diff options
author | jamie <jamie@FreeBSD.org> | 2014-01-29 13:41:13 +0000 |
---|---|---|
committer | jamie <jamie@FreeBSD.org> | 2014-01-29 13:41:13 +0000 |
commit | 223bb594b09819bfd78eb66789663caf2d2dcf1e (patch) | |
tree | d79e3027ae743cd4ba199f8f56f0f1752df2c6d5 /sys/kern | |
parent | 3dc25be505d107528cf27e8a95bfb0b2f10723a7 (diff) | |
download | FreeBSD-src-223bb594b09819bfd78eb66789663caf2d2dcf1e.zip FreeBSD-src-223bb594b09819bfd78eb66789663caf2d2dcf1e.tar.gz |
Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
Submitted by: netchild
MFC after: 1 week
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_jail.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 700b7d6..9e19acd 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -208,6 +208,7 @@ static char *pr_allow_names[] = { "allow.mount.zfs", "allow.mount.procfs", "allow.mount.tmpfs", + "allow.kmem", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -224,6 +225,7 @@ static char *pr_allow_nonames[] = { "allow.mount.nozfs", "allow.mount.noprocfs", "allow.mount.notmpfs", + "allow.nokmem", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -3951,6 +3953,27 @@ prison_priv_check(struct ucred *cred, int priv) return (0); /* + * Allow access to /dev/io in a jail if the non-jailed admin + * requests this and if /dev/io exists in the jail. This + * allows Xorg to probe a card. + */ + case PRIV_IO: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM) + return (0); + else + return (EPERM); + + /* + * Allow low level access to KMEM-like devices (e.g. to + * allow Xorg to use DRI). + */ + case PRIV_KMEM_WRITE: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM) + return (0); + else + return (EPERM); + + /* * Allow jailed root to set loginclass. */ case PRIV_PROC_SETLOGINCLASS: @@ -4384,6 +4407,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may set file quotas"); SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +SYSCTL_JAIL_PARAM(_allow, kmem, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may access kmem-like devices (io, dri) if they exist"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, |