Created attachment 338352 [details, diff]
Permit Xorg to function without iopl system call
The X server will normally exit with a fatal error during startup if the priveleged system calls sys_iopl and/or sys_ioperm are not available, even when they aren't needed. This effectively forces users to relax security policy beyond what should be necessary to run an X-based graphical environment.
This is of particularly relevence -- but by no means limited -- to the Gentoo Hardened project, because most users of Grsecurity/PAX kernels have had to disable an important security option in order to run a graphical X environment: i.e., "Disable privileged I/O" in Kconfig (kernel symbol CONFIG_GRKERNSEC_IO) This should no longer be necessary for most users (at least not for those using KMS). The behavior was fixed by a patch written by Adam Jackson of RedHat, which I found on the Xorg development list.
Please see the following thread for a summary:
It's a 3-part patch. I merged them into a single patch and attached it to the bug report. The patches can also be found in the author's git tree here:
I don't what the current upstream status is, but as of =x11-base/xorg-server-1.13.2 (the most recent non-masked version in portage), the changes haven't been merged. The patch applies cleanly to x11-base/xorg-server-1.13.2, and as an example, I'm now able to run X with the Intel integrated graphics driver with sys_iopl and sys_ioperm disabled with no ill-effect.
Hopefully it will get merged upstream soon. Until then Gentoo may wish to consider carrying this patch. The change has no effect on users unaffected by the issue; i.e., it need not depend on "hardened".
Perhaps some of the hardened devs would like to chime in.
In >=x11-base/xorg-server-1.14.1, this patch seems to be merged by upstream
(In reply to Frédéric Barthelery from comment #1)
> In >=x11-base/xorg-server-1.14.1, this patch seems to be merged by upstream
Then we can close this?