diff options
author | Jamie Gritton <jamie@FreeBSD.org> | 2014-01-31 17:39:51 +0000 |
---|---|---|
committer | Jamie Gritton <jamie@FreeBSD.org> | 2014-01-31 17:39:51 +0000 |
commit | f15444cc977d70060461b6709c9cfac4bed6857c (patch) | |
tree | f0132e664e1ee614f56db3268dbd52de2c26d511 /usr.sbin/jail | |
parent | 54239186df9ec32c5ac189440994edc64be12c79 (diff) | |
download | src-f15444cc977d70060461b6709c9cfac4bed6857c.tar.gz src-f15444cc977d70060461b6709c9cfac4bed6857c.zip |
Back out r261266 pending security buy-in.
r261266:
Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.
Notes
Notes:
svn path=/head/; revision=261326
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- | usr.sbin/jail/jail.8 | 11 |
1 files changed, 0 insertions, 11 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index d5aa4d3382e8..4a16e9aba5e8 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -573,17 +573,6 @@ with non-jailed parts of the system. Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. -.It Va allow.kmem -Jailed processes may access -.Pa /dev/kmem -and similar devices (e.g. io, dri) if they have sufficient permission -(via the usual file permissions). -Note that the device files must exist within the jail for this parameter -to be of any use; -the default devfs ruleset for jails does not include any such devices. -Giving a jail access to kernel memory obviates much of the security that -jails offer, but can still be useful for other purposes. -For example, this would allow the Xorg server to run inside a jail. .El .El .Pp |