xserver: Branch 'XACE-SELINUX' - 3 commits
Eamon Walsh
ewalsh at kemper.freedesktop.org
Thu Nov 8 14:05:44 PST 2007
.gitignore | 2
Xext/Makefile.am | 7
Xext/SecurityPolicy | 86 --
Xext/security.c | 1344 ++++++++++-----------------------------------
Xext/securitysrv.h | 4
configure.ac | 4
doc/Makefile.am | 2
doc/SecurityPolicy.man.pre | 258 --------
doc/Xserver.man.pre | 13
os/utils.c | 12
10 files changed, 312 insertions(+), 1420 deletions(-)
New commits:
commit 1c6cb353f77747c101ce47716ff1fa055fbf85a4
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Nov 8 16:46:49 2007 -0500
Restore the XC-SECURITY option in configure.ac, but disabled by default.
diff --git a/configure.ac b/configure.ac
index 278dcac..84b24cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -514,8 +514,8 @@ AC_ARG_ENABLE(xf86vidmode, AS_HELP_STRING([--disable-xf86vidmode], [Build XF8
AC_ARG_ENABLE(xf86misc, AS_HELP_STRING([--disable-xf86misc], [Build XF86Misc extension (default: auto)]), [XF86MISC=$enableval], [XF86MISC=auto])
AC_ARG_ENABLE(xace, AS_HELP_STRING([--disable-xace], [Build X-ACE extension (default: enabled)]), [XACE=$enableval], [XACE=yes])
AC_ARG_ENABLE(xselinux, AS_HELP_STRING([--disable-xselinux], [Build SELinux extension (default: disabled)]), [XSELINUX=$enableval], [XSELINUX=no])
-AC_ARG_ENABLE(xcsecurity, AS_HELP_STRING([--disable-xcsecurity], [Build Security extension (TEMPORARILY DISABLED)]), [XCSECURITY=no], [XCSECURITY=no])
-AC_ARG_ENABLE(appgroup, AS_HELP_STRING([--disable-appgroup], [Build XC-APPGROUP extension (default: enabled)]), [APPGROUP=$enableval], [APPGROUP=$XCSECURITY])
+AC_ARG_ENABLE(xcsecurity, AS_HELP_STRING([--disable-xcsecurity], [Build Security extension (default: disabled)]), [XCSECURITY=$enableval], [XCSECURITY=no])
+AC_ARG_ENABLE(appgroup, AS_HELP_STRING([--disable-appgroup], [Build XC-APPGROUP extension (default: disabled)]), [APPGROUP=$enableval], [APPGROUP=$XCSECURITY])
AC_ARG_ENABLE(xcalibrate, AS_HELP_STRING([--enable-xcalibrate], [Build XCalibrate extension (default: disabled)]), [XCALIBRATE=$enableval], [XCALIBRATE=no])
AC_ARG_ENABLE(tslib, AS_HELP_STRING([--enable-tslib], [Build kdrive tslib touchscreen support (default: disabled)]), [TSLIB=$enableval], [TSLIB=no])
AC_ARG_ENABLE(xevie, AS_HELP_STRING([--disable-xevie], [Build XEvIE extension (default: enabled)]), [XEVIE=$enableval], [XEVIE=yes])
commit 9d03cad1446c27b397c198cf6247e71e46bc9e6d
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Nov 8 16:41:47 2007 -0500
Remove SecurityPolicy file and associated references in the manpages.
diff --git a/.gitignore b/.gitignore
index 27132c0..1213d99 100644
--- a/.gitignore
+++ b/.gitignore
@@ -92,8 +92,6 @@ cfb32/cfbzerarcG.c
cfb32/cfbzerarcX.c
doc/Xserver.1x
doc/Xserver.man
-doc/SecurityPolicy.5
-doc/SecurityPolicy.man
hw/dmx/Xdmx
hw/dmx/Xdmx.1x
hw/dmx/config/dmxtodmx
diff --git a/Xext/Makefile.am b/Xext/Makefile.am
index 6fe1c34..f57e599 100644
--- a/Xext/Makefile.am
+++ b/Xext/Makefile.am
@@ -33,9 +33,6 @@ MODULE_SRCS = \
sync.c \
xcmisc.c
-# Extra configuration files ship with some extensions
-SERVERCONFIG_DATA =
-
# Optional sources included if extension enabled by configure.ac rules
# MIT Shared Memory extension
@@ -86,9 +83,6 @@ endif
XCSECURITY_SRCS = security.c securitysrv.h
if XCSECURITY
BUILTIN_SRCS += $(XCSECURITY_SRCS)
-
-SERVERCONFIG_DATA += SecurityPolicy
-AM_CFLAGS += -DDEFAULTPOLICYFILE=\"$(SERVERCONFIGdir)/SecurityPolicy\"
endif
XCALIBRATE_SRCS = xcalibrate.c
@@ -166,7 +160,6 @@ libXextmodule_la_SOURCES = $(MODULE_SRCS)
endif
EXTRA_DIST = \
- $(SERVERCONFIG_DATA) \
$(MITSHM_SRCS) \
$(XV_SRCS) \
$(RES_SRCS) \
diff --git a/Xext/SecurityPolicy b/Xext/SecurityPolicy
deleted file mode 100644
index 04dfb0e..0000000
--- a/Xext/SecurityPolicy
+++ /dev/null
@@ -1,86 +0,0 @@
-version-1
-
-# $Xorg: SecurityPolicy,v 1.3 2000/08/17 19:47:56 cpqbld Exp $
-
-# Property access rules:
-# property <property> <window> <permissions>
-# <window> ::= any | root | <propertyselector>
-# <propertyselector> ::= <property> | <property>=<value>
-# <permissions> :== [ <operation> | <action> | <space> ]*
-# <operation> :== r | w | d
-# r read
-# w write
-# d delete
-# <action> :== a | i | e
-# a allow
-# i ignore
-# e error
-
-# Allow reading of application resources, but not writing.
-property RESOURCE_MANAGER root ar iw
-property SCREEN_RESOURCES root ar iw
-
-# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
-# and allowing access may give away too much information.
-property CUT_BUFFER0 root irw
-property CUT_BUFFER1 root irw
-property CUT_BUFFER2 root irw
-property CUT_BUFFER3 root irw
-property CUT_BUFFER4 root irw
-property CUT_BUFFER5 root irw
-property CUT_BUFFER6 root irw
-property CUT_BUFFER7 root irw
-
-# If you are using Motif, you probably want these.
-property _MOTIF_DEFAULT_BINDINGS root ar iw
-property _MOTIF_DRAG_WINDOW root ar iw
-property _MOTIF_DRAG_TARGETS any ar iw
-property _MOTIF_DRAG_ATOMS any ar iw
-property _MOTIF_DRAG_ATOM_PAIRS any ar iw
-
-# If you are running CDE you also need these
-property _MOTIF_WM_INFO root arw
-property TT_SESSION root irw
-property WM_ICON_SIZE root irw
-property "SDT Pixel Set" any irw
-
-# The next two rules let xwininfo -tree work when untrusted.
-property WM_NAME any ar
-
-# Allow read of WM_CLASS, but only for windows with WM_NAME.
-# This might be more restrictive than necessary, but demonstrates
-# the <required property> facility, and is also an attempt to
-# say "top level windows only."
-property WM_CLASS WM_NAME ar
-
-# These next three let xlsclients work untrusted. Think carefully
-# before including these; giving away the client machine name and command
-# may be exposing too much.
-property WM_STATE WM_NAME ar
-property WM_CLIENT_MACHINE WM_NAME ar
-property WM_COMMAND WM_NAME ar
-
-# To let untrusted clients use the standard colormaps created by
-# xstdcmap, include these lines.
-property RGB_DEFAULT_MAP root ar
-property RGB_BEST_MAP root ar
-property RGB_RED_MAP root ar
-property RGB_GREEN_MAP root ar
-property RGB_BLUE_MAP root ar
-property RGB_GRAY_MAP root ar
-
-# To let untrusted clients use the color management database created
-# by xcmsdb, include these lines.
-property XDCCC_LINEAR_RGB_CORRECTION root ar
-property XDCCC_LINEAR_RGB_MATRICES root ar
-property XDCCC_GRAY_SCREENWHITEPOINT root ar
-property XDCCC_GRAY_CORRECTION root ar
-
-# To let untrusted clients use the overlay visuals that many vendors
-# support, include this line.
