> because it can load kernel modules?
> or because it can bypass the iommu?

It has iopl, firmware loading, ioperm, raw disk I/O, mknod, module loading etc etc..

> the point of the /dev/mem restrictions is to not allow things you know
> you don't need, while still allowing X to function where it can access
> the crap it does. Now in Bernhard's case he DOES need them, so he
> shouldn't use the restrictions.

I know what the point is, but it doesn't actually implement any meaningful restriction to achieve that result, so it is worthless junk.

> > There are proper ways to deal with X, modern video cards and modern
> > security models. They involve using framebuffer mappings off the PCI
> > device node itself and DRI.
> >
> when X has this for all hw that matters /dev/mem could go away for the
> people who then no longer have any need for it.

Why should it go away? It's a matter of file permissions and security rules as to who can access it. Trying to make it go away is just more fake-security crap.

Alan

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility