On Fri, 31 Jan 2014 12:34:48 +0000 (GMT) Robert Watson <rwat...@freebsd.org> wrote:
> On Wed, 29 Jan 2014, Alexander Leidinger wrote:
>
> >> It does. I included a warning in jail.8 that this will pretty
> >> much undo jail security. There are still reasons some may want to
> >> do this, but it's definitely not for everyone or even most people.
> >
> > It only "unjails" (= basically the same security level as the
> > jail-host with the added benefit of the flexibility of a jail like
> > easy moving from one system to another) the jail which has this
> > flag set. All other jails without the flag can not "escape" to the
> > host.
> >
> > I also have to add that just setting this flag does not give access
> > to the host, you also have to configure a non-default devfs rule
> > for this jail (to have the devices appear in the jail).
>
> This is not correct: devices do not need to be delegated in devfs for
> PRIV_IO to allow bypass of the Jail security model, due to sysarch()
> and the Linux-emulated equivalent, which turn out direct I/O access
> from a user process without use of a device node.

Ok, then it is just the non-default flag, not the additional devfs part.

I agree with your other post that we are better off to document better
what it means if an admin allows kmem access for a specific jail.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137