-property SERVER_OVERLAY_VISUALS root ar
-
-# Only trusted extensions can be used by untrusted clients
-trust extension XC-MISC
-trust extension BIG-REQUESTS
-trust extension XpExtension
diff --git a/doc/Makefile.am b/doc/Makefile.am
index ce1979d..d3911c9 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -5,7 +5,7 @@ filemandir = $(FILE_MAN_DIR)
# (i.e. those handled in the os/utils.c options processing instead of in
# the DDX-level options processing)
appman_PRE = Xserver.man.pre
-fileman_PRE = SecurityPolicy.man.pre
+fileman_PRE =
appman_PROCESSED = $(appman_PRE:man.pre=man)
fileman_PROCESSED = $(fileman_PRE:man.pre=man)
diff --git a/doc/SecurityPolicy.man.pre b/doc/SecurityPolicy.man.pre
deleted file mode 100644
index f5aff0c..0000000
--- a/doc/SecurityPolicy.man.pre
+++ /dev/null
@@ -1,258 +0,0 @@
-.\" Split out of Xserver.man, which was covered by this notice:
-.\" Copyright 1984 - 1991, 1993, 1994, 1998 The Open Group
-.\"
-.\" Permission to use, copy, modify, distribute, and sell this software and its
-.\" documentation for any purpose is hereby granted without fee, provided that
-.\" the above copyright notice appear in all copies and that both that
-.\" copyright notice and this permission notice appear in supporting
-.\" documentation.
-.\"
-.\" The above copyright notice and this permission notice shall be included
-.\" in all copies or substantial portions of the Software.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-.\" IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
-.\" OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
-.\" ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-.\" OTHER DEALINGS IN THE SOFTWARE.
-.\"
-.\" Except as contained in this notice, the name of The Open Group shall
-.\" not be used in advertising or otherwise to promote the sale, use or
-.\" other dealings in this Software without prior written authorization
-.\" from The Open Group.
-.\" $XFree86: xc/programs/Xserver/Xserver.man,v 3.31 2004/01/10 22:27:46 dawes Exp $
-.\" shorthand for double quote that works everywhere.
-.ds q \N'34'
-.TH SecurityPolicy __filemansuffix__ __xorgversion__
-.SH NAME
-SecurityPolicy \- X Window System SECURITY Extension Policy file format
-.SH DESCRIPTION
-The SECURITY extension to the X Window System uses a policy file to determine
-which operations should be allowed or denied. The default location for this
-file is
-.IR __projectroot__/lib/xserver/SecurityPolicy .
-.PP
-The syntax of the security policy file is as follows.
-Notation: "*" means zero or more occurrences of the preceding element,
-and "+" means one or more occurrences. To interpret <foo/bar>, ignore
-the text after the /; it is used to distinguish between instances of
-<foo> in the next section.
-.PP
-.nf
-<policy file> ::= <version line> <other line>*
-
-<version line> ::= <string/v> '\en'
-
-<other line > ::= <comment> | <access rule> | <site policy> | <blank line>
-
-<comment> ::= # <not newline>* '\en'
-
-<blank line> ::= <space> '\en'
-
-<site policy> ::= sitepolicy <string/sp> '\en'
-
-<access rule> ::= property <property/ar> <window> <perms> '\en'
-
-<property> ::= <string>
-
-<window> ::= any | root | <required property>
-
-<required property> ::= <property/rp> | <property with value>
-
-<property with value> ::= <property/rpv> = <string/rv>
-
-<perms> ::= [ <operation> | <action> | <space> ]*
-
-<operation> ::= r | w | d
-
-<action> ::= a | i | e
-
-<string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>
-
-<dbl quoted string> ::= <space> " <not dquote>* " <space>
-
-<single quoted string> ::= <space> ' <not squote>* ' <space>
-
-<unquoted string> ::= <space> <not space>+ <space>
-
-<space> ::= [ ' ' | '\et' ]*
-
-Character sets:
-
-<not newline> ::= any character except '\en'
-<not dquote> ::= any character except "
-<not squote> ::= any character except '
-<not space> ::= any character except those in <space>
-.fi
-.PP
-The semantics associated with the above syntax are as follows.
-.PP
-<version line>, the first line in the file, specifies the file format
-version. If the server does not recognize the version <string/v>, it
-ignores the rest of the file. The version string for the file format
-described here is "version-1" .
-.PP
-Once past the <version line>, lines that do not match the above syntax
-are ignored.
-.PP
-<comment> lines are ignored.
-.PP
-<sitepolicy> lines are currently ignored. They are intended to
-specify the site policies used by the XC-QUERY-SECURITY-1
-authorization method.
-.PP
-<access rule> lines specify how the server should react to untrusted
-client requests that affect the X Window property named <property/ar>.
-The rest of this section describes the interpretation of an
-<access rule>.
-.PP
-For an <access rule> to apply to a given instance of <property/ar>,
-<property/ar> must be on a window that is in the set of windows
-specified by <window>. If <window> is any, the rule applies to
-<property/ar> on any window. If <window> is root, the rule applies to
-<property/ar> only on root windows.
-.PP
-If <window> is <required property>, the following apply. If <required
-property> is a <property/rp>, the rule applies when the window also
-has that <property/rp>, regardless of its value. If <required
-property> is a <property with value>, <property/rpv> must also have
-the value specified by <string/rv>. In this case, the property must
-have type STRING and format 8, and should contain one or more
-null-terminated strings. If any of the strings match <string/rv>, the
-rule applies.
-.PP
-The definition of string matching is simple case-sensitive string
-comparison with one elaboration: the occurrence of the character '*' in
-<string/rv> is a wildcard meaning "any string." A <string/rv> can
-contain multiple wildcards anywhere in the string. For example, "x*"
-matches strings that begin with x, "*x" matches strings that end with
-x, "*x*" matches strings containing x, and "x*y*" matches strings that
-start with x and subsequently contain y.
-.PP
-There may be multiple <access rule> lines for a given <property/ar>.
-The rules are tested in the order that they appear in the file. The
-first rule that applies is used.
-.PP
-<perms> specify operations that untrusted clients may attempt, and
-the actions that the server should take in response to those operations.
-.PP
-<operation> can be r (read), w (write), or d (delete). The following
-table shows how X Protocol property requests map to these operations
-in the X.Org server implementation.
-.PP
-.nf
-GetProperty r, or r and d if delete = True
-ChangeProperty w
-RotateProperties r and w
-DeleteProperty d
-ListProperties none, untrusted clients can always list all properties
-.fi
-.PP
-<action> can be a (allow), i (ignore), or e (error). Allow means
-execute the request as if it had been issued by a trusted client.
-Ignore means treat the request as a no-op. In the case of
-GetProperty, ignore means return an empty property value if the
-property exists, regardless of its actual value. Error means do not
-execute the request and return a BadAtom error with the atom set to
-the property name. Error is the default action for all properties,
-including those not listed in the security policy file.
-.PP
-An <action> applies to all <operation>s that follow it, until the next
-<action> is encountered. Thus, irwad means ignore read and write,
-allow delete.
-.PP
-GetProperty and RotateProperties may do multiple operations (r and d,
-or r and w). If different actions apply to the operations, the most
-severe action is applied to the whole request; there is no partial
-request execution. The severity ordering is: allow < ignore < error.
-Thus, if the <perms> for a property are ired (ignore read, error
-delete), and an untrusted client attempts GetProperty on that property
-with delete = True, an error is returned, but the property value is
-not. Similarly, if any of the properties in a RotateProperties do not
-allow both read and write, an error is returned without changing any
-property values.
-.PP
-Here is an example security policy file.
-.PP
-.ta 3i 4i
-.nf
-version-1
-
-XCOMM Allow reading of application resources, but not writing.
-property RESOURCE_MANAGER root ar iw
-property SCREEN_RESOURCES root ar iw
-
-XCOMM Ignore attempts to use cut buffers. Giving errors causes apps to crash,
-XCOMM and allowing access may give away too much information.
-property CUT_BUFFER0 root irw
-property CUT_BUFFER1 root irw
-property CUT_BUFFER2 root irw
-property CUT_BUFFER3 root irw
-property CUT_BUFFER4 root irw
-property CUT_BUFFER5 root irw
-property CUT_BUFFER6 root irw
-property CUT_BUFFER7 root irw
-
-XCOMM If you are using Motif, you probably want these.
-property _MOTIF_DEFAULT_BINDINGS root ar iw
-property _MOTIF_DRAG_WINDOW root ar iw
-property _MOTIF_DRAG_TARGETS any ar iw
-property _MOTIF_DRAG_ATOMS any ar iw
-property _MOTIF_DRAG_ATOM_PAIRS any ar iw
-
-XCOMM The next two rules let xwininfo -tree work when untrusted.
-property WM_NAME any ar
-
-XCOMM Allow read of WM_CLASS, but only for windows with WM_NAME.
-XCOMM This might be more restrictive than necessary, but demonstrates
-XCOMM the <required property> facility, and is also an attempt to
-XCOMM say "top level windows only."
-property WM_CLASS WM_NAME ar
-
-XCOMM These next three let xlsclients work untrusted. Think carefully
-XCOMM before including these; giving away the client machine name and command
-XCOMM may be exposing too much.
-property WM_STATE WM_NAME ar
-property WM_CLIENT_MACHINE WM_NAME ar
-property WM_COMMAND WM_NAME ar
-
-XCOMM To let untrusted clients use the standard colormaps created by
-XCOMM xstdcmap, include these lines.
