diff options
| author | marha <marha@users.sourceforge.net> | 2012-03-26 14:23:28 +0200 |
|---|---|---|
| committer | marha <marha@users.sourceforge.net> | 2012-03-26 14:23:28 +0200 |
| commit | 76bcc36ed305418a3ddc5752d287ede894243e1b (patch) | |
| tree | bacb320c825768471ce56f058f17ce863d592376 /xorg-server/Xext/xselinux_label.c | |
| parent | 7d894e32566b710952c44cbc71939ad1d9e2fa8d (diff) | |
| parent | 0f834b91a4768673833ab4917e87d86c237bb1a6 (diff) | |
| download | vcxsrv-76bcc36ed305418a3ddc5752d287ede894243e1b.tar.gz vcxsrv-76bcc36ed305418a3ddc5752d287ede894243e1b.tar.bz2 vcxsrv-76bcc36ed305418a3ddc5752d287ede894243e1b.zip | |
Merge remote-tracking branch 'origin/released'
Conflicts:
pixman/pixman/pixman-mmx.c
xorg-server/Xext/shm.c
xorg-server/Xext/syncsrv.h
xorg-server/Xext/xvmain.c
xorg-server/Xi/exevents.c
xorg-server/Xi/opendev.c
xorg-server/composite/compalloc.c
xorg-server/composite/compoverlay.c
xorg-server/dix/colormap.c
xorg-server/dix/devices.c
xorg-server/dix/dispatch.c
xorg-server/dix/dixfonts.c
xorg-server/dix/eventconvert.c
xorg-server/dix/events.c
xorg-server/dix/gc.c
xorg-server/dix/getevents.c
xorg-server/dix/main.c
xorg-server/dix/privates.c
xorg-server/dix/registry.c
xorg-server/dix/resource.c
xorg-server/exa/exa_accel.c
xorg-server/exa/exa_migration_classic.c
xorg-server/exa/exa_unaccel.c
xorg-server/fb/fb.h
xorg-server/fb/fbcopy.c
xorg-server/fb/fbpixmap.c
xorg-server/glx/dispatch.h
xorg-server/glx/glapi.h
xorg-server/glx/glapi_gentable.c
xorg-server/glx/glapitable.h
xorg-server/glx/glprocs.h
xorg-server/glx/glxcmds.c
xorg-server/glx/glxcmdsswap.c
xorg-server/glx/glxdricommon.c
xorg-server/glx/glxdriswrast.c
xorg-server/glx/glxext.c
xorg-server/glx/indirect_dispatch.c
xorg-server/glx/indirect_dispatch.h
xorg-server/glx/indirect_dispatch_swap.c
xorg-server/glx/indirect_size.h
xorg-server/glx/indirect_size_get.h
xorg-server/glx/indirect_table.c
xorg-server/glx/indirect_util.c
xorg-server/glx/rensize.c
xorg-server/glx/single2swap.c
xorg-server/glx/singlepix.c
xorg-server/glx/singlepixswap.c
xorg-server/glx/singlesize.c
xorg-server/hw/dmx/dmxinit.c
xorg-server/hw/kdrive/ephyr/ephyr.c
xorg-server/hw/kdrive/ephyr/hostx.c
xorg-server/hw/kdrive/ephyr/hostx.h
xorg-server/hw/kdrive/src/kinput.c
xorg-server/hw/xfree86/common/compiler.h
xorg-server/hw/xwin/InitInput.c
xorg-server/hw/xwin/InitOutput.c
xorg-server/hw/xwin/ddraw.h
xorg-server/hw/xwin/glx/glwrap.c
xorg-server/hw/xwin/glx/indirect.c
xorg-server/hw/xwin/glx/wgl_ext_api.h
xorg-server/hw/xwin/glx/winpriv.c
xorg-server/hw/xwin/win.h
xorg-server/hw/xwin/winallpriv.c
xorg-server/hw/xwin/winauth.c
xorg-server/hw/xwin/winclipboard.h
xorg-server/hw/xwin/winclipboardinit.c
xorg-server/hw/xwin/winclipboardthread.c
xorg-server/hw/xwin/winclipboardunicode.c
xorg-server/hw/xwin/winclipboardwndproc.c
xorg-server/hw/xwin/winclipboardwrappers.c
xorg-server/hw/xwin/winclipboardxevents.c
xorg-server/hw/xwin/wincmap.c
xorg-server/hw/xwin/winconfig.c
xorg-server/hw/xwin/wincreatewnd.c
xorg-server/hw/xwin/wincursor.c
xorg-server/hw/xwin/windialogs.c
xorg-server/hw/xwin/winengine.c
xorg-server/hw/xwin/winerror.c
xorg-server/hw/xwin/wingc.c
xorg-server/hw/xwin/wingetsp.c
