Index: sys/dev/drm/drmP.h =================================================================== --- sys/dev/drm/drmP.h (revision 303086) +++ sys/dev/drm/drmP.h (working copy) @@ -219,7 +219,7 @@ #define PAGE_ALIGN(addr) round_page(addr) /* DRM_SUSER returns true if the user is superuser */ -#define DRM_SUSER(p) (priv_check(p, PRIV_DRIVER) == 0) +#define DRM_SUSER(p) (priv_check(p, PRIV_KMEM_WRITE) == 0) #define DRM_AGP_FIND_DEVICE() agp_find_device() #define DRM_MTRR_WC MDF_WRITECOMBINE #define jiffies ticks Index: sys/kern/kern_jail.c =================================================================== --- sys/kern/kern_jail.c (revision 303086) +++ sys/kern/kern_jail.c (working copy) @@ -207,6 +207,7 @@ "allow.mount.fdescfs", "allow.mount.linprocfs", "allow.mount.linsysfs", + "allow.kmem", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); @@ -226,6 +227,7 @@ "allow.mount.nofdescfs", "allow.mount.nolinprocfs", "allow.mount.nolinsysfs", + "allow.nokmem", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); @@ -4065,6 +4067,27 @@ return (0); /* + * Allow access to /dev/io in a jail if the non-jailed admin + * requests this and if /dev/io exists in the jail. This + * allows Xorg to probe a card. + */ + case PRIV_IO: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM) + return (0); + else + return (EPERM); + + /* + * Allow low level access to KMEM-like devices (e.g. to + * allow Xorg to use DRI). + */ + case PRIV_KMEM_WRITE: + if (cred->cr_prison->pr_allow & PR_ALLOW_KMEM) + return (0); + else + return (EPERM); + + /* * Allow jailed root to set loginclass. */ case PRIV_PROC_SETLOGINCLASS: @@ -4372,6 +4395,10 @@ CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MOUNT_ZFS, sysctl_jail_default_allow, "I", "Processes in jail can mount the zfs file system (deprecated)"); +SYSCTL_PROC(_security_jail, OID_AUTO, kmem_allowed, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, + NULL, PR_ALLOW_KMEM, sysctl_jail_default_allow, "I", + "Processes in jail can access kmem"); static int sysctl_jail_default_level(SYSCTL_HANDLER_ARGS) @@ -4518,6 +4545,8 @@ "B", "Jail may set file quotas"); SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +SYSCTL_JAIL_PARAM(_allow, kmem, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may access kmem-like devices (io, dri) if they exist"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, Index: sys/sys/jail.h =================================================================== --- sys/sys/jail.h (revision 303086) +++ sys/sys/jail.h (working copy) @@ -230,7 +230,8 @@ #define PR_ALLOW_MOUNT_FDESCFS 0x1000 #define PR_ALLOW_MOUNT_LINPROCFS 0x2000 #define PR_ALLOW_MOUNT_LINSYSFS 0x4000 -#define PR_ALLOW_ALL 0x7fff +#define PR_ALLOW_KMEM 0x8000 +#define PR_ALLOW_ALL 0xffff /* * OSD methods Index: usr.sbin/jail/jail.8 =================================================================== --- usr.sbin/jail/jail.8 (revision 303086) +++ usr.sbin/jail/jail.8 (working copy) @@ -611,6 +611,17 @@ Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. +.It Va allow.kmem +Jailed processes may access +.Pa /dev/kmem +and similar devices (e.g. io, dri) if they have sufficient permission +(via the usual file permissions). +Note that the device files must exist within the jail for this parameter +to be of any use; +the default devfs ruleset for jails does not include any such devices. +Giving a jail access to kernel memory obviates much of the security that +jails offer, but can still be useful for other purposes. +For example, this would allow the Xorg server to run inside a jail. .El .El .Pp