diff options
Diffstat (limited to 'xorg-server/Xext')
-rw-r--r-- | xorg-server/Xext/xselinux.h | 8 | ||||
-rw-r--r-- | xorg-server/Xext/xselinux_ext.c | 41 | ||||
-rw-r--r-- | xorg-server/Xext/xselinux_hooks.c | 73 | ||||
-rw-r--r-- | xorg-server/Xext/xselinux_label.c | 23 |
4 files changed, 47 insertions, 98 deletions
diff --git a/xorg-server/Xext/xselinux.h b/xorg-server/Xext/xselinux.h index dcd250e76..57239821e 100644 --- a/xorg-server/Xext/xselinux.h +++ b/xorg-server/Xext/xselinux.h @@ -23,7 +23,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. /* Extension info */ #define SELINUX_EXTENSION_NAME "SELinux" #define SELINUX_MAJOR_VERSION 1 -#define SELINUX_MINOR_VERSION 0 +#define SELINUX_MINOR_VERSION 1 #define SELinuxNumberEvents 0 #define SELinuxNumberErrors 0 @@ -33,9 +33,9 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #define X_SELinuxGetDeviceCreateContext 2 #define X_SELinuxSetDeviceContext 3 #define X_SELinuxGetDeviceContext 4 -#define X_SELinuxSetWindowCreateContext 5 -#define X_SELinuxGetWindowCreateContext 6 -#define X_SELinuxGetWindowContext 7 +#define X_SELinuxSetDrawableCreateContext 5 +#define X_SELinuxGetDrawableCreateContext 6 +#define X_SELinuxGetDrawableContext 7 #define X_SELinuxSetPropertyCreateContext 8 #define X_SELinuxGetPropertyCreateContext 9 #define X_SELinuxSetPropertyUseContext 10 diff --git a/xorg-server/Xext/xselinux_ext.c b/xorg-server/Xext/xselinux_ext.c index b36fb13eb..aa5573455 100644 --- a/xorg-server/Xext/xselinux_ext.c +++ b/xorg-server/Xext/xselinux_ext.c @@ -132,7 +132,6 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset) ptr = dixLookupPrivate(privPtr, subjectKey); pSid = (security_id_t *)(ptr + offset); - sidput(*pSid); *pSid = NULL; rc = Success; @@ -193,11 +192,9 @@ ProcSELinuxSetDeviceContext(ClientPtr client) } subj = dixLookupPrivate(&dev->devPrivates, subjectKey); - sidput(subj->sid); subj->sid = sid; obj = dixLookupPrivate(&dev->devPrivates, objectKey); - sidput(obj->sid); - sidget(obj->sid = sid); + obj->sid = sid; rc = Success; out: @@ -224,20 +221,28 @@ ProcSELinuxGetDeviceContext(ClientPtr client) } static int -ProcSELinuxGetWindowContext(ClientPtr client) +ProcSELinuxGetDrawableContext(ClientPtr client) { - WindowPtr pWin; + DrawablePtr pDraw; + PrivateRec **privatePtr; SELinuxObjectRec *obj; int rc; REQUEST(SELinuxGetContextReq); REQUEST_SIZE_MATCH(SELinuxGetContextReq); - rc = dixLookupWindow(&pWin, stuff->id, client, DixGetAttrAccess); + rc = dixLookupDrawable(&pDraw, stuff->id, client, + M_WINDOW | M_DRAWABLE_PIXMAP, + DixGetAttrAccess); if (rc != Success) return rc; - obj = dixLookupPrivate(&pWin->devPrivates, objectKey); + if (pDraw->type == M_DRAWABLE_PIXMAP) + privatePtr = &((PixmapPtr)pDraw)->devPrivates; + else + privatePtr = &((WindowPtr)pDraw)->devPrivates; + + obj = dixLookupPrivate(privatePtr, objectKey); return SELinuxSendContextReply(client, obj->sid); } @@ -481,12 +486,12 @@ ProcSELinuxDispatch(ClientPtr client) return ProcSELinuxSetDeviceContext(client); case X_SELinuxGetDeviceContext: return ProcSELinuxGetDeviceContext(client); - case X_SELinuxSetWindowCreateContext: + case X_SELinuxSetDrawableCreateContext: return ProcSELinuxSetCreateContext(client, CTX_WIN); - case X_SELinuxGetWindowCreateContext: + case X_SELinuxGetDrawableCreateContext: return ProcSELinuxGetCreateContext(client, CTX_WIN); - case X_SELinuxGetWindowContext: - return ProcSELinuxGetWindowContext(client); + case X_SELinuxGetDrawableContext: + return ProcSELinuxGetDrawableContext(client); case X_SELinuxSetPropertyCreateContext: return ProcSELinuxSetCreateContext(client, CTX_PRP); case X_SELinuxGetPropertyCreateContext: @@ -569,14 +574,14 @@ SProcSELinuxGetDeviceContext(ClientPtr client) } static int -SProcSELinuxGetWindowContext(ClientPtr client) +SProcSELinuxGetDrawableContext(ClientPtr client) { REQUEST(SELinuxGetContextReq); int n; REQUEST_SIZE_MATCH(SELinuxGetContextReq); swapl(&stuff->id, n); - return ProcSELinuxGetWindowContext(client); + return ProcSELinuxGetDrawableContext(client); } static int @@ -643,12 +648,12 @@ SProcSELinuxDispatch(ClientPtr client) return SProcSELinuxSetDeviceContext(client); case X_SELinuxGetDeviceContext: return SProcSELinuxGetDeviceContext(client); - case X_SELinuxSetWindowCreateContext: + case X_SELinuxSetDrawableCreateContext: return SProcSELinuxSetCreateContext(client, CTX_WIN); - case X_SELinuxGetWindowCreateContext: + case X_SELinuxGetDrawableCreateContext: return ProcSELinuxGetCreateContext(client, CTX_WIN); - case X_SELinuxGetWindowContext: - return SProcSELinuxGetWindowContext(client); + case X_SELinuxGetDrawableContext: + return SProcSELinuxGetDrawableContext(client); case X_SELinuxSetPropertyCreateContext: return SProcSELinuxSetCreateContext(client, CTX_PRP); case X_SELinuxGetPropertyCreateContext: diff --git a/xorg-server/Xext/xselinux_hooks.c b/xorg-server/Xext/xselinux_hooks.c index 43683ff24..6c8c8cdbe 100644 --- a/xorg-server/Xext/xselinux_hooks.c +++ b/xorg-server/Xext/xselinux_hooks.c @@ -69,9 +69,6 @@ DevPrivateKey dataKey = &dataKeyIndex; /* audit file descriptor */ static int audit_fd; -/* whether AVC is active */ -static int avc_active; - /* atoms for window label properties */ static Atom atom_ctx; static Atom atom_client_ctx; @@ -125,9 +122,7 @@ SELinuxLabelClient(ClientPtr client) security_context_t ctx; subj = dixLookupPrivate(&client->devPrivates, subjectKey); - sidput(subj->sid); obj = dixLookupPrivate(&client->devPrivates, objectKey); - sidput(obj->sid); /* Try to get a context from the socket */ if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) { @@ -170,7 +165,7 @@ finish: FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n", client->index, ctx); - sidget(obj->sid = subj->sid); + obj->sid = subj->sid; freecon(ctx); } @@ -191,7 +186,6 @@ SELinuxLabelInitial(void) subj = dixLookupPrivate(&serverClient->devPrivates, subjectKey); obj = dixLookupPrivate(&serverClient->devPrivates, objectKey); subj->privileged = 1; - sidput(subj->sid); /* Use the context of the X server process for the serverClient */ if (getcon_raw(&ctx) < 0) @@ -201,7 +195,7 @@ SELinuxLabelInitial(void) if (avc_context_to_sid_raw(ctx, &subj->sid) < 0) FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx); - sidget(obj->sid = subj->sid); + obj->sid = subj->sid; freecon(ctx); srec.client = serverClient; @@ -230,8 +224,8 @@ SELinuxLabelResource(XaceResourceAccessRec *rec, SELinuxSubjectRec *subj, security_id_t tsid; /* Check for a create context */ - if (rec->rtype == RT_WINDOW && subj->win_create_sid) { - sidget(obj->sid = subj->win_create_sid); + if (rec->rtype & RC_DRAWABLE && subj->win_create_sid) { + obj->sid = subj->win_create_sid; return Success; } @@ -359,17 +353,14 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata) SELinuxSubjectRec *dsubj; dsubj = dixLookupPrivate(&rec->dev->devPrivates, subjectKey); - sidput(dsubj->sid); - sidput(obj->sid); - if (subj->dev_create_sid) { /* Label the device with the create context */ - sidget(obj->sid = subj->dev_create_sid); - sidget(dsubj->sid = subj->dev_create_sid); + obj->sid = subj->dev_create_sid; + dsubj->sid = subj->dev_create_sid; } else { /* Label the device directly with the process SID */ - sidget(obj->sid = subj->sid); - sidget(dsubj->sid = subj->sid); + obj->sid = subj->sid; + dsubj->sid = subj->sid; } } @@ -483,8 +474,6 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata) return; } - sidput(obj->sid); - /* Perform a transition to obtain the final SID */ if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION, &obj->sid) < 0) { @@ -520,7 +509,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata) /* If this is a new object that needs labeling, do it now */ if (access_mode & DixCreateAccess) { - sidput(obj->sid); rc = SELinuxSelectionToSID(name, subj, &obj->sid, &obj->poly); if (rc != Success) obj->sid = unlabeled_sid; @@ -538,7 +526,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata) break; obj = dixLookupPrivate(&pSel->devPrivates, objectKey); } - sidput(tsid); if (pSel) *rec->ppSel = pSel; @@ -557,11 +544,10 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata) /* Label the content (advisory only) */ if (access_mode & DixSetAttrAccess) { data = dixLookupPrivate(&pSel->devPrivates, dataKey); - sidput(data->sid); if (subj->sel_create_sid) - sidget(data->sid = subj->sel_create_sid); + data->sid = subj->sel_create_sid; else - sidget(data->sid = obj->sid); + data->sid = obj->sid; } } @@ -586,7 +572,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata) /* If this is a new object that needs labeling, do it now */ if (rec->access_mode & DixCreateAccess) { - sidput(obj->sid); rc = SELinuxPropertyToSID(name, subj, &obj->sid, &obj->poly); if (rc != Success) { rec->status = rc; @@ -605,7 +590,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata) break; obj = dixLookupPrivate(&pProp->devPrivates, objectKey); } - sidput(tsid); if (pProp) *rec->ppProp = pProp; @@ -624,11 +608,10 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata) /* Label the content (advisory only) */ if (rec->access_mode & DixWriteAccess) { data = dixLookupPrivate(&pProp->devPrivates, dataKey); - sidput(data->sid); if (subj->prp_create_sid) - sidget(data->sid = subj->prp_create_sid); + data->sid = subj->prp_create_sid; else - sidget(data->sid = obj->sid); + data->sid = obj->sid; } } @@ -705,8 +688,6 @@ SELinuxScreen(CallbackListPtr *pcbl, pointer is_saver, pointer calldata) /* If this is a new object that needs labeling, do it now */ if (access_mode & DixCreateAccess) { - sidput(obj->sid); - /* Perform a transition to obtain the final SID */ if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_SCREEN, &obj->sid) < 0) { @@ -838,7 +819,6 @@ SELinuxSubjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata) PrivateCallbackRec *rec = calldata; SELinuxSubjectRec *subj = *rec->value; - sidget(unlabeled_sid); subj->sid = unlabeled_sid; avc_entry_ref_init(&subj->aeref); @@ -851,14 +831,6 @@ SELinuxSubjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata) SELinuxSubjectRec *subj = *rec->value; xfree(subj->command); - - if (avc_active) { - sidput(subj->sid); - sidput(subj->dev_create_sid); - sidput(subj->win_create_sid); - sidput(subj->sel_create_sid); - sidput(subj->prp_create_sid); - } } static void @@ -867,21 +839,9 @@ SELinuxObjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata) PrivateCallbackRec *rec = calldata; SELinuxObjectRec *obj = *rec->value; - sidget(unlabeled_sid); obj->sid = unlabeled_sid; } -static void -SELinuxObjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata) -{ - PrivateCallbackRec *rec = calldata; - SELinuxObjectRec *obj = *rec->value; - - if (avc_active) - sidput(obj->sid); -} - -#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD static int netlink_fd; static void @@ -895,7 +855,6 @@ SELinuxWakeupHandler(void *data, int err, void *read_mask) if (FD_ISSET(netlink_fd, (fd_set *)read_mask)) avc_netlink_check_nb(); } -#endif void SELinuxFlaskReset(void) @@ -919,15 +878,12 @@ SELinuxFlaskReset(void) /* Tear down SELinux stuff */ audit_close(audit_fd); -#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD avc_netlink_release_fd(); RemoveBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler, NULL); RemoveGeneralSocket(netlink_fd); -#endif avc_destroy(); - avc_active = 0; } void @@ -965,7 +921,6 @@ SELinuxFlaskInit(void) if (avc_open(&avc_option, 1) < 0) FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n"); - avc_active = 1; if (security_get_initial_context_raw("unlabeled", &ctx) < 0) FatalError("SELinux: Failed to look up unlabeled context\n"); @@ -992,20 +947,16 @@ SELinuxFlaskInit(void) if (atom_client_ctx == BAD_RESOURCE) FatalError("SELinux: Failed to create atom\n"); -#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD netlink_fd = avc_netlink_acquire_fd(); AddGeneralSocket(netlink_fd); RegisterBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler, NULL); -#endif /* Register callbacks */ ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL); ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL); ret &= dixRegisterPrivateInitFunc(objectKey, SELinuxObjectInit, NULL); - ret &= dixRegisterPrivateDeleteFunc(objectKey, SELinuxObjectFree, NULL); ret &= dixRegisterPrivateInitFunc(dataKey, SELinuxObjectInit, NULL); - ret &= dixRegisterPrivateDeleteFunc(dataKey, SELinuxObjectFree, NULL); ret &= AddCallback(&ClientStateCallback, SELinuxClientState, NULL); ret &= AddCallback(&ResourceStateCallback, SELinuxResourceState, NULL); diff --git a/xorg-server/Xext/xselinux_label.c b/xorg-server/Xext/xselinux_label.c index 239536cf3..9b5023a53 100644 --- a/xorg-server/Xext/xselinux_label.c +++ b/xorg-server/Xext/xselinux_label.c @@ -177,20 +177,17 @@ SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec *subj, /* Check for an override context next */ if (subj->sel_use_sid) { - sidget(tsid = subj->sel_use_sid); + tsid = subj->sel_use_sid; goto out; } - sidget(tsid = obj->sid); + tsid = obj->sid; /* Polyinstantiate if necessary to obtain the final SID */ - if (obj->poly) { - sidput(tsid); - if (avc_compute_member(subj->sid, obj->sid, - SECCLASS_X_SELECTION, &tsid) < 0) { - ErrorF("SELinux: a compute_member call failed!\n"); - return BadValue; - } + if (obj->poly && avc_compute_member(subj->sid, obj->sid, + SECCLASS_X_SELECTION, &tsid) < 0) { + ErrorF("SELinux: a compute_member call failed!\n"); + return BadValue; } out: *sid_rtn = tsid; @@ -217,7 +214,7 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj, /* Check for an override context next */ if (subj->prp_use_sid) { - sidget(tsid = subj->prp_use_sid); + tsid = subj->prp_use_sid; goto out; } @@ -234,10 +231,8 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj, if (avc_compute_member(subj->sid, tsid2, SECCLASS_X_PROPERTY, &tsid) < 0) { ErrorF("SELinux: a compute_member call failed!\n"); - sidput(tsid2); return BadValue; } - sidput(tsid2); } out: *sid_rtn = tsid; @@ -273,10 +268,8 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window, } freecon(ctx); /* Cache the SID value */ - if (!SELinuxArraySet(&arr_events, type, sid)) { - sidput(sid); + if (!SELinuxArraySet(&arr_events, type, sid)) return BadAlloc; - } } /* Perform a transition to obtain the final SID */ |