xorg-server/hw/xwin/winkeybd.c
xorg-server/hw/xwin/winkeybd.h
xorg-server/hw/xwin/winlayouts.h
xorg-server/hw/xwin/winmisc.c
xorg-server/hw/xwin/winmonitors.c
xorg-server/hw/xwin/winmouse.c
xorg-server/hw/xwin/winmsg.c
xorg-server/hw/xwin/winmsg.h
xorg-server/hw/xwin/winmultiwindowclass.c
xorg-server/hw/xwin/winmultiwindowicons.c
xorg-server/hw/xwin/winmultiwindowshape.c
xorg-server/hw/xwin/winmultiwindowwindow.c
xorg-server/hw/xwin/winmultiwindowwm.c
xorg-server/hw/xwin/winmultiwindowwndproc.c
xorg-server/hw/xwin/winnativegdi.c
xorg-server/hw/xwin/winpfbdd.c
xorg-server/hw/xwin/winpixmap.c
xorg-server/hw/xwin/winpolyline.c
xorg-server/hw/xwin/winprefs.c
xorg-server/hw/xwin/winprocarg.c
xorg-server/hw/xwin/winregistry.c
xorg-server/hw/xwin/winscrinit.c
xorg-server/hw/xwin/winsetsp.c
xorg-server/hw/xwin/winshaddd.c
xorg-server/hw/xwin/winshadddnl.c
xorg-server/hw/xwin/winshadgdi.c
xorg-server/hw/xwin/wintrayicon.c
xorg-server/hw/xwin/winwin32rootless.c
xorg-server/hw/xwin/winwin32rootlesswindow.c
xorg-server/hw/xwin/winwin32rootlesswndproc.c
xorg-server/hw/xwin/winwindow.c
xorg-server/hw/xwin/winwindow.h
xorg-server/hw/xwin/winwindowswm.c
xorg-server/hw/xwin/winwndproc.c
xorg-server/include/callback.h
xorg-server/include/dixstruct.h
xorg-server/include/misc.h
xorg-server/include/os.h
xorg-server/include/scrnintstr.h
xorg-server/mi/micmap.c
xorg-server/mi/miinitext.c
xorg-server/mi/mioverlay.c
xorg-server/mi/misprite.c
xorg-server/mi/mivaltree.c
xorg-server/mi/miwindow.c
xorg-server/miext/damage/damage.c
xorg-server/miext/rootless/rootlessGC.c
xorg-server/miext/rootless/rootlessWindow.c
xorg-server/os/WaitFor.c
xorg-server/os/access.c
xorg-server/os/connection.c
xorg-server/os/io.c
xorg-server/os/log.c
xorg-server/os/osinit.c
xorg-server/os/utils.c
xorg-server/os/xdmcp.c
xorg-server/os/xprintf.c
xorg-server/os/xstrans.c
xorg-server/render/mipict.c
xorg-server/xkb/xkbActions.c
xorg-server/xkb/xkbInit.c
xorg-server/xkeyboard-config/compat/default.in
Diffstat (limited to 'xorg-server/Xext/xselinux_label.c')
| -rw-r--r-- | xorg-server/Xext/xselinux_label.c | 755 |
1 files changed, 381 insertions, 374 deletions
diff --git a/xorg-server/Xext/xselinux_label.c b/xorg-server/Xext/xselinux_label.c index 76e537abe..2c33d1cbf 100644 --- a/xorg-server/Xext/xselinux_label.c +++ b/xorg-server/Xext/xselinux_label.c @@ -1,374 +1,381 @@ -/************************************************************
-
-Author: Eamon Walsh <ewalsh@tycho.nsa.gov>
-
-Permission to use, copy, modify, distribute, and sell this software and its
-documentation for any purpose is hereby granted without fee, provided that
-this permission notice appear in supporting documentation. This permission
-notice shall be included in all copies or substantial portions of the
-Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
-AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-********************************************************/
-
-#ifdef HAVE_DIX_CONFIG_H
-#include <dix-config.h>
-#endif
-
-#include <selinux/label.h>
-
-#include "registry.h"
-#include "xselinuxint.h"
-
-/* selection and property atom cache */
-typedef struct {
- SELinuxObjectRec prp;
