xserver: Branch 'server-1.5-branch' - 2 commits

Eamon Walsh ewalsh at kemper.freedesktop.org
Thu Mar 20 18:35:20 PDT 2008


 Xext/xselinux.c |   32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

New commits:
commit 98249dfa98b53a238b7d881beb5ec8b85f28ecd0
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Mar 20 20:03:02 2008 -0400

    XSELinux: Do a check for whether background "None" is allowed.
    (cherry picked from commit 3bbd77ff98478153afe3251de9ba11d757218213)

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 3035898..17ce7af 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -1026,6 +1026,13 @@ SELinuxResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     rc = SELinuxDoCheck(subj, obj, class, access_mode, &auditdata);
     if (rc != Success)
 	rec->status = rc;
+
+    /* Perform the background none check on windows */
+    if (access_mode & DixCreateAccess && rec->rtype == RT_WINDOW) {
+	rc = SELinuxDoCheck(subj, obj, class, DixBlendAccess, &auditdata);
+	if (rc != Success)
+	    ((WindowPtr)rec->res)->forcedBG = TRUE;
+    }
 }
 
 static void
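Review bot: The creation test on the added `if` line reads the local `access_mode`, which the "Collapse generic resource permissions" step earlier in this same function (visible in the second commit on this page) rewrites to bare read/write bits when `class == SECCLASS_X_RESOURCE`, so the `DixCreateAccess` test is only meaningful if an `RT_WINDOW` resource never takes that class; reading the untouched request instead, `if (rec->access_mode & DixCreateAccess && rec->rtype == RT_WINDOW) {`, makes the check independent of that invariant. The blend check reuses the same `auditdata`, so a denial that is handled silently by forcing the background will presumably still be logged as a denial, which may be unwanted noise in the audit trail. The comment should also state the outcome on denial, e.g. `/* Background "None" would show the parent's contents: if blend is denied, force a background (forcedBG) instead of failing the create */`. SELinuxResource begins before this hunk.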
commit d08bb7040cd5ba2d438dec614ff1b4dd0f9b33d5
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Mar 20 19:42:09 2008 -0400

    XSELinux: Correctly handle some permission bits that are used more than once.
    (cherry picked from commit e323bb426ce8a072d119cb2720b773241259c137)

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 18c6526..3035898 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -152,6 +152,12 @@ static struct security_class_mapping map[] = {
     { NULL }
 };
 
+/* x_resource "read" bits from the list above */
+#define SELinuxReadMask (DixReadAccess|DixGetAttrAccess|DixListPropAccess| \
+			 DixGetPropAccess|DixGetFocusAccess|DixListAccess| \
+			 DixShowAccess|DixBlendAccess|DixReceiveAccess| \
+			 DixUseAccess|DixDebugAccess)
+
 /* forward declarations */
 static void SELinuxScreen(CallbackListPtr *, pointer, pointer);
 
@@ -853,6 +859,7 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     SELinuxObjectRec *obj, *data;
     Selection *pSel = *rec->ppSel;
     Atom name = pSel->selection;
+    Mask access_mode = rec->access_mode;
     SELinuxAuditRec auditdata = { .client = rec->client, .selection = name };
     security_id_t tsid;
     int rc;
@@ -861,11 +868,12 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     obj = dixLookupPrivate(&pSel->devPrivates, objectKey);
 
     /* If this is a new object that needs labeling, do it now */
-    if (rec->access_mode & DixCreateAccess) {
+    if (access_mode & DixCreateAccess) {
 	sidput(obj->sid);
 	rc = SELinuxSelectionToSID(name, subj, &obj->sid, &obj->poly);
 	if (rc != Success)
 	    obj->sid = unlabeled_sid;
+	access_mode = DixSetAttrAccess;
     }
     /* If this is a polyinstantiated object, find the right instance */
     else if (obj->poly) {
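Review bot: `access_mode = DixSetAttrAccess;` replaces the whole requested mode on the create path, so any other bits the caller put in `rec->access_mode` for a new selection are no longer part of the `SELinuxDoCheck` call later in this function (the next hunk). If that narrowing is intended, a comment would spare the next reader the same question, e.g. `/* New selection: only setattr is checked against the fresh label; the other requested bits are deliberately dropped here */`. The same point applies to the later "Label the content" test, which now keys off the narrowed value. SELinuxSelection begins before this hunk.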
@@ -890,13 +898,13 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     }
 
     /* Perform the security check */
-    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_SELECTION, rec->access_mode,
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_SELECTION, access_mode,
 			&auditdata);
     if (rc != Success)
 	rec->status = rc;
 
     /* Label the content (advisory only) */
-    if (rec->access_mode & DixSetAttrAccess) {
+    if (access_mode & DixSetAttrAccess) {
 	data = dixLookupPrivate(&pSel->devPrivates, dataKey);
 	sidput(data->sid);
 	if (subj->sel_create_sid)
@@ -976,6 +984,7 @@ SELinuxResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     SELinuxSubjectRec *subj;
     SELinuxObjectRec *obj;
     SELinuxAuditRec auditdata = { .client = rec->client };
+    Mask access_mode = rec->access_mode;
     PrivateRec **privatePtr;
     security_class_t class;
     int rc, offset;
@@ -997,7 +1006,7 @@ SELinuxResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     }
 
     /* If this is a new object that needs labeling, do it now */
-    if (rec->access_mode & DixCreateAccess && offset >= 0) {
+    if (access_mode & DixCreateAccess && offset >= 0) {
 	rc = SELinuxLabelResource(rec, subj, obj, class);
 	if (rc != Success) {
 	    rec->status = rc;
@@ -1005,10 +1014,16 @@ SELinuxResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	}
     }
 
+    /* Collapse generic resource permissions down to read/write */
+    if (class == SECCLASS_X_RESOURCE) {
+	access_mode = !!(rec->access_mode & SELinuxReadMask); /* rd */
+	access_mode |= !!(rec->access_mode & ~SELinuxReadMask) << 1; /* wr */
+    }
+
     /* Perform the security check */
     auditdata.restype = rec->rtype;
     auditdata.id = rec->id;
-    rc = SELinuxDoCheck(subj, obj, class, rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, class, access_mode, &auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
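Review bot: The two assignment lines of the collapse encode the x_resource read and write permissions as the literals 1 and 2 (via `!!` and `<< 1`), which only stays correct while those permission values occupy bits 0 and 1 of whatever defines them; giving them names (placeholder: READ_BIT / WRITE_BIT, taken from the x_resource permission definitions) and writing `access_mode = (rec->access_mode & SELinuxReadMask) ? READ_BIT : 0;` would make that dependency visible. Mapping every bit outside `SELinuxReadMask`, including `DixCreateAccess` and any bit added later, to write is fail-closed and worth stating: `/* anything not in the read mask, including bits added later, counts as write */`. The collapse correctly reads `rec->access_mode` rather than the local, so it is unaffected by the earlier labeling branch. SELinuxResource begins before this hunk.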

