because it can load kernel modules?
or because it can bypass the iommu?
It has iopl, firmware loading, ioperm, raw disk I/O, mknod, module loading
etc etc..
the point of the /dev/mem restrictions is to not allow things you
know
you don't need, while still allowing X to function where it can access
the crap it does. Now in Bernhard's case he DOES need them, so he
shouldn't use the restrictions.
I know what the point is, but it doesn't actually implement any
meaningful restriction to achieve that result, so it is worthless junk.
> There are proper ways to deal with X, modern video cards and
modern
> security models. They involve using framebuffer mappings off the PCI
> device node itself and DRI.
>
when X has this for all hw that matters /dev/mem could go away for the
people who then no longer have any need for it.
Why should it go away ? It's a matter of file permissions and security
rules as to who can access it. Trying to make it go away is just more
fake-security crap.
Alan