-property RGB_DEFAULT_MAP root ar
-property RGB_BEST_MAP root ar
-property RGB_RED_MAP root ar
-property RGB_GREEN_MAP root ar
-property RGB_BLUE_MAP root ar
-property RGB_GRAY_MAP root ar
-
-XCOMM To let untrusted clients use the color management database created
-XCOMM by xcmsdb, include these lines.
-property XDCCC_LINEAR_RGB_CORRECTION root ar
-property XDCCC_LINEAR_RGB_MATRICES root ar
-property XDCCC_GRAY_SCREENWHITEPOINT root ar
-property XDCCC_GRAY_CORRECTION root ar
-
-XCOMM To let untrusted clients use the overlay visuals that many vendors
-XCOMM support, include this line.
-property SERVER_OVERLAY_VISUALS root ar
-
-XCOMM Dumb examples to show other capabilities.
-
-XCOMM oddball property names and explicit specification of error conditions
-property "property with spaces" 'property with "' aw er ed
-
-XCOMM Allow deletion of Woo-Hoo if window also has property OhBoy with value
-XCOMM ending in "son". Reads and writes will cause an error.
-property Woo-Hoo OhBoy = "*son" ad
-
-.fi
-.SH FILES
-.TP 30
-.I __projectroot__/lib/xserver/SecurityPolicy
-Default X server security policy
-.SH "SEE ALSO"
-.PP
-\fIXserver\fp(__appmansuffix__),
-.I "Security Extension Specification"
diff --git a/doc/Xserver.man.pre b/doc/Xserver.man.pre
index c9ee019..c47a396 100644
--- a/doc/Xserver.man.pre
+++ b/doc/Xserver.man.pre
@@ -407,15 +407,6 @@ elapse between autorepeat-generated keystrokes).
.TP 8
.B \-xkbmap \fIfilename\fP
loads keyboard description in \fIfilename\fP on server startup.
-.SH SECURITY EXTENSION OPTIONS
-X servers that support the SECURITY extension accept the following option:
-.TP 8
-.B \-sp \fIfilename\fP
-causes the server to attempt to read and interpret filename as a security
-policy file with the format described below. The file is read at server
-startup and reread at each server reset.
-The syntax of the security policy file is described in
-\fISecurityPolicy\fP(__filemansuffix__).
.SH "NETWORK CONNECTIONS"
The X server supports client connections via a platform-dependent subset of
the following transport types: TCP\/IP, Unix Domain sockets, DECnet,
@@ -580,9 +571,6 @@ Error log file for display number \fBn\fP if run from \fIinit\fP(__adminmansuffi
.TP 30
.I __projectroot__/lib/X11/xdm/xdm-errors
Default error log file if the server is run from \fIxdm\fP(1)
-.TP 30
-.I __projectroot__/lib/xserver/SecurityPolicy
-Default X server security policy
.SH "SEE ALSO"
General information: \fIX\fP(__miscmansuffix__)
.PP
@@ -597,7 +585,6 @@ Fonts: \fIbdftopcf\fP(1), \fImkfontdir\fP(1), \fImkfontscale\fP(1),
.PP
Security: \fIXsecurity\fP(__miscmansuffix__), \fIxauth\fP(1), \fIXau\fP(1),
\fIxdm\fP(1), \fIxhost\fP(1), \fIxfwp\fP(1),
-\fISecurityPolicy\fP(__filemansuffix__),
.I "Security Extension Specification"
.PP
Starting the server: \fIxdm\fP(1), \fIxinit\fP(1)
commit 8b5d21cc1d1f4e9d20e5d5eca44cb1e60a419763
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Nov 8 16:32:42 2007 -0500
Rework of the XC-SECURITY extension. The gen-auth protocol has not changed,
but the XC-QUERY-SECURITY-1 authorization method and the SecurityPolicy
configuration file have been removed. The semantics of the trusted vs.
untrusted split have been changed. This will be documented in a future
commit.
diff --git a/Xext/security.c b/Xext/security.c
index ec414a0..6aab3a3 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -31,53 +31,47 @@ in this Software without prior written authorization from The Open Group.
#include "scrnintstr.h"
#include "colormapst.h"
#include "privates.h"
+#include "registry.h"
#include "xacestr.h"
#include "securitysrv.h"
#include <X11/extensions/securstr.h>
-#include <assert.h>
-#include <stdarg.h>
#ifdef XAPPGROUP
#include "appgroup.h"
#endif
-#include <stdio.h> /* for file reading operations */
-#include <X11/Xatom.h> /* for XA_STRING */
-
-#ifndef DEFAULTPOLICYFILE
-# define DEFAULTPOLICYFILE NULL
-#endif
-#if defined(WIN32) || defined(__CYGWIN__)
-#include <X11/Xos.h>
-#undef index
-#endif
-
#include "modinit.h"
+/* Extension stuff */
static int SecurityErrorBase; /* first Security error number */
static int SecurityEventBase; /* first Security event number */
-static const DevPrivateKey stateKey = &stateKey;
-/* this is what we store as client security state */
+RESTYPE SecurityAuthorizationResType; /* resource type for authorizations */
+static RESTYPE RTEventClient;
+
+static CallbackListPtr SecurityValidateGroupCallback = NULL;
+
+/* Private state record */
+static DevPrivateKey stateKey = &stateKey;
+
+/* This is what we store as client security state */
typedef struct {
int haveState;
unsigned int trustLevel;
XID authId;
-} SecurityClientStateRec;
-
-#define HAVESTATE(client) (((SecurityClientStateRec *) \
- dixLookupPrivate(DEVPRIV_PTR(client), stateKey))->haveState)
-#define TRUSTLEVEL(client) (((SecurityClientStateRec *) \
- dixLookupPrivate(DEVPRIV_PTR(client), stateKey))->trustLevel)
-#define AUTHID(client)(((SecurityClientStateRec *) \
- dixLookupPrivate(DEVPRIV_PTR(client), stateKey))->authId)
-
-static CallbackListPtr SecurityValidateGroupCallback = NULL;
-
-static char **SecurityTrustedExtensions = NULL;
-static int nSecurityTrustedExtensions = 0;
+} SecurityStateRec;
+
+/* Extensions that untrusted clients shouldn't have access to */
+static char *SecurityUntrustedExtensions[] = {
+ "RandR",
+ "SECURITY",
+ "XFree86-DGA",
+ NULL
+};
-RESTYPE SecurityAuthorizationResType; /* resource type for authorizations */
+/* Access modes that untrusted clients can do to trusted stuff */
+static const Mask SecurityAllowedMask =
+ DixGetAttrAccess | DixListPropAccess | DixGetPropAccess |
+ DixGetFocusAccess | DixListAccess | DixReceiveAccess;
-static RESTYPE RTEventClient;
/* SecurityAudit
*
@@ -103,6 +97,51 @@ SecurityAudit(char *format, ...)
va_end(args);
} /* SecurityAudit */
+/*
+ * Performs a Security permission check.
+ */
+static int
+SecurityDoCheck(SecurityStateRec *subj, SecurityStateRec *obj,
+ Mask requested, Mask allowed)
+{
+ if (!subj->haveState || !obj->haveState)
+ return Success;
+ if (subj->trustLevel == XSecurityClientTrusted)
+ return Success;
+ if (obj->trustLevel != XSecurityClientTrusted)
+ return Success;
+ if ((requested | allowed) == allowed)
+ return Success;
+
+ return BadAccess;
+}
+
+/*
+ * Labels initial server objects.
+ */
+static void
+SecurityLabelInitial(void)
+{
+ SecurityStateRec *state;
+
+ /* Do the serverClient */
+ state = dixLookupPrivate(&serverClient->devPrivates, stateKey);
+ state->trustLevel = XSecurityClientTrusted;
+ state->haveState = TRUE;
+}
+
+/*
+ * Looks up a request name
+ */
+static _X_INLINE const char *
+SecurityLookupRequestName(ClientPtr client)
+{
+ int major = ((xReq *)client->requestBuffer)->reqType;
+ int minor = MinorOpcodeOfRequest(client);
+ return LookupRequestName(major, minor);
+}
+
+
#define rClient(obj) (clients[CLIENT_ID((obj)->resource)])
/* SecurityDeleteAuthorization
@@ -163,10 +202,12 @@ SecurityDeleteAuthorization(
/* kill all clients using this auth */
for (i = 1; i<currentMaxClients; i++)
- {
- if (clients[i] && (AUTHID(clients[i]) == pAuth->id))
- CloseDownClient(clients[i]);
- }
+ if (clients[i]) {
+ SecurityStateRec *state;
+ state = dixLookupPrivate(&clients[i]->devPrivates, stateKey);
+ if (state->haveState && state->authId == pAuth->id)
+ CloseDownClient(clients[i]);
+ }
SecurityAudit("revoked authorization ID %d\n", pAuth->id);
xfree(pAuth);
@@ -315,12 +356,6 @@ ProcSecurityQueryVersion(
/* REQUEST(xSecurityQueryVersionReq); */
xSecurityQueryVersionReply rep;
- /* paranoia: this "can't happen" because this extension is hidden
- * from untrusted clients, but just in case...
- */
- if (TRUSTLEVEL(client) != XSecurityClientTrusted)
- return BadRequest;
-
REQUEST_SIZE_MATCH(xSecurityQueryVersionReq);
rep.type = X_Reply;
rep.sequenceNumber = client->sequence;
@@ -401,12 +436,6 @@ ProcSecurityGenerateAuthorization(
char *pAuthdata; /* generated auth data */
Mask eventMask; /* what events on this auth does client want */
- /* paranoia: this "can't happen" because this extension is hidden
- * from untrusted clients, but just in case...
- */
- if (TRUSTLEVEL(client) != XSecurityClientTrusted)
- return BadRequest;
-
/* check request length */
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
@@ -584,12 +613,6 @@ ProcSecurityRevokeAuthorization(
REQUEST(xSecurityRevokeAuthorizationReq);
SecurityAuthorizationPtr pAuth;
- /* paranoia: this "can't happen" because this extension is hidden
- * from untrusted clients, but just in case...
- */
- if (TRUSTLEVEL(client) != XSecurityClientTrusted)
- return BadRequest;
-
REQUEST_SIZE_MATCH(xSecurityRevokeAuthorizationReq);
pAuth = (SecurityAuthorizationPtr)SecurityLookupIDByType(client,
@@ -703,59 +726,6 @@ SwapSecurityAuthorizationRevokedEvent(
cpswapl(from->authId, to->authId);
}
-/* SecurityDetermineEventPropogationLimits
- *
- * This is a helper function for SecurityCheckDeviceAccess.
- *
- * Arguments:
- * dev is the device for which the starting and stopping windows for
- * event propogation should be determined.
- * The values pointed to by ppWin and ppStopWin are not used.
- *
- * Returns:
- * ppWin is filled in with a pointer to the window at which event
- * propogation for the given device should start given the current
- * state of the server (pointer position, window layout, etc.)
- * ppStopWin is filled in with the window at which event propogation
- * should stop; events should not go to ppStopWin.
- *
- * Side Effects: none.
- */
-
-static void
-SecurityDetermineEventPropogationLimits(
- DeviceIntPtr dev,
- WindowPtr *ppWin,
- WindowPtr *ppStopWin)
-{
- WindowPtr pFocusWin = dev->focus ? dev->focus->win : NoneWin;
-
- if (pFocusWin == NoneWin)
- { /* no focus -- events don't go anywhere */
- *ppWin = *ppStopWin = NULL;
- return;
- }
-
- if (pFocusWin == PointerRootWin)
- { /* focus follows the pointer */
- *ppWin = GetSpriteWindow();
- *ppStopWin = NULL; /* propogate all the way to the root */
- }
- else
- { /* a real window is set for the focus */
- WindowPtr pSpriteWin = GetSpriteWindow();
- *ppStopWin = pFocusWin->parent; /* don't go past the focus window */
-
- /* if the pointer is in a subwindow of the focus window, start
- * at that subwindow, else start at the focus window itself
- */
- if (IsParent(pFocusWin, pSpriteWin))
- *ppWin = pSpriteWin;
- else *ppWin = pFocusWin;
- }
-} /* SecurityDetermineEventPropogationLimits */
-
-
/* SecurityCheckDeviceAccess
*
* Arguments:
@@ -773,163 +743,25 @@ SecurityDetermineEventPropogationLimits(
*/
static void
-SecurityCheckDeviceAccess(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
+SecurityDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- XaceDeviceAccessRec *rec = (XaceDeviceAccessRec*)calldata;
- ClientPtr client = rec->client;
- DeviceIntPtr dev = rec->dev;
- Bool fromRequest = rec->fromRequest;
- WindowPtr pWin, pStopWin;
- Bool untrusted_got_event;
- Bool found_event_window;
- Mask eventmask;
- int reqtype = 0;
-
- /* trusted clients always allowed to do anything */
- if (TRUSTLEVEL(client) == XSecurityClientTrusted)
- return;
-
- /* device security other than keyboard is not implemented yet */
- if (dev != inputInfo.keyboard)
- return;
-
- /* some untrusted client wants access */
-
- if (fromRequest)
- {
- reqtype = ((xReq *)client->requestBuffer)->reqType;
- switch (reqtype)
- {
- /* never allow these */
- case X_ChangeKeyboardMapping:
- case X_ChangeKeyboardControl:
- case X_SetModifierMapping:
- SecurityAudit("client %d attempted request %d\n",
- client->index, reqtype);
- rec->status = BadAccess;
- return;
- default:
- break;
- }
- }
-
- untrusted_got_event = FALSE;
- found_event_window = FALSE;
-
- if (dev->grab)
- {
- untrusted_got_event =
- (TRUSTLEVEL(rClient(dev->grab)) != XSecurityClientTrusted);
- }
- else
- {
- SecurityDetermineEventPropogationLimits(dev, &pWin, &pStopWin);
-
- eventmask = KeyPressMask | KeyReleaseMask;
- while ( (pWin != pStopWin) && !found_event_window)
- {
- OtherClients *other;
-
- if (pWin->eventMask & eventmask)
- {
- found_event_window = TRUE;
- client = wClient(pWin);
- if (TRUSTLEVEL(client) != XSecurityClientTrusted)
- {
- untrusted_got_event = TRUE;
- }
- }
- if (wOtherEventMasks(pWin) & eventmask)
- {
- found_event_window = TRUE;
- for (other = wOtherClients(pWin); other; other = other->next)
- {
- if (other->mask & eventmask)
- {
- client = rClient(other);
- if (TRUSTLEVEL(client) != XSecurityClientTrusted)
- {
- untrusted_got_event = TRUE;
- break;
- }
- }
- }
- }
- if (wDontPropagateMask(pWin) & eventmask)
- break;
- pWin = pWin->parent;
- } /* while propogating the event */
- }
-
- /* allow access by untrusted clients only if an event would have gone
- * to an untrusted client
- */
-
- if (!untrusted_got_event)
- {
- char *devname = dev->name;
- if (!devname) devname = "unnamed";
- if (fromRequest)
- SecurityAudit("client %d attempted request %d device %d (%s)\n",
- client->index, reqtype, dev->id, devname);
- else
- SecurityAudit("client %d attempted to access device %d (%s)\n",
- client->index, dev->id, devname);
+ XaceDeviceAccessRec *rec = calldata;
+ SecurityStateRec *subj, *obj;
+ Mask requested = rec->access_mode;
+ Mask allowed = SecurityAllowedMask;
+
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
+
+ if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
+ SecurityAudit("Security denied client %d keyboard access on request "
+ "%s\n", rec->client->index,
+ SecurityLookupRequestName(rec->client));
rec->status = BadAccess;
}
- return;
-} /* SecurityCheckDeviceAccess */
-
-
-
-/* SecurityAuditResourceIDAccess
- *
- * Arguments:
- * client is the client doing the resource access.
- * id is the resource id.
- *
- * Returns: NULL
- *
- * Side Effects:
- * An audit message is generated with details of the denied
- * resource access.
- */
-
-static pointer
-SecurityAuditResourceIDAccess(
- ClientPtr client,
- XID id)
-{
- int cid = CLIENT_ID(id);
- int reqtype = ((xReq *)client->requestBuffer)->reqType;
- switch (reqtype)
- {
- case X_ChangeProperty:
- case X_DeleteProperty:
- case X_GetProperty:
- {
- xChangePropertyReq *req =
- (xChangePropertyReq *)client->requestBuffer;
- int propertyatom = req->property;
- char *propertyname = NameForAtom(propertyatom);
-
- SecurityAudit("client %d attempted request %d with window 0x%x property %s of client %d\n",
- client->index, reqtype, id, propertyname, cid);
- break;
- }
- default:
- {
- SecurityAudit("client %d attempted request %d with resource 0x%x of client %d\n",
- client->index, reqtype, id, cid);
- break;
- }
- }
- return NULL;
-} /* SecurityAuditResourceIDAccess */
-
+}
-/* SecurityCheckResourceIDAccess
+/* SecurityResource
*
* This function gets plugged into client->CheckAccess and is called from
* SecurityLookupIDByType/Class to determine if the client can access the
@@ -951,803 +783,245 @@ SecurityAuditResourceIDAccess(
*/
static void
-SecurityCheckResourceIDAccess(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
+SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- XaceResourceAccessRec *rec = (XaceResourceAccessRec*)calldata;
- ClientPtr client = rec->client;
- XID id = rec->id;
- RESTYPE rtype = rec->rtype;
- Mask access_mode = rec->access_mode;
- pointer rval = rec->res;
- int cid, reqtype;
-
- if (TRUSTLEVEL(client) == XSecurityClientTrusted ||
- DixUnknownAccess == access_mode)
- return; /* for compatibility, we have to allow access */
-
- cid = CLIENT_ID(id);
- reqtype = ((xReq *)client->requestBuffer)->reqType;
- switch (reqtype)
- { /* these are always allowed */
- case X_QueryTree:
- case X_TranslateCoords:
- case X_GetGeometry:
- /* property access is controlled in SecurityCheckPropertyAccess */
- case X_GetProperty:
- case X_ChangeProperty:
- case X_DeleteProperty:
- case X_RotateProperties:
- case X_ListProperties:
- return;
- default:
- break;
+ XaceResourceAccessRec *rec = calldata;
+ SecurityStateRec *subj, *obj;
+ int cid = CLIENT_ID(rec->id);
+ Mask requested = rec->access_mode;
+ Mask allowed = SecurityAllowedMask;
+
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey);
+
+ /* special checks for server-owned resources */
+ if (cid == 0) {
+ if (rec->rtype & RC_DRAWABLE)
+ /* additional operations allowed on root windows */
+ allowed |= DixReadAccess|DixSendAccess;
+
+ else if (rec->rtype == RT_COLORMAP)
+ /* allow access to default colormaps */
+ allowed = requested;
}
- if (cid != 0)
- { /* not a server-owned resource */
- /*
- * The following 'if' restricts clients to only access resources at
- * the same trustLevel. Since there are currently only two trust levels,
- * and trusted clients never call this function, this degenerates into
- * saying that untrusted clients can only access resources of other
- * untrusted clients. One way to add the notion of groups would be to
- * allow values other than Trusted (0) and Untrusted (1) for this field.
- * Clients at the same trust level would be able to use each other's
- * resources, but not those of clients at other trust levels. I haven't
- * tried it, but this probably mostly works already. The obvious
- * competing alternative for grouping clients for security purposes is to
- * use app groups. dpw
- */
- if (TRUSTLEVEL(client) == TRUSTLEVEL(clients[cid])
+ if (SecurityDoCheck(subj, obj, requested, allowed) == Success)
+ return;
+
#ifdef XAPPGROUP
- || (RT_COLORMAP == rtype &&
- XagDefaultColormap (client) == (Colormap) id)
+ if (rec->id == XagDefaultColormap(rec->client))
+ return;
#endif
- )
- return;
- else
- goto deny;
- }
- else /* server-owned resource - probably a default colormap or root window */
- {
- if (RT_WINDOW == rtype || RC_DRAWABLE == rtype)
- {
- switch (reqtype)
- { /* the following operations are allowed on root windows */
- case X_CreatePixmap:
- case X_CreateGC:
- case X_CreateWindow:
- case X_CreateColormap:
- case X_ListProperties:
- case X_GrabPointer:
- case X_UngrabButton:
- case X_QueryBestSize:
- case X_GetWindowAttributes:
- break;
- case X_SendEvent:
- { /* see if it is an event specified by the ICCCM */
- xSendEventReq *req = (xSendEventReq *)
- (client->requestBuffer);
- if (req->propagate == xTrue
- ||
- (req->eventMask != ColormapChangeMask &&
- req->eventMask != StructureNotifyMask &&
- req->eventMask !=
- (SubstructureRedirectMask|SubstructureNotifyMask)
- )
- ||
- (req->event.u.u.type != UnmapNotify &&
- req->event.u.u.type != ConfigureRequest &&
- req->event.u.u.type != ClientMessage
- )
- )
- { /* not an ICCCM event */
- goto deny;
- }
- break;
- } /* case X_SendEvent on root */
-
- case X_ChangeWindowAttributes:
- { /* Allow selection of PropertyNotify and StructureNotify
- * events on the root.
- */
- xChangeWindowAttributesReq *req =
- (xChangeWindowAttributesReq *)(client->requestBuffer);
- if (req->valueMask == CWEventMask)
- {
- CARD32 value = *((CARD32 *)(req + 1));
- if ( (value &
- ~(PropertyChangeMask|StructureNotifyMask)) == 0)
- break;
- }
- goto deny;
- } /* case X_ChangeWindowAttributes on root */
-
- default:
- {
- /* others not allowed */
- goto deny;
- }
- }
- } /* end server-owned window or drawable */
- else if (SecurityAuthorizationResType == rtype)
- {
- SecurityAuthorizationPtr pAuth = (SecurityAuthorizationPtr)rval;
- if (pAuth->trustLevel != TRUSTLEVEL(client))
- goto deny;
- }
- else if (RT_COLORMAP != rtype)
- { /* don't allow anything else besides colormaps */
- goto deny;
- }
- }
- return;
- deny:
- SecurityAuditResourceIDAccess(client, id);
- rec->status = BadAccess; /* deny access */
-} /* SecurityCheckResourceIDAccess */
+ SecurityAudit("Security: denied client %d access to resource 0x%x "
+ "of client %d on request %s\n", rec->client->index, rec->id,
+ cid, SecurityLookupRequestName(rec->client));
+ rec->status = BadAccess; /* deny access */
+}
-/* SecurityClientStateCallback
- *
- * Arguments:
- * pcbl is &ClientStateCallback.
- * nullata is NULL.
- * calldata is a pointer to a NewClientInfoRec (include/dixstruct.h)
- * which contains information about client state changes.
- *
- * Returns: nothing.
- *
- * Side Effects:
- *
- * If a new client is connecting, its authorization ID is copied to
- * client->authID. If this is a generated authorization, its reference
- * count is bumped, its timer is cancelled if it was running, and its
- * trustlevel is copied to TRUSTLEVEL(client).
- *
- * If a client is disconnecting and the client was using a generated
- * authorization, the authorization's reference count is decremented, and
- * if it is now zero, the timer for this authorization is started.
- */
static void
-SecurityClientStateCallback(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
+SecurityExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- NewClientInfoRec *pci = (NewClientInfoRec *)calldata;
- ClientPtr client = pci->client;
-
- switch (client->clientState)
- {
- case ClientStateInitial:
- TRUSTLEVEL(client) = XSecurityClientTrusted;
- AUTHID(client) = None;
- break;
-
- case ClientStateRunning:
- {
- XID authId = AuthorizationIDOfClient(client);
- SecurityAuthorizationPtr pAuth;
-
- TRUSTLEVEL(client) = XSecurityClientTrusted;
- AUTHID(client) = authId;
- pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId,
- SecurityAuthorizationResType);
- if (pAuth)
- { /* it is a generated authorization */
- pAuth->refcnt++;
- if (pAuth->refcnt == 1)
- {
- if (pAuth->timer) TimerCancel(pAuth->timer);
- }
- TRUSTLEVEL(client) = pAuth->trustLevel;
+ XaceExtAccessRec *rec = calldata;
+ SecurityStateRec *subj;
+ int i = 0;
+
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+
+ if (subj->haveState && subj->trustLevel != XSecurityClientTrusted)
+ while (SecurityUntrustedExtensions[i])
+ if (!strcmp(SecurityUntrustedExtensions[i++], rec->ext->name)) {
+ SecurityAudit("Security: denied client %d access to extension "
+ "%s on request %s\n",
+ rec->client->index, rec->ext->name,
+ SecurityLookupRequestName(rec->client));
+ rec->status = BadAccess;
+ return;
}
- break;
- }
- case ClientStateGone:
- case ClientStateRetained: /* client disconnected */
- {
- SecurityAuthorizationPtr pAuth;
-
- /* client may not have any state (bad authorization) */
- if (!HAVESTATE(client))
- break;
-
- pAuth = (SecurityAuthorizationPtr)LookupIDByType(AUTHID(client),
- SecurityAuthorizationResType);
- if (pAuth)
- { /* it is a generated authorization */
- pAuth->refcnt--;
- if (pAuth->refcnt == 0)
- {
- SecurityStartAuthorizationTimer(pAuth);
- }
- }
- break;
- }
- default: break;
- }
-} /* SecurityClientStateCallback */
-
-static void
-SecurityCheckDrawableAccess(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
-{
- XaceDrawableAccessRec *rec = (XaceDrawableAccessRec*)calldata;
-
- if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted)
- rec->status = BadAccess;
}
static void
-SecurityCheckMapAccess(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
+SecurityServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata;
- WindowPtr pWin = rec->pWin;
-
- if (HAVESTATE(rec->client) &&
- (TRUSTLEVEL(rec->client) != XSecurityClientTrusted) &&
- (pWin->drawable.class == InputOnly) &&
- pWin->parent && pWin->parent->parent &&
- (TRUSTLEVEL(wClient(pWin->parent)) == XSecurityClientTrusted))
+ XaceServerAccessRec *rec = calldata;
+ SecurityStateRec *subj, *obj;
+ Mask requested = rec->access_mode;
+ Mask allowed = SecurityAllowedMask;
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
+
+ if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
+ SecurityAudit("Security: denied client %d access to server "
+ "configuration request %s\n", rec->client->index,
+ SecurityLookupRequestName(rec->client));
rec->status = BadAccess;
+ }
}
static void
-SecurityCheckExtAccess(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
+SecurityClient(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- XaceExtAccessRec *rec = (XaceExtAccessRec*)calldata;
- int i, trusted = 0;
-
- for (i = 0; i < nSecurityTrustedExtensions; i++)
- if (!strcmp(SecurityTrustedExtensions[i], rec->ext->name))
- trusted = 1;
-
- if ((TRUSTLEVEL(rec->client) != XSecurityClientTrusted) && !trusted)
+ XaceClientAccessRec *rec = calldata;
+ SecurityStateRec *subj, *obj;
+ Mask requested = rec->access_mode;
+ Mask allowed = SecurityAllowedMask;
+
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&rec->target->devPrivates, stateKey);
+
+ if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
+ SecurityAudit("Security: denied client %d access to client %d on "
+ "request %s\n", rec->client->index, rec->target->index,
+ SecurityLookupRequestName(rec->client));
rec->status = BadAccess;
+ }
}
static void
-SecurityCheckServerAccess(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
-{
- XaceServerAccessRec *rec = (XaceServerAccessRec*)calldata;
-
- if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted)
- {
+SecurityProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
+{
+ XacePropertyAccessRec *rec = calldata;
+ SecurityStateRec *subj, *obj;
+ ATOM name = rec->pProp->propertyName;
+ Mask requested = rec->access_mode;
+ Mask allowed = SecurityAllowedMask | DixReadAccess;
+
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);
+
+ if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
+ SecurityAudit("Security: denied client %d access to property %s "
+ "(atom 0x%x) window 0x%x of client %d on request %s\n",
+ rec->client->index, NameForAtom(name), name,
+ rec->pWin->drawable.id, wClient(rec->pWin)->index,
+ SecurityLookupRequestName(rec->client));
rec->status = BadAccess;
- if (rec->access_mode == DixWriteAccess)
- SecurityAudit("client %d attempted to change host access\n",
- rec->client->index);
- else
- SecurityAudit("client %d attempted to list hosts\n",
- rec->client->index);
}
}
-/**********************************************************************/
-
-typedef struct _PropertyAccessRec {
- ATOM name;
- ATOM mustHaveProperty;
- char *mustHaveValue;
- char windowRestriction;
-#define SecurityAnyWindow 0
-#define SecurityRootWindow 1
-#define SecurityWindowWithProperty 2
- int readAction;
- int writeAction;
- int destroyAction;
- struct _PropertyAccessRec *next;
-} PropertyAccessRec, *PropertyAccessPtr;
-
-static PropertyAccessPtr PropertyAccessList = NULL;
-static int SecurityDefaultAction = BadAtom;
-static char *SecurityPolicyFile = DEFAULTPOLICYFILE;
-static ATOM SecurityMaxPropertyName = 0;
-
-static char *SecurityKeywords[] = {
-#define SecurityKeywordComment 0
- "#",
-#define SecurityKeywordProperty 1
- "property",
-#define SecurityKeywordSitePolicy 2
- "sitepolicy",
-#define SecurityKeywordRoot 3
- "root",
-#define SecurityKeywordAny 4
- "any",
-#define SecurityKeywordExtension 5
- "trust extension",
-};
-
-#define NUMKEYWORDS (sizeof(SecurityKeywords) / sizeof(char *))
-
static void
-SecurityFreePropertyAccessList(void)
+SecuritySend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- while (PropertyAccessList)
- {
- PropertyAccessPtr freeit = PropertyAccessList;
- PropertyAccessList = PropertyAccessList->next;
- xfree(freeit);
- }
-} /* SecurityFreePropertyAccessList */
+ XaceSendAccessRec *rec = calldata;
+ SecurityStateRec *subj, *obj;
-#define SecurityIsWhitespace(c) ( (c == ' ') || (c == '\t') || (c == '\n') )
-
-static char *
-SecuritySkipWhitespace(
- char *p)
-{
- while (SecurityIsWhitespace(*p))
- p++;
- return p;
-} /* SecuritySkipWhitespace */
-
-
-static char *
-SecurityParseString(
- char **rest)
-{
- char *startOfString;
- char *s = *rest;
- char endChar = 0;
-
- s = SecuritySkipWhitespace(s);
-
- if (*s == '"' || *s == '\'')
- {
- endChar = *s++;
- startOfString = s;
- while (*s && (*s != endChar))
- s++;
- }
- else
- {
- startOfString = s;
- while (*s && !SecurityIsWhitespace(*s))
- s++;
- }
- if (*s)
- {
- *s = '\0';
- *rest = s + 1;
- return startOfString;
- }
- else
- {
- *rest = s;
- return (endChar) ? NULL : startOfString;
- }
-} /* SecurityParseString */
-
-
-static int
-SecurityParseKeyword(
- char **p)
-{
- int i;
- char *s = *p;
- s = SecuritySkipWhitespace(s);
- for (i = 0; i < NUMKEYWORDS; i++)
- {
- int len = strlen(SecurityKeywords[i]);
- if (strncmp(s, SecurityKeywords[i], len) == 0)
- {
- *p = s + len;
- return (i);
- }
- }
- *p = s;
- return -1;
-} /* SecurityParseKeyword */
+ if (rec->client) {
+ int i;
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);
-static Bool
-SecurityParsePropertyAccessRule(
- char *p)
-{
- char *propname;
- char c;
- int action = SecurityDefaultAction;
- int readAction, writeAction, destroyAction;
- PropertyAccessPtr pacl, prev, cur;
- char *mustHaveProperty = NULL;
- char *mustHaveValue = NULL;
- Bool invalid;
- char windowRestriction;
- int size;
- int keyword;
-
- /* get property name */
- propname = SecurityParseString(&p);
- if (!propname || (strlen(propname) == 0))
- return FALSE;
-
- /* get window on which property must reside for rule to apply */
-
- keyword = SecurityParseKeyword(&p);
- if (keyword == SecurityKeywordRoot)
- windowRestriction = SecurityRootWindow;
- else if (keyword == SecurityKeywordAny)
- windowRestriction = SecurityAnyWindow;
- else /* not root or any, must be a property name */
- {
- mustHaveProperty = SecurityParseString(&p);
- if (!mustHaveProperty || (strlen(mustHaveProperty) == 0))
- return FALSE;
- windowRestriction = SecurityWindowWithProperty;
- p = SecuritySkipWhitespace(p);
- if (*p == '=')
- { /* property value is specified too */
- p++; /* skip over '=' */
- mustHaveValue = SecurityParseString(&p);
- if (!mustHaveValue)
- return FALSE;
- }
- }
-
- /* get operations and actions */
-
- invalid = FALSE;
- readAction = writeAction = destroyAction = SecurityDefaultAction;
- while ( (c = *p++) && !invalid)
- {
- switch (c)
- {
- case 'i': action = XaceIgnoreError; break;
- case 'a': action = Success; break;
- case 'e': action = BadAtom; break;
-
- case 'r': readAction = action; break;
- case 'w': writeAction = action; break;
- case 'd': destroyAction = action; break;
-
- default :
- if (!SecurityIsWhitespace(c))
- invalid = TRUE;
- break;
- }
- }
- if (invalid)
- return FALSE;
-
- /* We've successfully collected all the information needed for this
- * property access rule. Now record it in a PropertyAccessRec.
- */
- size = sizeof(PropertyAccessRec);
-
- /* If there is a property value string, allocate space for it
- * right after the PropertyAccessRec.
