Index: sys/kern/kern_jail.c =================================================================== RCS file: /import/FreeBSD-CVS/src/sys/kern/kern_jail.c,v retrieving revision 1.80 diff -u -p -u -r1.80 kern_jail.c --- sys/kern/kern_jail.c 7 Jul 2008 20:53:49 -0000 1.80 +++ sys/kern/kern_jail.c 9 Jul 2008 06:04:46 -0000 @@ -79,6 +79,17 @@ SYSCTL_INT(_security_jail, OID_AUTO, mou &jail_mount_allowed, 0, "Processes in jail can mount/unmount jail-friendly file systems"); +static int jail_dev_io_access_allowed = 0; +SYSCTL_INT(_security_jail, OID_AUTO, dev_io_access_allowed, CTLFLAG_RW, + &jail_dev_io_access_allowed, 0, + "Processes in all jails can get access to /dev/io if available"); + +static char jail_dev_io_access_allowed_hostname[MAXHOSTNAMELEN] = ""; +SYSCTL_STRING(_security_jail, OID_AUTO, dev_io_access_allowed_hostname, + CTLFLAG_RW, jail_dev_io_access_allowed_hostname, + sizeof(jail_dev_io_access_allowed_hostname), + "Hostname of specific jail which can get access to /dev/io if available"); + /* allprison, lastprid, and prisoncount are protected by allprison_lock. */ struct prisonlist allprison; struct sx allprison_lock; @@ -750,6 +761,26 @@ prison_priv_check(struct ucred *cred, in case PRIV_NETINET_GETCRED: return (0); + /* + * Allow access to /dev/io in a jail if the non-jailed admin + * requests this and if /dev/io exists in the jail. This + * allows Xorg to probe a card. + */ + case PRIV_IO: + if (jail_dev_io_access_allowed) + return (0); + + { + char jail_hostname[MAXHOSTNAMELEN]; + + getcredhostname(cred, jail_hostname, MAXHOSTNAMELEN); + if (strncasecmp(jail_dev_io_access_allowed_hostname, + jail_hostname, MAXHOSTNAMELEN) == 0) + return (0); + } + + return (EPERM); + default: /* * In all remaining cases, deny the privilege request. This Index: usr.sbin/jail/jail.8 =================================================================== RCS file: /import/FreeBSD-CVS/src/usr.sbin/jail/jail.8,v retrieving revision 1.84 diff -u -p -u -r1.84 jail.8 --- usr.sbin/jail/jail.8 5 Apr 2007 21:17:52 -0000 1.84 +++ usr.sbin/jail/jail.8 10 Mar 2008 11:04:30 -0000 @@ -33,7 +33,7 @@ .\" .\" $FreeBSD: src/usr.sbin/jail/jail.8,v 1.84 2007/04/05 21:17:52 pjd Exp $ .\" -.Dd April 5, 2007 +.Dd March 10, 2008 .Dt JAIL 8 .Os .Sh NAME @@ -546,6 +546,38 @@ or clear system file flags; if non-zero, privileged, and may manipulate system file flags subject to the usual constraints on .Va kern.securelevel . +.It Va security.jail.dev_io_access_allowed +This MIB entry determines if a privileged user inside +.Va every +jail will be able to access +.Pa /dev/io +in case +.Xr devfs 8 +is used to show +.Pa /dev/io +in a jail. +The default value of 0 does not allow access even if +.Pa /dev/io +is visible in a jail. +A value of 1 allowes access in a jail. +This sysctl should not be used to give this access rights to only one +specific jail. +To give access to only one specific jail the sysctl +.Va security.jail.dev_io_access_allowed_hostname +should be used instead. +.It Va security.jail.dev_io_access_allowed_hostname +This MIB entry determines if a privileged user only inside the +.Va specified +jail will be able to access +.Pa /dev/io +in case +.Xr devfs 8 +is used to show +.Pa /dev/io +in a jail. +The string-value of this sysctl is compared case-insensitive with the hostname +of the jail. +Access is allowed if the string matches. .It Va security.jail.mount_allowed This MIB entry determines if a privileged user inside a jail will be able to mount and unmount file system types marked as jail-friendly.