From 21e890e5fc04c0efbbc883d18ad93dc815f229b6 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Wed, 19 Mar 2025 10:50:56 +0100
Subject: [PATCH] Xnamespace: whitelist access to some server resources
Signed-off-by: Enrico Weigelt, metux IT consult
---
 Xext/namespace/hook-resource.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/Xext/namespace/hook-resource.c b/Xext/namespace/hook-resource.c
index d3d3afaf1..837e5fff0 100644
--- a/Xext/namespace/hook-resource.c
+++ b/Xext/namespace/hook-resource.c
@@ -6,6 +6,7 @@
 #include "dix/dix_priv.h"
 #include "dix/extension_priv.h"
+#include "dix/registry_priv.h"
 #include "dix/window_priv.h"
 #include "Xext/xacestr.h"
@@ -103,6 +104,23 @@ void hookResourceAccess(CallbackListPtr *pcbl, void *unused, void *calldata)
 }
 }
+ /* server resources */
+ if (obj->isServer) {
+ if (param->rtype == X11_RESTYPE_COLORMAP) {
+ if (checkAllowed(param->access_mode, DixReadAccess | DixGetPropAccess | DixUseAccess | DixGetAttrAccess | DixAddAccess))
+ goto pass;
+ }
+
+ if (param->rtype == X11_RESTYPE_WINDOW) {
+ /* allowed ones should already been catched above */
+ XNS_HOOK_LOG("REJECT server owned window 0x%0x!\n", ((WindowPtr)param->res)->drawable.id);
+ goto reject;
+ }
+
+ if (checkAllowed(param->access_mode, DixReadAccess))
+ goto pass;
+ }
+
 reject: ;
 char accModeStr[128];
 LookupDixAccessName(param->access_mode, (char*)&accModeStr, sizeof(accModeStr));
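Review bot: The last check in the `obj->isServer` block, `if (checkAllowed(param->access_mode, DixReadAccess)) goto pass;`, is not tied to any resource type, so (assuming checkAllowed passes when the requested mode lies within the mask) every server-owned resource other than a window becomes readable from all namespaces, including types registered later by extensions. For an isolation hook an explicit list of `rtype` values is easier to audit than a catch-all; if the catch-all is intended, it should say so, e.g. `/* any other server-owned resource: read-only for every namespace, anything else falls through to reject */`. The colormap branch also grants `DixAddAccess`, which presumably lets clients of different namespaces allocate into the same server-owned colormap, so a one-line comment on why that sharing is acceptable would help. The comment in the window branch should read `/* allowed ones should already have been caught above */`. hookResourceAccess starts before the hunk and continues after it.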