authorjamie <jamie@FreeBSD.org>2014-01-31 17:39:51 +0000
committerjamie <jamie@FreeBSD.org>2014-01-31 17:39:51 +0000
commit64b15ec174b0b7a8dd798f25c0299df5c577d2fa (patch)
treef0132e664e1ee614f56db3268dbd52de2c26d511 /sys/kern
parent16b6d5f86751ba0d7edce948c3d96f81505cf186 (diff)
Back out r261266 pending security buy-in.
r261266: Add a jail parameter, allow.kmem, which lets jailed processes access /dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE). This in conjunction with changing the drm driver's permission check from PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_jail.c25
1 files changed, 0 insertions, 25 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 9e19acd..700b7d6 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -208,7 +208,6 @@ static char *pr_allow_names[] = {
"allow.mount.zfs",
"allow.mount.procfs",
"allow.mount.tmpfs",
- "allow.kmem",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
@@ -225,7 +224,6 @@ static char *pr_allow_nonames[] = {
"allow.mount.nozfs",
"allow.mount.noprocfs",
"allow.mount.notmpfs",
- "allow.nokmem",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
@@ -3953,27 +3951,6 @@ prison_priv_check(struct ucred *cred, int priv)
return (0);
/*
- * Allow access to /dev/io in a jail if the non-jailed admin
- * requests this and if /dev/io exists in the jail. This
- * allows Xorg to probe a card.
- */
- case PRIV_IO:
- if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM)
- return (0);
- else
- return (EPERM);
-
- /*
- * Allow low level access to KMEM-like devices (e.g. to
- * allow Xorg to use DRI).
- */
- case PRIV_KMEM_WRITE:
- if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM)
- return (0);
- else
- return (EPERM);
-
- /*
* Allow jailed root to set loginclass.
*/
case PRIV_PROC_SETLOGINCLASS:
@@ -4407,8 +4384,6 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set file quotas");
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
-SYSCTL_JAIL_PARAM(_allow, kmem, CTLTYPE_INT | CTLFLAG_RW,
- "B", "Jail may access kmem-like devices (io, dri) if they exist");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,