- SELinuxObjectRec sel;
-} SELinuxAtomRec;
-
-/* dynamic array */
-typedef struct {
- unsigned size;
- void **array;
-} SELinuxArrayRec;
-
-/* labeling handle */
-static struct selabel_handle *label_hnd;
-
-/* Array of object classes indexed by resource type */
-SELinuxArrayRec arr_types;
-/* Array of event SIDs indexed by event type */
-SELinuxArrayRec arr_events;
-/* Array of property and selection SID structures */
-SELinuxArrayRec arr_atoms;
-
-/*
- * Dynamic array helpers
- */
-static void *
-SELinuxArrayGet(SELinuxArrayRec *rec, unsigned key)
-{
- return (rec->size > key) ? rec->array[key] : 0;
-}
-
-static int
-SELinuxArraySet(SELinuxArrayRec *rec, unsigned key, void *val)
-{
- if (key >= rec->size) {
- /* Need to increase size of array */
- rec->array = realloc(rec->array, (key + 1) * sizeof(val));
- if (!rec->array)
- return FALSE;
- memset(rec->array + rec->size, 0, (key - rec->size + 1) * sizeof(val));
- rec->size = key + 1;
- }
-
- rec->array[key] = val;
- return TRUE;
-}
-
-static void
-SELinuxArrayFree(SELinuxArrayRec *rec, int free_elements)
-{
- if (free_elements) {
- unsigned i = rec->size;
- while (i)
- free(rec->array[--i]);
- }
-
- free(rec->array);
- rec->size = 0;
- rec->array = NULL;
-}
-
-/*
- * Looks up a name in the selection or property mappings
- */
-static int
-SELinuxAtomToSIDLookup(Atom atom, SELinuxObjectRec *obj, int map, int polymap)
-{
- const char *name = NameForAtom(atom);
- security_context_t ctx;
- int rc = Success;
-
- obj->poly = 1;
-
- /* Look in the mappings of names to contexts */
- if (selabel_lookup_raw(label_hnd, &ctx, name, map) == 0) {
- obj->poly = 0;
- } else if (errno != ENOENT) {
- ErrorF("SELinux: a property label lookup failed!\n");
- return BadValue;
- } else if (selabel_lookup_raw(label_hnd, &ctx, name, polymap) < 0) {
- ErrorF("SELinux: a property label lookup failed!\n");
- return BadValue;
- }
-
- /* Get a SID for context */
- if (avc_context_to_sid_raw(ctx, &obj->sid) < 0) {
- ErrorF("SELinux: a context_to_SID_raw call failed!\n");
- rc = BadAlloc;
- }
-
- freecon(ctx);
- return rc;
-}
-
-/*
- * Looks up the SID corresponding to the given property or selection atom
- */
-int
-SELinuxAtomToSID(Atom atom, int prop, SELinuxObjectRec **obj_rtn)
-{
- SELinuxAtomRec *rec;
- SELinuxObjectRec *obj;
- int rc, map, polymap;
-
- rec = SELinuxArrayGet(&arr_atoms, atom);
- if (!rec) {
- rec = calloc(1, sizeof(SELinuxAtomRec));
- if (!rec || !SELinuxArraySet(&arr_atoms, atom, rec))
- return BadAlloc;
- }
-
- if (prop) {
- obj = &rec->prp;
- map = SELABEL_X_PROP;
- polymap = SELABEL_X_POLYPROP;
- } else {
- obj = &rec->sel;
- map = SELABEL_X_SELN;
- polymap = SELABEL_X_POLYSELN;
- }
-
- if (!obj->sid) {
- rc = SELinuxAtomToSIDLookup(atom, obj, map, polymap);
- if (rc != Success)
- goto out;
- }
-
- *obj_rtn = obj;
- rc = Success;
-out:
- return rc;
-}
-
-/*
- * Looks up a SID for a selection/subject pair
- */
-int
-SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec *subj,
- security_id_t *sid_rtn, int *poly_rtn)
-{
- int rc;
- SELinuxObjectRec *obj;
- security_id_t tsid;
-
- /* Get the default context and polyinstantiation bit */
- rc = SELinuxAtomToSID(selection, 0, &obj);
