From 0a90e70a01c82de4c134b92d2b220630b36da11e Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Thu, 20 Mar 2025 17:22:25 +0100
Subject: [PATCH] Xnamespace: filter access on other clients

Restrict access to other clients within same namespace.

Signed-off-by: Enrico Weigelt, metux IT consult
---
Xext/namespace/hook-client.c | 34 ++++++++++++++++++++++++++++++++++
Xext/namespace/hooks.h | 1 +
Xext/namespace/meson.build | 1 +
Xext/namespace/namespace.c | 1 +
4 files changed, 37 insertions(+)
create mode 100644 Xext/namespace/hook-client.c

diff --git a/Xext/namespace/hook-client.c b/Xext/namespace/hook-client.c
new file mode 100644
index 000000000..8853783de
--- /dev/null
+++ b/Xext/namespace/hook-client.c
@@ -0,0 +1,34 @@
+#define HOOK_NAME "client"
+
+#include
+
+#include "dix/dix_priv.h"
+#include "dix/extension_priv.h"
+#include "dix/registry_priv.h"
+
+#include "mi/miinitext.h"
+
+#include "include/extinit.h"
+#include "include/extnsionst.h"
+#include "include/propertyst.h"
+#include "include/protocol-versions.h"
+#include "include/windowstr.h"
+#include "Xext/xacestr.h"
+
+#include "namespace.h"
+#include "hooks.h"
+
+void hookClient(CallbackListPtr *pcbl, void *unused, void *calldata)
+{
+ XNS_HOOK_HEAD(XaceClientAccessRec);
+ struct XnamespaceClientPriv *obj = XnsClientPriv(param->target);
+
+ if (subj->ns->superPower || XnsClientSameNS(subj, obj))
+ return;
+
+ XNS_HOOK_LOG("BLOCKED access on client %d\n", param->target->index);
+
+ /* returning BadValue instead of BadAccess, because we're pretending
+ the requested client doens't even exist at all. */
+ param->status = BadValue;
+}
diff --git a/Xext/namespace/hooks.h b/Xext/namespace/hooks.h
index 05e309f85..8848a5087 100644
--- a/Xext/namespace/hooks.h
+++ b/Xext/namespace/hooks.h
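Review bot: The deny path in hookClient calls `XNS_HOOK_LOG("BLOCKED access on client %d\n", param->target->index);` on every rejected request, and a confined client decides how often that happens. Unless XNS_HOOK_LOG (defined outside this patch) is already rate-limited or verbosity-gated, a single client can fill the server log at will; I would log the first denial per subject client and count the rest, or put the message behind a debug verbosity level. The format string also names only the target's index, so adding the target's namespace would make the record more useful for auditing. Separately, the comment above the status assignment has a typo and should read `the requested client doesn't even exist at all. */`.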
@@ -24,6 +24,7 @@ } \ struct XnamespaceClientPriv *subj = XnsClientPriv(client); +void hookClient(CallbackListPtr *pcbl, void *unused, void *calldata); void hookClientState(CallbackListPtr *pcbl, void *unused, void *calldata); void hookDevice(CallbackListPtr *pcbl, void *unused, void *calldata); void hookExtAccess(CallbackListPtr *pcbl, void *unused, void *calldata); diff --git a/Xext/namespace/meson.build b/Xext/namespace/meson.build index ab4ccf2c6..efff71ec4 100644 --- a/Xext/namespace/meson.build +++ b/Xext/namespace/meson.build @@ -2,6 +2,7 @@ libxserver_namespace = static_library( 'libxserver_namespace', [ 'config.c', + 'hook-client.c', 'hook-clientstate.c', 'hook-device.c', 'hook-ext-access.c', diff --git a/Xext/namespace/namespace.c b/Xext/namespace/namespace.c index e1484e5de..eb9cc92b2 100644 --- a/Xext/namespace/namespace.c +++ b/Xext/namespace/namespace.c @@ -34,6 +34,7 @@ NamespaceExtensionInit(void) AddCallback(&PostInitRootWindowCallback, hookInitRootWindow, NULL) && AddCallback(&PropertyFilterCallback, hookWindowProperty, NULL) && AddCallback(&SelectionFilterCallback, hookSelectionFilter, NULL) && + XaceRegisterCallback(XACE_CLIENT_ACCESS, hookClient, NULL) && XaceRegisterCallback(XACE_DEVICE_ACCESS, hookDevice, NULL) && XaceRegisterCallback(XACE_EXT_DISPATCH, hookExtDispatch, NULL) && XaceRegisterCallback(XACE_EXT_ACCESS, hookExtAccess, NULL) &&
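Review bot: The new `XaceRegisterCallback(XACE_CLIENT_ACCESS, hookClient, NULL)` term joins an `&&` chain in NamespaceExtensionInit whose failure branch lies outside the hunk. It is therefore not visible here whether a failed registration stops the server or merely leaves the namespace extension partly hooked. A missing client hook means cross-namespace client access goes unfiltered, so that branch should fail closed (refuse to continue) rather than log and carry on. A short comment above the chain stating this would help, for example `/* every hook is mandatory for isolation: any registration failure must abort startup */`.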