xserver: Branch 'XACE-SELINUX' - 3 commits

Eamon Walsh ewalsh at kemper.freedesktop.org
Wed Nov 14 09:24:41 PST 2007


 Xext/security.c |   16 ++++++++++++++++
 Xext/xselinux.c |   52 ++++++++++++++++++++++++++++------------------------
 Xext/xselinux.h |    3 ++-
 3 files changed, 46 insertions(+), 25 deletions(-)

New commits:
commit f207e69d62bc04c7f254347b03e6d8fa8b569d66
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Wed Nov 14 12:23:29 2007 -0500

    xselinux: adjust receive hook to use new synthetic_event class.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index eed78f4..cefde9d 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -532,7 +532,7 @@ SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	if (rc != Success)
 	    goto err;
 
-	auditdata.event = rec->events[i].u.u.type;
+	auditdata.event = type;
 	rc = SELinuxDoCheck(clientIndex, subj, &ev_sid, class,
 			    DixSendAccess, &auditdata);
 	if (rc != Success)
@@ -547,9 +547,10 @@ static void
 SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceReceiveAccessRec *rec = calldata;
-    SELinuxStateRec *subj, *obj;
+    SELinuxStateRec *subj, *obj, ev_sid;
     SELinuxAuditRec auditdata = { .client = NULL };
-    int rc, i;
+    security_class_t class;
+    int rc, i, type;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&rec->pWin->devPrivates, stateKey);
@@ -562,14 +563,15 @@ SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 
     /* Check receive permission on specific event types */
     for (i = 0; i < rec->count; i++) {
-	SELinuxStateRec ev_sid;
+	type = rec->events[i].u.u.type;
+	class = (type & 128) ? SECCLASS_X_FAKEEVENT : SECCLASS_X_EVENT;
 
-	rc = SELinuxEventToSID(rec->events[i].u.u.type, obj->sid, &ev_sid);
+	rc = SELinuxEventToSID(type, obj->sid, &ev_sid);
 	if (rc != Success)
 	    goto err;
 
-	auditdata.event = rec->events[i].u.u.type;
-	rc = SELinuxDoCheck(rec->client->index, subj, &ev_sid, SECCLASS_X_EVENT,
+	auditdata.event = type;
+	rc = SELinuxDoCheck(rec->client->index, subj, &ev_sid, class,
 			    DixReceiveAccess, &auditdata);
 	if (rc != Success)
 	    goto err;
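Review bot: The synthetic-event test at `class = (type & 128) ? SECCLASS_X_FAKEEVENT : SECCLASS_X_EVENT;` uses a bare 128 for the X protocol's send_event bit, and the same literal recurs in the SELinuxSend loop hunk of commit 45f884d; a named constant would make the intent visible, e.g. `#define SYNTHETIC_EVENT_BIT 0x80` and `class = (type & SYNTHETIC_EVENT_BIT) ? SECCLASS_X_FAKEEVENT : SECCLASS_X_EVENT;`. The unmasked value is also what reaches `SELinuxEventToSID(type, obj->sid, &ev_sid)` on the next changed line; if that helper looks the type up in a per-event-type table and does not strip bit 7 itself, a synthetic event of type N would resolve to a different SID than a real event of type N (or index past the table), so it is worth confirming whether it should be given `type & 0x7f`. SELinuxReceive continues past the end of this hunk.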
commit 45f884d79c0eebaa1eb24d7db76c1177f6b710c9
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Fri Nov 9 14:45:27 2007 -0500

    xselinux: add new synthetic_event security class, and fix registry code.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index f6d1dcd..eed78f4 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -129,6 +129,7 @@ static struct security_class_mapping map[] = {
     { "x_server", { "record", "", "", "", "getattr", "setattr", "", "", "", "", "", "", "", "", "", "", "", "grab", "", "", "", "", "", "", "", "manage", "debug", NULL }},
     { "x_extension", { "", "", "", "", "query", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "use", NULL }},
     { "x_event", { "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "send", "receive", NULL }},
+    { "x_synthetic_event", { "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "send", "receive", NULL }},
     { "x_resource", { "read", "write", "write", "write", "read", "write", "read", "read", "write", "read", "write", "read", "write", "write", "write", "read", "read", "write", "write", "write", "write", "write", "write", "read", "read", "write", "read", "write", NULL }},
     { NULL }
 };
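Review bot: The new `x_synthetic_event` row is byte-identical to the `x_event` row above it, and nothing at the table records why the two are distinct classes or that the row order is tied to the SECCLASS_* numbering in xselinux.h (the row is inserted exactly where the header gives the new class the value 14). A comment on the new row would capture both, e.g. `/* x_synthetic_event: same permission vector as x_event, for events delivered via SendEvent (type bit 7 set); row order must match SECCLASS_* in xselinux.h */`. The map[] definition starts before this hunk.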
@@ -501,9 +502,10 @@ static void
 SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceSendAccessRec *rec = calldata;
-    SELinuxStateRec *subj, *obj;
+    SELinuxStateRec *subj, *obj, ev_sid;
     SELinuxAuditRec auditdata = { .client = rec->client };
-    int rc, i, clientIndex;
+    security_class_t class;
+    int rc, i, type, clientIndex;
 
     if (rec->dev) {
 	subj = dixLookupPrivate(&rec->dev->devPrivates, stateKey);
@@ -523,14 +525,15 @@ SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 
     /* Check send permission on specific event types */
     for (i = 0; i < rec->count; i++) {
-	SELinuxStateRec ev_sid;
+	type = rec->events[i].u.u.type;
+	class = (type & 128) ? SECCLASS_X_FAKEEVENT : SECCLASS_X_EVENT;
 
-	rc = SELinuxEventToSID(rec->events[i].u.u.type, obj->sid, &ev_sid);
+	rc = SELinuxEventToSID(type, obj->sid, &ev_sid);
 	if (rc != Success)
 	    goto err;
 
 	auditdata.event = rec->events[i].u.u.type;
-	rc = SELinuxDoCheck(clientIndex, subj, &ev_sid, SECCLASS_X_EVENT,
+	rc = SELinuxDoCheck(clientIndex, subj, &ev_sid, class,
 			    DixSendAccess, &auditdata);
 	if (rc != Success)
 	    goto err;
@@ -1073,7 +1076,6 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
     state = dixLookupPrivate(&dev->devPrivates, stateKey);
     sidput(state->sid);
     state->sid = sid;
-    ErrorF("I really, actually did relabel a device to %s\n", ctx);
     return Success;
 }
 
@@ -1397,26 +1399,26 @@ XSELinuxExtensionInit(INITARGS)
     SELinuxLabelInitial();
 
     /* Add names to registry */
-    RegisterRequestName(X_SELinuxQueryVersion, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxQueryVersion,
 			XSELINUX_EXTENSION_NAME ":SELinuxQueryVersion");
-    RegisterRequestName(X_SELinuxSetSelectionManager, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxSetSelectionManager,
 			XSELINUX_EXTENSION_NAME ":SELinuxSetSelectionManager");
-    RegisterRequestName(X_SELinuxGetSelectionManager, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxGetSelectionManager,
 			XSELINUX_EXTENSION_NAME ":SELinuxGetSelectionManager");
-    RegisterRequestName(X_SELinuxSetDeviceContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxSetDeviceContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxSetDeviceContext");
-    RegisterRequestName(X_SELinuxGetDeviceContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxGetDeviceContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxGetDeviceContext");
-    RegisterRequestName(X_SELinuxSetPropertyCreateContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxSetPropertyCreateContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxSetPropertyCreateContext");
-    RegisterRequestName(X_SELinuxGetPropertyCreateContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxGetPropertyCreateContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxGetPropertyCreateContext");
-    RegisterRequestName(X_SELinuxGetPropertyContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxGetPropertyContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxGetPropertyContext");
-    RegisterRequestName(X_SELinuxSetWindowCreateContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxSetWindowCreateContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxSetWindowCreateContext");
-    RegisterRequestName(X_SELinuxGetWindowCreateContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxGetWindowCreateContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxGetWindowCreateContext");
-    RegisterRequestName(X_SELinuxGetWindowContext, 0,
+    RegisterRequestName(extEntry->base, X_SELinuxGetWindowContext,
 			XSELINUX_EXTENSION_NAME ":SELinuxGetWindowContext");
 }
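Review bot: The eleven `RegisterRequestName(extEntry->base, …)` calls in this hunk are copy-paste variants of one pattern, so a mismatched opcode/name pair is easy to miss in review; a static table plus a loop keeps each pair on one line and names the base argument once. The new calls also dereference `extEntry`, which the old `0` argument did not; that is fine only if the AddExtension result is checked before this point in XSELinuxExtensionInit, which starts outside the hunk, so please confirm. The same registration shape appears in the security.c hunk of commit b092856.
```c
    /* Add names to registry */
    static const struct { int opcode; const char *name; } reqnames[] = {
	{ X_SELinuxQueryVersion,            XSELINUX_EXTENSION_NAME ":SELinuxQueryVersion" },
	{ X_SELinuxSetSelectionManager,     XSELINUX_EXTENSION_NAME ":SELinuxSetSelectionManager" },
	{ X_SELinuxGetSelectionManager,     XSELINUX_EXTENSION_NAME ":SELinuxGetSelectionManager" },
	{ X_SELinuxSetDeviceContext,        XSELINUX_EXTENSION_NAME ":SELinuxSetDeviceContext" },
	{ X_SELinuxGetDeviceContext,        XSELINUX_EXTENSION_NAME ":SELinuxGetDeviceContext" },
	{ X_SELinuxSetPropertyCreateContext, XSELINUX_EXTENSION_NAME ":SELinuxSetPropertyCreateContext" },
	{ X_SELinuxGetPropertyCreateContext, XSELINUX_EXTENSION_NAME ":SELinuxGetPropertyCreateContext" },
	{ X_SELinuxGetPropertyContext,      XSELINUX_EXTENSION_NAME ":SELinuxGetPropertyContext" },
	{ X_SELinuxSetWindowCreateContext,  XSELINUX_EXTENSION_NAME ":SELinuxSetWindowCreateContext" },
	{ X_SELinuxGetWindowCreateContext,  XSELINUX_EXTENSION_NAME ":SELinuxGetWindowCreateContext" },
	{ X_SELinuxGetWindowContext,        XSELINUX_EXTENSION_NAME ":SELinuxGetWindowContext" },
    };
    unsigned int n;

    for (n = 0; n < sizeof(reqnames) / sizeof(reqnames[0]); n++)
	RegisterRequestName(extEntry->base, reqnames[n].opcode, reqnames[n].name);
```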
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index 50838d7..ea8d9e4 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
@@ -187,6 +187,7 @@ typedef struct {
 #define SECCLASS_X_SERVER		11
 #define SECCLASS_X_EXTENSION		12
 #define SECCLASS_X_EVENT		13
-#define SECCLASS_X_RESOURCE		14
+#define SECCLASS_X_FAKEEVENT		14
+#define SECCLASS_X_RESOURCE		15
 
 #endif /* _XSELINUX_H */
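Review bot: Renumbering `SECCLASS_X_RESOURCE` from 14 to 15 changes the meaning of an existing class value, and nothing in the header says these numbers are positional indices that must track the row order of `map[]` in xselinux.c (where the same commit inserts the new row before x_resource); a maintainer adding the next class in only one of the two files would silently misattribute permission checks. A comment above the SECCLASS_ block would make the coupling explicit: `/* Class values are positional: keep in the same order as map[] in xselinux.c. */`. The macro name `SECCLASS_X_FAKEEVENT` also does not match the policy class string "x_synthetic_event" registered in the same commit; `SECCLASS_X_SYNTHETIC_EVENT` would keep the C name and the policy name in step.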
commit b092856baba5bd43b23950f23236b5cc3ce78c1e
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Fri Nov 9 14:45:02 2007 -0500

    registry: Register XC-SECURITY extension protocol names.

diff --git a/Xext/security.c b/Xext/security.c
index 6aab3a3..eef4f69 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -1114,4 +1114,20 @@ SecurityExtensionInit(INITARGS)
 
     /* Label objects that were created before we could register ourself */
     SecurityLabelInitial();
+
+    /* Register protocol names */
+    RegisterRequestName(extEntry->base, X_SecurityQueryVersion,
+			SECURITY_EXTENSION_NAME ":QueryVersion");
+    RegisterRequestName(extEntry->base, X_SecurityGenerateAuthorization,
+			SECURITY_EXTENSION_NAME ":GenerateAuthorization");
+    RegisterRequestName(extEntry->base, X_SecurityRevokeAuthorization,
+			SECURITY_EXTENSION_NAME ":RevokeAuthorization");
+
+    RegisterEventName(SecurityEventBase + XSecurityAuthorizationRevoked,
+		      SECURITY_EXTENSION_NAME ":AuthorizationRevoked");
+
+    RegisterErrorName(SecurityErrorBase + XSecurityBadAuthorization,
+		      SECURITY_EXTENSION_NAME ":BadAuthorization");
+    RegisterErrorName(SecurityErrorBase + XSecurityBadAuthorizationProtocol,
+		      SECURITY_EXTENSION_NAME ":BadAuthorizationProtocol");
 }
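Review bot: The request names registered here drop the extension's request prefix (`SECURITY_EXTENSION_NAME ":QueryVersion"`), whereas the xselinux.c hunk of commit 45f884d registers the full request name (`XSELINUX_EXTENSION_NAME ":SELinuxQueryVersion"`); since these strings surface wherever the registry is consulted, one convention across the two extensions would be easier to grep and to document. The `extEntry->base` dereferences are new in this function, so they rely on the AddExtension result having been checked earlier in SecurityExtensionInit, which begins outside this hunk. The event and error registrations look complete for the three constants visible here; whether further XSecurity events or errors exist is not visible in the hunk.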

