xserver: Branch 'master' - 8 commits
Keith Packard
keithp at kemper.freedesktop.org
Mon Feb 22 20:25:08 PST 2010
Xext/xselinux.h | 8 ++---
Xext/xselinux_ext.c | 41 +++++++++++++++-----------
Xext/xselinux_hooks.c | 73 +++++++-----------------------------------------
Xext/xselinux_label.c | 23 +++++----------
configure.ac | 11 +------
dix/events.c | 62 ++++++++++++++++++++++------------------
include/dix-config.h.in | 2 -
7 files changed, 84 insertions(+), 136 deletions(-)
New commits:
commit db4f676f25c6d8e58263d5151942be730592d444
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Feb 3 15:40:47 2010 -0500
xselinux: Bump extension minor version.
Changes introduced in this version:
- 3 window-related requests now handle pixmaps also.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index d82d903..5723982 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
@@ -23,7 +23,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
/* Extension info */
#define SELINUX_EXTENSION_NAME "SELinux"
#define SELINUX_MAJOR_VERSION 1
-#define SELINUX_MINOR_VERSION 0
+#define SELINUX_MINOR_VERSION 1
#define SELinuxNumberEvents 0
#define SELinuxNumberErrors 0
commit a6cbcf6e782e65f3d4d14202ed0b7a8f65b33c9d
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Feb 3 15:38:57 2010 -0500
xselinux: Rename window-related requests that now support pixmaps.
Renamed requests:
SetWindowCreateContext -> SetDrawableCreateContext
GetWindowCreateContext -> GetDrawableCreateContext
GetWindowContext -> GetDrawableContext
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index dcd250e..d82d903 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
@@ -33,9 +33,9 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#define X_SELinuxGetDeviceCreateContext 2
#define X_SELinuxSetDeviceContext 3
#define X_SELinuxGetDeviceContext 4
-#define X_SELinuxSetWindowCreateContext 5
-#define X_SELinuxGetWindowCreateContext 6
-#define X_SELinuxGetWindowContext 7
+#define X_SELinuxSetDrawableCreateContext 5
+#define X_SELinuxGetDrawableCreateContext 6
+#define X_SELinuxGetDrawableContext 7
#define X_SELinuxSetPropertyCreateContext 8
#define X_SELinuxGetPropertyCreateContext 9
#define X_SELinuxSetPropertyUseContext 10
diff --git a/Xext/xselinux_ext.c b/Xext/xselinux_ext.c
index 1dff32d..aa55734 100644
--- a/Xext/xselinux_ext.c
+++ b/Xext/xselinux_ext.c
@@ -221,7 +221,7 @@ ProcSELinuxGetDeviceContext(ClientPtr client)
}
static int
-ProcSELinuxGetWindowContext(ClientPtr client)
+ProcSELinuxGetDrawableContext(ClientPtr client)
{
DrawablePtr pDraw;
PrivateRec **privatePtr;
@@ -486,12 +486,12 @@ ProcSELinuxDispatch(ClientPtr client)
return ProcSELinuxSetDeviceContext(client);
case X_SELinuxGetDeviceContext:
return ProcSELinuxGetDeviceContext(client);
- case X_SELinuxSetWindowCreateContext:
+ case X_SELinuxSetDrawableCreateContext:
return ProcSELinuxSetCreateContext(client, CTX_WIN);
- case X_SELinuxGetWindowCreateContext:
+ case X_SELinuxGetDrawableCreateContext:
return ProcSELinuxGetCreateContext(client, CTX_WIN);
- case X_SELinuxGetWindowContext:
- return ProcSELinuxGetWindowContext(client);
+ case X_SELinuxGetDrawableContext:
+ return ProcSELinuxGetDrawableContext(client);
case X_SELinuxSetPropertyCreateContext:
return ProcSELinuxSetCreateContext(client, CTX_PRP);
case X_SELinuxGetPropertyCreateContext:
@@ -574,14 +574,14 @@ SProcSELinuxGetDeviceContext(ClientPtr client)
}
static int
-SProcSELinuxGetWindowContext(ClientPtr client)
+SProcSELinuxGetDrawableContext(ClientPtr client)
{
REQUEST(SELinuxGetContextReq);
int n;
REQUEST_SIZE_MATCH(SELinuxGetContextReq);
swapl(&stuff->id, n);
- return ProcSELinuxGetWindowContext(client);
+ return ProcSELinuxGetDrawableContext(client);
}
static int
@@ -648,12 +648,12 @@ SProcSELinuxDispatch(ClientPtr client)
return SProcSELinuxSetDeviceContext(client);
case X_SELinuxGetDeviceContext:
return SProcSELinuxGetDeviceContext(client);
- case X_SELinuxSetWindowCreateContext:
+ case X_SELinuxSetDrawableCreateContext:
return SProcSELinuxSetCreateContext(client, CTX_WIN);
- case X_SELinuxGetWindowCreateContext:
+ case X_SELinuxGetDrawableCreateContext:
return ProcSELinuxGetCreateContext(client, CTX_WIN);
- case X_SELinuxGetWindowContext:
- return SProcSELinuxGetWindowContext(client);
+ case X_SELinuxGetDrawableContext:
+ return SProcSELinuxGetDrawableContext(client);
case X_SELinuxSetPropertyCreateContext:
return SProcSELinuxSetCreateContext(client, CTX_PRP);
case X_SELinuxGetPropertyCreateContext:
commit ab68c707fd02613d9359120ba6402639dd8bd89e
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Feb 3 15:08:40 2010 -0500
xselinux: Allow GetWindowContext to be used for pixmaps as well.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/Xext/xselinux_ext.c b/Xext/xselinux_ext.c
index dc27c92..1dff32d 100644
--- a/Xext/xselinux_ext.c
+++ b/Xext/xselinux_ext.c
@@ -223,18 +223,26 @@ ProcSELinuxGetDeviceContext(ClientPtr client)
static int
ProcSELinuxGetWindowContext(ClientPtr client)
{
- WindowPtr pWin;
+ DrawablePtr pDraw;
+ PrivateRec **privatePtr;
SELinuxObjectRec *obj;
int rc;
REQUEST(SELinuxGetContextReq);
REQUEST_SIZE_MATCH(SELinuxGetContextReq);
- rc = dixLookupWindow(&pWin, stuff->id, client, DixGetAttrAccess);
+ rc = dixLookupDrawable(&pDraw, stuff->id, client,
+ M_WINDOW | M_DRAWABLE_PIXMAP,
+ DixGetAttrAccess);
if (rc != Success)
return rc;
- obj = dixLookupPrivate(&pWin->devPrivates, objectKey);
+ if (pDraw->type == M_DRAWABLE_PIXMAP)
+ privatePtr = &((PixmapPtr)pDraw)->devPrivates;
+ else
+ privatePtr = &((WindowPtr)pDraw)->devPrivates;
+
+ obj = dixLookupPrivate(privatePtr, objectKey);
return SELinuxSendContextReply(client, obj->sid);
}
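Review bot: The test `pDraw->type == M_DRAWABLE_PIXMAP` compares the drawable's type field against a lookup mask. In the server headers the M_* names are the bit masks passed to dixLookupDrawable, while `type` holds DRAWABLE_WINDOW / DRAWABLE_PIXMAP / UNDRAWABLE_WINDOW, and the pixmap mask bit is not the same number as DRAWABLE_PIXMAP. If that holds in this tree, a pixmap falls into the else branch and is read through a WindowPtr cast (and an InputOnly window through a PixmapPtr cast), so `devPrivates` is fetched from the wrong structure layout in a client-reachable request. The comparison should be `if (pDraw->type == DRAWABLE_PIXMAP)`.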
commit eb9210097efea81065c301e5b6b4da7a566deb4a
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Jan 6 12:52:51 2010 -0500
xselinux: Remove reference counting calls for SID objects.
Starting with libselinux 2.0.86, SID objects are no longer
reference counted and the sidput() and sidget() calls are no-ops.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/Xext/xselinux_ext.c b/Xext/xselinux_ext.c
index b36fb13..dc27c92 100644
--- a/Xext/xselinux_ext.c
+++ b/Xext/xselinux_ext.c
@@ -132,7 +132,6 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset)
ptr = dixLookupPrivate(privPtr, subjectKey);
pSid = (security_id_t *)(ptr + offset);
- sidput(*pSid);
*pSid = NULL;
rc = Success;
@@ -193,11 +192,9 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
}
subj = dixLookupPrivate(&dev->devPrivates, subjectKey);
- sidput(subj->sid);
subj->sid = sid;
obj = dixLookupPrivate(&dev->devPrivates, objectKey);
- sidput(obj->sid);
- sidget(obj->sid = sid);
+ obj->sid = sid;
rc = Success;
out:
diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index 72732e7..6c8c8cd 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -69,9 +69,6 @@ DevPrivateKey dataKey = &dataKeyIndex;
/* audit file descriptor */
static int audit_fd;
-/* whether AVC is active */
-static int avc_active;
-
/* atoms for window label properties */
static Atom atom_ctx;
static Atom atom_client_ctx;
@@ -125,9 +122,7 @@ SELinuxLabelClient(ClientPtr client)
security_context_t ctx;
subj = dixLookupPrivate(&client->devPrivates, subjectKey);
- sidput(subj->sid);
obj = dixLookupPrivate(&client->devPrivates, objectKey);
- sidput(obj->sid);
/* Try to get a context from the socket */
if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) {
@@ -170,7 +165,7 @@ finish:
FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n",
client->index, ctx);
- sidget(obj->sid = subj->sid);
+ obj->sid = subj->sid;
freecon(ctx);
}
@@ -191,7 +186,6 @@ SELinuxLabelInitial(void)
subj = dixLookupPrivate(&serverClient->devPrivates, subjectKey);
obj = dixLookupPrivate(&serverClient->devPrivates, objectKey);
subj->privileged = 1;
- sidput(subj->sid);
/* Use the context of the X server process for the serverClient */
if (getcon_raw(&ctx) < 0)
@@ -201,7 +195,7 @@ SELinuxLabelInitial(void)
if (avc_context_to_sid_raw(ctx, &subj->sid) < 0)
FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);
- sidget(obj->sid = subj->sid);
+ obj->sid = subj->sid;
freecon(ctx);
srec.client = serverClient;
@@ -231,7 +225,7 @@ SELinuxLabelResource(XaceResourceAccessRec *rec, SELinuxSubjectRec *subj,
/* Check for a create context */
if (rec->rtype & RC_DRAWABLE && subj->win_create_sid) {
- sidget(obj->sid = subj->win_create_sid);
+ obj->sid = subj->win_create_sid;
return Success;
}
@@ -359,17 +353,14 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
SELinuxSubjectRec *dsubj;
dsubj = dixLookupPrivate(&rec->dev->devPrivates, subjectKey);
- sidput(dsubj->sid);
- sidput(obj->sid);
-
if (subj->dev_create_sid) {
/* Label the device with the create context */
- sidget(obj->sid = subj->dev_create_sid);
- sidget(dsubj->sid = subj->dev_create_sid);
+ obj->sid = subj->dev_create_sid;
+ dsubj->sid = subj->dev_create_sid;
} else {
/* Label the device directly with the process SID */
- sidget(obj->sid = subj->sid);
- sidget(dsubj->sid = subj->sid);
+ obj->sid = subj->sid;
+ dsubj->sid = subj->sid;
}
}
@@ -483,8 +474,6 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
return;
}
- sidput(obj->sid);
-
/* Perform a transition to obtain the final SID */
if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION,
&obj->sid) < 0) {
@@ -520,7 +509,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* If this is a new object that needs labeling, do it now */
if (access_mode & DixCreateAccess) {
- sidput(obj->sid);
rc = SELinuxSelectionToSID(name, subj, &obj->sid, &obj->poly);
if (rc != Success)
obj->sid = unlabeled_sid;
@@ -538,7 +526,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
break;
obj = dixLookupPrivate(&pSel->devPrivates, objectKey);
}
- sidput(tsid);
if (pSel)
*rec->ppSel = pSel;
@@ -557,11 +544,10 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* Label the content (advisory only) */
if (access_mode & DixSetAttrAccess) {
data = dixLookupPrivate(&pSel->devPrivates, dataKey);
- sidput(data->sid);
if (subj->sel_create_sid)
- sidget(data->sid = subj->sel_create_sid);
+ data->sid = subj->sel_create_sid;
else
- sidget(data->sid = obj->sid);
+ data->sid = obj->sid;
}
}
@@ -586,7 +572,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* If this is a new object that needs labeling, do it now */
if (rec->access_mode & DixCreateAccess) {
- sidput(obj->sid);
rc = SELinuxPropertyToSID(name, subj, &obj->sid, &obj->poly);
if (rc != Success) {
rec->status = rc;
@@ -605,7 +590,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
break;
obj = dixLookupPrivate(&pProp->devPrivates, objectKey);
}
- sidput(tsid);
if (pProp)
*rec->ppProp = pProp;
@@ -624,11 +608,10 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* Label the content (advisory only) */
if (rec->access_mode & DixWriteAccess) {
data = dixLookupPrivate(&pProp->devPrivates, dataKey);
- sidput(data->sid);
if (subj->prp_create_sid)
- sidget(data->sid = subj->prp_create_sid);
+ data->sid = subj->prp_create_sid;
else
- sidget(data->sid = obj->sid);
+ data->sid = obj->sid;
}
}
@@ -705,8 +688,6 @@ SELinuxScreen(CallbackListPtr *pcbl, pointer is_saver, pointer calldata)
/* If this is a new object that needs labeling, do it now */
if (access_mode & DixCreateAccess) {
- sidput(obj->sid);
-
/* Perform a transition to obtain the final SID */
if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_SCREEN,
&obj->sid) < 0) {
@@ -838,7 +819,6 @@ SELinuxSubjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
PrivateCallbackRec *rec = calldata;
SELinuxSubjectRec *subj = *rec->value;
- sidget(unlabeled_sid);
subj->sid = unlabeled_sid;
avc_entry_ref_init(&subj->aeref);
@@ -851,14 +831,6 @@ SELinuxSubjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
SELinuxSubjectRec *subj = *rec->value;
xfree(subj->command);
-
- if (avc_active) {
- sidput(subj->sid);
- sidput(subj->dev_create_sid);
- sidput(subj->win_create_sid);
- sidput(subj->sel_create_sid);
- sidput(subj->prp_create_sid);
- }
}
static void
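Review bot: SELinuxSubjectFree now releases only `subj->command`, and nothing in the file says why the five SID fields are left alone. A short comment above the function would keep a later reader from reintroducing a release call, for example `/* SIDs are not reference counted as of libselinux 2.0.86; nothing to release here. */`. The same note would fit SELinuxObjectInit in the next hunk, where the `sidget(unlabeled_sid)` call is dropped. Only the tail of SELinuxSubjectFree is inside this hunk.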
@@ -867,20 +839,9 @@ SELinuxObjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
PrivateCallbackRec *rec = calldata;
SELinuxObjectRec *obj = *rec->value;
- sidget(unlabeled_sid);
obj->sid = unlabeled_sid;
}
-static void
-SELinuxObjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
-{
- PrivateCallbackRec *rec = calldata;
- SELinuxObjectRec *obj = *rec->value;
-
- if (avc_active)
- sidput(obj->sid);
-}
-
static int netlink_fd;
static void
@@ -923,7 +884,6 @@ SELinuxFlaskReset(void)
RemoveGeneralSocket(netlink_fd);
avc_destroy();
- avc_active = 0;
}
void
@@ -961,7 +921,6 @@ SELinuxFlaskInit(void)
if (avc_open(&avc_option, 1) < 0)
FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
- avc_active = 1;
if (security_get_initial_context_raw("unlabeled", &ctx) < 0)
FatalError("SELinux: Failed to look up unlabeled context\n");
@@ -997,9 +956,7 @@ SELinuxFlaskInit(void)
ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL);
ret &= dixRegisterPrivateInitFunc(objectKey, SELinuxObjectInit, NULL);
- ret &= dixRegisterPrivateDeleteFunc(objectKey, SELinuxObjectFree, NULL);
ret &= dixRegisterPrivateInitFunc(dataKey, SELinuxObjectInit, NULL);
- ret &= dixRegisterPrivateDeleteFunc(dataKey, SELinuxObjectFree, NULL);
ret &= AddCallback(&ClientStateCallback, SELinuxClientState, NULL);
ret &= AddCallback(&ResourceStateCallback, SELinuxResourceState, NULL);
diff --git a/Xext/xselinux_label.c b/Xext/xselinux_label.c
index 239536c..9b5023a 100644
--- a/Xext/xselinux_label.c
+++ b/Xext/xselinux_label.c
@@ -177,20 +177,17 @@ SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec *subj,
/* Check for an override context next */
if (subj->sel_use_sid) {
- sidget(tsid = subj->sel_use_sid);
+ tsid = subj->sel_use_sid;
goto out;
}
- sidget(tsid = obj->sid);
+ tsid = obj->sid;
/* Polyinstantiate if necessary to obtain the final SID */
- if (obj->poly) {
- sidput(tsid);
- if (avc_compute_member(subj->sid, obj->sid,
- SECCLASS_X_SELECTION, &tsid) < 0) {
- ErrorF("SELinux: a compute_member call failed!\n");
- return BadValue;
- }
+ if (obj->poly && avc_compute_member(subj->sid, obj->sid,
+ SECCLASS_X_SELECTION, &tsid) < 0) {
+ ErrorF("SELinux: a compute_member call failed!\n");
+ return BadValue;
}
out:
*sid_rtn = tsid;
@@ -217,7 +214,7 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
/* Check for an override context next */
if (subj->prp_use_sid) {
- sidget(tsid = subj->prp_use_sid);
+ tsid = subj->prp_use_sid;
goto out;
}
@@ -234,10 +231,8 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
if (avc_compute_member(subj->sid, tsid2,
SECCLASS_X_PROPERTY, &tsid) < 0) {
ErrorF("SELinux: a compute_member call failed!\n");
- sidput(tsid2);
return BadValue;
}
- sidput(tsid2);
}
out:
*sid_rtn = tsid;
@@ -273,10 +268,8 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
}
freecon(ctx);
/* Cache the SID value */
- if (!SELinuxArraySet(&arr_events, type, sid)) {
- sidput(sid);
+ if (!SELinuxArraySet(&arr_events, type, sid))
return BadAlloc;
- }
}
/* Perform a transition to obtain the final SID */
commit 0c4b75a08922416050bb73d2e279ce938d3823e7
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Oct 21 21:59:01 2009 -0400
Don't print a failure message when XACE denies an input event delivery.
A denial is normal and the behavior should be to drop the event.
Having the log message creates excessive log spam.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/dix/events.c b/dix/events.c
index aecf726..2e94726 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -2485,15 +2485,15 @@ DeliverDeviceEvents(WindowPtr pWin, InternalEvent *event, GrabPtr grab,
if (mask & XI_MASK)
{
rc = EventToXI(event, &xE, &count);
- if (rc == Success &&
- XaceHook(XACE_SEND_ACCESS, NULL, dev, pWin, xE, count) == Success)
- {
- filter = GetEventFilter(dev, xE);
- FixUpEventFromWindow(dev, xE, pWin, child, FALSE);
- deliveries = DeliverEventsToWindow(dev, pWin, xE, count,
- filter, grab);
- if (deliveries > 0)
- goto unwind;
+ if (rc == Success) {
+ if (XaceHook(XACE_SEND_ACCESS, NULL, dev, pWin, xE, count) == Success) {
+ filter = GetEventFilter(dev, xE);
+ FixUpEventFromWindow(dev, xE, pWin, child, FALSE);
+ deliveries = DeliverEventsToWindow(dev, pWin, xE, count,
+ filter, grab);
+ if (deliveries > 0)
+ goto unwind;
+ }
} else if (rc != BadMatch)
ErrorF("[dix] %s: XI conversion failed in DDE (%d, %d). Skipping delivery.\n",
dev->name, event->any.type, rc);
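Review bot: Nothing at the nested `if (XaceHook(...) == Success)` says that a denial is meant to fall through without a message, and the revert in this same push shows how easily this condition gets merged or split the wrong way. A one-line comment on the inner test, e.g. `/* XACE denial is normal: drop the event quietly; only conversion failures are logged below */`, would record the intent; the same applies to the core-event hunk and the DeliverFocusedEvent hunk. The trailing `else if (rc != BadMatch)` is also left unbraced next to a braced `if`, which is worth bracing now that the nesting is deeper. DeliverDeviceEvents starts and ends outside this hunk.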
@@ -2503,15 +2503,15 @@ DeliverDeviceEvents(WindowPtr pWin, InternalEvent *event, GrabPtr grab,
if ((mask & CORE_MASK) && IsMaster(dev) && dev->coreEvents)
{
rc = EventToCore(event, &core);
- if (rc == Success &&
- XaceHook(XACE_SEND_ACCESS, NULL, dev, pWin, &core, 1) == Success)
- {
- filter = GetEventFilter(dev, &core);
- FixUpEventFromWindow(dev, &core, pWin, child, FALSE);
- deliveries = DeliverEventsToWindow(dev, pWin, &core, 1,
- filter, grab);
- if (deliveries > 0)
- goto unwind;
+ if (rc == Success) {
+ if (XaceHook(XACE_SEND_ACCESS, NULL, dev, pWin, &core, 1) == Success) {
+ filter = GetEventFilter(dev, &core);
+ FixUpEventFromWindow(dev, &core, pWin, child, FALSE);
+ deliveries = DeliverEventsToWindow(dev, pWin, &core, 1,
+ filter, grab);
+ if (deliveries > 0)
+ goto unwind;
+ }
} else if (rc != BadMatch)
ErrorF("[dix] %s: Core conversion failed in DDE (%d, %d).\n",
dev->name, event->any.type, rc);
@@ -3791,13 +3791,13 @@ DeliverFocusedEvent(DeviceIntPtr keybd, InternalEvent *event, WindowPtr window)
if (sendCore)
{
rc = EventToCore(event, &core);
- if (rc == Success &&
- XaceHook(XACE_SEND_ACCESS, NULL, keybd, focus, &core, 1) == Success)
- {
- FixUpEventFromWindow(keybd, &core, focus, None, FALSE);
- deliveries = DeliverEventsToWindow(keybd, focus, &core, 1,
- GetEventFilter(keybd, &core),
- NullGrab);
+ if (rc == Success) {
+ if (XaceHook(XACE_SEND_ACCESS, NULL, keybd, focus, &core, 1) == Success) {
+ FixUpEventFromWindow(keybd, &core, focus, None, FALSE);
+ deliveries = DeliverEventsToWindow(keybd, focus, &core, 1,
+ GetEventFilter(keybd, &core),
+ NullGrab);
+ }
} else if (rc != BadMatch)
ErrorF("[dix] %s: core conversion failed DFE (%d, %d). Skipping delivery.\n",
keybd->name, event->any.type, rc);
commit e687e11b1248494a45b9a4e4c321675526808703
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Oct 21 21:46:50 2009 -0400
Revert "Remove some debug messages that trigger on XACE event delivery failure."
The log messages still need to be there for non-XACE failures.
This reverts commit 4be354c4c2da5168b302601b91bd80cfaca7e193.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/dix/events.c b/dix/events.c
index c085a75..aecf726 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -2494,7 +2494,9 @@ DeliverDeviceEvents(WindowPtr pWin, InternalEvent *event, GrabPtr grab,
filter, grab);
if (deliveries > 0)
goto unwind;
- }
+ } else if (rc != BadMatch)
+ ErrorF("[dix] %s: XI conversion failed in DDE (%d, %d). Skipping delivery.\n",
+ dev->name, event->any.type, rc);
}
/* Core event */
@@ -2510,7 +2512,9 @@ DeliverDeviceEvents(WindowPtr pWin, InternalEvent *event, GrabPtr grab,
filter, grab);
if (deliveries > 0)
goto unwind;
- }
+ } else if (rc != BadMatch)
+ ErrorF("[dix] %s: Core conversion failed in DDE (%d, %d).\n",
+ dev->name, event->any.type, rc);
}
if ((deliveries < 0) || (pWin == stopAt) ||
@@ -3794,7 +3798,9 @@ DeliverFocusedEvent(DeviceIntPtr keybd, InternalEvent *event, WindowPtr window)
deliveries = DeliverEventsToWindow(keybd, focus, &core, 1,
GetEventFilter(keybd, &core),
NullGrab);
- }
+ } else if (rc != BadMatch)
+ ErrorF("[dix] %s: core conversion failed DFE (%d, %d). Skipping delivery.\n",
+ keybd->name, event->any.type, rc);
}
unwind:
commit 2ecb9f7d86117f212d7845741a3e155553954a85
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Oct 21 19:28:26 2009 -0400
libselinux now has a pkgconfig file. Use it.
Also remove HAVE_NETLINK_AVC_ACQUIRE_FD tests, because we now
require a version of libselinux that has it.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index 6e8c86d..72732e7 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -881,7 +881,6 @@ SELinuxObjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
sidput(obj->sid);
}
-#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
static int netlink_fd;
static void
@@ -895,7 +894,6 @@ SELinuxWakeupHandler(void *data, int err, void *read_mask)
if (FD_ISSET(netlink_fd, (fd_set *)read_mask))
avc_netlink_check_nb();
}
-#endif
void
SELinuxFlaskReset(void)
@@ -919,12 +917,10 @@ SELinuxFlaskReset(void)
/* Tear down SELinux stuff */
audit_close(audit_fd);
-#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
avc_netlink_release_fd();
RemoveBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler,
NULL);
RemoveGeneralSocket(netlink_fd);
-#endif
avc_destroy();
avc_active = 0;
@@ -992,12 +988,10 @@ SELinuxFlaskInit(void)
if (atom_client_ctx == BAD_RESOURCE)
FatalError("SELinux: Failed to create atom\n");
-#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
netlink_fd = avc_netlink_acquire_fd();
AddGeneralSocket(netlink_fd);
RegisterBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler,
NULL);
-#endif
/* Register callbacks */
ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
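Review bot: With the `#ifdef` gone, `netlink_fd = avc_netlink_acquire_fd();` is always compiled and its result goes straight into `AddGeneralSocket(netlink_fd)` without a check. If the call can return a negative descriptor on failure (worth confirming against the libselinux version now required), that value would reach the server's fd-set handling. A guard such as `if (netlink_fd < 0) FatalError("SELinux: Failed to acquire netlink fd\n");` would match how the atom failure just above is handled. SELinuxFlaskInit begins and ends outside this hunk.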
diff --git a/configure.ac b/configure.ac
index de252f3..b9c7574 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1056,16 +1056,11 @@ if test "x$XSELINUX" = xyes; then
if test "x$XACE" != xyes; then
AC_MSG_ERROR([cannot build SELinux extension without X-ACE])
fi
- AC_CHECK_HEADERS([selinux/selinux.h selinux/avc.h], [], AC_MSG_ERROR([SELinux include files not found]))
- AC_CHECK_LIB(selinux, avc_init, [], AC_MSG_ERROR([SELinux library not found]))
AC_CHECK_HEADERS([libaudit.h], [], AC_MSG_ERROR([SELinux extension requires audit system headers]))
AC_CHECK_LIB(audit, audit_open, [], AC_MSG_ERROR([SELinux extension requires audit system library]))
- AC_CHECK_DECL(avc_netlink_acquire_fd,
- [AC_DEFINE(HAVE_AVC_NETLINK_ACQUIRE_FD, 1, "Have avc_netlink_acquire_fd")],
- [],
- [#include <selinux/avc.h>])
+ PKG_CHECK_MODULES([SELINUX], [libselinux >= 2.0.86])
+ SELINUX_LIBS="$SELINUX_LIBS -laudit"
AC_DEFINE(XSELINUX, 1, [Build SELinux extension])
- SELINUX_LIB="-lselinux -laudit"
fi
AM_CONDITIONAL(XCSECURITY, [test "x$XCSECURITY" = xyes])
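Review bot: `PKG_CHECK_MODULES([SELINUX], ...)` also produces `SELINUX_CFLAGS`, but the hunks here only consume `SELINUX_LIBS`, and the explicit header check for `selinux/selinux.h` and `selinux/avc.h` is removed. If the libselinux .pc file reports a non-default include directory, the extension sources would presumably fail to find those headers. Passing `$SELINUX_CFLAGS` into the flags used to build Xext (not visible in this diff) would close that gap.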
@@ -1584,7 +1579,7 @@ if test "x$XORG" = xyes; then
AC_CHECK_FUNCS([pci_device_vgaarb_init])
LIBS=$SAVE_LIBS
CFLAGS=$SAVE_CFLAGS
- XORG_SYS_LIBS="$XORG_SYS_LIBS $PCIACCESS_LIBS $GLX_SYS_LIBS $SELINUX_LIB"
+ XORG_SYS_LIBS="$XORG_SYS_LIBS $PCIACCESS_LIBS $GLX_SYS_LIBS $SELINUX_LIBS"
XORG_CFLAGS="$XORG_CFLAGS $PCIACCESS_CFLAGS"
case $host_os in
diff --git a/include/dix-config.h.in b/include/dix-config.h.in
index e942dac..058c8fd 100644
--- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
@@ -446,6 +446,4 @@
#include "dix-config-apple-verbatim.h"
#endif
-#undef HAVE_AVC_NETLINK_ACQUIRE_FD
-
#endif /* _DIX_CONFIG_H_ */
commit 9fc6b59d46382e949526dc10c3f5bfddbe2acb92
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Thu Oct 15 17:32:21 2009 -0400
xselinux: Allow SetWindowCreateContext to be used for pixmaps as well.
Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index 43683ff..6e8c86d 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -230,7 +230,7 @@ SELinuxLabelResource(XaceResourceAccessRec *rec, SELinuxSubjectRec *subj,
security_id_t tsid;
/* Check for a create context */
- if (rec->rtype == RT_WINDOW && subj->win_create_sid) {
+ if (rec->rtype & RC_DRAWABLE && subj->win_create_sid) {
sidget(obj->sid = subj->win_create_sid);
return Success;
}
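Review bot: `rec->rtype & RC_DRAWABLE && subj->win_create_sid` relies on `&` binding tighter than `&&`; writing `if ((rec->rtype & RC_DRAWABLE) && subj->win_create_sid) {` makes the class-bit test explicit. Moving from an equality test on RT_WINDOW to a class-bit test also means the create context labels every resource type carrying the drawable class bit, which may be wider than windows and pixmaps if other such types are registered. The comment `/* Check for a create context */` could say so, e.g. `/* Create context applies to any drawable-class resource (windows, pixmaps) */`. SELinuxLabelResource continues outside this hunk.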