xserver: Branch 'XACE-SELINUX'
Eamon Walsh
ewalsh at kemper.freedesktop.org
Mon Jun 11 14:33:23 PDT 2007
Xext/xselinux.c | 42 ++++++++++++++++++++++++-
Xext/xselinux.h | 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 133 insertions(+), 2 deletions(-)
New commits:
diff-tree 878cac71aa0018deee861b297638c0744dba631b (from 793470a8356976ddd427280a738dfb6e1c0e4e70)
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Mon Jun 11 14:19:37 2007 -0400
xselinux: use new libselinux support for private Flask definitions.
Removes indirect dependency on kernel headers.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 3cec21b..cdb3b33 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -22,8 +22,6 @@ CONNECTION WITH THE SOFTWARE OR THE USE
* All rights reserved.
*/
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <selinux/avc.h>
@@ -96,6 +94,42 @@ static char *XSELinuxNonlocalContextDefa
extern Selection *CurrentSelections;
extern int NumCurrentSelections;
+/* Dynamically allocated security classes and permissions */
+static struct security_class_mapping map[] = {
+ { "drawable",
+ { "create", "destroy", "draw", "copy", "getattr", NULL }},
+ { "window",
+ { "addchild", "create", "destroy", "map", "unmap", "chstack",
+ "chproplist", "chprop", "listprop", "getattr", "setattr", "setfocus",
+ "move", "chselection", "chparent", "ctrllife", "enumerate",
+ "transparent", "mousemotion", "clientcomevent", "inputevent",
+ "drawevent", "windowchangeevent", "windowchangerequest",
+ "serverchangeevent", "extensionevent", NULL }},
+ { "gc",
+ { "create", "free", "getattr", "setattr", NULL }},
+ { "font",
+ { "load", "free", "getattr", "use", NULL }},
+ { "colormap",
+ { "create", "free", "install", "uninstall", "list", "read", "store",
+ "getattr", "setattr", NULL }},
+ { "property",
+ { "create", "free", "read", "write", NULL }},
+ { "cursor",
+ { "create", "createglyph", "free", "assign", "setattr", NULL }},
+ { "xclient",
+ { "kill", NULL }},
+ { "xinput",
+ { "lookup", "getattr", "setattr", "setfocus", "warppointer",
+ "activegrab", "passivegrab", "ungrab", "bell", "mousemotion",
+ "relabelinput", NULL }},
+ { "xserver",
+ { "screensaver", "gethostlist", "sethostlist", "getfontpath",
+ "setfontpath", "getattr", "grab", "ungrab", NULL }},
+ { "xextension",
+ { "query", "use", NULL }},
+ { NULL }
+};
+
/*
* list of classes corresponding to SIDs in the
* rsid array of the security state structure (below).
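Review bot: Nothing on the new `map[]` table says that its ordering is load-bearing, yet the private values added to Xext/xselinux.h in the last hunk are derived from exactly that order (the first class, "drawable", is `SECCLASS_DRAWABLE 1`; its first permission, "create", is `DRAWABLE__CREATE 0x00000001UL`, and so on through every class). If someone later inserts or reorders a name in one place and not the other, `selinux_set_mapping()` will still succeed at init and the access check will be silently routed to a neighbouring class or permission. I would put a comment above the table such as `/* Order matters: the N-th class here is SECCLASS_* == N and the k-th permission name is bit (1 << k) of the matching *__* define in xselinux.h; keep both lists in sync. */` and mirror a one-line pointer back to this table above the `/* Private Flask definitions */` block in the header. As a point of style, `map` is a very generic name for a file-scope symbol; `xselinux_class_map` would be clearer in grep and debugger output.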
@@ -1851,6 +1885,10 @@ XSELinuxExtensionInit(INITARGS)
return;
}
+ if (selinux_set_mapping(map) < 0) {
+ FatalError("XSELinux: Failed to set up security class mapping\n");
+ }
+
if (avc_init("xserver", NULL, &alc, NULL, NULL) < 0)
{
FatalError("XSELinux: Couldn't initialize SELinux userspace AVC\n");
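Review bot: The new `if (selinux_set_mapping(map) < 0) {` puts the opening brace on the condition line, while the `avc_init` check immediately below it (and the existing `return; }` block above) use the brace-on-its-own-line layout this function already follows; the added block should match, i.e. `if (selinux_set_mapping(map) < 0)` on one line and `{` on the next. XSELinuxExtensionInit begins and ends outside this hunk, so I cannot see whether an earlier early-return path leaves the mapping unset, but the placement before `avc_init` looks sensible as long as that ordering is what libselinux expects; a short comment stating that dependency would help the next reader.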
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index eff6db5..57fcbb2 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
@@ -20,10 +20,103 @@ CONNECTION WITH THE SOFTWARE OR THE USE
#ifndef _XSELINUX_H
#define _XSELINUX_H
+/* Extension info */
#define XSELINUX_EXTENSION_NAME "SELinux"
#define XSELINUX_MAJOR_VERSION 1
#define XSELINUX_MINOR_VERSION 0
#define XSELinuxNumberEvents 0
#define XSELinuxNumberErrors 0
+/* Private Flask definitions */
+#define SECCLASS_DRAWABLE 1
+#define DRAWABLE__CREATE 0x00000001UL
+#define DRAWABLE__DESTROY 0x00000002UL
+#define DRAWABLE__DRAW 0x00000004UL
+#define DRAWABLE__COPY 0x00000008UL
+#define DRAWABLE__GETATTR 0x00000010UL
+#define SECCLASS_WINDOW 2
+#define WINDOW__ADDCHILD 0x00000001UL
+#define WINDOW__CREATE 0x00000002UL
+#define WINDOW__DESTROY 0x00000004UL
+#define WINDOW__MAP 0x00000008UL
+#define WINDOW__UNMAP 0x00000010UL
+#define WINDOW__CHSTACK 0x00000020UL
+#define WINDOW__CHPROPLIST 0x00000040UL
+#define WINDOW__CHPROP 0x00000080UL
+#define WINDOW__LISTPROP 0x00000100UL
+#define WINDOW__GETATTR 0x00000200UL
+#define WINDOW__SETATTR 0x00000400UL
+#define WINDOW__SETFOCUS 0x00000800UL
+#define WINDOW__MOVE 0x00001000UL
+#define WINDOW__CHSELECTION 0x00002000UL
+#define WINDOW__CHPARENT 0x00004000UL
+#define WINDOW__CTRLLIFE 0x00008000UL
+#define WINDOW__ENUMERATE 0x00010000UL
+#define WINDOW__TRANSPARENT 0x00020000UL
+#define WINDOW__MOUSEMOTION 0x00040000UL
+#define WINDOW__CLIENTCOMEVENT 0x00080000UL
+#define WINDOW__INPUTEVENT 0x00100000UL
+#define WINDOW__DRAWEVENT 0x00200000UL
+#define WINDOW__WINDOWCHANGEEVENT 0x00400000UL
+#define WINDOW__WINDOWCHANGEREQUEST 0x00800000UL
+#define WINDOW__SERVERCHANGEEVENT 0x01000000UL
+#define WINDOW__EXTENSIONEVENT 0x02000000UL
+#define SECCLASS_GC 3
+#define GC__CREATE 0x00000001UL
+#define GC__FREE 0x00000002UL
+#define GC__GETATTR 0x00000004UL
+#define GC__SETATTR 0x00000008UL
+#define SECCLASS_FONT 4
+#define FONT__LOAD 0x00000001UL
+#define FONT__FREE 0x00000002UL
+#define FONT__GETATTR 0x00000004UL
+#define FONT__USE 0x00000008UL
+#define SECCLASS_COLORMAP 5
+#define COLORMAP__CREATE 0x00000001UL
+#define COLORMAP__FREE 0x00000002UL
+#define COLORMAP__INSTALL 0x00000004UL
+#define COLORMAP__UNINSTALL 0x00000008UL
+#define COLORMAP__LIST 0x00000010UL
+#define COLORMAP__READ 0x00000020UL
+#define COLORMAP__STORE 0x00000040UL
+#define COLORMAP__GETATTR 0x00000080UL
+#define COLORMAP__SETATTR 0x00000100UL
+#define SECCLASS_PROPERTY 6
+#define PROPERTY__CREATE 0x00000001UL
+#define PROPERTY__FREE 0x00000002UL
+#define PROPERTY__READ 0x00000004UL
+#define PROPERTY__WRITE 0x00000008UL
+#define SECCLASS_CURSOR 7
+#define CURSOR__CREATE 0x00000001UL
+#define CURSOR__CREATEGLYPH 0x00000002UL
+#define CURSOR__FREE 0x00000004UL
+#define CURSOR__ASSIGN 0x00000008UL
+#define CURSOR__SETATTR 0x00000010UL
+#define SECCLASS_XCLIENT 8
+#define XCLIENT__KILL 0x00000001UL
+#define SECCLASS_XINPUT 9
+#define XINPUT__LOOKUP 0x00000001UL
+#define XINPUT__GETATTR 0x00000002UL
+#define XINPUT__SETATTR 0x00000004UL
+#define XINPUT__SETFOCUS 0x00000008UL
+#define XINPUT__WARPPOINTER 0x00000010UL
+#define XINPUT__ACTIVEGRAB 0x00000020UL
+#define XINPUT__PASSIVEGRAB 0x00000040UL
+#define XINPUT__UNGRAB 0x00000080UL
+#define XINPUT__BELL 0x00000100UL
+#define XINPUT__MOUSEMOTION 0x00000200UL
+#define XINPUT__RELABELINPUT 0x00000400UL
+#define SECCLASS_XSERVER 10
+#define XSERVER__SCREENSAVER 0x00000001UL
+#define XSERVER__GETHOSTLIST 0x00000002UL
+#define XSERVER__SETHOSTLIST 0x00000004UL
+#define XSERVER__GETFONTPATH 0x00000008UL
+#define XSERVER__SETFONTPATH 0x00000010UL
+#define XSERVER__GETATTR 0x00000020UL
+#define XSERVER__GRAB 0x00000040UL
+#define XSERVER__UNGRAB 0x00000080UL
+#define SECCLASS_XEXTENSION 11
+#define XEXTENSION__QUERY 0x00000001UL
+#define XEXTENSION__USE 0x00000002UL
+
#endif /* _XSELINUX_H */