Subject: [PATCH 1/1] XSELinux: When SELinux is enabled the xserver seg faults

Eamon Walsh ewalsh.mailinglists at gmail.com
Tue Jun 12 21:45:07 PDT 2012 

Hi,

Looks good to me, although I thought this was handled at the callsites.  I
guess some callsites have been added or changed that pass in the special
ID's.

Acked-by: Eamon Walsh <efw at eamonwalsh.com>


On Tue, Jun 12, 2012 at 9:49 AM, Richard Haines <
richard_c_haines at btinternet.com> wrote:

> This patch was created using xorg-server-1.12.0 source.
>
> When using Fedora 17 with xorg-server-1.12.0 and SELinux is enabled
> ('setsebool xserver_object_manager on') the xserver will not load. The X
> log file has a seg fault pointing to XACE/SELinux. Bug 50641 was raised
> (https://bugs.freedesktop.org/show_bug.cgi?id=50641). The patch below is a
> possible fix.
>
> The bug is caused by X calling XaceHook(XACE_DEVICE_ACCESS, client, ...)
> with a device ID of '1' that is XIAllMasterDevices. It would also happen
> if the device ID = 0 (XIAllDevices).
>
> The only places currently seen calling with a device id=1 are:
> GrabKey - in Xi/exevents.c and AddPassiveGrabToList - in dix/grabs.c
> These start life in ProcXIPassiveGrabDevice (in Xi/xipassivegrab.c) that
> has been called by XIGrabKeycode.
>
> The patch has been tested using the other XI calls that would also impact
> this: XIGrabTouchBegin, XIGrabButton, XIGrabFocusIn and XIGrabEnter with
> and without the correct permissions (grab and freeze) with no problems.
>
> Both possible classes have to be checked (x_keyboard and x_pointer) as it
> is not known whether it is a pointer or keyboard as this info is not
> available. To get this info would require a change to the
> XaceHook(XACE_DEVICE_ACCESS, client, ..) call to pass an additional
> parameter stating the actual devices (that would defeat the objective of
> the XIAllMasterDevices and XIAllDevices dev ids).
>
> Note that there are other devices apart from the keyboard and pointer, for
> example on the test system: DeviceID: 9 is the Integrated_Webcam_1.3M. As
> it is classed as a slave keyboard it is checked.
>
> Signed-off-by: Richard Haines <richard_c_haines at btinternet.com>
> ---
>  Xext/xselinux_hooks.c |   44 +++++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 39 insertions(+), 5 deletions(-)
>
> diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
> index 0d4c9ab..c2b21d6 100644
> --- a/Xext/xselinux_hooks.c
> +++ b/Xext/xselinux_hooks.c
> @@ -336,9 +336,17 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused,
> pointer calldata)
>     SELinuxAuditRec auditdata = { .client = rec->client, .dev = rec->dev };
>     security_class_t cls;
>     int rc;
> +    DeviceIntPtr dev = NULL;
> +    int i = 0;
>
>     subj = dixLookupPrivate(&rec->client->devPrivates, subjectKey);
> -    obj = dixLookupPrivate(&rec->dev->devPrivates, objectKey);
> +       /*
> +        * The XIAllMasterDevices or XIAllDevices do not have devPrivates
> +        * entries. Therefore dixLookupPrivate for the object is done later
> +        * for these device IDs.
> +        */
> +       if (rec->dev->id != XIAllDevices && rec->dev->id !=
> XIAllMasterDevices)
> +       obj = dixLookupPrivate(&rec->dev->devPrivates, objectKey);
>
>     /* If this is a new object that needs labeling, do it now */
>     if (rec->access_mode & DixCreateAccess) {
> @@ -356,12 +364,38 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused,
> pointer calldata)
>        }
>     }
>
> -    cls = IsPointerDevice(rec->dev) ? SECCLASS_X_POINTER :
> SECCLASS_X_KEYBOARD;
> -    rc = SELinuxDoCheck(subj, obj, cls, rec->access_mode, &auditdata);
> -    if (rc != Success)
> -       rec->status = rc;
> +       if (rec->dev->id != XIAllDevices && rec->dev->id !=
> XIAllMasterDevices) {
> +               cls = IsPointerDevice(rec->dev) ? SECCLASS_X_POINTER :
> SECCLASS_X_KEYBOARD;
> +               rc = SELinuxDoCheck(subj, obj, cls, rec->access_mode,
> &auditdata);
> +               if (rc != Success)
> +                       rec->status = rc;
> +               return;
> +       } else {
> +               /*
> +                * Device ID must be 0 or 1
> +                * We have to check both possible classes as we don't know
> whether it
> +                * was a pointer or keyboard. Therefore all devices are
> checked for:
> +                *              rec->dev->id == XIAllDevices
> +                * and only masters for:
> +                *               rec->dev->id == XIAllMasterDevices
> +                *
> +                * An error is returned should any device fail
> SELinuxDoCheck
> +                */
> +               for (dev = inputInfo.devices; dev; dev = dev->next, i++) {
> +                       if (!IsMaster(dev) && rec->dev->id ==
> XIAllMasterDevices)
> +                               continue;
> +                       cls = IsPointerDevice(dev) ? SECCLASS_X_POINTER :
> SECCLASS_X_KEYBOARD;
> +                       obj = dixLookupPrivate(&dev->devPrivates,
> objectKey);
> +                   rc = SELinuxDoCheck(subj, obj, cls, rec->access_mode,
> &auditdata);
> +                   if (rc != Success) {
> +                               rec->status = rc;
> +                               return;
> +                       }
> +               }
> +       }
>  }
>
> +
>  static void
>  SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
>  {
> --
> 1.7.10.2
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.x.org/archives/xorg-devel/attachments/20120613/faca117f/attachment.html>

More information about the xorg-devel mailing list