
Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2018]
Grsecurity and Xorg
If we enable the “Disable privileged I/O” feature in the hardened kernel and reboot, we can’t start the X server. That’s because Xorg uses privileged I/O operations. We might receive an error like this:
# startx
xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)
If we want to use Xorg, we must allow privileged I/O operations, which means disabling the “Disable privileged I/O” option in the hardened Linux kernel.
But if we want to keep privileged I/O operations disabled and still use Xorg, we can apply a patch to xorg-server, which can be obtained here. In Gentoo, custom patches are applied through the epatch_user function, which applies any patches found in /etc/portage/patches/<category>/<package>[-<version>[-<revision>]] to the source code of the package [8].
# mkdir -p /etc/portage/patches/x11-base/xorg-server
# cd /etc/portage/patches/x11-base/xorg-server
# wget https://raw.github.com/N8Fear/hvb-overlay/master/x11-base/xorg-server/files/xorg-nohwaccess.patch
# emerge xorg-server
When we emerge xorg-server, the patch placed in /etc/portage/patches/x11-base/xorg-server is applied automatically. Notice the line “Applying user patches from /etc/portage/patches//x11-base/xorg-server ...”. The next lines show that xorg-nohwaccess.patch was applied, which is exactly the patch we downloaded from GitHub.
>>> Emerging (1 of 1) x11-base/xorg-server-1.13.4
 * xorg-server-1.13.4.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking xorg-server-1.13.4.tar.bz2 to /var/tmp/portage/x11-base/xorg-server-1.13.4/work
>>> Source unpacked in /var/tmp/portage/x11-base/xorg-server-1.13.4/work
>>> Preparing source in /var/tmp/portage/x11-base/xorg-server-1.13.4/work/xorg-server-1.13.4 ...
 * Applying xorg-server-1.12-disable-acpi.patch ...
 * Applying xorg-server-1.13-ia64-asm.patch ...
 * Applying user patches from /etc/portage/patches//x11-base/xorg-server ...
 *   xorg-nohwaccess.patch ...
 * Done with patching
Once the patched xorg-server is installed, we can rebuild the kernel with the “Disable privileged I/O” option enabled, copy the newly built kernel to the /boot partition and reboot. Xorg should then start without problems.
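As an added example (not part of the original post, and not Gentoo's own eclass code), the following POSIX shell script reproduces the directory lookup order that epatch_user follows under /etc/portage/patches, so you can confirm which directory and which patch files a package build will pick up before running emerge, and dry-run them against an unpacked source tree. The PATCH_ROOT override and the function names are assumptions made here for testing.

```shell
#!/bin/sh
# Added example: mimic the epatch_user lookup for user patches.
# Assumptions: PATCH_ROOT overrides /etc/portage/patches (for testing),
# only *.patch files count, and paths contain no whitespace.

# Candidate directories, most specific first, in the order epatch_user
# checks them:
#   <category>/<package>-<version>-<revision>
#   <category>/<package>-<version>
#   <category>/<package>
# Usage: user_patch_dir_candidates <category> <package> <version> <revision>
user_patch_dir_candidates() {
    _root=${PATCH_ROOT:-/etc/portage/patches}
    printf '%s\n' \
        "$_root/$1/$2-$3-$4" \
        "$_root/$1/$2-$3" \
        "$_root/$1/$2"
}

# Print the first candidate directory that exists (the only one patches
# are taken from); return 1 if none exists.
find_user_patch_dir() {
    for d in $(user_patch_dir_candidates "$@"); do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# List the *.patch files in that directory in the order they will be
# applied (lexical, so a 0001-, 0002- prefix controls ordering).
list_user_patches() {
    d=$(find_user_patch_dir "$@") || return 1
    for f in "$d"/*.patch; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Dry-run every user patch against an unpacked source tree so a patch
# that no longer applies is caught before emerge gets halfway through.
# Usage: check_user_patches <srcdir> <category> <package> <version> <revision>
check_user_patches() {
    srcdir=$1; shift
    for p in $(list_user_patches "$@"); do
        patch --dry-run -p1 -d "$srcdir" -i "$p" >/dev/null || return 1
    done
}
```

For the xorg-server case above, `list_user_patches x11-base xorg-server 1.13.4 r0` prints the single xorg-nohwaccess.patch from the package-level directory, and creating an xorg-server-1.13.4 directory alongside it would take precedence.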
PaX Internals
When
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Dejan Lukan. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/0Q7d9aURmY4/