gabriel rosenkoetter on Thu, 11 Oct 2001 15:24:27 -0400
On Thu, Oct 11, 2001 at 02:03:55PM -0400, Kevin Brosius wrote:
> Very few XFree86 drivers have access to DMA (and of the _one_ I can
> think of, it only does that on Linux.)

What did you really mean to say?

What you say is contradicted by http://www.xfree86.org/4.1.0/NetBSD7.html:

    By default NetBSD include the BSD 4.4 kernel security feature that
    disable access to the /dev/mem device when in multi-users mode. But
    XFree86 servers can take advantage (or require) linear access to the
    display memory.

    Most XFree86 4.1.0 card drivers require linear memory access.

    There are two ways to allow XFree86 to access linear memory:

    The first way is to disable the kernel security feature by adding
    ``option INSECURE'' in the kernel configuration file and build a new
    kernel.

It's most obvious in NetBSD merely as a result of any (secure) 4.4 BSD
kernel's securelevel feature. It is necessary to leave the kernel in
securelevel 0 (linear access to memory in order to get blit images to
the graphic card's DMA quickly, so not *precisely* what I said, but the
point is the same) in order for XF86 to work.

They go on to suggest that the other option is to use their aperture
driver (a kernel module) which allows only one process to have linear
memory access at a time, but this is tantamount to the same thing as a
userland process can take over the console extremely easily, relative to
how easily it can get kernel-level access to memory when the kernel is
at securelevel 1 (it's impossible to do so without finding a buffer
overflow in a syscall exported by the kernel, and it'd be pretty damn
hard even then). And don't even get me started on how I feel about
adding third-party LKMs to my kernel as a "security measure".

It should be noted that it is *not* necessary to open this security hole
in order to run X11R6. None of the Xmac68k, Xsparc[64], Xsgimips, and
Xmacppc servers (all internally developed for NetBSD) need this.
The fact that Linux doesn't have securelevels doesn't mean it doesn't
have this problem; it means there's no way for it *not* to have this
problem. Linear access to memory from userland (which *includes* root)
is bad, the reasons for which I hope are obvious. (Think about unlocked
private keys, in-transit IPSec sessions, do I need to go on?)

--
~ g r @ eclipsed.net
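A defender's check for the weak setting the XFree86 notes recommend, added here and not part of the post or of NetBSD's own tooling: a POSIX shell script that audits a NetBSD kernel config file for `options INSECURE` and reports the running securelevel. The config syntax it parses, the sample files, and the `kern.securelevel` sysctl name are my assumptions, not from the post.

```shell
#!/bin/sh
# Audit a NetBSD kernel configuration for the "options INSECURE" line that
# the XFree86 notes quoted above tell users to add. Assumed (not from the
# post): standard config syntax where "#" starts a comment and the option
# may be written as INSECURE or "INSECURE"; the sysctl name
# kern.securelevel is also assumed.

# Exit 0 if the file enables INSECURE (the weak setting), 1 otherwise.
kernel_config_is_insecure() {
    sed 's/#.*$//' "$1" |
        grep -Eq '^[[:space:]]*options[[:space:]]+"?INSECURE"?([[:space:]]|$)'
}

# Print a verdict for one config file; exit status mirrors the check.
audit_kernel_config() {
    if kernel_config_is_insecure "$1"; then
        echo "WEAK: $1 sets options INSECURE (kernel stays at securelevel 0; /dev/mem open to userland)"
        return 1
    fi
    echo "OK: $1 leaves INSECURE unset"
    return 0
}

# Report the live securelevel where the NetBSD-style sysctl exists.
report_securelevel() {
    if lvl=$(sysctl -n kern.securelevel 2>/dev/null); then
        echo "running kern.securelevel = $lvl"
    else
        echo "kern.securelevel not available on this host"
    fi
}

# Constructed sample configs so the audit runs anywhere (not real NetBSD files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/WEAK" <<'EOF'
include "arch/i386/conf/GENERIC"
options         INSECURE        # let XFree86 map the frame buffer
EOF
cat >"$tmp/QUOTED" <<'EOF'
options         "INSECURE"
EOF
cat >"$tmp/HARDENED" <<'EOF'
include "arch/i386/conf/GENERIC"
#options        INSECURE        # left off: keep securelevel >= 1
options         INSECURE_LOOKALIKE   # constructed lookalike, not a real option
EOF

# A nonzero status flags a weak file; "|| :" keeps the loop going regardless.
for f in WEAK QUOTED HARDENED; do audit_kernel_config "$tmp/$f" || :; done
report_securelevel
```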