- if (rc != Success)
- return rc;
-
- /* Check for an override context next */
- if (subj->sel_use_sid) {
- tsid = subj->sel_use_sid;
- goto out;
- }
-
- tsid = obj->sid;
-
- /* Polyinstantiate if necessary to obtain the final SID */
- if (obj->poly && avc_compute_member(subj->sid, obj->sid,
- SECCLASS_X_SELECTION, &tsid) < 0) {
- ErrorF("SELinux: a compute_member call failed!\n");
- return BadValue;
- }
-out:
- *sid_rtn = tsid;
- if (poly_rtn)
- *poly_rtn = obj->poly;
- return Success;
-}
-
-/*
- * Looks up a SID for a property/subject pair
- */
-int
-SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
- security_id_t *sid_rtn, int *poly_rtn)
-{
- int rc;
- SELinuxObjectRec *obj;
- security_id_t tsid, tsid2;
-
- /* Get the default context and polyinstantiation bit */
- rc = SELinuxAtomToSID(property, 1, &obj);
- if (rc != Success)
- return rc;
-
- /* Check for an override context next */
- if (subj->prp_use_sid) {
- tsid = subj->prp_use_sid;
- goto out;
- }
-
- /* Perform a transition */
- if (avc_compute_create(subj->sid, obj->sid,
- SECCLASS_X_PROPERTY, &tsid) < 0) {
- ErrorF("SELinux: a compute_create call failed!\n");
- return BadValue;
- }
-
- /* Polyinstantiate if necessary to obtain the final SID */
- if (obj->poly) {
- tsid2 = tsid;
- if (avc_compute_member(subj->sid, tsid2,
- SECCLASS_X_PROPERTY, &tsid) < 0) {
- ErrorF("SELinux: a compute_member call failed!\n");
- return BadValue;
- }
- }
-out:
- *sid_rtn = tsid;
- if (poly_rtn)
- *poly_rtn = obj->poly;
- return Success;
-}
-
-/*
- * Looks up the SID corresponding to the given event type
- */
-int
-SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
- SELinuxObjectRec *sid_return)
-{
- const char *name = LookupEventName(type);
- security_id_t sid;
- security_context_t ctx;
- type &= 127;
-
- sid = SELinuxArrayGet(&arr_events, type);
- if (!sid) {
- /* Look in the mappings of event names to contexts */
- if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EVENT) < 0) {
- ErrorF("SELinux: an event label lookup failed!\n");
- return BadValue;
- }
- /* Get a SID for context */
- if (avc_context_to_sid_raw(ctx, &sid) < 0) {
- ErrorF("SELinux: a context_to_SID_raw call failed!\n");
- freecon(ctx);
- return BadAlloc;
- }
- freecon(ctx);
- /* Cache the SID value */
- if (!SELinuxArraySet(&arr_events, type, sid))
- return BadAlloc;
- }
-
- /* Perform a transition to obtain the final SID */
- if (avc_compute_create(sid_of_window, sid, SECCLASS_X_EVENT,
- &sid_return->sid) < 0) {
- ErrorF("SELinux: a compute_create call failed!\n");
- return BadValue;
- }
-
- return Success;
-}
-
-int
-SELinuxExtensionToSID(const char *name, security_id_t *sid_rtn)
-{
- security_context_t ctx;
-
- /* Look in the mappings of extension names to contexts */
- if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EXT) < 0) {
- ErrorF("SELinux: a property label lookup failed!\n");
- return BadValue;
- }
- /* Get a SID for context */
- if (avc_context_to_sid_raw(ctx, sid_rtn) < 0) {
- ErrorF("SELinux: a context_to_SID_raw call failed!\n");
- freecon(ctx);
- return BadAlloc;
- }
- freecon(ctx);
- return Success;
-}
-
-/*
- * Returns the object class corresponding to the given resource type.