- */
- if (mustHaveValue)
- size += strlen(mustHaveValue) + 1;
- pacl = (PropertyAccessPtr)Xalloc(size);
- if (!pacl)
- return FALSE;
-
- pacl->name = MakeAtom(propname, strlen(propname), TRUE);
- if (pacl->name == BAD_RESOURCE)
- {
- Xfree(pacl);
- return FALSE;
- }
- if (mustHaveProperty)
- {
- pacl->mustHaveProperty = MakeAtom(mustHaveProperty,
- strlen(mustHaveProperty), TRUE);
- if (pacl->mustHaveProperty == BAD_RESOURCE)
- {
- Xfree(pacl);
- return FALSE;
- }
- }
- else
- pacl->mustHaveProperty = 0;
-
- if (mustHaveValue)
- {
- pacl->mustHaveValue = (char *)(pacl + 1);
- strcpy(pacl->mustHaveValue, mustHaveValue);
- }
- else
- pacl->mustHaveValue = NULL;
-
- SecurityMaxPropertyName = max(SecurityMaxPropertyName, pacl->name);
-
- pacl->windowRestriction = windowRestriction;
- pacl->readAction = readAction;
- pacl->writeAction = writeAction;
- pacl->destroyAction = destroyAction;
+ if (SecurityDoCheck(subj, obj, DixSendAccess, 0) == Success)
+ return;
- /* link the new rule into the list of rules in order of increasing
- * property name (atom) value to make searching easier
- */
+ for (i = 0; i < rec->count; i++)
+ if (rec->events[i].u.u.type != UnmapNotify &&
+ rec->events[i].u.u.type != ConfigureRequest &&
+ rec->events[i].u.u.type != ClientMessage) {
- for (prev = NULL, cur = PropertyAccessList;
- cur && cur->name <= pacl->name;
- prev = cur, cur = cur->next)
- ;
- if (!prev)
- {
- pacl->next = cur;
- PropertyAccessList = pacl;
- }
- else
- {
- prev->next = pacl;
- pacl->next = cur;
+ SecurityAudit("Security: denied client %d from sending event "
+ "of type %s to window 0x%x of client %d\n",
+ rec->client->index, rec->pWin->drawable.id,
+ wClient(rec->pWin)->index,
+ LookupEventName(rec->events[i].u.u.type));
+ rec->status = BadAccess;
+ return;
+ }
}
- return TRUE;
-} /* SecurityParsePropertyAccessRule */
+}
-static Bool
-SecurityParseExtensionRule(
- char *p)
+static void
+SecurityReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- char *extName = SecurityParseString(&p);
- char *copyExtName;
- char **newStrings;
-
- if (!extName)
- return FALSE;
-
- copyExtName = (char *)Xalloc(strlen(extName) + 1);
- if (!copyExtName)
- return TRUE;
- strcpy(copyExtName, extName);
- newStrings = (char **)Xrealloc(SecurityTrustedExtensions,
- sizeof (char *) * (nSecurityTrustedExtensions + 1));
- if (!newStrings)
- {
- Xfree(copyExtName);
- return TRUE;
- }
+ XaceReceiveAccessRec *rec = calldata;
+ SecurityStateRec *subj, *obj;
- SecurityTrustedExtensions = newStrings;
- SecurityTrustedExtensions[nSecurityTrustedExtensions++] = copyExtName;
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);
- return TRUE;
+ if (SecurityDoCheck(subj, obj, DixReceiveAccess, 0) == Success)
+ return;
-} /* SecurityParseExtensionRule */
+ SecurityAudit("Security: denied client %d from receiving an event "
+ "sent to window 0x%x of client %d\n",
+ rec->client->index, rec->pWin->drawable.id,
+ wClient(rec->pWin)->index);
+ rec->status = BadAccess;
+}
-static void
-SecurityFreeTrustedExtensionStrings(void)
-{
- if (SecurityTrustedExtensions)
- {
- assert(nSecurityTrustedExtensions);
- while (nSecurityTrustedExtensions--)
- {
- Xfree(SecurityTrustedExtensions[nSecurityTrustedExtensions]);
- }
- Xfree(SecurityTrustedExtensions);
- SecurityTrustedExtensions = NULL;
- nSecurityTrustedExtensions = 0;
- }
-} /* SecurityFreeSiteTrustedExtensions */
+/* SecurityClientStateCallback
+ *
+ * Arguments:
+ * pcbl is &ClientStateCallback.
+ * nullata is NULL.
+ * calldata is a pointer to a NewClientInfoRec (include/dixstruct.h)
+ * which contains information about client state changes.
+ *
+ * Returns: nothing.
+ *
+ * Side Effects:
+ *
+ * If a new client is connecting, its authorization ID is copied to
+ * client->authID. If this is a generated authorization, its reference
+ * count is bumped, its timer is cancelled if it was running, and its
+ * trustlevel is copied to TRUSTLEVEL(client).
+ *
+ * If a client is disconnecting and the client was using a generated
+ * authorization, the authorization's reference count is decremented, and
+ * if it is now zero, the timer for this authorization is started.
+ */
static void
-SecurityLoadPropertyAccessList(void)
+SecurityClientState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- FILE *f;
- int lineNumber = 0;
-
- SecurityMaxPropertyName = 0;
-
- if (!SecurityPolicyFile)
- return;
-
- f = fopen(SecurityPolicyFile, "r");
- if (!f)
- {
- ErrorF("error opening security policy file %s\n",
- SecurityPolicyFile);
- return;
- }
+ NewClientInfoRec *pci = calldata;
+ SecurityStateRec *state;
+ SecurityAuthorizationPtr pAuth;
+ int rc;
- while (!feof(f))
- {
- char buf[200];
- Bool validLine;
- char *p;
+ state = dixLookupPrivate(&pci->client->devPrivates, stateKey);
- if (!(p = fgets(buf, sizeof(buf), f)))
- break;
- lineNumber++;
+ switch (pci->client->clientState) {
+ case ClientStateInitial:
+ state->trustLevel = XSecurityClientTrusted;
+ state->authId = None;
+ state->haveState = TRUE;
+ break;
- /* if first line, check version number */
- if (lineNumber == 1)
- {
- char *v = SecurityParseString(&p);
- if (strcmp(v, SECURITY_POLICY_FILE_VERSION) != 0)
- {
- ErrorF("%s: invalid security policy file version, ignoring file\n",
- SecurityPolicyFile);
- break;
- }
- validLine = TRUE;
- }
- else
- {
- switch (SecurityParseKeyword(&p))
- {
- case SecurityKeywordComment:
- case SecurityKeywordSitePolicy:
- validLine = TRUE;
- break;
-
- case SecurityKeywordProperty:
- validLine = SecurityParsePropertyAccessRule(p);
- break;
-
- case SecurityKeywordExtension:
- validLine = SecurityParseExtensionRule(p);
- break;
-
- default:
- validLine = (*p == '\0'); /* blank lines OK, others not */
- break;
- }
+ case ClientStateRunning:
+ state->authId = AuthorizationIDOfClient(pci->client);
+ rc = dixLookupResource((pointer *)&pAuth, state->authId,
+ SecurityAuthorizationResType, serverClient,
+ DixGetAttrAccess);
+ if (rc == Success) {
+ /* it is a generated authorization */
+ pAuth->refcnt++;
+ if (pAuth->refcnt == 1 && pAuth->timer)
+ TimerCancel(pAuth->timer);
+
+ state->trustLevel = pAuth->trustLevel;
}
+ break;
- if (!validLine)
- ErrorF("Line %d of %s invalid, ignoring\n",
- lineNumber, SecurityPolicyFile);
- } /* end while more input */
-
- fclose(f);
-} /* SecurityLoadPropertyAccessList */
-
-
-static Bool
-SecurityMatchString(
- char *ws,
- char *cs)
-{
- while (*ws && *cs)
- {
- if (*ws == '*')
- {
- Bool match = FALSE;
- ws++;
- while (!(match = SecurityMatchString(ws, cs)) && *cs)
- {
- cs++;
- }
- return match;
- }
- else if (*ws == *cs)
- {
- ws++;
- cs++;
+ case ClientStateGone:
+ case ClientStateRetained:
+ rc = dixLookupResource((pointer *)&pAuth, state->authId,
+ SecurityAuthorizationResType, serverClient,
+ DixGetAttrAccess);
+ if (rc == Success) {
+ /* it is a generated authorization */
+ pAuth->refcnt--;
+ if (pAuth->refcnt == 0)
+ SecurityStartAuthorizationTimer(pAuth);
}
- else break;
- }
- return ( ( (*ws == '\0') || ((*ws == '*') && *(ws+1) == '\0') )
- && (*cs == '\0') );
-} /* SecurityMatchString */
-
-
-static void
-SecurityCheckPropertyAccess(CallbackListPtr *pcbl, pointer unused,
- pointer calldata)
-{
- XacePropertyAccessRec *rec = (XacePropertyAccessRec*)calldata;
- ClientPtr client = rec->client;
- WindowPtr pWin = rec->pWin;
- ATOM propertyName = rec->pProp->propertyName;
- Mask access_mode = rec->access_mode;
- PropertyAccessPtr pacl;
- int action = SecurityDefaultAction;
-
- /* if client trusted or window untrusted, allow operation */
-
- if ((TRUSTLEVEL(client) == XSecurityClientTrusted) ||
- (TRUSTLEVEL(wClient(pWin)) != XSecurityClientTrusted) )
- return;
-
- /* If the property atom is bigger than any atoms on the list,
- * we know we won't find it, so don't even bother looking.
- */
- if (propertyName <= SecurityMaxPropertyName)
- {
- /* untrusted client operating on trusted window; see if it's allowed */
-
- for (pacl = PropertyAccessList; pacl; pacl = pacl->next)
- {
- if (pacl->name < propertyName)
- continue;
- if (pacl->name > propertyName)
- break;
-
- /* pacl->name == propertyName, so see if it applies to this window */
+ break;
- switch (pacl->windowRestriction)
- {
- case SecurityAnyWindow: /* always applies */
- break;
-
- case SecurityRootWindow:
- {
- /* if not a root window, this rule doesn't apply */
- if (pWin->parent)
- continue;
- }
- break;
-
- case SecurityWindowWithProperty:
- {
- PropertyPtr pProp = wUserProps (pWin);
- Bool match = FALSE;
- char *p;
- char *pEndData;
-
- while (pProp)
- {
- if (pProp->propertyName == pacl->mustHaveProperty)
- break;
- pProp = pProp->next;
- }
- if (!pProp)
- continue;
- if (!pacl->mustHaveValue)
- break;
- if (pProp->type != XA_STRING || pProp->format != 8)
- continue;
-
- p = pProp->data;
- pEndData = ((char *)pProp->data) + pProp->size;
- while (!match && p < pEndData)
- {
- if (SecurityMatchString(pacl->mustHaveValue, p))
- match = TRUE;
- else
- { /* skip to the next string */
- while (*p++ && p < pEndData)
- ;
- }
- }
- if (!match)
- continue;
- }
- break; /* end case SecurityWindowWithProperty */
- } /* end switch on windowRestriction */
-
- /* If we get here, the property access rule pacl applies.
