Jailed X applications

---

• From: "mal content" <artifact.one@xxxxxxxxxxxxxx>
• Date: Fri, 17 Aug 2007 06:10:39 +0100

---

Hello.

Has anyone here ever successfully set up a jail for X apps, connecting
to an external X server? I'm trying an experimental sandbox setup here.
I have a jail running on an aliased IP on my local machine and X
programs connect out of the jail to my local X server via an SSH
tunneled TCP connection. All other packets to and from the jail are
denied by the packet filter. The trouble I am having is that many
applications (all X apps so far and a few of the SSH tools) try to open
and read from /dev/tty, which clearly isn't going to happen:

96950 xterm RET sigprocmask 0
96950 xterm CALL open(0x807bdfc,0x2,0xbfbfe458)
96950 xterm NAMI "/dev/tty"
96950 xterm RET open -1 errno 16 Device busy
96950 xterm CALL setitimer(0,0xbfbfe380,0xbfbfe370)
96950 xterm RET setitimer 0
96950 xterm CALL sigaction(0xe,0xbfbfe360,0xbfbfe340)
96950 xterm RET sigaction 0
96950 xterm CALL write(0x2,0xbfbfdd70,0x1b)
96950 xterm GIO fd 2 wrote 27 bytes
"xterm: Error 14, errno 16: "
96950 xterm RET write 27/0x1b
96950 xterm CALL write(0x2,0xbfbfdd80,0xc)
96950 xterm GIO fd 2 wrote 12 bytes
"Device busy
"
96950 xterm RET write 12/0xc
96950 xterm CALL write(0x2,0xbfbfdd80,0x29)
96950 xterm GIO fd 2 wrote 41 bytes
"Reason: spawn: open() failed on /dev/tty
"
96950 xterm RET write 41/0x29
96950 xterm CALL close(0)
96950 xterm RET close 0
96950 xterm CALL chown(0x808f000,0,0)

I am seeing successful connections from the jail to my X server,
a white window is drawn where the X client will be spawned but this
flashes out of existence as soon as the above error is encountered.

<wishful thinking>
I'd love a TrustedBSD based sandboxing tool.
</wishful thinking>

Any ideas would be appreciated.
MC
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

---

• Follow-Ups:
  • Re: Jailed X applications
    • From: Alexander Leidinger

• Prev by Date: Re: kern.chroot_allow_open_directories
• Next by Date: Re: Jailed X applications
• Previous by thread: Re: kern.chroot_allow_open_directories
• Next by thread: Re: Jailed X applications
• Index(es):
  • Date
  • Thread

---

Relevant Pages fun with old/new jails and xdm ... Running a 4.x based jail on a 6 or 5 based system. ... a remote xterminal using the 5.x supplied devfs in the jail. ... * Xdm shows a login window on the remote xterminal. ... Xdm fires up a xterm etc.. ... (freebsd-current) Re: fun with old/new jails and xdm ... > a remote xterminal using the 5.x supplied devfs in the jail. ... > * User logs in. ... > I'm guessing that xterm in 5.x was fixed to not require the existence ... (freebsd-current) Re: Commands updatedb and locate are unrecognized ... > server in the first place. ... when it came to selecting the applications. ... But there is an icon on the panel that gives me an xterm whenever ... The only other main distro I know of with "enterprise" in the name is by ... (comp.os.linux.misc) Re: DVD flickers ... > I am running on an ATI Radeon. ... X server, or the X server from XFree86? ... When you start xine in an xterm ... Which video output plugin was xine using before ... (comp.os.linux.hardware) Re: x terminal from a z/OS USS host ... xterm must be setuid root to use USS terminal ... There are useful workarounds for z/OS xterm. ... If you have a full blown X Windows server ... If you don't have an X Windows server, ... (bit.listserv.ibm-main)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2007-08