- */
-security_class_t
-SELinuxTypeToClass(RESTYPE type)
-{
- void *tmp;
-
- tmp = SELinuxArrayGet(&arr_types, type & TypeMask);
- if (!tmp) {
- unsigned long class = SECCLASS_X_RESOURCE;
-
- if (type & RC_DRAWABLE)
- class = SECCLASS_X_DRAWABLE;
- else if (type == RT_GC)
- class = SECCLASS_X_GC;
- else if (type == RT_FONT)
- class = SECCLASS_X_FONT;
- else if (type == RT_CURSOR)
- class = SECCLASS_X_CURSOR;
- else if (type == RT_COLORMAP)
- class = SECCLASS_X_COLORMAP;
- else {
- /* Need to do a string lookup */
- const char *str = LookupResourceName(type);
- if (!strcmp(str, "PICTURE"))
- class = SECCLASS_X_DRAWABLE;
- else if (!strcmp(str, "GLYPHSET"))
- class = SECCLASS_X_FONT;
- }
-
- tmp = (void *)class;
- SELinuxArraySet(&arr_types, type & TypeMask, tmp);
- }
-
- return (security_class_t)(unsigned long)tmp;
-}
-
-security_context_t
-SELinuxDefaultClientLabel(void)
-{
- security_context_t ctx;
-
- if (selabel_lookup_raw(label_hnd, &ctx, "remote", SELABEL_X_CLIENT) < 0)
- FatalError("SELinux: failed to look up remote-client context\n");
-
- return ctx;
-}
-
-void
-SELinuxLabelInit(void)
-{
- struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 };
-
- label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
- if (!label_hnd)
- FatalError("SELinux: Failed to open x_contexts mapping in policy\n");
-}
-
-void
-SELinuxLabelReset(void)
-{
- selabel_close(label_hnd);
- label_hnd = NULL;
-
- /* Free local state */
- SELinuxArrayFree(&arr_types, 0);
- SELinuxArrayFree(&arr_events, 0);
- SELinuxArrayFree(&arr_atoms, 1);
-}
+/************************************************************ + +Author: Eamon Walsh <ewalsh@tycho.nsa.gov> + +Permission to use, copy, modify, distribute, and sell this software and its +documentation for any purpose is hereby granted without fee, provided that +this permission notice appear in supporting documentation. This permission +notice shall be included in all copies or substantial portions of the +Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +********************************************************/ + +#ifdef HAVE_DIX_CONFIG_H +#include <dix-config.h> +#endif + +#include <selinux/label.h> + +#include "registry.h" +#include "xselinuxint.h" + +/* selection and property atom cache */ +typedef struct { + SELinuxObjectRec prp; + SELinuxObjectRec sel; +} SELinuxAtomRec; + +/* dynamic array */ +typedef struct { + unsigned size; + void **array; +} SELinuxArrayRec; + +/* labeling handle */ +static struct selabel_handle *label_hnd; + +/* Array of object classes indexed by resource type */ +SELinuxArrayRec arr_types; + +/* Array of event SIDs indexed by event type */ +SELinuxArrayRec arr_events; + +/* Array of property and selection SID structures */ +SELinuxArrayRec arr_atoms; + +/* + * Dynamic array helpers + */ +static void * +SELinuxArrayGet(SELinuxArrayRec * rec, unsigned key) +{ + return (rec->size > key) ? rec->array[key] : 0; +} + +static int +SELinuxArraySet(SELinuxArrayRec * rec, unsigned key, void *val) +{ + if (key >= rec->size) { + /* Need to increase size of array */ + rec->array = realloc(rec->array, (key + 1) * sizeof(val)); + if (!rec->array) + return FALSE; + memset(rec->array + rec->size, 0, (key - rec->size + 1) * sizeof(val)); + rec->size = key + 1; + } + + rec->array[key] = val; + return TRUE; +} + +static void +SELinuxArrayFree(SELinuxArrayRec * rec, int free_elements) +{ + if (free_elements) { + unsigned i = rec->size; + + while (i) + free(rec->array[--i]); + } + + free(rec->array); + rec->size = 0; + rec->array = NULL; +} + +/* + * Looks up a name in the selection or property mappings + */ +static int +SELinuxAtomToSIDLookup(Atom atom, SELinuxObjectRec * obj, int map, int polymap) +{ + const char *name = NameForAtom(atom); + security_context_t ctx; + int rc = Success; + + obj->poly = 1; + + /* Look in the mappings of names to contexts */ + if (selabel_lookup_raw(label_hnd, &ctx, name, map) == 0) { + obj->poly = 0; + } + else if (errno != ENOENT) { + ErrorF("SELinux: a property label lookup failed!\n"); + return BadValue; + } + else if (selabel_lookup_raw(label_hnd, &ctx, name, polymap) < 0) { + ErrorF("SELinux: a property label lookup failed!\n"); + return BadValue; + } + + /* Get a SID for context */ + if (avc_context_to_sid_raw(ctx, &obj->sid) < 0) { + ErrorF("SELinux: a context_to_SID_raw call failed!\n"); + rc = BadAlloc; + } + + freecon(ctx); + return rc; +} + +/* + * Looks up the SID corresponding to the given property or selection atom + */ +int +SELinuxAtomToSID(Atom atom, int prop, SELinuxObjectRec ** obj_rtn) +{ + SELinuxAtomRec *rec; + SELinuxObjectRec *obj; + int rc, map, polymap; + + rec = SELinuxArrayGet(&arr_atoms, atom); + if (!rec) { + rec = calloc(1, sizeof(SELinuxAtomRec)); + if (!rec || !SELinuxArraySet(&arr_atoms, atom, rec)) + return BadAlloc; + } + + if (prop) { + obj = &rec->prp; + map = SELABEL_X_PROP; + polymap = SELABEL_X_POLYPROP; + } + else { + obj = &rec->sel; + map = SELABEL_X_SELN; + polymap = SELABEL_X_POLYSELN; + } + + if (!obj->sid) { + rc = SELinuxAtomToSIDLookup(atom, obj, map, polymap); + if (rc != Success) + goto out; + } + + *obj_rtn = obj; + rc = Success; + out: + return rc; +} + +/* + * Looks up a SID for a selection/subject pair + */ +int +SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec * subj, + security_id_t * sid_rtn, int *poly_rtn) +{ + int rc; + SELinuxObjectRec *obj; + security_id_t tsid; + + /* Get the default context and polyinstantiation bit */ + rc = SELinuxAtomToSID(selection, 0, &obj); + if (rc != Success) + return rc; + + /* Check for an override context next */ + if (subj->sel_use_sid) { + tsid = subj->sel_use_sid; + goto out; + } + + tsid = obj->sid; + + /* Polyinstantiate if necessary to obtain the final SID */ + if (obj->poly && avc_compute_member(subj->sid, obj->sid, + SECCLASS_X_SELECTION, &tsid) < 0) { + ErrorF("SELinux: a compute_member call failed!\n"); + return BadValue; + } + out: + *sid_rtn = tsid; + if (poly_rtn) + *poly_rtn = obj->poly; + return Success; +} + +/* + * Looks up a SID for a property/subject pair + */ +int +SELinuxPropertyToSID(Atom property, SELinuxSubjectRec * subj, + security_id_t * sid_rtn, int *poly_rtn) +{ + int rc; + SELinuxObjectRec *obj; + security_id_t tsid, tsid2; + + /* Get the default context and polyinstantiation bit */ + rc = SELinuxAtomToSID(property, 1, &obj); + if (rc != Success) + return rc; + + /* Check for an override context next */ + if (subj->prp_use_sid) { + tsid = subj->prp_use_sid; + goto out; + } + + /* Perform a transition */ + if (avc_compute_create(subj->sid, obj->sid, SECCLASS_X_PROPERTY, &tsid) < 0) { + ErrorF("SELinux: a compute_create call failed!\n"); + return BadValue; + } + + /* Polyinstantiate if necessary to obtain the final SID */ + if (obj->poly) { + tsid2 = tsid; + if (avc_compute_member(subj->sid, tsid2, + SECCLASS_X_PROPERTY, &tsid) < 0) { + ErrorF("SELinux: a compute_member call failed!