xserver: Branch 'server-1.5-branch'

Eamon Walsh ewalsh at kemper.freedesktop.org
Fri Mar 28 11:24:34 PDT 2008


 Xext/xselinux.c                     |   31 ++++++++++++++++++++++++++-----
 hw/xfree86/dixmods/extmod/modinit.c |   23 ++++++++++++++++++++++-
 hw/xfree86/loader/dixsym.c          |    3 +++
 include/globals.h                   |   10 ++++++++++
 mi/miinitext.c                      |    8 +++++++-
 os/utils.c                          |    4 ++++
 6 files changed, 72 insertions(+), 7 deletions(-)

New commits:
commit c26bccf4173a037aa403c511dd08fd63cbbed87a
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Fri Mar 28 14:01:34 2008 -0400

    XSELinux: Add xorg.conf option for permissive/enforcing/disabled.
    Patch by Joe Nall.
    
    The option goes in the "extmod" subsection.
    TODO: Make it easier for extension modules to handle their own options.
    (cherry picked from commit b5f98fcea2024c67e598947782913982072cf4fb)

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 17ce7af..2e059a4 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -37,6 +37,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <libaudit.h>
 
 #include <X11/Xatom.h>
+#include "globals.h"
 #include "resource.h"
 #include "privates.h"
 #include "registry.h"
@@ -1891,16 +1892,36 @@ void
 SELinuxExtensionInit(INITARGS)
 {
     ExtensionEntry *extEntry;
-    struct selinux_opt options[] = { { SELABEL_OPT_VALIDATE, (char *)1 } };
+    struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 };
+    struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 };
     security_context_t con;
     int ret = TRUE;
 
-    /* Setup SELinux stuff */
+    /* Check SELinux mode on system */
     if (!is_selinux_enabled()) {
-	ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n");
+	ErrorF("SELinux: Disabled on system, not enabling in X server\n");
 	return;
     }
 
+    /* Check SELinux mode in configuration file */
+    switch(selinuxEnforcingState) {
+    case SELINUX_MODE_DISABLED:
+	LogMessage(X_INFO, "SELinux: Disabled in configuration file\n");
+	return;
+    case SELINUX_MODE_ENFORCING:
+	LogMessage(X_INFO, "SELinux: Configured in enforcing mode\n");
+	avc_option.value = (char *)1;
+	break;
+    case SELINUX_MODE_PERMISSIVE:
+	LogMessage(X_INFO, "SELinux: Configured in permissive mode\n");
+	avc_option.value = (char *)0;
+	break;
+    default:
+	avc_option.type = AVC_OPT_UNUSED;
+	break;
+    }
+
+    /* Set up SELinux stuff */
     selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog);
     selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback)SELinuxAudit);
 
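Review bot: The `default:` branch (reached for SELINUX_MODE_DEFAULT) is the only mode path that logs nothing, so an operator reading the server log cannot tell whether the configuration option was parsed at all; add `LogMessage(X_INFO, "SELinux: Using system enforcing mode\n");` before its `break`. With `AVC_OPT_UNUSED` the `avc_open(&avc_option, 1)` call further down presumably falls back to the kernel's enforcing state — confirm against the libselinux version in use. Because the permissive setting overrides a system that is itself enforcing, consider logging that case at X_WARNING rather than X_INFO so a relaxed policy is visible when the log is reviewed. SELinuxExtensionInit continues past the end of this hunk.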
@@ -1912,11 +1933,11 @@ SELinuxExtensionInit(INITARGS)
 	FatalError("SELinux: Failed to set up security class mapping\n");
     }
 
-    if (avc_open(NULL, 0) < 0)
+    if (avc_open(&avc_option, 1) < 0)
 	FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
     avc_active = 1;
 
-    label_hnd = selabel_open(SELABEL_CTX_X, options, 1);
+    label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
     if (!label_hnd)
 	FatalError("SELinux: Failed to open x_contexts mapping in policy\n");
 
diff --git a/hw/xfree86/dixmods/extmod/modinit.c b/hw/xfree86/dixmods/extmod/modinit.c
index d0d892a..8c8a4ce 100644
--- a/hw/xfree86/dixmods/extmod/modinit.c
+++ b/hw/xfree86/dixmods/extmod/modinit.c
@@ -42,7 +42,7 @@ static ExtensionModule extensionModules[] = {
     {
 	SELinuxExtensionInit,
 	SELINUX_EXTENSION_NAME,
-	NULL,
+	&noSELinuxExtension,
 	NULL,
 	NULL
     },
@@ -258,6 +258,27 @@ extmodSetup(pointer module, pointer opts, int *errmaj, int *errmin)
 		}
 	    }
 	}
+
+#ifdef XSELINUX
+	if (! strcmp(SELINUX_EXTENSION_NAME, extensionModules[i].name)) {
+	    pointer o;
+	    selinuxEnforcingState = SELINUX_MODE_DEFAULT;
+
+	    if ((o = xf86FindOption(opts, "SELinux mode disabled"))) {
+		xf86MarkOptionUsed(o);
+		selinuxEnforcingState = SELINUX_MODE_DISABLED;
+	    }
+	    if ((o = xf86FindOption(opts, "SELinux mode permissive"))) {
+		xf86MarkOptionUsed(o);
+		selinuxEnforcingState = SELINUX_MODE_PERMISSIVE;
+	    }
+	    if ((o = xf86FindOption(opts, "SELinux mode enforcing"))) {
+		xf86MarkOptionUsed(o);
+		selinuxEnforcingState = SELINUX_MODE_ENFORCING;
+	    }
+	}
+#endif
+
 	LoadExtension(&extensionModules[i], FALSE);
     }
     /* Need a non-NULL return */
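Review bot: The three option tests are independent `if`s, so a configuration that lists more than one of the mode options is accepted silently and the last match wins (enforcing over permissive over disabled), which is only apparent from reading the code. Either chain them with `else if` or add a comment such as `/* options are not mutually exclusive; the last match in this order wins */` and emit a warning when a second option matches, so a conflicting xorg.conf is not resolved invisibly. The lookups run before `LoadExtension`, so `selinuxEnforcingState` is set before SELinuxExtensionInit reads it, which appears to be the intended ordering. extmodSetup starts before this hunk.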
diff --git a/hw/xfree86/loader/dixsym.c b/hw/xfree86/loader/dixsym.c
index d035c76..d6d22c4 100644
--- a/hw/xfree86/loader/dixsym.c
+++ b/hw/xfree86/loader/dixsym.c
@@ -440,6 +440,9 @@ _X_HIDDEN void *dixLookupTab[] = {
 #ifdef XIDLE
     SYMVAR(noXIdleExtension)
 #endif
+#ifdef XSELINUX
+    SYMVAR(noSELinuxExtension)
+#endif
 #ifdef XV
     SYMVAR(noXvExtension)
 #endif
diff --git a/include/globals.h b/include/globals.h
index b230dfc..2ca9531 100644
--- a/include/globals.h
+++ b/include/globals.h
@@ -175,6 +175,16 @@ extern Bool noXInputExtension;
 extern Bool noXIdleExtension;
 #endif
 
+#ifdef XSELINUX
+extern Bool noSELinuxExtension;
+
+#define SELINUX_MODE_DEFAULT    0
+#define SELINUX_MODE_DISABLED   1
+#define SELINUX_MODE_PERMISSIVE 2
+#define SELINUX_MODE_ENFORCING  3
+extern int selinuxEnforcingState;
+#endif
+
 #ifdef XV
 extern Bool noXvExtension;
 #endif
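Review bot: The four SELINUX_MODE_* values are added without saying what SELINUX_MODE_DEFAULT means; the only hint is the `AVC_OPT_UNUSED` fallback in Xext/xselinux.c. Add a comment on the defines, e.g. `/* SELINUX_MODE_DEFAULT: no xorg.conf option given; follow the system's enforcing mode */`, and document on `selinuxEnforcingState` that it is written by extmodSetup and read once by SELinuxExtensionInit. An `enum` would keep the values visible in a debugger, but the neighbouring declarations in this file use plain macros, so that is a matter of local convention.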
diff --git a/mi/miinitext.c b/mi/miinitext.c
index 3c55eeb..cc4c15c 100644
--- a/mi/miinitext.c
+++ b/mi/miinitext.c
@@ -215,6 +215,9 @@ extern Bool noXInputExtension;
 #ifdef XIDLE
 extern Bool noXIdleExtension;
 #endif
+#ifdef XSELINUX
+extern Bool noSELinuxExtension;
+#endif
 #ifdef XV
 extern Bool noXvExtension;
 #endif
@@ -488,6 +491,9 @@ static ExtensionToggle ExtensionToggleList[] =
 #ifdef XKB
     { "XKEYBOARD", &noXkbExtension },
 #endif
+#ifdef XSELINUX
+    { "SELinux", &noSELinuxExtension },
+#endif
     { "XTEST", &noTestExtensions },
 #ifdef XV
     { "XVideo", &noXvExtension },
@@ -597,7 +603,7 @@ InitExtensions(argc, argv)
     if (!noSecurityExtension) SecurityExtensionInit();
 #endif
 #ifdef XSELINUX
-    SELinuxExtensionInit();
+    if (!noSELinuxExtension) SELinuxExtensionInit();
 #endif
 #ifdef XPRINT
     XpExtensionInit(); /* server-specific extension, cannot be disabled */
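Review bot: When `noSELinuxExtension` is set, SELinuxExtensionInit is skipped with no log output, whereas every other way of not enabling the extension (disabled on the system, disabled in the configuration file) logs a message in Xext/xselinux.c; add `else LogMessage(X_INFO, "SELinux: Extension disabled by extension toggle\n");` so a review of the server log shows why the security extension is absent. The hunk at line 183, which adds the "SELinux" entry to ExtensionToggleList, is what makes this path reachable. InitExtensions starts and ends outside this hunk.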
diff --git a/os/utils.c b/os/utils.c
index 4041028..57293ab 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -232,6 +232,10 @@ _X_EXPORT Bool noXInputExtension = FALSE;
 #ifdef XIDLE
 _X_EXPORT Bool noXIdleExtension = FALSE;
 #endif
+#ifdef XSELINUX
+_X_EXPORT Bool noSELinuxExtension = FALSE;
+_X_EXPORT int selinuxEnforcingState = SELINUX_MODE_DEFAULT;
+#endif
 #ifdef XV
 _X_EXPORT Bool noXvExtension = FALSE;
 #endif

