Subject: Re: some questions
To: None <port-xen@netbsd.org, port-i386@netbsd.org,>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: port-i386
Date: 01/07/2006 23:09:35
On Sat, Jan 07, 2006 at 03:06:47PM -0500, Thor Lancelot Simon wrote:
> On Sat, Jan 07, 2006 at 08:39:45PM +0100, Pavel Cahyna wrote:
> > On Sat, Jan 07, 2006 at 02:18:12PM -0500, Thor Lancelot Simon wrote:
> > > On Sat, Jan 07, 2006 at 11:54:55AM +0100, Manuel Bouyer wrote:
> > > > int
> > > > i386_iopl(l, args, retval)
> > > > {
> > > > [...]
> > > > 	if (securelevel > 1)
> > > 
> > > Securelevel > 1?  That test should be securelevel >= 1.  It's a serious
> > > bug if it's not.
> > 
> > Without it, the "aperture" driver won't be useful at securelevel 1 (at
> > least if X needs access to I/O space, which it probably does). Since the
> > aperture driver has existed for a long time, I would call it a known feature.
> 
> We don't ship the aperture driver -- for good reason, it exists primarily
> to give users a false sense of security -- so it's certainly not "a known
> feature" _of NetBSD_.

I don't claim that the aperture driver is a feature _of NetBSD_. But the
ability to run such a driver can be considered a feature of NetBSD, and a
known one, because the driver is maintained by NetBSD developers and its
usage is suggested by the official web pages
(http://www.netbsd.org/Ports/i386/faq.html#x_needs_insecure_kernel).

As the aperture driver won't be useful without allowing i386_iopl at
securelevel 1, I would consider this a known feature, too. (Or a known
bug, if you prefer.) Isn't it unlikely that this connection would have
stayed unnoticed?

(Yes, I'm aware of the "false sense of security" that you correctly
point out.)

Pavel Cahyna