Subject: Re: kern/35004: Could an MI aperture driver be added to the web site's list of contrib projects?
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org>
From: Pavel Cahyna <pavel@NetBSD.org>
List: netbsd-bugs
Date: 12/02/2006 00:00:04
The following reply was made to PR kern/35004; it has been noted by GNATS.
From: Pavel Cahyna <pavel@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/35004: Could an MI aperture driver be added to the web site's list of contrib projects?
Date: Sat, 2 Dec 2006 00:57:47 +0100
On Tue, Nov 07, 2006 at 03:10:01AM +0000, blair.sadewitz@gmail.com wrote:
> OpenBSD has a kernelized aperture to avoid having to run a suid X server
> on i386, amd64, cats, and other ports. While I am undoubtedly not
> qualified to write this (or port OpenBSD's driver, whichever is easier),
> perhaps someone else out there would like to take this up. While I
> realize that an aperture driver does not eliminate all security problems,
> it sure would be nice to be able to run securelevel 1 and X
> simultaneously. Thus, I propose that this be mentioned in
> www/contrib/projects.html.
There is an aperture driver, see
http://www.netbsd.org/Ports/i386/faq.html#x_needs_insecure_kernel
The fact that it is not in the base system is not an accident.
See
http://mail-index.netbsd.org/tech-kern/2006/11/09/0002.html
And I suspect that a recent change to disable access to I/O ports if
securelevel >= 1 broke X in securelevel 1 anyway.
I propose to close this PR.