- * If pacl doesn't apply, something above should have
- * executed a continue, which will skip the follwing code.
- */
- action = Success;
- if (access_mode & DixReadAccess)
- action = max(action, pacl->readAction);
- if (access_mode & DixWriteAccess)
- action = max(action, pacl->writeAction);
- if (access_mode & DixDestroyAccess)
- action = max(action, pacl->destroyAction);
- break;
- } /* end for each pacl */
- } /* end if propertyName <= SecurityMaxPropertyName */
-
- if (action != Success)
- { /* audit the access violation */
- int cid = CLIENT_ID(pWin->drawable.id);
- int reqtype = ((xReq *)client->requestBuffer)->reqType;
- char *actionstr = (XaceIgnoreError == action) ? "ignored" : "error";
- SecurityAudit("client %d attempted request %d with window 0x%x property %s (atom 0x%x) of client %d, %s\n",
- client->index, reqtype, pWin->drawable.id,
- NameForAtom(propertyName), propertyName, cid, actionstr);
+ default:
+ break;
}
- /* return codes increase with strictness */
- if (action != Success)
- rec->status = action;
-} /* SecurityCheckPropertyAccess */
-
+}
/* SecurityResetProc
*
@@ -1764,25 +1038,19 @@ static void
SecurityResetProc(
ExtensionEntry *extEntry)
{
- SecurityFreePropertyAccessList();
- SecurityFreeTrustedExtensionStrings();
-} /* SecurityResetProc */
-
-
-int
-XSecurityOptions(argc, argv, i)
- int argc;
- char **argv;
- int i;
-{
- if (strcmp(argv[i], "-sp") == 0)
- {
- if (i < argc)
- SecurityPolicyFile = argv[++i];
- return (i + 1);
- }
- return (i);
-} /* XSecurityOptions */
+ /* Unregister callbacks */
+ DeleteCallback(&ClientStateCallback, SecurityClientState, NULL);
+
+ XaceDeleteCallback(XACE_EXT_DISPATCH, SecurityExtension, NULL);
+ XaceDeleteCallback(XACE_RESOURCE_ACCESS, SecurityResource, NULL);
+ XaceDeleteCallback(XACE_DEVICE_ACCESS, SecurityDevice, NULL);
+ XaceDeleteCallback(XACE_PROPERTY_ACCESS, SecurityProperty, NULL);
+ XaceDeleteCallback(XACE_SEND_ACCESS, SecuritySend, NULL);
+ XaceDeleteCallback(XACE_RECEIVE_ACCESS, SecurityReceive, NULL);
+ XaceDeleteCallback(XACE_CLIENT_ACCESS, SecurityClient, NULL);
+ XaceDeleteCallback(XACE_EXT_ACCESS, SecurityExtension, NULL);
+ XaceDeleteCallback(XACE_SERVER_ACCESS, SecurityServer, NULL);
+}
/* SecurityExtensionInit
@@ -1799,6 +1067,7 @@ void
SecurityExtensionInit(INITARGS)
{
ExtensionEntry *extEntry;
+ int ret = TRUE;
SecurityAuthorizationResType =
CreateNewResourceType(SecurityDeleteAuthorization);
@@ -1812,12 +1081,26 @@ SecurityExtensionInit(INITARGS)
RTEventClient |= RC_NEVERRETAIN;
/* Allocate the private storage */
- if (!dixRequestPrivate(stateKey, sizeof(SecurityClientStateRec)))
+ if (!dixRequestPrivate(stateKey, sizeof(SecurityStateRec)))
FatalError("SecurityExtensionSetup: Can't allocate client private.\n");
- if (!AddCallback(&ClientStateCallback, SecurityClientStateCallback, NULL))
- return;
+ /* Register callbacks */
+ ret &= AddCallback(&ClientStateCallback, SecurityClientState, NULL);
+
+ ret &= XaceRegisterCallback(XACE_EXT_DISPATCH, SecurityExtension, NULL);
+ ret &= XaceRegisterCallback(XACE_RESOURCE_ACCESS, SecurityResource, NULL);
+ ret &= XaceRegisterCallback(XACE_DEVICE_ACCESS, SecurityDevice, NULL);
+ ret &= XaceRegisterCallback(XACE_PROPERTY_ACCESS, SecurityProperty, NULL);
+ ret &= XaceRegisterCallback(XACE_SEND_ACCESS, SecuritySend, NULL);
+ ret &= XaceRegisterCallback(XACE_RECEIVE_ACCESS, SecurityReceive, NULL);
+ ret &= XaceRegisterCallback(XACE_CLIENT_ACCESS, SecurityClient, NULL);
+ ret &= XaceRegisterCallback(XACE_EXT_ACCESS, SecurityExtension, NULL);
+ ret &= XaceRegisterCallback(XACE_SERVER_ACCESS, SecurityServer, NULL);
+ if (!ret)
+ FatalError("SecurityExtensionSetup: Failed to register callbacks\n");
+
+ /* Add extension to server */
extEntry = AddExtension(SECURITY_EXTENSION_NAME,
XSecurityNumberEvents, XSecurityNumberErrors,
ProcSecurityDispatch, SProcSecurityDispatch,
@@ -1829,15 +1112,6 @@ SecurityExtensionInit(INITARGS)
EventSwapVector[SecurityEventBase + XSecurityAuthorizationRevoked] =
(EventSwapPtr)SwapSecurityAuthorizationRevokedEvent;
- SecurityLoadPropertyAccessList();
-
- /* register callbacks */
-#define XaceRC XaceRegisterCallback
- XaceRC(XACE_RESOURCE_ACCESS, SecurityCheckResourceIDAccess, NULL);
- XaceRC(XACE_DEVICE_ACCESS, SecurityCheckDeviceAccess, NULL);
- XaceRC(XACE_PROPERTY_ACCESS, SecurityCheckPropertyAccess, NULL);
- XaceRC(XACE_MAP_ACCESS, SecurityCheckMapAccess, NULL);
- XaceRC(XACE_EXT_DISPATCH, SecurityCheckExtAccess, NULL);
- XaceRC(XACE_EXT_ACCESS, SecurityCheckExtAccess, NULL);
- XaceRC(XACE_SERVER_ACCESS, SecurityCheckServerAccess, NULL);
-} /* SecurityExtensionInit */
+ /* Label objects that were created before we could register ourself */
+ SecurityLabelInitial();
+}
diff --git a/Xext/securitysrv.h b/Xext/securitysrv.h
index 7320ab7..f4f3e32 100644
--- a/Xext/securitysrv.h
+++ b/Xext/securitysrv.h
@@ -77,11 +77,7 @@ typedef struct {
Bool valid; /* did anyone recognize it? if so, set to TRUE */
} SecurityValidateGroupInfoRec;
-extern int XSecurityOptions(int argc, char **argv, int i);
-
/* Give this value or higher to the -audit option to get security messages */
#define SECURITY_AUDIT_LEVEL 4
-#define SECURITY_POLICY_FILE_VERSION "version-1"
-
#endif /* _SECURITY_SRV_H */
diff --git a/os/utils.c b/os/utils.c
index 3228146..d69936d 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -123,9 +123,6 @@ OR PERFORMANCE OF THIS SOFTWARE.
#ifdef XKB
#include <xkbsrv.h>
#endif
-#ifdef XCSECURITY
-#include "securitysrv.h"
-#endif
#ifdef RENDER
#include "picture.h"
@@ -621,9 +618,6 @@ void UseMsg(void)
ErrorF("-render [default|mono|gray|color] set render color alloc policy\n");
#endif
ErrorF("-s # screen-saver timeout (minutes)\n");
-#ifdef XCSECURITY
- ErrorF("-sp file security policy file\n");
-#endif
#ifdef XPRINT
PrinterUseMsg();
#endif
@@ -1040,12 +1034,6 @@ ProcessCommandLine(int argc, char *argv[])
i = skip - 1;
}
#endif
-#ifdef XCSECURITY
- else if ((skip = XSecurityOptions(argc, argv, i)) != i)
- {
- i = skip - 1;
- }
-#endif
#ifdef AIXV3
else if ( strcmp( argv[i], "-timeout") == 0)
{
More information about the xorg-commit
mailing list