diff options
-rw-r--r-- | sys/dev/drm/drmP.h | 4 | ||||
-rw-r--r-- | sys/kern/kern_jail.c | 25 | ||||
-rw-r--r-- | sys/sys/jail.h | 3 | ||||
-rw-r--r-- | usr.sbin/jail/jail.8 | 11 |
4 files changed, 41 insertions, 2 deletions
diff --git a/sys/dev/drm/drmP.h b/sys/dev/drm/drmP.h index bf5feed..6ea4af1 100644 --- a/sys/dev/drm/drmP.h +++ b/sys/dev/drm/drmP.h @@ -227,7 +227,9 @@ enum { #define PAGE_ALIGN(addr) round_page(addr) /* DRM_SUSER returns true if the user is superuser */ -#if __FreeBSD_version >= 700000 +#if __FreeBSD_version >= 1000000 +#define DRM_SUSER(p) (priv_check(p, PRIV_KMEM_WRITE) == 0) +#elif __FreeBSD_version >= 700000 #define DRM_SUSER(p) (priv_check(p, PRIV_DRIVER) == 0) #else #define DRM_SUSER(p) (suser(p) == 0) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 700b7d6..9e19acd 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -208,6 +208,7 @@ static char *pr_allow_names[] = { "allow.mount.zfs", "allow.mount.procfs", "allow.mount.tmpfs", + "allow.kmem", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -224,6 +225,7 @@ static char *pr_allow_nonames[] = { "allow.mount.nozfs", "allow.mount.noprocfs", "allow.mount.notmpfs", + "allow.nokmem", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -3951,6 +3953,27 @@ prison_priv_check(struct ucred *cred, int priv) return (0); /* + * Allow access to /dev/io in a jail if the non-jailed admin + * requests this and if /dev/io exists in the jail. This + * allows Xorg to probe a card. + */ + case PRIV_IO: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM) + return (0); + else + return (EPERM); + + /* + * Allow low level access to KMEM-like devices (e.g. to + * allow Xorg to use DRI). + */ + case PRIV_KMEM_WRITE: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM) + return (0); + else + return (EPERM); + + /* * Allow jailed root to set loginclass. */ case PRIV_PROC_SETLOGINCLASS: @@ -4384,6 +4407,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may set file quotas"); SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +SYSCTL_JAIL_PARAM(_allow, kmem, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may access kmem-like devices (io, dri) if they exist"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 59d791c..b86186c 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -228,7 +228,8 @@ struct prison_racct { #define PR_ALLOW_MOUNT_ZFS 0x0200 #define PR_ALLOW_MOUNT_PROCFS 0x0400 #define PR_ALLOW_MOUNT_TMPFS 0x0800 -#define PR_ALLOW_ALL 0x0fff +#define PR_ALLOW_KMEM 0x1000 +#define PR_ALLOW_ALL 0x1fff /* * OSD methods diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 4a16e9a..d5aa4d3 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -573,6 +573,17 @@ with non-jailed parts of the system. Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. +.It Va allow.kmem +Jailed processes may access +.Pa /dev/kmem +and similar devices (e.g. io, dri) if they have sufficient permission +(via the usual file permissions). +Note that the device files must exist within the jail for this parameter +to be of any use; +the default devfs ruleset for jails does not include any such devices. +Giving a jail access to kernel memory obviates much of the security that +jails offer, but can still be useful for other purposes. +For example, this would allow the Xorg server to run inside a jail. .El .El .Pp |