diff options
author | jamie <jamie@FreeBSD.org> | 2014-01-29 13:41:13 +0000 |
---|---|---|
committer | jamie <jamie@FreeBSD.org> | 2014-01-29 13:41:13 +0000 |
commit | 223bb594b09819bfd78eb66789663caf2d2dcf1e (patch) | |
tree | d79e3027ae743cd4ba199f8f56f0f1752df2c6d5 /usr.sbin/jail | |
parent | 3dc25be505d107528cf27e8a95bfb0b2f10723a7 (diff) | |
download | FreeBSD-src-223bb594b09819bfd78eb66789663caf2d2dcf1e.zip FreeBSD-src-223bb594b09819bfd78eb66789663caf2d2dcf1e.tar.gz |
Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
Submitted by: netchild
MFC after: 1 week
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- | usr.sbin/jail/jail.8 | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 4a16e9a..d5aa4d3 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -573,6 +573,17 @@ with non-jailed parts of the system. Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. +.It Va allow.kmem +Jailed processes may access +.Pa /dev/kmem +and similar devices (e.g. io, dri) if they have sufficient permission +(via the usual file permissions). +Note that the device files must exist within the jail for this parameter +to be of any use; +the default devfs ruleset for jails does not include any such devices. +Giving a jail access to kernel memory obviates much of the security that +jails offer, but can still be useful for other purposes. +For example, this would allow the Xorg server to run inside a jail. .El .El .Pp |