\n"); + return BadValue; + } + } + out: + *sid_rtn = tsid; + if (poly_rtn) + *poly_rtn = obj->poly; + return Success; +} + +/* + * Looks up the SID corresponding to the given event type + */ +int +SELinuxEventToSID(unsigned type, security_id_t sid_of_window, + SELinuxObjectRec * sid_return) +{ + const char *name = LookupEventName(type); + security_id_t sid; + security_context_t ctx; + + type &= 127; + + sid = SELinuxArrayGet(&arr_events, type); + if (!sid) { + /* Look in the mappings of event names to contexts */ + if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EVENT) < 0) { + ErrorF("SELinux: an event label lookup failed!\n"); + return BadValue; + } + /* Get a SID for context */ + if (avc_context_to_sid_raw(ctx, &sid) < 0) { + ErrorF("SELinux: a context_to_SID_raw call failed!\n"); + freecon(ctx); + return BadAlloc; + } + freecon(ctx); + /* Cache the SID value */ + if (!SELinuxArraySet(&arr_events, type, sid)) + return BadAlloc; + } + + /* Perform a transition to obtain the final SID */ + if (avc_compute_create(sid_of_window, sid, SECCLASS_X_EVENT, + &sid_return->sid) < 0) { + ErrorF("SELinux: a compute_create call failed!\n"); + return BadValue; + } + + return Success; +} + +int +SELinuxExtensionToSID(const char *name, security_id_t * sid_rtn) +{ + security_context_t ctx; + + /* Look in the mappings of extension names to contexts */ + if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EXT) < 0) { + ErrorF("SELinux: a property label lookup failed!\n"); + return BadValue; + } + /* Get a SID for context */ + if (avc_context_to_sid_raw(ctx, sid_rtn) < 0) { + ErrorF("SELinux: a context_to_SID_raw call failed!\n"); + freecon(ctx); + return BadAlloc; + } + freecon(ctx); + return Success; +} + +/* + * Returns the object class corresponding to the given resource type. + */ +security_class_t +SELinuxTypeToClass(RESTYPE type) +{ + void *tmp; + + tmp = SELinuxArrayGet(&arr_types, type & TypeMask); + if (!tmp) { + unsigned long class = SECCLASS_X_RESOURCE; + + if (type & RC_DRAWABLE) + class = SECCLASS_X_DRAWABLE; + else if (type == RT_GC) + class = SECCLASS_X_GC; + else if (type == RT_FONT) + class = SECCLASS_X_FONT; + else if (type == RT_CURSOR) + class = SECCLASS_X_CURSOR; + else if (type == RT_COLORMAP) + class = SECCLASS_X_COLORMAP; + else { + /* Need to do a string lookup */ + const char *str = LookupResourceName(type); + + if (!strcmp(str, "PICTURE")) + class = SECCLASS_X_DRAWABLE; + else if (!strcmp(str, "GLYPHSET")) + class = SECCLASS_X_FONT; + } + + tmp = (void *) class; + SELinuxArraySet(&arr_types, type & TypeMask, tmp); + } + + return (security_class_t) (unsigned long) tmp; +} + +security_context_t +SELinuxDefaultClientLabel(void) +{ + security_context_t ctx; + + if (selabel_lookup_raw(label_hnd, &ctx, "remote", SELABEL_X_CLIENT) < 0) + FatalError("SELinux: failed to look up remote-client context\n"); + + return ctx; +} + +void +SELinuxLabelInit(void) +{ + struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *) 1 }; + + label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1); + if (!label_hnd) + FatalError("SELinux: Failed to open x_contexts mapping in policy\n"); +} + +void +SELinuxLabelReset(void) +{ + selabel_close(label_hnd); + label_hnd = NULL; + + /* Free local state */ + SELinuxArrayFree(&arr_types, 0); + SELinuxArrayFree(&arr_events, 0); + SELinuxArrayFree(&arr_atoms, 1); +} |