Gentoo Wiki





We will look at how to run proprietary applications (in userspace) using the security features of some kernel patches, and at virtual machines such as UML, coLinux and Xen. I will also explain why we won't look at, and can't cope with, kernel space.

Userspace vs kernel space

I will explain the differences between proprietary programs that run in userspace and those that run in kernel space, and why we should avoid the ones that run in kernel space.


Programming the kernel is difficult: if you touch certain parts such as the VFS you will get bugs elsewhere, and it is much more difficult to figure out where the bugs come from without the sources of the programs running in kernel mode. Then, if you don't have Free Software drivers, you depend entirely on the manufacturer. An example is ATI with its proprietary drivers: it is well known for lying to people, saying that it will fix this or include that, but one year later it hasn't; its drivers are poorly written and you can't do anything about it. An example of a (fixed, I think) bug is that you had to disable AGP in order to get correct sound from your sound card. Userspace programs can be badly written too, but that won't affect your system or the other programs running, and they can easily be replaced or avoided if necessary.

Full control of the computer

A driver running in kernel mode has full control of your computer, while userspace programs are subject to at least Unix permissions (other kinds of permissions are possible, such as SELinux, RSBAC, grsecurity and systrace-sources, and there are also other mechanisms such as BGCC and PaX) and to a kernel that prevents direct access to the hardware and to things such as the filesystem (access that would be useful to a rootkit).

Security concern

With userspace programs you can limit the damage when a program is compromised (Unix permissions; other kinds of permissions are possible, such as SELinux, RSBAC, grsecurity and systrace-sources; other mechanisms such as BGCC and PaX need recompilation). A proprietary, binary-only program is easy to compromise because it lacks generic protections such as PaX and BGCC, and also because it is very easy to find security bugs in it: it isn't audited by the community (bug reports, code audits...), so generic techniques such as fuzz testing or looking for logic or string bugs are easy to apply.

Dependence on binary compatibility

You will also depend on binary compatibility and, as said before, that prevents you from using the kinds of security mechanism that need recompilation (BGCC, PaX). Another example is the recent Xorg 7.1 release, which wasn't compatible with the previous release. Fortunately Nvidia and ATI recompiled their drivers for Xorg 7.1, but what if they hadn't, or what if Nvidia hadn't done this for old cards?

Dependence on OS

Other OSes such as FreeBSD and NetBSD use wrappers around the Linux proprietary drivers, but they need to make a wrapper for each driver and this causes some performance loss.
Other OSes such as OpenBSD, FreeBSD (NetBSD?) and OpenSolaris include some binary compatibility with Linux, so you can automatically run all the Linux proprietary programs you want, but with some performance loss. By the way, you don't need a fixed amount of RAM in order to do that.
Note also that some OSes such as OpenBSD don't include any proprietary driver, so you won't be able to run them with full capabilities.

Userspace programs

With this guide you will only be able to limit what a proprietary program can do (compromised or not); you won't be able to prevent attacks against it, and you won't be able to cope with the dependency upon the provider of the software unless you stop using it or choose to use other software.



Games are quite different from other programs because they need 3D acceleration. Most virtual machines can't provide 3D acceleration and, as for Xen, it's still in development, so games need to have access to the kernel. We can run them inside a chroot or use security mechanisms (SELinux, RSBAC, grsecurity, systrace-sources, etc.).
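
A chroot combined with Unix permissions only limits a program if the tree it is locked into offers no route back to more privilege. The following is an added example, not part of the original wiki page: it audits a directory intended as a chroot for a proprietary binary and reports device nodes, setuid/setgid files, world-writable entries and executables the confined user could rewrite. The paths, the sample tree and the choice of uid are constructed assumptions.

```python
import os
import stat
import tempfile


def classify(mode, owner_uid, run_uid):
    """Reasons why one jail entry weakens confinement of a process run as run_uid."""
    reasons = []
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        reasons.append("device node")  # direct hardware access from inside the jail
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid")  # executes with someone else's privileges
    sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
    if mode & stat.S_IWOTH and not stat.S_ISLNK(mode) and not sticky_dir:
        reasons.append("world-writable")
    if stat.S_ISREG(mode) and mode & 0o111 and owner_uid == run_uid:
        reasons.append("executable owned by confined user")  # program can rewrite itself
    return reasons


def audit_jail(root, run_uid):
    """Walk the tree without following symlinks; return {relative path: reasons}."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = classify(st.st_mode, st.st_uid, run_uid)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_jail():
    """Constructed sample tree (hypothetical paths), so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="jail-")
    for rel in ("opt", "opt/app"):
        os.mkdir(os.path.join(root, rel), 0o755)
    for rel, mode in (("opt/app/game.bin", 0o755), ("opt/app/config", 0o666)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    # Assumption: the program will run as some unprivileged uid other than ours.
    report = audit_jail(build_sample_jail(), run_uid=os.getuid() + 1)
    for rel, reasons in sorted(report.items()):
        print(f"{rel}: {', '.join(reasons)}")
```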



Last modified: Sat, 22 Mar 2008 15:26:00 +0000 Hits: 7,899