Index: etc/rc.d/jail
===================================================================
--- etc/rc.d/jail (Revision 202551)
+++ etc/rc.d/jail (Arbeitskopie)
@@ -41,7 +41,18 @@
 eval _ip=\"\$jail_${_j}_ip\"
 eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
 eval _exec=\"\$jail_${_j}_exec\"
+ eval _startparams=\"\$jail_${_j}_startparams\"
+ eval _jailname=\"\${jail_${_j}_jailname}\"
+ eval _securelevel=\"\$jail_${_j}_securelevel\"
+ if [ -n "$_jailname" ]; then
+ _jailname="name=${_jailname}"
+ fi
+
+ if [ -n "$_securelevel" ]; then
+ _securelevel="securelevel=${_securelevel}"
+ fi
+
 i=0
 while : ; do
 eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\"
@@ -132,6 +143,9 @@
 debug "$_j procdir: $_procdir"
 debug "$_j ruleset: $_ruleset"
 debug "$_j fstab: $_fstab"
+ debug "$_j startparams: $_startparams"
+ debug "$_j jailname: $_jailname"
+ debug "$_j securelevel: $_securelevel"
 i=0
 while : ; do
@@ -327,14 +341,21 @@
 #
 jail_mount_fstab()
 {
- local _device _mountpt _rest
+ local _device _mountpt _field3 _field4 _field5 _field6
- while read _device _mountpt _rest; do
- case ":${_device}" in
- :#* | :)
+ while read _device _mountpt _field3 _field4 _field5 _field6; do
+ case ":${_device}:" in
+ :#*:|::)
+ # empty line or comment
 continue
 ;;
 esac
+ if [ -z "${_field5}" ]; then
+ # a fstab entry needs at least 5 fields
+ # everything else is suspicious
+ warn "${_device} ${_mountpt} ${_field3} ${_field4} ${_field5} ${_field6} not conforming to 5 or more whitespace separated fields"
+ return
+ fi
 if is_symlinked_mountpoint ${_mountpt}; then
 warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}"
 return
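Review bot: The three new values are taken from rc.conf without any check and are later expanded unquoted inside the `eval ... jail -c` line (the hunk at -635), so whitespace or shell metacharacters in `jail_<name>_jailname`, `jail_<name>_securelevel` or `jail_<name>_startparams` are re-parsed by the shell instead of reaching jail(8) as one parameter. rc.conf is normally writable only by root, so this is a hardening point rather than a privilege boundary, but a securelevel that is not one of the known integers is better rejected here than passed on: `case "$_securelevel" in ''|-1|[0-3]) ;; *) warn "$_j: invalid securelevel"; _securelevel= ;; esac`, placed before the `securelevel=` prefix is added. The enclosing function starts and ends outside the hunk.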
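Review bot: The new check in `jail_mount_fstab` requires a non-empty fifth field, but fstab(5) treats the dump-frequency and pass-number fields as optional, so a valid four-field entry now makes the function give up with a warning; testing `_field4` would still reject lines the loop cannot parse. The bare `return` after `warn` hands the caller warn's exit status, so a refused fstab cannot be told apart from a completed one; `return 1` makes the refusal explicit, assuming the caller (outside this hunk) checks it, and the existing symlink branch below has the same shape. `read` is used without `-r`, so backslashes are interpreted and the fields examined here may differ from what mount(8) later reads from the same file.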
@@ -635,8 +656,10 @@
 i=$((i + 1))
 done
- eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
- \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+ eval ${_setfib} jail ${_flags} -i -c ${_startparams} \
+ ${_jailname} ${_securelevel} path=${_rootdir} \
+ host.hostname=${_hostname} ip4.addr=\"${_addrl}\" \
+ command=${_exec_start} > ${_tmp_jail} 2>&1
 if [ "$?" -eq 0 ] ; then
 _jail_id=$(head -1 ${_tmp_jail})
Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf (Revision 202551)
+++ etc/defaults/rc.conf (Arbeitskopie)
@@ -661,6 +661,9 @@
 #jail_example_mount_enable="NO" # mount/umount jail's fs
 #jail_example_fstab="" # fstab(5) for mount/umount
 #jail_example_flags="-l -U root" # flags for jail(8)
+#jail_example_startparams="allow.statfs=2" # parameters for jail(8)
+#jail_example_jailname="Example" # unique name for this jail
+#jail_example_securelevel="0" # securelevel for this jail
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
Index: sys/dev/drm/drmP.h
===================================================================
--- sys/dev/drm/drmP.h (Revision 202551)
+++ sys/dev/drm/drmP.h (Arbeitskopie)
@@ -205,7 +205,7 @@
 #define PAGE_ALIGN(addr) round_page(addr)
 /* DRM_SUSER returns true if the user is superuser */
 #if __FreeBSD_version >= 700000
-#define DRM_SUSER(p) (priv_check(p, PRIV_DRIVER) == 0)
+#define DRM_SUSER(p) (priv_check(p, PRIV_DRI_DRIVER) == 0)
 #else
 #define DRM_SUSER(p) (suser(p) == 0)
 #endif
Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c (Revision 202551)
+++ sys/kern/kern_jail.c (Arbeitskopie)
@@ -187,6 +187,8 @@
 "allow.mount",
 "allow.quotas",
 "allow.socket_af",
+ "allow.dev_io_access",
+ "allow.dev_dri_access",
 };
 static char *pr_allow_nonames[] = {
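Review bot: `ip4.addr=\"${_addrl}\"` hands the whole address list to jail(8) as IPv4, so if `_addrl` can carry IPv6 addresses (it is built outside this hunk) the new `jail -c` call may reject a configuration that the old positional form started; splitting the list into `ip4.addr=` and `ip6.addr=` would keep such jails working. `path=${_rootdir}` and `host.hostname=${_hostname}` are still unquoted under `eval`, so a root directory containing whitespace is split into separate parameters; `path=\"${_rootdir}\"` avoids that. The surrounding function is only partly visible in the hunk.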
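Review bot: The example value `allow.statfs=2` does not look like a jail(8) parameter name; the statfs visibility setting is `enforce_statfs`, and an unknown parameter on a `jail -c` command line makes the start fail. Suggest `#jail_example_startparams="enforce_statfs=2"`. The comment on `jail_example_jailname` could also say that the value is passed as `name=` and has to be unique on the host.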
@@ -197,6 +199,8 @@
 "allow.nomount",
 "allow.noquotas",
 "allow.nosocket_af",
+ "allow.nodev_io_access",
+ "allow.nodev_dri_access",
 };
 #define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
@@ -3863,6 +3867,26 @@
 case PRIV_NETINET_GETCRED:
 return (0);
+ /*
+ * Allow access to /dev/io in a jail if the non-jailed admin
+ * requests this and if /dev/io exists in the jail. This
+ * allows Xorg to probe a card.
+ */
+ case PRIV_IO:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_DEV_IO_ACCESS)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
+ * Allow low level access to DRI. This allows Xorgs to use DRI.
+ */
+ case PRIV_DRI_DRIVER:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_DEV_DRI_ACCESS)
+ return (0);
+ else
+ return (EPERM);
+
 default:
 /*
 * In all remaining cases, deny the privilege request. This
@@ -4245,8 +4269,11 @@
 "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
 "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, dev_io_access, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may access /dev/io if it exists");
+SYSCTL_JAIL_PARAM(_allow, dev_drm_access, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may access /dev/drm if it exists");
-
 #ifdef DDB
 static void
Index: sys/sys/jail.h
===================================================================
--- sys/sys/jail.h (Revision 202551)
+++ sys/sys/jail.h (Arbeitskopie)
@@ -211,8 +211,11 @@
 #define PR_ALLOW_MOUNT 0x0010
 #define PR_ALLOW_QUOTAS 0x0020
 #define PR_ALLOW_SOCKET_AF 0x0040
-#define PR_ALLOW_ALL 0x007f
+#define PR_ALLOW_DEV_IO_ACCESS 0x0080
+#define PR_ALLOW_DEV_DRI_ACCESS 0x0100
+#define PR_ALLOW_ALL 0x01ff
+
 /*
 * OSD methods
 */
Index: sys/sys/priv.h
===================================================================
--- sys/sys/priv.h (Revision 202551)
+++ sys/sys/priv.h (Arbeitskopie)
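Review bot: `case PRIV_IO` grants a jailed root the I/O privilege on the strength of one flag bit, and the condition in the comment, "if /dev/io exists in the jail", is not tested here; it is left entirely to the devfs ruleset. Direct port I/O lets a process drive hardware, so a jail with `allow.dev_io_access` set should be regarded as no longer isolated from the host, and the same caution applies to `PRIV_DRI_DRIVER`, which through `DRM_SUSER` (changed in drmP.h) presumably opens the root-only DRM operations. I would state that in both comments, for example `* NOTE: this gives the jail raw hardware access; enable it only for jails trusted like the host.` The switch these cases belong to starts and ends outside the hunk.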
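Review bot: The second new parameter is declared as `dev_drm_access`, while the name tables and the flag added elsewhere in this patch use `allow.dev_dri_access` and `PR_ALLOW_DEV_DRI_ACCESS`, so userland that discovers parameters through these sysctl nodes would see a name the kernel's name table does not contain. Rename it to match: `SYSCTL_JAIL_PARAM(_allow, dev_dri_access, CTLTYPE_INT | CTLFLAG_RW,` with the description `"B", "Jail may access /dev/dri if it exists");`. Both descriptions would be more accurate if they said the flag grants the privilege only, since whether the device node is visible in the jail is decided by devfs rules.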
@@ -482,9 +482,14 @@
 #define PRIV_AFS_DAEMON 661 /* Can become the AFS daemon. */
 /*
+ * Direct Rendering Infrastructure privileges.
+ */
+#define PRIV_DRI_DRIVER 670
+
+/*
 * Track end of privilege list.
 */
-#define _PRIV_HIGHEST 662
+#define _PRIV_HIGHEST 671
 /*
 * Validate that a named privilege is known by the privilege system. Invalid
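Review bot: `PRIV_DRI_DRIVER` has no trailing description, unlike `PRIV_AFS_DAEMON` just above it, so a reader of priv.h cannot tell what the privilege permits. Going by its use in `DRM_SUSER`, something like `#define PRIV_DRI_DRIVER 670 /* Can perform root-only DRM operations. */` would fit. The jump from 661 to 670 leaves 662-669 unused, which is fine if the gap is intentional but is worth a word in the block comment.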