Date: Thu, 17 Nov 2011 02:20:23 -0500
From: Jason Hellenthal <jhell@DataIX.net>
To: ian ivy <sidetripping@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Starting X11 with kernel secure level greater than -1/0.
Message-ID: <20111117072023.GA94228@DataIX.net>
In-Reply-To: <CAASvXNst0PXOjBjerx5wK5Qyf4AipQBbqt9Xxhx7-2FDYBdi7w@mail.gmail.com>
References: <CAASvXNst0PXOjBjerx5wK5Qyf4AipQBbqt9Xxhx7-2FDYBdi7w@mail.gmail.com>

If it is your objective to run an X server on your display then it would
probably suit you best to use MAC rather than securelevel. Opening
/dev/(mem,kmem,io) is a security vulnerability in itself which nearly
scratches any usefulness of securelevel. In short form, what you think you
are doing and what you are actually doing are two very different things.

See:
mac_seeotheruids
mac_bsdextended [ugidfw(8)]
mac_partition

And there are some sysctl values you can tune to not display as much
information as well.

Also don't forget to compile a kernel without BPF. ;)

On Wed, Nov 16, 2011 at 02:22:55PM +0100, ian ivy wrote:
> Hi, is there any chance (if yes, how to do this?) to use the xf86
> driver which "provides access to the memory and I/O ports of a
> VGA board and to the PCI configuration registers for use by
> the X servers when running with a kernel security level greater
> than 0" in FreeBSD*?
>
> Then it will be possible to start X environment with a kernel
> secure level > 0, right? Normally it is impossible because of
> /dev/kmem etc. access. It is default solution in OpenBSD, I guess.
>
> Hmm, I see, that there is not xf86 in /dev directory, but...
> I know, that there is already a couple of xf86 drivers (e.g.
> xf86-video-nv, xf86-video-intel or libXxf86vm etc).
> These drivers are not right/required/correct, right?
>
> Of course I can change this level after system and X's start,
> but it is not the point. Is there any solution?
>
> Best regards! Ian.
>
> __________________
> * source: OpenBSD XF86(4) man page.
> http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111117072023.GA94228>
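
A configuration sketch for the approach suggested in the reply above, added here as an example and not part of the original message. The module names come from the message; the specific sysctl knobs and the kernel config name NOBPF are assumptions chosen for illustration, since the message does not name them.

```conf
# --- /boot/loader.conf ---------------------------------------------
# Load the three MAC policy modules named in the reply at boot.
mac_seeotheruids_load="YES"   # hide processes/sockets of other uids
mac_bsdextended_load="YES"    # file system firewall, rules via ugidfw(8)
mac_partition_load="YES"      # process partitions, labels via setpmac(8)

# --- /etc/sysctl.conf ----------------------------------------------
# Knobs that reduce what unprivileged users can observe (assumed to be
# the kind of values the reply refers to; it does not list them).
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0

# Policy switches exposed once the MAC modules are loaded.
security.mac.seeotheruids.enabled=1
security.mac.bsdextended.enabled=1

# --- custom kernel config (hypothetical name: NOBPF) ---------------
# Start from GENERIC and drop the Berkeley Packet Filter device.
# dhclient(8) depends on bpf, so this suits statically addressed hosts.
include GENERIC
ident   NOBPF
nodevice bpf
```

mac_bsdextended enforces nothing until rules are added with ugidfw(8), and mac_partition only separates processes that have been given a partition label with setpmac(8).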