[PULL -v2] XACE and SELinux updates for server-1.7-branch

Eamon Walsh ewalsh at tycho.nsa.gov
Wed Oct 21 19:10:14 PDT 2009 

On 10/21/2009 09:36 PM, Peter Hutterer wrote:
> On Wed, Oct 21, 2009 at 09:07:40PM -0400, Eamon Walsh wrote:
>   
>> Hi Peter,
>>
>> Please pull these updates into server-1.7-branch.
>>
>> Thanks.
>>
>>
>> The following changes are available in the git repository at:
>>
>>     git://anongit.freedesktop.org/~ewalsh/xserver server-1.7-branch
>>
>> Eamon Walsh (9):
>>       xace: Fake return values on denials in input polling requests.
>>       xselinux: Stop special-casing QueryPointer access checks.
>>       xace: Relax permissions on XkbGetState from Read to Getattr.
>>       xselinux: switch from x_device to separate x_pointer and x_keyboard classes.
>>       xselinux: Allow SetWindowCreateContext to be used for pixmaps as well.
>>       dix: Export IsPointerDevice() and IsKeyboardDevice().
>>       xselinux: Use the now-exported IsPointerDevice() instead of a copy.
>>       xselinux: Note something in the log if disabled by boolean.
>>       Remove some debug messages that trigger on XACE event delivery failure.
>>     
> I should have spotted this earlier but - the last patch is not quite
> optimal and the commit message makes it sound like a different issue.
>
> EventToXI can return BadMatch, BadAlloc and BadImplementation. Both of the
> latter are worth noting in the log file since things are expected to go bad
> if that happens  EventToCore only returns BadMatch or BadImplementation on
> failure (in both cases, BadImplementation is logged anyway).
>
> The reason why XACE triggered these logs is because the if condition was
> joined. XACE doesn't modify rc either, so just reading this patch and the
> associated commit message is confusing.
>
> I think it'd be better to split the condition from the current 
>
> if (rc == Success && XACE(...) == Success)
>
> to something like this
>
> if (rc == Success) {
>      if (XACE == Success) {
>          do stuff
>      }
> } else {
>      log message
> }
>
> any opinions?
>
> Cheers,
>   Peter
>   


You're right, removing the log message entirely is probably bad.

I rebased the branch, removing the previous commit and adding one that
does what you suggest.

Once I've tested it I'll send a -v3 pull request.

Also, I haven't forgotten about the plan to use internal events instead
of wire events in the XACE hook.  I should get started on that soon.


--Eamon

More information about the xorg-devel mailing list