Date: Sat, 23 Apr 2011 22:50:23 +0400
From: Michael Tokarev <mjt@....msk.ru>
To: owl-dev@...ts.openwall.com
Subject: Re: GSoC: overview of grsecurity and -ow patches

Just a quick note, maybe only somewhat related to the whole message.

23.04.2011 18:25, Vasiliy Kulikov wrote:
[]
> GRKERNSEC_KMEM [-]
> 	"Deny writing to /dev/kmem, /dev/mem, and /dev/port"
> GRKERNSEC_IO [-]
> 	"Disable privileged I/O"
> 
>     These look like a securelevel, which is not native in Linux.
>     /dev/kmem is already configurable via CONFIG_DEVKMEM.  X Server wants
>     ioperm anyway, and they are already limited in containers.

The X server is very different nowadays: it does not program hardware
directly, only the kernel component does that (KMS, aka kernel mode setting).
For major graphics cards (nvidia, radeon and intel) UMS (user mode
setting) is not supported anymore; it is only supported for old
obsolete graphics for which no KMS driver is written.

Basically, with KMS, the X server does not need any additional privileges.

But in the 2.6.32 kernel, graphics support is still too limited to
be useful for real X usage - for modern cards anyway.

JFYI.

/mjt
