Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*?

Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible because of /dev/kmem etc. access. It is default solution in OpenBSD, I guess.

Hmm, I see, that there is not xf86 in /dev directory, but... I know, that there is already a couple of xf86 drivers (e.g. xf86-video-nv, xf86-video-intel or libXxf86vm etc). These drivers are not right/required/correct, right?

Of course I can change this level after system and X's start, but it is not the point. Is there any solution?

Best regards! Ian.

__________________
* source: OpenBSD XF86(4) man page. http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4

Jason Hellenthal
2011-Nov-17 07:48 UTC
Starting X11 with kernel secure level greater than -1/0.
If it is your objective to run an X server on your display then it would probably suit you best to use MAC rather than securelevel. Opening /dev/(mem,kmem,io) is a security vulnerability in itself which nearly scratches any usefulness of securelevel.

In short form, what you think you are doing and what you are actually doing are two very different things.

See:
  mac_seeotheruids
  mac_bsdextended [ugidfw(8)]
  mac_partition

And there are some sysctl values you can tune to not display as much information as well.

Also don't forget to compile a kernel without BPF. ;)

On Wed, Nov 16, 2011 at 02:22:55PM +0100, ian ivy wrote:
> Hi, is there any chance (if yes, how to do this?) to use the xf86
> driver which "provides access to the memory and I/O ports of a
> VGA board and to the PCI configuration registers for use by
> the X servers when running with a kernel security level greater
> than 0" in FreeBSD*?
>
> Then it will be possible to start X environment with a kernel
> secure level > 0, right? Normally it is impossible because of
> /dev/kmem etc. access. It is default solution in OpenBSD, I guess.
>
> Hmm, I see, that there is not xf86 in /dev directory, but...
> I know, that there is already a couple of xf86 drivers (e.g.
> xf86-video-nv, xf86-video-intel or libXxf86vm etc).
> These drivers are not right/required/correct, right?
>
> Of course I can change this level after system and X's start,
> but it is not the point. Is there any solution?
>
> Best regards! Ian.
>
> __________________
> * source: OpenBSD XF86(4) man page.
> http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4