Bug 456220

Created attachment 338352 [details, diff]
Permit Xorg to function without iopl system call

The X server will normally exit with a fatal error during startup if the priveleged system calls sys_iopl and/or sys_ioperm are not available, even when they aren't needed. This effectively forces users to relax security policy beyond what should be necessary to run an X-based graphical environment.

This is of particularly relevence -- but by no means limited -- to the Gentoo Hardened project, because most users of Grsecurity/PAX kernels have had to disable an important security option in order to run a graphical X environment: i.e., "Disable privileged I/O" in Kconfig (kernel symbol CONFIG_GRKERNSEC_IO) This should no longer be necessary for most users (at least not for those using KMS).  The behavior was fixed by a patch written by Adam Jackson of RedHat, which I found on the Xorg development list.

Please see the following thread for a summary:
http://lists.x.org/archives/xorg-devel/2012-June/031978.html

It's a 3-part patch.  I merged them into a single patch and attached it to the bug report.  The patches can also be found in the author's git tree here:
http://cgit.freedesktop.org/~ajax/xserver/log/?h=ioperm

I don't what the current upstream status is, but as of =x11-base/xorg-server-1.13.2 (the most recent non-masked version in portage), the changes haven't been merged.  The patch applies cleanly to x11-base/xorg-server-1.13.2, and as an example, I'm now able to run X with the Intel integrated graphics driver with sys_iopl and sys_ioperm disabled with no ill-effect.

Hopefully it will get merged upstream soon.  Until then Gentoo may wish to consider carrying this patch. The change has no effect on users unaffected by the issue; i.e., it need not depend on "hardened".

Perhaps some of the hardened devs would like to chime in.