Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 23, 2013
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
An ancient kernel hole is closed
Posted Aug 18, 2010 23:12 UTC (Wed) by arjan (subscriber, #36785)
ask your own distro why they don't do this yet I suppose...
Posted Aug 18, 2010 23:32 UTC (Wed) by cesarb (subscriber, #6266)
I wonder which restrictions xserver_t has on selinux. If it is restricted enough, it is possible that, even if you can inject code on Xorg running as root, you cannot do much without having to first do DMA tricks to break out of it.
It might be an interesting exercise to make Xorg drop even more permissions (by changing for instance to a xserver_kms_t which cannot touch the hardware) when kernel modesetting is enabled (while keeping the ability to run without kernel modesetting by simply not dropping the extra permissions).
Posted Aug 19, 2010 0:12 UTC (Thu) by HelloWorld (guest, #56129)
Posted Aug 19, 2010 8:45 UTC (Thu) by epa (subscriber, #39769)
Posted Aug 19, 2010 22:26 UTC (Thu) by nix (subscriber, #2304)
Posted Aug 20, 2010 0:11 UTC (Fri) by cmccabe (guest, #60281)
OpenBSD uses privilege separation in its port of X.org.
I wonder if, with kernel modesetting, a totally non-root X.org will ever be possible. Or an selinux-sandboxed one, for that matter.
Posted Aug 20, 2010 1:30 UTC (Fri) by drag (subscriber, #31333)
It's certainly and absolutely possible.
But it probably breaks most closed source drivers so development is going to continue to be painfully slow.
There are probably a lots of problems with it, like was mentioned above with input devices, but it's absolutely possible that at some time we can have a non-root-privileged X. But people do have it working in a more-or-less fashion.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds