Gentoo Hardening: Part 4: PaX, RBAC and ClamAV [Updated 2018]

Grsecurity and Xorg

If we enable the “Disable privileged I/O” feature in the hardened kernel and reboot, we can’t start X server. That’s because Xorg uses privileged I/O operations. We might receive an error like this:

# startx
xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)

If we would like to use Xorg, we must enable privileged I/O operations. That disables the “Disable privileged I/O” option in the hardened Linux kernel.

But if we want to have privileged I/O operations disabled, and use Xorg, we can apply a patch to the xorg-server, which can be obtained here. We can apply a custom patch in Gentoo by using the epatch_user function, which applies patches found in /etc/portage/patches/<category>/<package>[-<version>[-revision>]] to the source code of the package [8].

# mkdir -p /etc/portage/patches/x11-base/xorg-server
# cd /etc/portage/patches/x11-base/xorg-server
# wget <a href="https://raw.github.com/N8Fear/hvb-overlay/master/x11-base/xorg-server/files/xorg-nohwaccess.patch">https://raw.github.com/N8Fear/hvb-overlay/master/x11-base/xorg-server/files/xorg-nohwaccess.patch</a>
# emerge xorg-server

When we activate the xorg-server, the /etc/portage/patches/x11-base/xorg-server patch will automatically be applied. Notice the line “Applying user patches from /etc/portage/patches//x11-base/xorg-server?” The next lines say that the xorg-nohwaccess.patch was applied, which was exactly the patch we downloaded from Github.

&gt;&gt;&gt; Emerging (1 of 1) x11-base/xorg-server-1.13.4
* xorg-server-1.13.4.tar.bz2 SHA256 SHA512 WHIRLPOOL size 😉 ... [ ok ]
&gt;&gt;&gt; Unpacking source...
&gt;&gt;&gt; Unpacking xorg-server-1.13.4.tar.bz2 to /var/tmp/portage/x11-base/xorg-server-1.13.4/work
&gt;&gt;&gt; Source unpacked in /var/tmp/portage/x11-base/xorg-server-1.13.4/work
&gt;&gt;&gt; Preparing source in /var/tmp/portage/x11-base/xorg-server-1.13.4/work/xorg-server-1.13.4 ...
* Applying xorg-server-1.12-disable-acpi.patch ...
* Applying xorg-server-1.13-ia64-asm.patch ...
* Applying user patches from /etc/portage/patches//x11-base/xorg-server ...
* xorg-nohwaccess.patch ...
* Done with patching

After reactivating the system, we can rebuild the kernel and enable the “Disable privileged I/O” option. Then copy the newly built kernel to the /boot partition and restart the system. Xorg should then start without problems.

PaX Internals

When (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Dejan Lukan. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/0Q7d9aURmY4/