xserver: Branch 'XACE-SELINUX' - 2 commits
Eamon Walsh
ewalsh at kemper.freedesktop.org
Thu Aug 2 15:23:28 PDT 2007
Xext/XSELinuxConfig | 182 +++++++---------
Xext/xselinux.c | 591 ++--------------------------------------------------
2 files changed, 116 insertions(+), 657 deletions(-)
New commits:
diff-tree 32c0dcc8c0d1edba5d7e418fd2dc916847a4f069 (from 2030e9e5395be43bd8eab15b65c21ca4c2f1e619)
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Jun 21 15:39:19 2007 -0400
xselinux: adjust the config file format to that expected by libselinux.
This file will eventually be moved out of the X source tree.
diff --git a/Xext/XSELinuxConfig b/Xext/XSELinuxConfig
index 38b7831..66f93c5 100644
--- a/Xext/XSELinuxConfig
+++ b/Xext/XSELinuxConfig
@@ -3,141 +3,131 @@
#
#
-# The nonlocal_context rule defines a context to be used for all clients
-# connecting to the server from a remote host. The nonlocal context must
-# be defined, and it must be a valid context according to the SELinux
-# security policy. Only one nonlocal_context rule may be defined.
-#
-nonlocal_context system_u:object_r:remote_xclient_t:s0
+# The default client rule defines a context to be used for all clients
+# connecting to the server from a remote host.
+#
+client * system_u:object_r:remote_xclient_t:s0
#
-# Property rules map a property name to a SELinux type. The type must
-# be valid according to the SELinux security policy. There can be any
-# number of property rules. Additionally, a default property type can be
-# defined for all properties not explicitly listed. The default
-# property type may not be omitted. The default rule may appear in
-# any position (it need not be the last property rule listed).
+# Property rules map a property name to a context. A default property
+# rule indicated by an asterisk should follow all other property rules.
#
# Properties set by typical clients: WM, _NET_WM, etc.
-property WM_NAME client_xproperty_t
-property WM_CLASS client_xproperty_t
-property WM_ICON_NAME client_xproperty_t
-property WM_HINTS client_xproperty_t
-property WM_NORMAL_HINTS client_xproperty_t
-property WM_COMMAND client_xproperty_t
-property WM_CLIENT_MACHINE client_xproperty_t
-property WM_LOCALE_NAME client_xproperty_t
-property WM_CLIENT_LEADER client_xproperty_t
-property WM_STATE client_xproperty_t
-property WM_PROTOCOLS client_xproperty_t
-property WM_WINDOW_ROLE client_xproperty_t
-property WM_TRANSIENT_FOR client_xproperty_t
-property _NET_WM_NAME client_xproperty_t
-property _NET_WM_ICON client_xproperty_t
-property _NET_WM_ICON_NAME client_xproperty_t
-property _NET_WM_PID client_xproperty_t
-property _NET_WM_STATE client_xproperty_t
-property _NET_WM_DESKTOP client_xproperty_t
-property _NET_WM_SYNC_REQUEST_COUNTER client_xproperty_t
-property _NET_WM_WINDOW_TYPE client_xproperty_t
-property _NET_WM_USER_TIME client_xproperty_t
-property _MOTIF_DRAG_RECEIVER_INFO client_xproperty_t
-property XdndAware client_xproperty_t
+property WM_NAME system_u:object_r:client_xproperty_t:s0
+property WM_CLASS system_u:object_r:client_xproperty_t:s0
+property WM_ICON_NAME system_u:object_r:client_xproperty_t:s0
+property WM_HINTS system_u:object_r:client_xproperty_t:s0
+property WM_NORMAL_HINTS system_u:object_r:client_xproperty_t:s0
+property WM_COMMAND system_u:object_r:client_xproperty_t:s0
+property WM_CLIENT_MACHINE system_u:object_r:client_xproperty_t:s0
+property WM_LOCALE_NAME system_u:object_r:client_xproperty_t:s0
+property WM_CLIENT_LEADER system_u:object_r:client_xproperty_t:s0
+property WM_STATE system_u:object_r:client_xproperty_t:s0
+property WM_PROTOCOLS system_u:object_r:client_xproperty_t:s0
+property WM_WINDOW_ROLE system_u:object_r:client_xproperty_t:s0
+property WM_TRANSIENT_FOR system_u:object_r:client_xproperty_t:s0
+property _NET_WM_NAME system_u:object_r:client_xproperty_t:s0
+property _NET_WM_ICON system_u:object_r:client_xproperty_t:s0
+property _NET_WM_ICON_NAME system_u:object_r:client_xproperty_t:s0
+property _NET_WM_PID system_u:object_r:client_xproperty_t:s0
+property _NET_WM_STATE system_u:object_r:client_xproperty_t:s0
+property _NET_WM_DESKTOP system_u:object_r:client_xproperty_t:s0
+property _NET_WM_SYNC_REQUEST_COUNTER system_u:object_r:client_xproperty_t:s0
+property _NET_WM_WINDOW_TYPE system_u:object_r:client_xproperty_t:s0
+property _NET_WM_USER_TIME system_u:object_r:client_xproperty_t:s0
+property _MOTIF_DRAG_RECEIVER_INFO system_u:object_r:client_xproperty_t:s0
+property XdndAware system_u:object_r:client_xproperty_t:s0
# Properties written by xrdb
-property RESOURCE_MANAGER rm_xproperty_t
-property SCREEN_RESOURCES rm_xproperty_t
+property RESOURCE_MANAGER system_u:object_r:rm_xproperty_t:s0
+property SCREEN_RESOURCES system_u:object_r:rm_xproperty_t:s0
# Properties written by window managers
-property _MIT_PRIORITY_COLORS wm_xproperty_t
+property _MIT_PRIORITY_COLORS system_u:object_r:wm_xproperty_t:s0
# Properties used for security labeling
-property _SELINUX_CLIENT_CONTEXT seclabel_xproperty_t
+property _SELINUX_CLIENT_CONTEXT system_u:object_r:seclabel_xproperty_t:s0
# Properties used to communicate screen information
-property XFree86_VT info_xproperty_t
-property XFree86_DDC_EDID1_RAWDATA info_xproperty_t
+property XFree86_VT system_u:object_r:info_xproperty_t:s0
+property XFree86_DDC_EDID1_RAWDATA system_u:object_r:info_xproperty_t:s0
# Clipboard and selection properties
-property CUT_BUFFER0 clipboard_xproperty_t
-property CUT_BUFFER1 clipboard_xproperty_t
-property CUT_BUFFER2 clipboard_xproperty_t
-property CUT_BUFFER3 clipboard_xproperty_t
-property CUT_BUFFER4 clipboard_xproperty_t
-property CUT_BUFFER5 clipboard_xproperty_t
-property CUT_BUFFER6 clipboard_xproperty_t
-property CUT_BUFFER7 clipboard_xproperty_t
-property _XT_SELECTION_0 clipboard_xproperty_t
+property CUT_BUFFER0 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER1 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER2 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER3 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER4 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER5 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER6 system_u:object_r:clipboard_xproperty_t:s0
+property CUT_BUFFER7 system_u:object_r:clipboard_xproperty_t:s0
+property _XT_SELECTION_0 system_u:object_r:clipboard_xproperty_t:s0
# Default fallback type
-property default unknown_xproperty_t
+property * system_u:object_r:unknown_xproperty_t:s0
#
-# Extension rules map an extension name to a SELinux type. The type must
-# be valid according to the SELinux security policy. There can be any
-# number of extension rules. Additionally, a default extension type can
-# be defined for all extensions not explicitly listed. The default
-# extension type may not be omitted. The default rule may appear in
-# any position (it need not be the last extension rule listed).
+# Extension rules map an extension name to a context. A default extension
+# rule indicated by an asterisk should follow all other extension rules.
#
# Standard extensions
-extension BIG-REQUESTS std_xext_t
-extension DOUBLE-BUFFER std_xext_t
-extension Extended-Visual-Information std_xext_t
-extension MIT-SUNDRY-NONSTANDARD std_xext_t
-extension SHAPE std_xext_t
-extension SYNC std_xext_t
-extension XC-MISC std_xext_t
-extension XFIXES std_xext_t
-extension XFree86-Misc std_xext_t
-extension XpExtension std_xext_t
+extension BIG-REQUESTS system_u:object_r:std_xext_t:s0
+extension DOUBLE-BUFFER system_u:object_r:std_xext_t:s0
+extension Extended-Visual-Information system_u:object_r:std_xext_t:s0
+extension MIT-SUNDRY-NONSTANDARD system_u:object_r:std_xext_t:s0
+extension SHAPE system_u:object_r:std_xext_t:s0
+extension SYNC system_u:object_r:std_xext_t:s0
+extension XC-MISC system_u:object_r:std_xext_t:s0
+extension XFIXES system_u:object_r:std_xext_t:s0
+extension XFree86-Misc system_u:object_r:std_xext_t:s0
+extension XpExtension system_u:object_r:std_xext_t:s0
# Screen management and multihead extensions
-extension RANDR output_xext_t
-extension XINERAMA std_xext_t
+extension RANDR system_u:object_r:output_xext_t:s0
+extension XINERAMA system_u:object_r:std_xext_t:s0
# Input extensions
-extension XInputExtension input_xext_t
-extension XKEYBOARD input_xext_t
+extension XInputExtension system_u:object_r:input_xext_t:s0
+extension XKEYBOARD system_u:object_r:input_xext_t:s0
# Screensaver, power management extensions
-extension DPMS screensaver_xext_t
-extension MIT-SCREEN-SAVER screensaver_xext_t
+extension DPMS system_u:object_r:screensaver_xext_t:s0
+extension MIT-SCREEN-SAVER system_u:object_r:screensaver_xext_t:s0
# Fonting extensions
-extension FontCache font_xext_t
-extension XFree86-Bigfont font_xext_t
+extension FontCache system_u:object_r:font_xext_t:s0
+extension XFree86-Bigfont system_u:object_r:font_xext_t:s0
# Shared memory extensions
-extension MIT-SHM shmem_xext_t
+extension MIT-SHM system_u:object_r:shmem_xext_t:s0
# Accelerated graphics, OpenGL, direct rendering extensions
-extension DAMAGE accelgraphics_xext_t
-extension GLX accelgraphics_xext_t
-extension NV-CONTROL accelgraphics_xext_t
-extension NV-GLX accelgraphics_xext_t
-extension NVIDIA-GLX accelgraphics_xext_t
-extension RENDER std_xext_t
-extension XFree86-DGA accelgraphics_xext_t
+extension DAMAGE system_u:object_r:accelgraphics_xext_t:s0
+extension GLX system_u:object_r:accelgraphics_xext_t:s0
+extension NV-CONTROL system_u:object_r:accelgraphics_xext_t:s0
+extension NV-GLX system_u:object_r:accelgraphics_xext_t:s0
+extension NVIDIA-GLX system_u:object_r:accelgraphics_xext_t:s0
+extension RENDER system_u:object_r:std_xext_t:s0
+extension XFree86-DGA system_u:object_r:accelgraphics_xext_t:s0
# Debugging, testing, and recording extensions
-extension RECORD debug_xext_t
-extension X-Resource debug_xext_t
-extension XTEST debug_xext_t
+extension RECORD system_u:object_r:debug_xext_t:s0
+extension X-Resource system_u:object_r:debug_xext_t:s0
+extension XTEST system_u:object_r:debug_xext_t:s0
# Extensions just for window managers
-extension TOG-CUP windowmgr_xext_t
+extension TOG-CUP system_u:object_r:windowmgr_xext_t:s0
# Security-related extensions
-extension SECURITY security_xext_t
-extension SELinux security_xext_t
-extension XAccessControlExtension security_xext_t
-extension XC-APPGROUP security_xext_t
+extension SECURITY system_u:object_r:security_xext_t:s0
+extension SELinux system_u:object_r:security_xext_t:s0
+extension XAccessControlExtension system_u:object_r:security_xext_t:s0
+extension XC-APPGROUP system_u:object_r:security_xext_t:s0
# Video extensions
-extension XFree86-VidModeExtension video_xext_t
-extension XVideo video_xext_t
-extension XVideo-MotionCompensation video_xext_t
+extension XFree86-VidModeExtension system_u:object_r:video_xext_t:s0
+extension XVideo system_u:object_r:video_xext_t:s0
+extension XVideo-MotionCompensation system_u:object_r:video_xext_t:s0
# Default fallback type
-extension default unknown_xext_t
+extension * system_u:object_r:unknown_xext_t:s0
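Review bot: The rewritten header comments (`# Property rules map a property name to a context. A default property rule indicated by an asterisk should follow all other property rules.` and the matching extension text) say the `*` rule should come last but not what happens when it does not, whereas the old format explicitly allowed `default` anywhere. If the libselinux backend matches rules in file order (not visible here), a `*` rule placed early silently shadows every more specific rule after it, so administrators editing this file would benefit from that being spelled out, e.g. `# Rules are matched in order: a '*' rule placed earlier would hide every rule after it.` The removed statement that each value must be valid under the loaded policy is now enforced by the server-side open with validation; a one-line reminder to that effect would keep the file self-describing once it moves out of the X tree as the commit message anticipates.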
diff-tree 2030e9e5395be43bd8eab15b65c21ca4c2f1e619 (from e2a720c9a17dc860ee0a858c2b21fd71e86cdcd0)
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Jun 21 15:37:18 2007 -0400
xselinux: use new libselinux support for context labeling.
Remove all the config file parsing code and use the new lookup interface
instead.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index cdb3b33..038ec59 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -23,7 +23,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE
*/
#include <selinux/selinux.h>
-#include <selinux/context.h>
+#include <selinux/label.h>
#include <selinux/avc.h>
#include <libaudit.h>
@@ -69,27 +69,13 @@ typedef struct {
char *extension; /* extension name, if any */
} XSELinuxAuditRec;
-/*
- * Table of SELinux types for property names.
- */
-static char **propertyTypes = NULL;
-static int propertyTypesCount = 0;
-char *XSELinuxPropertyTypeDefault = NULL;
-
-/*
- * Table of SELinux types for each extension.
- */
-static char **extensionTypes = NULL;
-static int extensionTypesCount = 0;
-static char *XSELinuxExtensionTypeDefault = NULL;
+/* labeling handle */
+static struct selabel_handle *label_hnd;
/* Atoms for SELinux window labeling properties */
Atom atom_ctx;
Atom atom_client_ctx;
-/* security context for non-local clients */
-static char *XSELinuxNonlocalContextDefault = NULL;
-
/* Selection stuff from dix */
extern Selection *CurrentSelections;
extern int NumCurrentSelections;
@@ -325,41 +311,22 @@ IDPerm(ClientPtr sclient,
static security_id_t
GetPropertySID(security_context_t base, const char *name)
{
- security_context_t new, result;
- context_t con;
+ security_context_t con, result;
security_id_t sid = NULL;
- char **ptr, *type = NULL;
-
- /* make a new context-manipulation object */
- con = context_new(base);
- if (!con)
- goto out;
/* look in the mappings of names to types */
- for (ptr = propertyTypes; *ptr; ptr+=2)
- if (!strcmp(*ptr, name))
- break;
- type = ptr[1];
-
- /* set the role and type in the context (user unchanged) */
- if (context_type_set(con, type) ||
- context_role_set(con, "object_r"))
- goto out2;
-
- /* get a context string from the context-manipulation object */
- new = context_str(con);
- if (!new)
- goto out2;
+ if (selabel_lookup(label_hnd, &con, name, SELABEL_X_PROP) < 0)
+ goto out;
/* perform a transition to obtain the final context */
- if (security_compute_create(base, new, SECCLASS_PROPERTY, &result) < 0)
+ if (security_compute_create(base, con, SECCLASS_PROPERTY, &result) < 0)
goto out2;
/* get a SID for the context */
avc_context_to_sid(result, &sid);
freecon(result);
out2:
- context_free(con);
+ freecon(con);
out:
return sid;
}
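Review bot: The new `if (selabel_lookup(label_hnd, &con, name, SELABEL_X_PROP) < 0)` runs against whatever `label_hnd` currently holds, and nothing in this hunk shows property lookups being refused when XSELinuxLoadConfigFile failed and left it NULL; unless libselinux is known to reject a NULL handle, a guard `if (!label_hnd) goto out;` before the lookup keeps a missing or unreadable config from becoming a crash on the first property access rather than a denied SID. The same guard belongs in GetExtensionSID in the following hunk, where the equivalent exit is `goto out2` so `base` is still released. The cleanup labels here are otherwise correct: a failed transition falls through to `out2`, which now frees the context returned by the lookup.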
@@ -375,41 +342,26 @@ GetPropertySID(security_context_t base,
static security_id_t
GetExtensionSID(const char *name)
{
- security_context_t base, new;
- context_t con;
+ security_context_t base, con, result;
security_id_t sid = NULL;
- char **ptr, *type = NULL;
/* get server context */
if (getcon(&base) < 0)
goto out;
- /* make a new context-manipulation object */
- con = context_new(base);
- if (!con)
- goto out2;
-
/* look in the mappings of names to types */
- for (ptr = extensionTypes; *ptr; ptr+=2)
- if (!strcmp(*ptr, name))
- break;
- type = ptr[1];
-
- /* set the role and type in the context (user unchanged) */
- if (context_type_set(con, type) ||
- context_role_set(con, "object_r"))
- goto out3;
+ if (selabel_lookup(label_hnd, &con, name, SELABEL_X_EXT) < 0)
+ goto out2;
- /* get a context string from the context-manipulation object */
- new = context_str(con);
- if (!new)
+ /* perform a transition to obtain the final context */
+ if (security_compute_create(base, con, SECCLASS_XEXTENSION, &result) < 0)
goto out3;
/* get a SID for the context */
- avc_context_to_sid(new, &sid);
-
+ avc_context_to_sid(result, &sid);
+ freecon(result);
out3:
- context_free(con);
+ freecon(con);
out2:
freecon(base);
out:
@@ -467,7 +419,7 @@ AssignServerState(void)
static void
AssignClientState(ClientPtr client)
{
- int i, needToFree = 0;
+ int i;
security_context_t basectx, objctx;
XSELinuxClientStateRec *state;
@@ -481,11 +433,12 @@ AssignClientState(ClientPtr client)
if (getpeercon(fd, &basectx) < 0)
FatalError("Client %d: couldn't get context from socket\n",
client->index);
- needToFree = 1;
}
else
/* for remote clients, need to use a default context */
- basectx = XSELinuxNonlocalContextDefault;
+ if (selabel_lookup(label_hnd, &basectx, NULL, SELABEL_X_CLIENT) < 0)
+ FatalError("Client %d: couldn't get default remote connection context\n",
+ client->index);
/* get a SID from the context */
if (avc_context_to_sid(basectx, &state->sid) < 0)
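Review bot: The new `if (selabel_lookup(label_hnd, &basectx, NULL, SELABEL_X_CLIENT) < 0) FatalError(...)` moves a configuration check from startup to connection time: the old format required and validated the non-local context when the file was loaded, so a missing or bad `client *` rule now surfaces only when the first remote client connects and it terminates the whole server, which is an availability problem that anyone who can open a remote connection can trigger on a misconfigured host. Consider performing one `selabel_lookup(label_hnd, &ctx, NULL, SELABEL_X_CLIENT)` in XSELinuxLoadConfigFile (freeing the result) so the failure is reported and rejected at startup instead. Whether the backend accepts a NULL key for this lookup type is not visible in the diff and is worth a comment at the call. As a point of style, the `else` followed by a comment and an unbraced `if` reads like a dangling body; bracing the `else` branch makes the structure explicit. AssignClientState begins and ends outside this hunk.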
@@ -506,10 +459,9 @@ AssignClientState(ClientPtr client)
freecon(objctx);
}
- /* mark as set up, free base context if necessary, and return */
+ /* mark as set up, free base context, and return */
state->haveState = TRUE;
- if (needToFree)
- freecon(basectx);
+ freecon(basectx);
}
/*
@@ -1294,509 +1246,26 @@ XSELinuxResourceState(CallbackListPtr *p
FatalError("XSELinux: Failed to set context property on window!\n");
} /* XSELinuxResourceState */
-static char *XSELinuxKeywords[] = {
-#define XSELinuxKeywordComment 0
- "#",
-#define XSELinuxKeywordProperty 1
- "property",
-#define XSELinuxKeywordExtension 2
- "extension",
-#define XSELinuxKeywordNonlocalContext 3
- "nonlocal_context",
-#define XSELinuxKeywordDefault 4
- "default"
-};
-
-#define NUMKEYWORDS (sizeof(XSELinuxKeywords) / sizeof(char *))
-
-#ifndef __UNIXOS2__
-#define XSELinuxIsWhitespace(c) ( (c == ' ') || (c == '\t') || (c == '\n') )
-#else
-#define XSELinuxIsWhitespace(c) ( (c == ' ') || (c == '\t') || (c == '\n') || (c == '\r') )
-#endif
-
-static char *
-XSELinuxSkipWhitespace(
- char *p)
-{
- while (XSELinuxIsWhitespace(*p))
- p++;
- return p;
-} /* XSELinuxSkipWhitespace */
-
-static char *
-XSELinuxParseString(
- char **rest)
-{
- char *startOfString;
- char *s = *rest;
- char endChar = 0;
-
- s = XSELinuxSkipWhitespace(s);
-
- if (*s == '"' || *s == '\'')
- {
- endChar = *s++;
- startOfString = s;
- while (*s && (*s != endChar))
- s++;
- }
- else
- {
- startOfString = s;
- while (*s && !XSELinuxIsWhitespace(*s))
- s++;
- }
- if (*s)
- {
- *s = '\0';
- *rest = s + 1;
- return startOfString;
- }
- else
- {
- *rest = s;
- return (endChar) ? NULL : startOfString;
- }
-} /* XSELinuxParseString */
-
-static int
-XSELinuxParseKeyword(
- char **p)
-{
- int i;
- char *s = *p;
- s = XSELinuxSkipWhitespace(s);
- for (i = 0; i < NUMKEYWORDS; i++)
- {
- int len = strlen(XSELinuxKeywords[i]);
- if (strncmp(s, XSELinuxKeywords[i], len) == 0)
- {
- *p = s + len;
- return (i);
- }
- }
- *p = s;
- return -1;
-} /* XSELinuxParseKeyword */
-
-static Bool
-XSELinuxTypeIsValid(char *typename)
-{
- security_context_t base, new;
- context_t con;
- Bool ret = FALSE;
-
- /* get the server's context */
- if (getcon(&base) < 0)
- goto out;
-
- /* make a new context-manipulation object */
- con = context_new(base);
- if (!con)
- goto out_free;
-
- /* set the role */
- if (context_role_set(con, "object_r"))
- goto out_free2;
-
- /* set the type */
- if (context_type_set(con, typename))
- goto out_free2;
-
- /* get a context string - note: context_str() returns a pointer
- * to the string inside the context; the returned pointer should
- * not be freed
- */
- new = context_str(con);
- if (!new)
- goto out_free2;
-
- /* finally, check to see if it's valid */
- if (security_check_context(new) == 0)
- ret = TRUE;
-
-out_free2:
- context_free(con);
-out_free:
- freecon(base);
-out:
- return ret;
-}
-
-static Bool
-XSELinuxParsePropertyTypeRule(char *p)
-{
- int keyword;
- char *propname = NULL, *propcopy = NULL;
- char *typename = NULL, *typecopy = NULL;
- char **newTypes;
- Bool defaultPropertyType = FALSE;
-
- /* get property name */
- keyword = XSELinuxParseKeyword(&p);
- if (keyword == XSELinuxKeywordDefault)
- {
- defaultPropertyType = TRUE;
- }
- else
- {
- propname = XSELinuxParseString(&p);
- if (!propname || (strlen(propname) == 0))
- {
- return FALSE;
- }
- }
-
- /* get the SELinux type corresponding to the property */
- typename = XSELinuxParseString(&p);
- if (!typename || (strlen(typename) == 0))
- return FALSE;
-
- /* validate the type */
- if (XSELinuxTypeIsValid(typename) != TRUE)
- return FALSE;
-
- /* if it's the default property, save it to append to the end of the
- * property types list
- */
- if (defaultPropertyType == TRUE)
- {
- if (XSELinuxPropertyTypeDefault != NULL)
- {
- return FALSE;
- }
- else
- {
- XSELinuxPropertyTypeDefault = (char *)xalloc(strlen(typename)+1);
- if (!XSELinuxPropertyTypeDefault)
- {
- ErrorF("XSELinux: out of memory\n");
- return FALSE;
- }
- strcpy(XSELinuxPropertyTypeDefault, typename);
- return TRUE;
- }
- }
-
- /* insert the property and type into the propertyTypes array */
- propcopy = (char *)xalloc(strlen(propname)+1);
- if (!propcopy)
- {
- ErrorF("XSELinux: out of memory\n");
- return FALSE;
- }
- strcpy(propcopy, propname);
-
- typecopy = (char *)xalloc(strlen(typename)+1);
- if (!typecopy)
- {
- ErrorF("XSELinux: out of memory\n");
- xfree(propcopy);
- return FALSE;
- }
- strcpy(typecopy, typename);
-
- newTypes = (char **)xrealloc(propertyTypes, sizeof (char *) * ((propertyTypesCount+1) * 2));
- if (!newTypes)
- {
- ErrorF("XSELinux: out of memory\n");
- xfree(propcopy);
- xfree(typecopy);
- return FALSE;
- }
-
- propertyTypesCount++;
-
- newTypes[propertyTypesCount*2 - 2] = propcopy;
- newTypes[propertyTypesCount*2 - 1] = typecopy;
-
- propertyTypes = newTypes;
-
- return TRUE;
-} /* XSELinuxParsePropertyTypeRule */
-
-static Bool
-XSELinuxParseExtensionTypeRule(char *p)
-{
- int keyword;
- char *extname = NULL, *extcopy = NULL;
- char *typename = NULL, *typecopy = NULL;
- char **newTypes;
- Bool defaultExtensionType = FALSE;
-
- /* get extension name */
- keyword = XSELinuxParseKeyword(&p);
- if (keyword == XSELinuxKeywordDefault)
- {
- defaultExtensionType = TRUE;
- }
- else
- {
- extname = XSELinuxParseString(&p);
- if (!extname || (strlen(extname) == 0))
- {
- return FALSE;
- }
- }
-
- /* get the SELinux type corresponding to the extension */
- typename = XSELinuxParseString(&p);
- if (!typename || (strlen(typename) == 0))
- return FALSE;
-
- /* validate the type */
- if (XSELinuxTypeIsValid(typename) != TRUE)
- return FALSE;
-
- /* if it's the default extension, save it to append to the end of the
- * extension types list
- */
- if (defaultExtensionType == TRUE)
- {
- if (XSELinuxExtensionTypeDefault != NULL)
- {
- return FALSE;
- }
- else
- {
- XSELinuxExtensionTypeDefault = (char *)xalloc(strlen(typename)+1);
- if (!XSELinuxExtensionTypeDefault)
- {
- ErrorF("XSELinux: out of memory\n");
- return FALSE;
- }
- strcpy(XSELinuxExtensionTypeDefault, typename);
- return TRUE;
- }
- }
-
- /* insert the extension and type into the extensionTypes array */
- extcopy = (char *)xalloc(strlen(extname)+1);
- if (!extcopy)
- {
- ErrorF("XSELinux: out of memory\n");
- return FALSE;
- }
- strcpy(extcopy, extname);
-
- typecopy = (char *)xalloc(strlen(typename)+1);
- if (!typecopy)
- {
- ErrorF("XSELinux: out of memory\n");
- xfree(extcopy);
- return FALSE;
- }
- strcpy(typecopy, typename);
-
- newTypes = (char **)xrealloc(extensionTypes, sizeof(char *) *( (extensionTypesCount+1) * 2));
- if (!newTypes)
- {
- ErrorF("XSELinux: out of memory\n");
- xfree(extcopy);
- xfree(typecopy);
- return FALSE;
- }
-
- extensionTypesCount++;
-
- newTypes[extensionTypesCount*2 - 2] = extcopy;
- newTypes[extensionTypesCount*2 - 1] = typecopy;
-
- extensionTypes = newTypes;
-
- return TRUE;
-} /* XSELinuxParseExtensionTypeRule */
-
-static Bool
-XSELinuxParseNonlocalContext(char *p)
-{
- char *context;
-
- context = XSELinuxParseString(&p);
- if (!context || (strlen(context) == 0))
- {
- return FALSE;
- }
-
- if (XSELinuxNonlocalContextDefault != NULL)
- {
- return FALSE;
- }
-
- /* validate the context */
- if (security_check_context(context))
- {
- return FALSE;
- }
-
- XSELinuxNonlocalContextDefault = (char *)xalloc(strlen(context)+1);
- if (!XSELinuxNonlocalContextDefault)
- {
- ErrorF("XSELinux: out of memory\n");
- return FALSE;
- }
- strcpy(XSELinuxNonlocalContextDefault, context);
-
- return TRUE;
-} /* XSELinuxParseNonlocalContext */
-
static Bool
XSELinuxLoadConfigFile(void)
{
- FILE *f;
- int lineNumber = 0;
- char **newTypes;
- Bool ret = FALSE;
+ struct selinux_opt options[] = {
+ { SELABEL_OPT_PATH, XSELINUXCONFIGFILE },
+ { SELABEL_OPT_VALIDATE, (char *)1 },
+ };
if (!XSELINUXCONFIGFILE)
return FALSE;
- /* some initial bookkeeping */
- propertyTypesCount = extensionTypesCount = 0;
- propertyTypes = extensionTypes = NULL;
- XSELinuxPropertyTypeDefault = XSELinuxExtensionTypeDefault = NULL;
- XSELinuxNonlocalContextDefault = NULL;
-
-#ifndef __UNIXOS2__
- f = fopen(XSELINUXCONFIGFILE, "r");
-#else
- f = fopen((char*)__XOS2RedirRoot(XSELINUXCONFIGFILE), "r");
-#endif
- if (!f)
- {
- ErrorF("Error opening XSELinux policy file %s\n", XSELINUXCONFIGFILE);
- return FALSE;
- }
-
- while (!feof(f))
- {
- char buf[200];
- Bool validLine;
- char *p;
-
- if (!(p = fgets(buf, sizeof(buf), f)))
- break;
- lineNumber++;
-
- switch (XSELinuxParseKeyword(&p))
- {
- case XSELinuxKeywordComment:
- validLine = TRUE;
- break;
-
- case XSELinuxKeywordProperty:
- validLine = XSELinuxParsePropertyTypeRule(p);
- break;
-
- case XSELinuxKeywordExtension:
- validLine = XSELinuxParseExtensionTypeRule(p);
- break;
-
- case XSELinuxKeywordNonlocalContext:
- validLine = XSELinuxParseNonlocalContext(p);
- break;
-
- default:
- validLine = (*p == '\0');
- break;
- }
-
- if (!validLine)
- {
- ErrorF("XSELinux: Line %d of %s is invalid\n",
- lineNumber, XSELINUXCONFIGFILE);
- goto out;
- }
- }
-
- /* check to make sure the default types and the nonlocal context
- * were specified
- */
- if (XSELinuxPropertyTypeDefault == NULL)
- {
- ErrorF("XSELinux: No default property type specified\n");
- goto out;
- }
- else if (XSELinuxExtensionTypeDefault == NULL)
- {
- ErrorF("XSELinux: No default extension type specified\n");
- goto out;
- }
- else if (XSELinuxNonlocalContextDefault == NULL)
- {
- ErrorF("XSELinux: No default context for non-local clients specified\n");
- goto out;
- }
-
- /* Finally, append the default property and extension types to the
- * bottoms of the propertyTypes and extensionTypes arrays, respectively.
- * The 'name' of the property / extension is NULL.
- */
- newTypes = (char **)xrealloc(propertyTypes, sizeof(char *) *((propertyTypesCount+1) * 2));
- if (!newTypes)
- {
- ErrorF("XSELinux: out of memory\n");
- goto out;
- }
- propertyTypesCount++;
- newTypes[propertyTypesCount*2 - 2] = NULL;
- newTypes[propertyTypesCount*2 - 1] = XSELinuxPropertyTypeDefault;
- propertyTypes = newTypes;
-
- newTypes = (char **)xrealloc(extensionTypes, sizeof(char *) *((extensionTypesCount+1) * 2));
- if (!newTypes)
- {
- ErrorF("XSELinux: out of memory\n");
- goto out;
- }
- extensionTypesCount++;
- newTypes[extensionTypesCount*2 - 2] = NULL;
- newTypes[extensionTypesCount*2 - 1] = XSELinuxExtensionTypeDefault;
- extensionTypes = newTypes;
-
- ret = TRUE;
-
-out:
- fclose(f);
- return ret;
+ label_hnd = selabel_open(SELABEL_CTX_X, options, 2);
+ return !!label_hnd;
} /* XSELinuxLoadConfigFile */
static void
XSELinuxFreeConfigData(void)
{
- char **ptr;
-
- /* Free all the memory in the table until we reach the NULL, then
- * skip one past the NULL and free the default type. Then take care
- * of some bookkeeping.
- */
- for (ptr = propertyTypes; *ptr; ptr++)
- xfree(*ptr);
- ptr++;
- xfree(*ptr);
-
- XSELinuxPropertyTypeDefault = NULL;
- propertyTypesCount = 0;
-
- xfree(propertyTypes);
- propertyTypes = NULL;
-
- /* ... and the same for the extension type table */
- for (ptr = extensionTypes; *ptr; ptr++)
- xfree(*ptr);
- ptr++;
- xfree(*ptr);
-
- XSELinuxExtensionTypeDefault = NULL;
- extensionTypesCount = 0;
-
- xfree(extensionTypes);
- extensionTypes = NULL;
-
- /* finally, take care of the context for non-local connections */
- xfree(XSELinuxNonlocalContextDefault);
- XSELinuxNonlocalContextDefault = NULL;
+ selabel_close(label_hnd);
+ label_hnd = NULL;
} /* XSELinuxFreeConfigData */
/* Extension dispatch functions */
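Review bot: The new `label_hnd = selabel_open(SELABEL_CTX_X, options, 2); return !!label_hnd;` in XSELinuxLoadConfigFile reports failure as a bare FALSE, whereas the code it replaces printed `Error opening XSELinux policy file %s`; since the validating open is now the only place a bad config is detected, the path and `strerror(errno)` should be logged on the NULL return, e.g. `ErrorF("XSELinux: failed to open labeling config %s: %s\n", XSELINUXCONFIGFILE, strerror(errno));` (hedged on selabel_open leaving errno set). The literal `2` should be `sizeof(options) / sizeof(options[0])` so adding an option cannot silently desynchronize the count. In XSELinuxFreeConfigData, `selabel_close(label_hnd)` is called even when the config was never loaded and `label_hnd` is still NULL; unless libselinux documents NULL as accepted, guard it with `if (label_hnd)`. A second call to XSELinuxLoadConfigFile would also overwrite an open handle without closing it, where the old code reset its tables; if reloading is possible, close the previous handle first.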