Yeah! Finally I got time to finish my work to put a desktop environment (in this case GNOME) into a jail. At least I have a proof of concept (I write this with firefox running in my “deskjail”). No, I don’t do this for additional security (there’s more security than in a non-jailed setup, but less security than in an ordinary jail, as you have to allow access to a lot more devices than in an ordinary jail), I do this for additional flexibility: Moving my desktop is now only the install of FreeBSD on a new machine and rsyncing the jail over to it. As the machine will also be a host of several jails where I have some common users with the same UID in each jail, I don’t pollute the jail-host with the desktop stuff and I have everything nicely separated.
Without a kernel patch and good devfs rules you will not get Xorg up and running in a jail (at least I didn’t managed to let it recognize my graphic card without the kernel patch). Now I have to beef up the patch a little bit and ask for review (it weakens up the security a little bit like the sysctl security.jail.sysvipc_allowed=1 or security.jail.allow_raw_sockets=1).
But first I have to finish the move of all my services I use at home to the jail-host now.
Hi, Alexander I spoke with Dru Lavigne about “Translators are volunteers who are interested” I interests in that. He send a email about that.
Best regards,
You can at least run a headless X listening for XDM requests in a jail, I just tried it.
Hi Alexander,
I’m currently testing also a X desktop environment in a jail (without tcp forwarding).
I’m fighting with devfs.rules.
Have you a link for kernel patch ?
Have a look at http://www.leidinger.net/FreeBSD/current-patches/ and at the jail-mailinglist, I wrote about the devfs.rules which are needed there.