From: Jason Hellenthal
To: ian ivy
Cc: freebsd-security@freebsd.org
Date: Thu, 17 Nov 2011 02:20:23 -0500
Subject: Re: Starting X11 with kernel secure level greater than -1/0.
Message-ID: <20111117072023.GA94228@DataIX.net>

If it is your objective to run an X server on your display then it would probably suit you best to use MAC rather than securelevel. Opening /dev/(mem,kmem,io) is a security vulnerability in itself which nearly scratches any usefulness of securelevel. In short form, what you think you are doing and what you are actually doing are two very different things.

See:

mac_seeotheruids
mac_bsdextended [ugidfw(8)]
mac_partition

And there are some sysctl values you can tune to not display as much information as well.

Also don't forget to compile a kernel without BPF. ;)

On Wed, Nov 16, 2011 at 02:22:55PM +0100, ian ivy wrote:
> Hi, is there any chance (if yes, how to do this?) to use the xf86
> driver which "provides access to the memory and I/O ports of a
> VGA board and to the PCI configuration registers for use by
> the X servers when running with a kernel security level greater
> than 0" in FreeBSD*?
>
> Then it will be possible to start the X environment with a kernel
> secure level > 0, right? Normally it is impossible because of
> /dev/kmem etc. access. It is the default solution in OpenBSD, I guess.
>
> Hmm, I see that there is no xf86 in the /dev directory, but...
> I know that there are already a couple of xf86 drivers (e.g.
> xf86-video-nv, xf86-video-intel or libXxf86vm etc.).
> These drivers are not right/required/correct, right?
>
> Of course I can change this level after the system and X start,
> but that is not the point. Is there any solution?
>
> Best regards! Ian.
>
> __________________
> * source: OpenBSD XF86(4) man page.
> http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4
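An added example, not code from the thread or from FreeBSD itself, showing how the three MAC modules Jason names (mac_seeotheruids, mac_bsdextended via ugidfw(8), mac_partition) and the information-hiding sysctls are wired up, so that MAC policy rather than securelevel confines an X session. It assumes (constructed) that the X session runs as a single unprivileged user whose uid is passed in (1001 below), and it writes the files under a caller-supplied root so the result can be previewed in a scratch directory before touching the live system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeBSD tree).
# Generates the MAC configuration for confining an X session without
# relying on securelevel: mac_seeotheruids, mac_bsdextended/ugidfw(8),
# mac_partition and a few security.bsd.* sysctls.
# Constructed assumptions: one unprivileged X user (uid given as $2, 1001
# by default); all files are written below $1 so a preview can be made
# in a scratch directory.

# /boot/loader.conf.local: load the three policy modules at boot.
loader_conf() {
    cat <<'EOF'
mac_seeotheruids_load="YES"
mac_bsdextended_load="YES"
mac_partition_load="YES"
EOF
}

# /etc/sysctl.conf.local: hide other users' processes and the kernel
# message buffer from unprivileged users, stop them debugging processes
# they do not own, and switch the loaded policies on.
sysctl_conf() {
    cat <<'EOF'
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.mac.seeotheruids.enabled=1
security.mac.partition.enabled=1
EOF
}

# /etc/rc.conf.local: have rc(8) load the ugidfw rules at boot.
rc_conf() {
    cat <<'EOF'
ugidfw_enable="YES"
bsdextended_script="/etc/rc.bsdextended"
EOF
}

# /etc/rc.bsdextended: ugidfw(8) rules, evaluated first-match, so order matters.
#   1. root keeps full access to the X user's objects (must come first);
#   2. the X user keeps full access to its own objects;
#   3. every other subject is denied (mode n) on the X user's objects.
rc_bsdextended() {
    xuid=$1
    printf 'ugidfw add subject uid 0 object uid %s mode arswx\n' "$xuid"
    printf 'ugidfw add subject uid %s object uid %s mode arswx\n' "$xuid" "$xuid"
    printf 'ugidfw add subject not uid %s object uid %s mode n\n' "$xuid" "$xuid"
}

# Write the four files below $1 for X user uid $2. Returns non-zero on failure.
install_policy() {
    root=$1
    xuid=$2
    mkdir -p "$root/boot" "$root/etc" || return 1
    loader_conf > "$root/boot/loader.conf.local" || return 1
    sysctl_conf > "$root/etc/sysctl.conf.local" || return 1
    rc_conf > "$root/etc/rc.conf.local" || return 1
    rc_bsdextended "$xuid" > "$root/etc/rc.bsdextended" || return 1
}

# Preview into a scratch directory when run directly:
#   sh mac_x11.sh /tmp/preview 1001
if [ -n "${1-}" ]; then
    install_policy "$1" "${2:-1001}" && find "$1" -type f
fi
```

Run it against a scratch directory first and inspect the generated files; on the target system, `ugidfw list` shows the rules as loaded and `sysctl security.mac` confirms the policies are enabled. The partition policy only takes effect once the X user's login is placed in a partition (setpmac(8) or a login.conf label), which this generator does not do, and the ugidfw rules are a starting point: add a rule for any shared path the X server must write before the deny rule if your session needs it.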