokmem",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
@@ -4070,6 +4072,27 @@
case PRIV_PROC_SETLOGINCLASS:
return (0);
+ /*
+ * Allow access to /dev/io in a jail if the non-jailed admin
+ * requests this and if /dev/io exists in the jail. This
+ * allows Xorg to probe a card.
+ */
+ case PRIV_IO:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
+ * Allow low level access to KMEM-like devices (e.g. to
+ * allow Xorg to use DRI).
+ */
+ case PRIV_KMEM_WRITE:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM)
+ return (0);
+ else
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
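Review bot: The comment on the `PRIV_IO` case says access is allowed "if /dev/io exists in the jail", but the code tests only `PR_ALLOW_KMEM`; whether the device node is visible is presumably decided by the jail's devfs ruleset, not here. Because one flag grants both `PRIV_IO` and `PRIV_KMEM_WRITE`, the comment should say so plainly, for example `/* allow.kmem grants PRIV_IO and PRIV_KMEM_WRITE; device visibility is controlled separately by devfs rules */`. The two cases have identical bodies and could share one: `case PRIV_IO:` / `case PRIV_KMEM_WRITE:` / `return ((cred->cr_prison->pr_allow & PR_ALLOW_KMEM) ? 0 : EPERM);`. The enclosing function starts and ends outside the hunk.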
@@ -4538,6 +4561,8 @@
"B", "Jail may mount the tmpfs file system");
SYSCTL_JAIL_PARAM(_allow_mount, zfs, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may mount the zfs file system");
+SYSCTL_JAIL_PARAM(_allow, kmem, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may access kmem-like devices (io, dri) if they exist");
#ifdef RACCT
void
Index: sys/sys/jail.h
===================================================================
--- sys/sys/jail.h (revision 312856)
+++ sys/sys/jail.h (working copy)
@@ -230,7 +230,8 @@
#define PR_ALLOW_MOUNT_FDESCFS 0x1000
#define PR_ALLOW_MOUNT_LINPROCFS 0x2000
#define PR_ALLOW_MOUNT_LINSYSFS 0x4000
-#define PR_ALLOW_ALL 0x7fff
+#define PR_ALLOW_KMEM 0x8000
+#define PR_ALLOW_ALL 0xffff
/*
* OSD methods
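Review bot: Widening `PR_ALLOW_ALL` to 0xffff means anything initialised or masked with it now carries the new `PR_ALLOW_KMEM` bit as well; the users of that mask are outside this hunk and worth checking. The flag value also looks positionally tied to the entries appended to `pr_allow_names` and `pr_allow_nonames` in kern_jail.c, which nothing here records. A comment above the list such as `/* bit N must match index N in pr_allow_names[] and pr_allow_nonames[] */` would keep a later rebase onto a tree that has taken 0x8000 for another flag from silently mis-pairing them.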
Index: usr.sbin/jail/jail.8
===================================================================
--- usr.sbin/jail/jail.8 (revision 312856)
+++ usr.sbin/jail/jail.8 (working copy)
@@ -611,6 +611,17 @@
Sockets within a jail are normally restricted to IPv4, IPv6, local
(UNIX), and route. This allows access to other protocol stacks that
have not had jail functionality added to them.
+.It Va allow.kmem
+Jailed processes may access
+.Pa /dev/kmem
+and similar devices (e.g. io, dri) if they have sufficient permission
+(via the usual file permissions).
+Note that the device files must exist within the jail for this parameter
+to be of any use;
+the default devfs ruleset for jails does not include any such devices.
+Giving a jail access to kernel memory obviates much of the security that
+jails offer, but can still be useful for other purposes.
+For example, this would allow the Xorg server to run inside a jail.
.El
.El
.Pp