Starting X11 with kernel secure level greater than -1/0.

Jason Hellenthal jhell at DataIX.net
Thu Nov 17 07:48:00 UTC 2011


If it is your objective to run an X server on your display then it would probably suit you best to use MAC rather than securelevel. Opening /dev/(mem,kmem,io) is a security vulnerability in itself which nearly scratches any usefulness of securelevel. In short form, what you think you are doing and what you are actually doing are two very different things.

See:
mac_seeotheruids
mac_bsdextended [ugidfw(8)]
mac_partition

And there are some sysctl values you can tune to not display as much information as well. Also don't forget to compile a kernel without BPF. ;)

On Wed, Nov 16, 2011 at 02:22:55PM +0100, ian ivy wrote:
> Hi, is there any chance (if yes, how to do this?) to use the xf86
> driver which "provides access to the memory and I/O ports of a
> VGA board and to the PCI configuration registers for use by
> the X servers when running with a kernel security level greater
> than 0" in FreeBSD*?
> 
> Then it will be possible to start X environment with a kernel
> secure level > 0, right? Normally it is impossible because of
> /dev/kmem etc. access. It is default solution in OpenBSD, I guess.
> 
> Hmm, I see, that there is not xf86 in /dev directory, but...
> I know, that there is already a couple of xf86 drivers (e.g.
> xf86-video-nv, xf86-video-intel or libXxf86vm etc).
> These drivers are not right/required/correct, right?
> 
> Of course I can change this level after system and X's start,
> but it is not the point. Is there any solution?
> 
> Best regards! Ian.
> 
> __________________
> * source: OpenBSD XF86(4) man page.
> http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4
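Added example, not part of the original message: a shell check for the settings the reply names, fed with `sysctl` output in its default "name: value" form. The security.bsd.* names are an assumption about which sysctl values were meant (the reply does not list them), and the sample input is constructed.

```shell
#!/bin/sh
# Audit the hardening knobs named in the reply: the three MAC policy modules,
# a few information-hiding sysctls, and the absence of BPF.

# knob=wanted value. The security.bsd.* entries are this example's assumption;
# the reply only says "some sysctl values".
WANTED='security.mac.seeotheruids.enabled=1
security.mac.bsdextended.enabled=1
security.mac.partition.enabled=1
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0'

# Reads `sysctl` output on stdin, prints one finding per line,
# returns 0 only when every knob has the wanted value.
audit_knobs() {
    input=$(cat)
    rc=0
    for pair in $WANTED; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(printf '%s\n' "$input" |
            awk -F': ' -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            # A MAC module that is not loaded has no sysctl node at all.
            echo "MISSING $name"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WEAK $name=$have want=$want"; rc=1
        fi
    done
    return $rc
}

# A kernel built without "device bpf" has no bpf node in /dev.
# The directory argument exists only so the check can be tried elsewhere.
bpf_present() { [ -e "${1:-/dev}/bpf" ]; }

# Constructed sample: mac_partition not loaded, two sysctls left at defaults.
SAMPLE='security.mac.seeotheruids.enabled: 1
security.mac.bsdextended.enabled: 1
security.bsd.see_other_uids: 0
security.bsd.see_other_gids: 1
security.bsd.unprivileged_read_msgbuf: 1'

printf '%s\n' "$SAMPLE" | audit_knobs || true
```

On a live system the input would come from running sysctl with the same names as arguments, and `bpf_present` is called with no argument.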

