A desktop environment in a jail.

Yeah! Finally I got time to finish my work to put a desktop environment (in this case GNOME) into a jail. At least I have a proof of concept (I write this with Firefox running in my “deskjail”). No, I don’t do this for additional security (there’s more security than in a non-jailed setup, but less security than in an ordinary jail, as you have to allow access to a lot more devices than in an ordinary jail), I do this for additional flexibility: Moving my desktop is now only the install of FreeBSD on a new machine and rsyncing the jail over to it. As the machine will also be a host of several jails where I have some common users with the same UID in each jail, I don’t pollute the jail-host with the desktop stuff and I have everything nicely separated.

Without a kernel patch and good devfs rules you will not get Xorg up and running in a jail (at least I didn’t manage to let it recognize my graphics card without the kernel patch). Now I have to beef up the patch a little bit and ask for review (it weakens the security a little bit, like the sysctl security.jail.sysvipc_allowed=1 or security.jail.allow_raw_sockets=1).

But first I have to finish the move of all my services I use at home to the jail-host now.