Date:      Thu, 17 Nov 2011 02:20:23 -0500
From:      Jason Hellenthal <jhell@DataIX.net>
To:        ian ivy <sidetripping@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Starting X11 with kernel secure level greater than -1/0.
Message-ID:  <20111117072023.GA94228@DataIX.net>
In-Reply-To: <CAASvXNst0PXOjBjerx5wK5Qyf4AipQBbqt9Xxhx7-2FDYBdi7w@mail.gmail.com>
References:  <CAASvXNst0PXOjBjerx5wK5Qyf4AipQBbqt9Xxhx7-2FDYBdi7w@mail.gmail.com>

If it is your objective to run an X server on your display then it would probably suit you best to use MAC rather than securelevel. Opening /dev/(mem,kmem,io) is a security vulnerability in itself which nearly scratches any usefulness of securelevel. In short form, what you think you are doing and what you are actually doing are two very different things.

See:
mac_seeotheruids
mac_bsdextended [ugidfw(8)]
mac_partition

And there are some sysctl values you can tune to not display as much information as well. Also don't forget to compile a kernel without BPF. ;)

On Wed, Nov 16, 2011 at 02:22:55PM +0100, ian ivy wrote:
> Hi, is there any chance (if yes, how to do this?) to use the xf86
> driver which "provides access to the memory and I/O ports of a
> VGA board and to the PCI configuration registers for use by
> the X servers when running with a kernel security level greater
> than 0" in FreeBSD*?
> 
> Then it will be possible to start X environment with a kernel
> secure level > 0, right? Normally it is impossible because of
> /dev/kmem etc. access. It is default solution in OpenBSD, I guess.
> 
> Hmm, I see, that there is not xf86 in /dev directory, but...
> I know, that there is already a couple of xf86 drivers (e.g.
> xf86-video-nv, xf86-video-intel or libXxf86vm etc).
> These drivers are not right/required/correct, right?
> 
> Of course I can change this level after system and X's start,
> but it is not the point. Is there any solution?
> 
> Best regards! Ian.
> 
> __________________
> * source: OpenBSD XF86(4) man page.
> http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4

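
Added example, not part of the original message: a small POSIX sh audit that reports the securelevel, the MAC modules listed in the reply, and a few information-exposure sysctls. The function names are hypothetical, the `security.bsd.*` sysctls are ones chosen here to illustrate "sysctl values you can tune", and the sample `sysctl`/`kldstat` output is constructed; modules compiled into the kernel do not appear as `.ko` lines and would be reported as not loaded.

```shell
#!/bin/sh
# Audit logic works on captured text so it can be exercised offline.
# On a live FreeBSD host, pass: "$(sysctl kern.securelevel security.bsd)" "$(kldstat)"

# Constructed sample data (not captured from a real system).
SAMPLE_SYSCTL='kern.securelevel: -1
security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 0
security.bsd.unprivileged_read_msgbuf: 1'
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1323388  kernel
 2    1 0xffffffff81a12000 2a8c     mac_seeotheruids.ko'

# sysctl_value NAME TEXT -> prints the value of NAME, or nothing if absent
sysctl_value() {
    printf '%s\n' "$2" | awk -F': ' -v k="$1" '$1 == k { print $2; exit }'
}

# missing_mac_modules KLDSTAT_TEXT -> modules from the reply's list with no .ko loaded
missing_mac_modules() {
    out=""
    for m in mac_seeotheruids mac_bsdextended mac_partition; do
        printf '%s\n' "$1" | grep -q "[[:space:]]$m\.ko\$" || out="$out${out:+ }$m"
    done
    printf '%s' "$out"
}

# audit SYSCTL_TEXT KLDSTAT_TEXT -> one finding per line
audit() {
    lvl=$(sysctl_value kern.securelevel "$1")
    [ "${lvl:--1}" -lt 1 ] && echo "kern.securelevel=$lvl (insecure mode)"
    for k in security.bsd.see_other_uids security.bsd.see_other_gids \
             security.bsd.unprivileged_read_msgbuf; do
        v=$(sysctl_value "$k" "$1")
        [ "$v" = 1 ] && echo "$k=1: information visible to unprivileged users"
    done
    miss=$(missing_mac_modules "$2")
    [ -n "$miss" ] && echo "MAC modules not loaded: $miss"
    return 0
}

audit "$SAMPLE_SYSCTL" "$SAMPLE_KLDSTAT"
```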
