Hello.
Has anyone here ever successfully set up a jail for X apps, connecting
to an external X server? I'm trying an experimental sandbox setup here.
I have a jail running on an aliased IP on my local machine and X
programs connect out of the jail to my local X server via an SSH
tunneled TCP connection. All other packets to and from the jail are
denied by the packet filter. The trouble I am having is that many
applications (all X apps so far and a few of the SSH tools) try to open
and read from /dev/tty, which clearly isn't going to happen:
96950 xterm RET sigprocmask 0
96950 xterm CALL open(0x807bdfc,0x2,0xbfbfe458)
96950 xterm NAMI "/dev/tty"
96950 xterm RET open -1 errno 16 Device busy
96950 xterm CALL setitimer(0,0xbfbfe380,0xbfbfe370)
96950 xterm RET setitimer 0
96950 xterm CALL sigaction(0xe,0xbfbfe360,0xbfbfe340)
96950 xterm RET sigaction 0
96950 xterm CALL write(0x2,0xbfbfdd70,0x1b)
96950 xterm GIO fd 2 wrote 27 bytes
"xterm: Error 14, errno 16: "
96950 xterm RET write 27/0x1b
96950 xterm CALL write(0x2,0xbfbfdd80,0xc)
96950 xterm GIO fd 2 wrote 12 bytes
"Device busy
"
96950 xterm RET write 12/0xc
96950 xterm CALL write(0x2,0xbfbfdd80,0x29)
96950 xterm GIO fd 2 wrote 41 bytes
"Reason: spawn: open() failed on /dev/tty
"
96950 xterm RET write 41/0x29
96950 xterm CALL close(0)
96950 xterm RET close 0
96950 xterm CALL chown(0x808f000,0,0)
I am seeing successful connections from the jail to my X server,
a white window is drawn where the X client will be spawned but this
flashes out of existence as soon as the above error is encountered.
<wishful thinking>
I'd love a TrustedBSD based sandboxing tool.
</wishful thinking>
Any ideas would be appreciated.
MC