xserver: Branch 'XACE-SELINUX' - 6 commits
Eamon Walsh
ewalsh at kemper.freedesktop.org
Mon Nov 5 14:21:31 PST 2007
Xext/xselinux.c | 226 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
Xext/xselinux.h | 121 ++++++++++++++++++++++++++++-
dix/events.c | 10 ++
dix/registry.c | 2
4 files changed, 337 insertions(+), 22 deletions(-)
New commits:
commit c7e18beb3c87eb1ada9b21c4ffacd11c1939c087
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Mon Nov 5 15:01:13 2007 -0500
xselinux: Register SELinux extension protocol names.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 946e5b9..f6d1dcd 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -1395,4 +1395,28 @@ XSELinuxExtensionInit(INITARGS)
/* Label objects that were created before we could register ourself */
SELinuxLabelInitial();
+
+ /* Add names to registry */
+ RegisterRequestName(X_SELinuxQueryVersion, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxQueryVersion");
+ RegisterRequestName(X_SELinuxSetSelectionManager, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxSetSelectionManager");
+ RegisterRequestName(X_SELinuxGetSelectionManager, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxGetSelectionManager");
+ RegisterRequestName(X_SELinuxSetDeviceContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxSetDeviceContext");
+ RegisterRequestName(X_SELinuxGetDeviceContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxGetDeviceContext");
+ RegisterRequestName(X_SELinuxSetPropertyCreateContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxSetPropertyCreateContext");
+ RegisterRequestName(X_SELinuxGetPropertyCreateContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxGetPropertyCreateContext");
+ RegisterRequestName(X_SELinuxGetPropertyContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxGetPropertyContext");
+ RegisterRequestName(X_SELinuxSetWindowCreateContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxSetWindowCreateContext");
+ RegisterRequestName(X_SELinuxGetWindowCreateContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxGetWindowCreateContext");
+ RegisterRequestName(X_SELinuxGetWindowContext, 0,
+ XSELINUX_EXTENSION_NAME ":SELinuxGetWindowContext");
}
commit 3b7af72fe315c7c26c89838c0c5dacbe58765d0f
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Fri Oct 26 20:32:10 2007 -0400
xselinux: Add a SetDeviceContext request and stubs for more requests.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index bacbe6e..946e5b9 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -985,10 +985,6 @@ static int
ProcSELinuxQueryVersion(ClientPtr client)
{
SELinuxQueryVersionReply rep;
- /*
- REQUEST(SELinuxQueryVersionReq);
- REQUEST_SIZE_MATCH (SELinuxQueryVersionReq);
- */
rep.type = X_Reply;
rep.length = 0;
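Review bot: The commented-out length check is deleted rather than enabled, so ProcSELinuxQueryVersion never validates the size of the request it was sent, while SetSelectionManager and SetDeviceContext in this same extension do check theirs. Since SELinuxQueryVersionReq is still declared in the header, the check can simply become live: `REQUEST(SELinuxQueryVersionReq); REQUEST_SIZE_MATCH(SELinuxQueryVersionReq);` after the `rep` declaration. The remainder of the function is outside the hunk, so whether client_major/client_minor are read later cannot be seen here.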
@@ -1009,10 +1005,10 @@ ProcSELinuxQueryVersion(ClientPtr client)
static int
ProcSELinuxSetSelectionManager(ClientPtr client)
{
- REQUEST(SELinuxSetSelectionManagerReq);
WindowPtr pWin;
int rc;
+ REQUEST(SELinuxSetSelectionManagerReq);
REQUEST_SIZE_MATCH(SELinuxSetSelectionManagerReq);
if (stuff->window == None) {
@@ -1032,6 +1028,98 @@ ProcSELinuxSetSelectionManager(ClientPtr client)
}
static int
+ProcSELinuxGetSelectionManager(ClientPtr client)
+{
+ SELinuxGetSelectionManagerReply rep;
+
+ rep.type = X_Reply;
+ rep.length = 0;
+ rep.sequenceNumber = client->sequence;
+ rep.window = selectionWindow;
+ if (client->swapped) {
+ int n;
+ swaps(&rep.sequenceNumber, n);
+ swapl(&rep.length, n);
+ swapl(&rep.window, n);
+ }
+ WriteToClient(client, sizeof(rep), (char *)&rep);
+ return (client->noClientException);
+}
+
+static int
+ProcSELinuxSetDeviceContext(ClientPtr client)
+{
+ char *ctx;
+ security_id_t sid;
+ DeviceIntPtr dev;
+ SELinuxStateRec *state;
+ int rc;
+
+ REQUEST(SELinuxSetContextReq);
+ REQUEST_FIXED_SIZE(SELinuxSetContextReq, stuff->context_len);
+
+ ctx = (char *)(stuff + 1);
+ if (ctx[stuff->context_len - 1])
+ return BadLength;
+
+ rc = dixLookupDevice(&dev, stuff->id, client, DixManageAccess);
+ if (rc != Success)
+ return rc;
+
+ rc = avc_context_to_sid(ctx, &sid);
+ if (rc != Success)
+ return BadValue;
+
+ state = dixLookupPrivate(&dev->devPrivates, stateKey);
+ sidput(state->sid);
+ state->sid = sid;
+ ErrorF("I really, actually did relabel a device to %s\n", ctx);
+ return Success;
+}
+
+static int
+ProcSELinuxGetDeviceContext(ClientPtr client)
+{
+ return Success;
+}
+
+static int
+ProcSELinuxSetPropertyCreateContext(ClientPtr client)
+{
+ return Success;
+}
+
+static int
+ProcSELinuxGetPropertyCreateContext(ClientPtr client)
+{
+ return Success;
+}
+
+static int
+ProcSELinuxGetPropertyContext(ClientPtr client)
+{
+ return Success;
+}
+
+static int
+ProcSELinuxSetWindowCreateContext(ClientPtr client)
+{
+ return Success;
+}
+
+static int
+ProcSELinuxGetWindowCreateContext(ClientPtr client)
+{
+ return Success;
+}
+
+static int
+ProcSELinuxGetWindowContext(ClientPtr client)
+{
+ return Success;
+}
+
+static int
ProcSELinuxDispatch(ClientPtr client)
{
REQUEST(xReq);
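Review bot: ProcSELinuxSetDeviceContext does not reject `context_len == 0`: REQUEST_FIXED_SIZE accepts a header-only request, `ctx[stuff->context_len - 1]` then reads the last byte of the fixed header, which is one of the two bytes of context_len itself and therefore zero, so the terminator test passes and `avc_context_to_sid` parses from the end of the request buffer with no NUL guaranteed in bounds. The guard should be `if (stuff->context_len == 0 || ctx[stuff->context_len - 1]) return BadLength;`. Separately, ProcSELinuxGetSelectionManager writes all of `rep` to the client while only type, length, sequenceNumber and window are assigned, so pad1 and pad2–pad6 carry uninitialized stack bytes to the client; declaring it `SELinuxGetSelectionManagerReply rep = { 0 };` fixes that. The `ErrorF("I really, actually did relabel a device to %s\n", ctx)` line reads as a debugging leftover that logs a client-supplied string on every successful relabel and should go before this lands.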
@@ -1040,6 +1128,24 @@ ProcSELinuxDispatch(ClientPtr client)
return ProcSELinuxQueryVersion(client);
case X_SELinuxSetSelectionManager:
return ProcSELinuxSetSelectionManager(client);
+ case X_SELinuxGetSelectionManager:
+ return ProcSELinuxGetSelectionManager(client);
+ case X_SELinuxSetDeviceContext:
+ return ProcSELinuxSetDeviceContext(client);
+ case X_SELinuxGetDeviceContext:
+ return ProcSELinuxGetDeviceContext(client);
+ case X_SELinuxSetPropertyCreateContext:
+ return ProcSELinuxSetPropertyCreateContext(client);
+ case X_SELinuxGetPropertyCreateContext:
+ return ProcSELinuxGetPropertyCreateContext(client);
+ case X_SELinuxGetPropertyContext:
+ return ProcSELinuxGetPropertyContext(client);
+ case X_SELinuxSetWindowCreateContext:
+ return ProcSELinuxSetWindowCreateContext(client);
+ case X_SELinuxGetWindowCreateContext:
+ return ProcSELinuxGetWindowCreateContext(client);
+ case X_SELinuxGetWindowContext:
+ return ProcSELinuxGetWindowContext(client);
default:
return BadRequest;
}
@@ -1069,6 +1175,60 @@ SProcSELinuxSetSelectionManager(ClientPtr client)
}
static int
+SProcSELinuxGetSelectionManager(ClientPtr client)
+{
+ return ProcSELinuxGetSelectionManager(client);
+}
+
+static int
+SProcSELinuxSetDeviceContext(ClientPtr client)
+{
+ return ProcSELinuxSetDeviceContext(client);
+}
+
+static int
+SProcSELinuxGetDeviceContext(ClientPtr client)
+{
+ return ProcSELinuxGetDeviceContext(client);
+}
+
+static int
+SProcSELinuxSetPropertyCreateContext(ClientPtr client)
+{
+ return ProcSELinuxSetPropertyCreateContext(client);
+}
+
+static int
+SProcSELinuxGetPropertyCreateContext(ClientPtr client)
+{
+ return ProcSELinuxGetPropertyCreateContext(client);
+}
+
+static int
+SProcSELinuxGetPropertyContext(ClientPtr client)
+{
+ return ProcSELinuxGetPropertyContext(client);
+}
+
+static int
+SProcSELinuxSetWindowCreateContext(ClientPtr client)
+{
+ return ProcSELinuxSetWindowCreateContext(client);
+}
+
+static int
+SProcSELinuxGetWindowCreateContext(ClientPtr client)
+{
+ return ProcSELinuxGetWindowCreateContext(client);
+}
+
+static int
+SProcSELinuxGetWindowContext(ClientPtr client)
+{
+ return ProcSELinuxGetWindowContext(client);
+}
+
+static int
SProcSELinuxDispatch(ClientPtr client)
{
REQUEST(xReq);
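Review bot: SProcSELinuxSetDeviceContext forwards a byte-swapped client's request to ProcSELinuxSetDeviceContext without swapping `id` or `context_len`, and unlike the other entries here its target is a real handler rather than a stub, so swapped clients will be sent to the wrong device or fail the REQUEST_FIXED_SIZE check with a mis-ordered length. Because the size check and the terminator index use the same unswapped value the failure is a BadLength rather than an out-of-bounds read, but the request is unusable from such clients. The swap belongs in the SProc before delegating; `length` is presumably handled by SProcSELinuxDispatch, whose body is outside this hunk, and as far as I recall the size macros compare against client->req_len rather than stuff->length.

```c
static int
SProcSELinuxSetDeviceContext(ClientPtr client)
{
    int n;
    REQUEST(SELinuxSetContextReq);

    /* Validate the fixed header before touching its fields, then swap
     * the two multi-byte fields the real handler reads. */
    REQUEST_AT_LEAST_SIZE(SELinuxSetContextReq);
    swapl(&stuff->id, n);
    swaps(&stuff->context_len, n);
    return ProcSELinuxSetDeviceContext(client);
}
```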
@@ -1080,7 +1240,25 @@ SProcSELinuxDispatch(ClientPtr client)
case X_SELinuxQueryVersion:
return SProcSELinuxQueryVersion(client);
case X_SELinuxSetSelectionManager:
- return SProcSELinuxSetSelectionManager(client);
+ return SProcSELinuxSetSelectionManager(client);
+ case X_SELinuxGetSelectionManager:
+ return SProcSELinuxGetSelectionManager(client);
+ case X_SELinuxSetDeviceContext:
+ return SProcSELinuxSetDeviceContext(client);
+ case X_SELinuxGetDeviceContext:
+ return SProcSELinuxGetDeviceContext(client);
+ case X_SELinuxSetPropertyCreateContext:
+ return SProcSELinuxSetPropertyCreateContext(client);
+ case X_SELinuxGetPropertyCreateContext:
+ return SProcSELinuxGetPropertyCreateContext(client);
+ case X_SELinuxGetPropertyContext:
+ return SProcSELinuxGetPropertyContext(client);
+ case X_SELinuxSetWindowCreateContext:
+ return SProcSELinuxSetWindowCreateContext(client);
+ case X_SELinuxGetWindowCreateContext:
+ return SProcSELinuxGetWindowCreateContext(client);
+ case X_SELinuxGetWindowContext:
+ return SProcSELinuxGetWindowContext(client);
default:
return BadRequest;
}
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index 691154d..50838d7 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
@@ -30,10 +30,19 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#define XSELinuxNumberErrors 0
/* Extension protocol */
-#define X_SELinuxQueryVersion 0
-#define X_SELinuxSetSelectionManager 1
+#define X_SELinuxQueryVersion 0
+#define X_SELinuxSetSelectionManager 1
+#define X_SELinuxGetSelectionManager 2
+#define X_SELinuxSetDeviceContext 3
+#define X_SELinuxGetDeviceContext 4
+#define X_SELinuxSetPropertyCreateContext 5
+#define X_SELinuxGetPropertyCreateContext 6
+#define X_SELinuxGetPropertyContext 7
+#define X_SELinuxSetWindowCreateContext 8
+#define X_SELinuxGetWindowCreateContext 9
+#define X_SELinuxGetWindowContext 10
-typedef struct _SELinuxQueryVersion {
+typedef struct {
CARD8 reqType;
CARD8 SELinuxReqType;
CARD16 length;
@@ -41,7 +50,6 @@ typedef struct _SELinuxQueryVersion {
CARD8 client_minor;
CARD16 unused;
} SELinuxQueryVersionReq;
-#define sz_SELinuxQueryVersionReq 8
typedef struct {
CARD8 type;
@@ -56,15 +64,114 @@ typedef struct {
CARD32 pad5;
CARD32 pad6;
} SELinuxQueryVersionReply;
-#define sz_SELinuxQueryVersionReply 32
-typedef struct _SELinuxSetSelectionManager {
+typedef struct {
CARD8 reqType;
CARD8 SELinuxReqType;
CARD16 length;
CARD32 window;
} SELinuxSetSelectionManagerReq;
-#define sz_SELinuxSetSelectionManagerReq 8
+
+typedef struct {
+ CARD8 reqType;
+ CARD8 SELinuxReqType;
+ CARD16 length;
+} SELinuxGetSelectionManagerReq;
+
+typedef struct {
+ CARD8 type;
+ CARD8 pad1;
+ CARD16 sequenceNumber;
+ CARD32 length;
+ CARD32 window;
+ CARD32 pad2;
+ CARD32 pad3;
+ CARD32 pad4;
+ CARD32 pad5;
+ CARD32 pad6;
+} SELinuxGetSelectionManagerReply;
+
+typedef struct {
+ CARD8 reqType;
+ CARD8 SELinuxReqType;
+ CARD16 length;
+ CARD8 permanent;
+ CARD8 unused;
+ CARD16 context_len;
+} SELinuxSetCreateContextReq;
+
+typedef struct {
+ CARD8 reqType;
+ CARD8 SELinuxReqType;
+ CARD16 length;
+} SELinuxGetCreateContextReq;
+
+typedef struct {
+ CARD8 type;
+ CARD8 permanent;
+ CARD16 sequenceNumber;
+ CARD32 length;
+ CARD16 context_len;
+ CARD16 pad1;
+ CARD32 pad2;
+ CARD32 pad3;
+ CARD32 pad4;
+ CARD32 pad5;
+ CARD32 pad6;
+} SELinuxGetCreateContextReply;
+
+typedef struct {
+ CARD8 reqType;
+ CARD8 SELinuxReqType;
+ CARD16 length;
+ CARD32 id;
+ CARD16 unused;
+ CARD16 context_len;
+} SELinuxSetContextReq;
+
+typedef struct {
+ CARD8 reqType;
+ CARD8 SELinuxReqType;
+ CARD16 length;
+ CARD32 id;
+} SELinuxGetContextReq;
+
+typedef struct {
+ CARD8 type;
+ CARD8 pad1;
+ CARD16 sequenceNumber;
+ CARD32 length;
+ CARD16 context_len;
+ CARD16 pad2;
+ CARD32 pad3;
+ CARD32 pad4;
+ CARD32 pad5;
+ CARD32 pad6;
+ CARD32 pad7;
+} SELinuxGetContextReply;
+
+typedef struct {
+ CARD8 reqType;
+ CARD8 SELinuxReqType;
+ CARD16 length;
+ CARD32 window;
+ CARD32 property;
+} SELinuxGetPropertyContextReq;
+
+typedef struct {
+ CARD8 type;
+ CARD8 pad1;
+ CARD16 sequenceNumber;
+ CARD32 length;
+ CARD16 context_len;
+ CARD16 pad2;
+ CARD32 pad3;
+ CARD32 pad4;
+ CARD32 pad5;
+ CARD32 pad6;
+ CARD32 pad7;
+} SELinuxGetPropertyContextReply;
+
/* Private Flask definitions */
#define SECCLASS_X_DRAWABLE 1
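Review bot: The new wire structures carry no comment on how `context_len` is interpreted, and the ProcSELinuxSetDeviceContext handler in this commit only accepts a request whose byte at `context_len - 1` is NUL, so the count must include the terminator; a client author reading only this header would not know that. A one-line comment above SELinuxSetContextReq and SELinuxSetCreateContextReq such as `/* context_len bytes of security context follow the header, NUL terminator included (X pads the request to 4 bytes) */` would pin the contract. The same convention presumably applies to `context_len` in the three reply structures, which should say so once the Get handlers are filled in.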
commit 5f9095f0d29bac0190d82c87a09cf32d6a34c17c
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Oct 25 19:02:03 2007 -0400
registry: Remove synthetic bit from event types in lookup function.
diff --git a/dix/registry.c b/dix/registry.c
index 48e1b5d..1cf7fa5 100644
--- a/dix/registry.c
+++ b/dix/registry.c
@@ -134,6 +134,7 @@ LookupRequestName(int major, int minor)
const char *
LookupEventName(int event)
{
+ event &= 127;
if (event >= nevent)
return XREGISTRY_UNKNOWN;
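Review bot: `event &= 127;` clears the send_event (synthetic) bit with a bare magic number, and nothing on the line says so; `event &= ~0x80; /* strip the send_event bit so synthetic events map to their real type */` or the server's existing name for that bit, if one is in scope here, would make the intent visible. The rest of LookupEventName is outside the hunk.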
@@ -153,7 +154,6 @@ const char *
LookupResourceName(RESTYPE resource)
{
resource &= TypeMask;
-
if (resource >= nresource)
return XREGISTRY_UNKNOWN;
commit 8c6923018c7d71cd15d9cf4ef9e8528ef5ec7c2e
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Oct 25 19:01:29 2007 -0400
xace: Add a "manage" access check when setting the Redirect event bits.
diff --git a/dix/events.c b/dix/events.c
index 24de947..e13e290 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -3330,6 +3330,8 @@ ProcessPointerEvent (xEvent *xE, DeviceIntPtr mouse, int count)
#define AtMostOneClient \
(SubstructureRedirectMask | ResizeRedirectMask | ButtonPressMask)
+#define ManagerMask \
+ (SubstructureRedirectMask | ResizeRedirectMask)
/**
* Recalculate which events may be deliverable for the given window.
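Review bot: ManagerMask is introduced without a comment, and its relation to the neighbouring AtMostOneClient (which also includes ButtonPressMask, deliberately left out here) is not obvious to a reader. Add above the define: `/* Selecting either of these makes the client a window manager for pWin; EventSelectForWindow requires "manage" access on the window before granting them. */`.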
@@ -3418,12 +3420,20 @@ EventSelectForWindow(WindowPtr pWin, ClientPtr client, Mask mask)
{
Mask check;
OtherClients * others;
+ int rc;
if (mask & ~AllEventMasks)
{
client->errorValue = mask;
return BadValue;
}
+ check = (mask & ManagerMask);
+ if (check) {
+ rc = XaceHook(XACE_RESOURCE_ACCESS, client, pWin->drawable.id,
+ RT_WINDOW, pWin, RT_NONE, NULL, DixManageAccess);
+ if (rc != Success)
+ return rc;
+ }
check = (mask & AtMostOneClient);
if (check & (pWin->eventMask|wOtherEventMasks(pWin)))
{ /* It is illegal for two different
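Review bot: `check` is assigned the ManagerMask bits only to be overwritten a few lines later with the AtMostOneClient bits, so one variable now carries two meanings in the same function; testing `if (mask & ManagerMask) {` directly reads better and keeps `check` for the conflict test. The XaceHook denial is returned before the AtMostOneClient conflict check, which means a client the policy denies does not learn, via BadAccess, whether another manager already holds the window; that looks intentional and is worth a one-line comment so the ordering is not "cleaned up" later. The body of EventSelectForWindow continues outside the hunk.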
commit 7d14ca59c5b942c09feaa2429c394cde9d8d3fd1
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Oct 25 19:00:50 2007 -0400
xselinux: Don't include the client in the receive hook audit messages.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index b780170..bacbe6e 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -545,7 +545,7 @@ SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceReceiveAccessRec *rec = calldata;
SELinuxStateRec *subj, *obj;
- SELinuxAuditRec auditdata = { .client = rec->client };
+ SELinuxAuditRec auditdata = { .client = NULL };
int rc, i;
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
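Review bot: Setting `.client = NULL` drops the receiving client from the audit record with no comment explaining why, and the next reader will see a client pointer readily available in `rec->client` and be tempted to put it back. The reason is only in the commit title; presumably it is that `rec->client` here is the recipient of the event rather than the originator of a request, so it would mislead in an audit message. A note on the line such as `/* rec->client is the recipient, not a requester: leave it out of the audit message */` would record that, hedged as appropriate if the reasoning differs.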
commit 40de9fcf18930811dd5ae355c83275af887a9f83
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Oct 25 12:35:01 2007 -0400
xselinux: Label the default device directly with the process context.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index cb62cb9..b780170 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -486,13 +486,9 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
if (rec->access_mode & DixCreateAccess) {
sidput(obj->sid);
- /* Perform a transition to obtain the final SID */
- if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_DEVICE,
- &obj->sid) < 0) {
- ErrorF("XSELinux: a compute_create call failed!\n");
- rec->status = BadValue;
- return;
- }
+ /* Label the device directly with the process SID */
+ sidget(subj->sid);
+ obj->sid = subj->sid;
}
rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_DEVICE,
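Review bot: The commit title speaks of the default device, but the replaced branch is taken for every device access carrying DixCreateAccess that reaches SELinuxDevice, so any device created on a client's behalf is now labeled with that client's SID and the policy can no longer express a transition for x_device creation (the removed avc_compute_create was the only place that happened). If that is the intent, the comment should say so rather than restrict itself to "the process SID"; if only the default device is meant, the condition needs narrowing. Note also that the new path can no longer fail, so the `rec->status = BadValue` behaviour of the old branch is gone, which callers expecting a failure signal should be checked against. The function continues past the hunk.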