Subject: Re: Integrate aperture driver?
To: Andrew Brown <atatat@atatdot.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-i386
Date: 06/13/2001 17:18:02
On Wed, Jun 13, 2001 at 04:55:23PM -0400, Andrew Brown wrote:
>
> >The aperture driver's limiting the number of open()s to 1 does zero good
> >whatsoever towards this end; you can just kill the X server that's got
> >the aperture device open, do your dirty work, and go home.
>
> yes, but i consider the x server a necessary evil. for me. on my
> machines that are not server. sort of a smaller insect compared to
> the idea of running with "options INSECURE" which is a large insect.
> aim for the lesser of two weevils.
I think you fail to understand. The inability to write to arbitrary
memory is essentially the keystone of the entire securelevel model. The
aperture driver makes it so that arbitrary memory can be written. You
might have to kill the X server first, but so what? You can do so, and
then write to arbitrary memory. Once you can go that, you can just
change the value of the "securelevel" global inside the kernel (trivial
to do) and do anything you like. In other words, you might as well run
with "options INSECURE" as use the aperture driver, because there's no
real difference at all.
--
Thor Lancelot Simon tls@rek.tjls.com
And now he couldn't remember when this passion had flown, leaving him so
foolish and bewildered and astray: can any man?
William Styron