xserver: Branch 'XACE-SELINUX'

Eamon Walsh ewalsh at kemper.freedesktop.org
Mon Jun 11 14:33:23 PDT 2007


 Xext/xselinux.c |   42 ++++++++++++++++++++++++-
 Xext/xselinux.h |   93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 2 deletions(-)

New commits:
diff-tree 878cac71aa0018deee861b297638c0744dba631b (from 793470a8356976ddd427280a738dfb6e1c0e4e70)
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Mon Jun 11 14:19:37 2007 -0400

    xselinux: use new libselinux support for private Flask definitions.
    
    Removes indirect dependency on kernel headers.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 3cec21b..cdb3b33 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -22,8 +22,6 @@ CONNECTION WITH THE SOFTWARE OR THE USE 
  * All rights reserved.
  */
 
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
 #include <selinux/selinux.h>
 #include <selinux/context.h>
 #include <selinux/avc.h>
@@ -96,6 +94,42 @@ static char *XSELinuxNonlocalContextDefa
 extern Selection *CurrentSelections;
 extern int NumCurrentSelections;
 
+/* Dynamically allocated security classes and permissions */
+static struct security_class_mapping map[] = {
+    { "drawable",
+      { "create", "destroy", "draw", "copy", "getattr", NULL }},
+    { "window",
+      { "addchild", "create", "destroy", "map", "unmap", "chstack",
+	"chproplist", "chprop", "listprop", "getattr", "setattr", "setfocus",
+	"move", "chselection", "chparent", "ctrllife", "enumerate",
+	"transparent", "mousemotion", "clientcomevent", "inputevent",
+	"drawevent", "windowchangeevent", "windowchangerequest",
+	"serverchangeevent", "extensionevent", NULL }},
+    { "gc",
+      { "create", "free", "getattr", "setattr", NULL }},
+    { "font",
+      { "load", "free", "getattr", "use", NULL }},
+    { "colormap",
+      { "create", "free", "install", "uninstall", "list", "read", "store",
+	"getattr", "setattr", NULL }},
+    { "property",
+      { "create", "free", "read", "write", NULL }},
+    { "cursor",
+      { "create", "createglyph", "free", "assign", "setattr", NULL }},
+    { "xclient",
+      { "kill", NULL }},
+    { "xinput",
+      { "lookup", "getattr", "setattr", "setfocus", "warppointer",
+	"activegrab", "passivegrab", "ungrab", "bell", "mousemotion",
+	"relabelinput", NULL }},
+    { "xserver",
+      { "screensaver", "gethostlist", "sethostlist", "getfontpath",
+	"setfontpath", "getattr", "grab", "ungrab", NULL }},
+    { "xextension",
+      { "query", "use", NULL }},
+    { NULL }
+};
+
 /*
  * list of classes corresponding to SIDs in the
  * rsid array of the security state structure (below).
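Review bot: The `map[]` table added here carries no comment tying it to the `SECCLASS_*` and `*__*` constants added in the xselinux.h hunk, although the two must stay in lockstep: with selinux_set_mapping a class's number is presumably its 1-based position in this array and each permission's bit is `1UL` shifted by its 0-based position in the perms list, and the header values do line up that way today (drawable=1 through xextension=11, WINDOW__ADDCHILD=0x00000001UL through WINDOW__EXTENSIONEVENT=0x02000000UL). Nothing checks this at compile time, so inserting a name in the middle of a list would silently shift the meaning of every later permission check against the loaded policy. I would put above the array: `/* Order matters: class N is its 1-based index here and permission j in a list is bit 1UL << (j-1); keep in sync with SECCLASS_* and *__* in xselinux.h. */`. The xselinux.h hunk would benefit from the reverse pointer next to its `/* Private Flask definitions */` comment.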
@@ -1851,6 +1885,10 @@ XSELinuxExtensionInit(INITARGS)
         return;
     }
 
+    if (selinux_set_mapping(map) < 0) {
+	FatalError("XSELinux: Failed to set up security class mapping\n");
+    }
+
     if (avc_init("xserver", NULL, &alc, NULL, NULL) < 0)
     {
 	FatalError("XSELinux: Couldn't initialize SELinux userspace AVC\n");
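Review bot: The new `if (selinux_set_mapping(map) < 0) {` block uses K&R brace placement and a tab-indented body, while the avc_init check immediately below puts its opening brace on its own line and the surrounding context is space-indented; the two adjacent checks should share one style. Aborting with FatalError when the mapping cannot be installed is the right fail-closed choice, since the class and permission numbers used by later checks presumably depend on it, and calling it ahead of avc_init appears to fix those numbers before the AVC is first consulted. XSELinuxExtensionInit's body starts and ends outside the hunk.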
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index eff6db5..57fcbb2 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
@@ -20,10 +20,103 @@ CONNECTION WITH THE SOFTWARE OR THE USE 
 #ifndef _XSELINUX_H
 #define _XSELINUX_H
 
+/* Extension info */
 #define XSELINUX_EXTENSION_NAME		"SELinux"
 #define XSELINUX_MAJOR_VERSION		1
 #define XSELINUX_MINOR_VERSION		0
 #define XSELinuxNumberEvents		0
 #define XSELinuxNumberErrors		0
 
+/* Private Flask definitions */
+#define SECCLASS_DRAWABLE		1
+#define DRAWABLE__CREATE		0x00000001UL
+#define DRAWABLE__DESTROY		0x00000002UL
+#define DRAWABLE__DRAW			0x00000004UL
+#define DRAWABLE__COPY			0x00000008UL
+#define DRAWABLE__GETATTR		0x00000010UL
+#define SECCLASS_WINDOW			2
+#define WINDOW__ADDCHILD		0x00000001UL
+#define WINDOW__CREATE			0x00000002UL
+#define WINDOW__DESTROY			0x00000004UL
+#define WINDOW__MAP			0x00000008UL
+#define WINDOW__UNMAP			0x00000010UL
+#define WINDOW__CHSTACK			0x00000020UL
+#define WINDOW__CHPROPLIST		0x00000040UL
+#define WINDOW__CHPROP			0x00000080UL
+#define WINDOW__LISTPROP		0x00000100UL
+#define WINDOW__GETATTR			0x00000200UL
+#define WINDOW__SETATTR			0x00000400UL
+#define WINDOW__SETFOCUS		0x00000800UL
+#define WINDOW__MOVE			0x00001000UL
+#define WINDOW__CHSELECTION		0x00002000UL
+#define WINDOW__CHPARENT		0x00004000UL
+#define WINDOW__CTRLLIFE		0x00008000UL
+#define WINDOW__ENUMERATE		0x00010000UL
+#define WINDOW__TRANSPARENT		0x00020000UL
+#define WINDOW__MOUSEMOTION		0x00040000UL
+#define WINDOW__CLIENTCOMEVENT		0x00080000UL
+#define WINDOW__INPUTEVENT		0x00100000UL
+#define WINDOW__DRAWEVENT		0x00200000UL
+#define WINDOW__WINDOWCHANGEEVENT	0x00400000UL
+#define WINDOW__WINDOWCHANGEREQUEST	0x00800000UL
+#define WINDOW__SERVERCHANGEEVENT	0x01000000UL
+#define WINDOW__EXTENSIONEVENT		0x02000000UL
+#define SECCLASS_GC			3
+#define GC__CREATE			0x00000001UL
+#define GC__FREE			0x00000002UL
+#define GC__GETATTR			0x00000004UL
+#define GC__SETATTR			0x00000008UL
+#define SECCLASS_FONT			4
+#define FONT__LOAD			0x00000001UL
+#define FONT__FREE			0x00000002UL
+#define FONT__GETATTR			0x00000004UL
+#define FONT__USE			0x00000008UL
+#define SECCLASS_COLORMAP		5
+#define COLORMAP__CREATE		0x00000001UL
+#define COLORMAP__FREE			0x00000002UL
+#define COLORMAP__INSTALL		0x00000004UL
+#define COLORMAP__UNINSTALL		0x00000008UL
+#define COLORMAP__LIST			0x00000010UL
+#define COLORMAP__READ			0x00000020UL
+#define COLORMAP__STORE			0x00000040UL
+#define COLORMAP__GETATTR		0x00000080UL
+#define COLORMAP__SETATTR		0x00000100UL
+#define SECCLASS_PROPERTY		6
+#define PROPERTY__CREATE		0x00000001UL
+#define PROPERTY__FREE			0x00000002UL
+#define PROPERTY__READ			0x00000004UL
+#define PROPERTY__WRITE			0x00000008UL
+#define SECCLASS_CURSOR			7
+#define CURSOR__CREATE			0x00000001UL
+#define CURSOR__CREATEGLYPH		0x00000002UL
+#define CURSOR__FREE			0x00000004UL
+#define CURSOR__ASSIGN			0x00000008UL
+#define CURSOR__SETATTR			0x00000010UL
+#define SECCLASS_XCLIENT		8
+#define XCLIENT__KILL			0x00000001UL
+#define SECCLASS_XINPUT			9
+#define XINPUT__LOOKUP			0x00000001UL
+#define XINPUT__GETATTR			0x00000002UL
+#define XINPUT__SETATTR			0x00000004UL
+#define XINPUT__SETFOCUS		0x00000008UL
+#define XINPUT__WARPPOINTER		0x00000010UL
+#define XINPUT__ACTIVEGRAB		0x00000020UL
+#define XINPUT__PASSIVEGRAB		0x00000040UL
+#define XINPUT__UNGRAB			0x00000080UL
+#define XINPUT__BELL			0x00000100UL
+#define XINPUT__MOUSEMOTION		0x00000200UL
+#define XINPUT__RELABELINPUT		0x00000400UL
+#define SECCLASS_XSERVER		10
+#define XSERVER__SCREENSAVER		0x00000001UL
+#define XSERVER__GETHOSTLIST		0x00000002UL
+#define XSERVER__SETHOSTLIST		0x00000004UL
+#define XSERVER__GETFONTPATH		0x00000008UL
+#define XSERVER__SETFONTPATH		0x00000010UL
+#define XSERVER__GETATTR		0x00000020UL
+#define XSERVER__GRAB			0x00000040UL
+#define XSERVER__UNGRAB			0x00000080UL
+#define SECCLASS_XEXTENSION		11
+#define XEXTENSION__QUERY		0x00000001UL
+#define XEXTENSION__USE			0x00000002UL
+
 #endif /* _XSELINUX_H */

