diff options
author | jamie <jamie@FreeBSD.org> | 2014-01-31 17:39:51 +0000 |
---|---|---|
committer | jamie <jamie@FreeBSD.org> | 2014-01-31 17:39:51 +0000 |
commit | 64b15ec174b0b7a8dd798f25c0299df5c577d2fa (patch) | |
tree | f0132e664e1ee614f56db3268dbd52de2c26d511 /usr.sbin/jail | |
parent | 16b6d5f86751ba0d7edce948c3d96f81505cf186 (diff) | |
download | FreeBSD-src-64b15ec174b0b7a8dd798f25c0299df5c577d2fa.zip FreeBSD-src-64b15ec174b0b7a8dd798f25c0299df5c577d2fa.tar.gz |
Back out r261266 pending security buy-in.
r261266:
Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- | usr.sbin/jail/jail.8 | 11 |
1 files changed, 0 insertions, 11 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index d5aa4d3..4a16e9a 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -573,17 +573,6 @@ with non-jailed parts of the system. Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. -.It Va allow.kmem -Jailed processes may access -.Pa /dev/kmem -and similar devices (e.g. io, dri) if they have sufficient permission -(via the usual file permissions). -Note that the device files must exist within the jail for this parameter -to be of any use; -the default devfs ruleset for jails does not include any such devices. -Giving a jail access to kernel memory obviates much of the security that -jails offer, but can still be useful for other purposes. -For example, this would allow the Xorg server to run inside a jail. .El .El .Pp |