Bug 456220 - x11-base/xorg-server on hardened - X exits fatally upon failure to enable sys_iopl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo X packagers
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2013-02-08 20:29 UTC by Dave Armstrong
Modified: 2013-11-26 21:38 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Permit Xorg to function without iopl system call (01-iopl-nonfatal.patch, 8.00 KB, patch)
2013-02-08 20:29 UTC, Dave Armstrong

Description Dave Armstrong 2013-02-08 20:29:10 UTC
Created attachment 338352
Permit Xorg to function without iopl system call

The X server will normally exit with a fatal error during startup if the privileged system calls sys_iopl and/or sys_ioperm are not available, even when they aren't needed. This effectively forces users to relax security policy beyond what should be necessary to run an X-based graphical environment.

This is of particular relevance -- but by no means limited -- to the Gentoo Hardened project, because most users of Grsecurity/PAX kernels have had to disable an important security option in order to run a graphical X environment: i.e., "Disable privileged I/O" in Kconfig (kernel symbol CONFIG_GRKERNSEC_IO). This should no longer be necessary for most users (at least not for those using KMS).  The behavior was fixed by a patch written by Adam Jackson of RedHat, which I found on the Xorg development list.

Please see the following thread for a summary:
http://lists.x.org/archives/xorg-devel/2012-June/031978.html

It's a 3-part patch.  I merged them into a single patch and attached it to the bug report.  The patches can also be found in the author's git tree here:
http://cgit.freedesktop.org/~ajax/xserver/log/?h=ioperm

I don't know what the current upstream status is, but as of =x11-base/xorg-server-1.13.2 (the most recent non-masked version in portage), the changes haven't been merged.  The patch applies cleanly to x11-base/xorg-server-1.13.2, and as an example, I'm now able to run X with the Intel integrated graphics driver with sys_iopl and sys_ioperm disabled with no ill effect.

Hopefully it will get merged upstream soon.  Until then Gentoo may wish to consider carrying this patch. The change has no effect on users unaffected by the issue; i.e., it need not depend on "hardened".

Perhaps some of the hardened devs would like to chime in.
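The startup behaviour the report describes, as an added illustration written for this page (it is not the attached patch, the reporter's code, or xorg-server's own code): probe whether the privileged I/O level can be raised, classify the errno a refusal returns, and treat the refusal as fatal only when the driver actually needs port I/O, which is what lets a KMS-only setup run with "Disable privileged I/O" left enabled. The enum and function names (PIO_*, probe_privileged_io, pio_failure_is_fatal) are assumptions of the example; it issues the raw iopl system call through syscall(2) and reports ENOSYS on architectures where the call does not exist.

```c
/*
 * Added example (not from the xorg-server patch or the bug report): probe
 * privileged I/O at startup and report the result instead of aborting, so a
 * denied iopl() is fatal only for a driver that really needs port I/O.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Outcome of a privileged I/O probe (names are this example's, not X.Org's). */
enum pio_state {
    PIO_AVAILABLE,    /* iopl() succeeded: port I/O may be used */
    PIO_DENIED,       /* kernel refused, e.g. EPERM from missing CAP_SYS_RAWIO
                         or from a kernel that disables privileged I/O */
    PIO_UNSUPPORTED   /* the system call does not exist here (ENOSYS) */
};

/* Map the errno of a failed iopl() call to a probe outcome. */
enum pio_state pio_state_from_errno(int err)
{
    if (err == 0)
        return PIO_AVAILABLE;
    if (err == ENOSYS)
        return PIO_UNSUPPORTED;
    return PIO_DENIED;   /* EPERM and anything else: do not use port I/O */
}

/* Policy: a failed probe is fatal only when the driver needs port I/O. */
int pio_failure_is_fatal(enum pio_state st, int needs_port_io)
{
    if (st == PIO_AVAILABLE)
        return 0;
    return needs_port_io ? 1 : 0;
}

/* Ask for I/O privilege level 3 (what the X server requests) and report
 * the outcome; *err_out receives errno on failure and 0 on success. */
enum pio_state probe_privileged_io(int *err_out)
{
    long rc;
#if defined(SYS_iopl)
    rc = syscall(SYS_iopl, 3);
#else
    errno = ENOSYS;   /* e.g. non-x86: iopl does not exist */
    rc = -1;
#endif
    if (rc == 0) {
#if defined(SYS_iopl)
        syscall(SYS_iopl, 0);   /* the probe only needs the answer: drop it again */
#endif
        *err_out = 0;
        return PIO_AVAILABLE;
    }
    *err_out = errno;
    return pio_state_from_errno(errno);
}

int main(void)
{
    int err = 0;
    enum pio_state st = probe_privileged_io(&err);
    const char *label = st == PIO_AVAILABLE ? "available" :
                        st == PIO_DENIED ? "denied" : "unsupported";

    printf("privileged I/O: %s", label);
    if (st != PIO_AVAILABLE)
        printf(" (%s)", strerror(err));
    printf("\n");
    /* A KMS-only driver does no port I/O, so a refusal must not end startup. */
    printf("fatal for a KMS-only driver: %d\n", pio_failure_is_fatal(st, 0));
    printf("fatal for a driver that needs port I/O: %d\n", pio_failure_is_fatal(st, 1));
    return 0;
}
```

Run it as an unprivileged user, or on a kernel with privileged I/O disabled, and the probe reports "denied" while the KMS-only decision stays non-fatal; the program itself never exits on the refusal, which is the property the report asks the X server to have.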
Comment 1 Frédéric Barthelery 2013-09-12 14:35:13 UTC
In >=x11-base/xorg-server-1.14.1, this patch seems to be merged by upstream
Comment 2 Magnus Granberg gentoo-dev 2013-11-23 22:13:05 UTC
(In reply to Frédéric Barthelery from comment #1)
> In >=x11-base/xorg-server-1.14.1, this patch seems to be merged by upstream
Then we can close this?