Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC

Bug 456220

Summary: x11-base/xorg-server on hardened - X exits fatally upon failure to enable sys_iopl
Product: Gentoo Linux Reporter: Dave Armstrong <dave0x01>
Component: Current packagesAssignee: Gentoo X packagers <x11>
Status: RESOLVED FIXED    
Severity: normal CC: alexander, creideiki+gentoo-bugzilla, da_risk, hardened, wbrana
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Permit Xorg to function without iopl system call

Description Dave Armstrong 2013-02-08 20:29:10 UTC
Created attachment 338352 [details, diff]
Permit Xorg to function without iopl system call

The X server will normally exit with a fatal error during startup if the priveleged system calls sys_iopl and/or sys_ioperm are not available, even when they aren't needed. This effectively forces users to relax security policy beyond what should be necessary to run an X-based graphical environment.

This is of particularly relevence -- but by no means limited -- to the Gentoo Hardened project, because most users of Grsecurity/PAX kernels have had to disable an important security option in order to run a graphical X environment: i.e., "Disable privileged I/O" in Kconfig (kernel symbol CONFIG_GRKERNSEC_IO) This should no longer be necessary for most users (at least not for those using KMS).  The behavior was fixed by a patch written by Adam Jackson of RedHat, which I found on the Xorg development list.

Please see the following thread for a summary:
http://lists.x.org/archives/xorg-devel/2012-June/031978.html

It's a 3-part patch.  I merged them into a single patch and attached it to the bug report.  The patches can also be found in the author's git tree here:
http://cgit.freedesktop.org/~ajax/xserver/log/?h=ioperm

I don't what the current upstream status is, but as of =x11-base/xorg-server-1.13.2 (the most recent non-masked version in portage), the changes haven't been merged.  The patch applies cleanly to x11-base/xorg-server-1.13.2, and as an example, I'm now able to run X with the Intel integrated graphics driver with sys_iopl and sys_ioperm disabled with no ill-effect.

Hopefully it will get merged upstream soon.  Until then Gentoo may wish to consider carrying this patch. The change has no effect on users unaffected by the issue; i.e., it need not depend on "hardened".

Perhaps some of the hardened devs would like to chime in.
Comment 1 Frédéric Barthelery 2013-09-12 14:35:13 UTC
In >=x11-base/xorg-server-1.14.1, this patch seems to be merged by upstream
Comment 2 Magnus Granberg gentoo-dev 2013-11-23 22:13:05 UTC
(In reply to Frédéric Barthelery from comment #1)
> In >=x11-base/xorg-server-1.14.1, this patch seems to be merged by upstream
Then we can close this?