At least now (AFAIK) with KMS ioperm/iopl is not required, only propietary drivers need them (and having them running is per se a security bug).<br><br>Since now with CONFIG_STRICT_DEVMEM enabled every process is unable to access to any RAM memory (if not video one and even with CAP_SYS_RAWIO) I think it&#39;s a bit more secure approach.<br>
<br>I think is not obfuscation is a less privilege approach, only those proccess that need it should get it granted<br>
<br>RBAC can permit you to switch which device can Xorg access even with CAP_SYS_RAWIO (for example permit it in /dev/mem to access video memory, but forbid it to /dev/sda as lilo would need for example), dropping privileges isn&#39;t so important because is supposed that (at least with rsbac and I think that grsec is like this) root is untrusted and by this reason it&#39;s fully controlled.<br>

<br>I think openBSD great lack comes from here, even with dropping, the part that do ioperm is fully privileged and because of this vulnerable or risky because in openbsd root can do everything it want (openbsd just only check for uids, and uid 0 in particular).<br>

<br>GRKERNSEC_IO in resume forbids the use of iopl/ioperm to any userland application even for those running with CAP_SYS_RAWIO granted, I don&#39;t know if grsec rbac can control it without this switch running (I have not seen nothing in the grsec documentation wiki). <br>
<br>RSBAC controls it with two requests (GET_STATUS_DATA (read) and MODIFY_STATUS_DATA (write) against  SCD_IOPORTS, xorg if uses KMS only requires access to SCD_VIDEOMEM and neither IOPORTS neither SCD_MEM (global RAM)<br>
<br>Some roles (a user or a binary marked as role) could have both granted, others roles only one, and other ones not.<br><br><br><br><br><br><br><br><br><br><div class="gmail_quote">2011/11/7 Kevin Chadwick <span dir="ltr">&lt;<a href="mailto:ma1l1ists@yahoo.co.uk" target="_blank">ma1l1ists@yahoo.co.uk</a>&gt;</span><br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I&#39;ve been using OpenBSD for a while now which has priv dropping X and<br>
the machdep.allowaperture=[0|1|2]. Theo has said firefox also<br>
annoyingly uses it&#39;s own memory management.<br>
<br>
I have a few questions about Grsec that I&#39;d love some input on as I am<br>
struggling to find the answers to them at the moment.<br>
<br>
I&#39;ve read on the Gentoo-hardened archive and grsec config help that the<br>
iopl and ioperm should be protected with rbac if priviledged I/O is<br>
allowed.<br>
<br>
So you can disable the RAW_IO capability to all and sacrifice xrestarts.<br>
But if X already has all priviledges then I guess your just adding a<br>
hurdle which is made a bit higher with grsec, so obfuscation really<br>
and not complete security. Is there anything else you can do or is that<br>
what is meant by &quot;You should use RBAC if you allow priviledged I/O&quot;?<br>
<br>
The gentoo-handbook says something like the question of selinux|rbac|<br>
rsbac is a controversial one. It seems rsbac is the most secure but<br>
more difficult to use and has less starter policies around. Gentoo<br>
seems to have selinux policies. Does selinux have any more to offer than<br>
rbac for protecting X?<br>
<br>
Does CONFIG_PAX_MPROTECT_COMPAT have any effect on firefox and did<br>
mozilla refuse to patch their sources with the if !jit patch?<br>
<br>
Thanks<br>
<font color="#888888"><br>
Kc<br>
<br>
</font></blockquote></div><br>