Subject: Re: kern/35004: Could an MI aperture driver be added to the web site's list of contrib projects?
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Pavel Cahyna <pavel@NetBSD.org>
List: netbsd-bugs
Date: 12/02/2006 00:00:04
The following reply was made to PR kern/35004; it has been noted by GNATS.

From: Pavel Cahyna <pavel@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/35004: Could an MI aperture driver be added to the web site's list of contrib projects?
Date: Sat, 2 Dec 2006 00:57:47 +0100

 On Tue, Nov 07, 2006 at 03:10:01AM +0000, blair.sadewitz@gmail.com wrote:
 > OpenBSD has a kernelized aperture to avoid having to run a suid X server
 > on i386, amd64, cats, and other ports.  While I am undoubtedly not
 > qualified to write this (or port OpenBSD's driver, whichever is easier),
 > perhaps someone else out there would like to take this up.  While I
 > realize that an aperture driver does not eliminate all security problems,
 > it sure would be nice to be able to run securelevel 1 and X
 > simultaneously.  Thus, I propose that this be mentioned in
 > www/contrib/projects.html.
 
 There is an aperture driver, see 
 http://www.netbsd.org/Ports/i386/faq.html#x_needs_insecure_kernel
 
 The fact that it is not in the base system is not an accident.
 See
 http://mail-index.netbsd.org/tech-kern/2006/11/09/0002.html
 And I suspect that a recent change to disable access to I/O ports if
 securelevel >= 1 broke X in securelevel 1 anyway.
 
 I propose to close this PR.