diff --git a/Xext/security.c b/Xext/security.c index 069655964..a3cde2cec 100644 --- a/Xext/security.c +++ b/Xext/security.c @@ -70,10 +70,19 @@ static char *SecurityUntrustedExtensions[] = { NULL }; -/* Access modes that untrusted clients can do to trusted stuff */ -static const Mask SecurityAllowedMask = - DixGetAttrAccess | DixListPropAccess | DixGetPropAccess | - DixGetFocusAccess | DixListAccess | DixReceiveAccess; +/* + * Access modes that untrusted clients are allowed on trusted objects. + */ +static const Mask SecurityResourceMask = + DixGetAttrAccess | DixReceiveAccess | DixListPropAccess | + DixGetPropAccess | DixListAccess; +static const Mask SecurityRootWindowExtraMask = + DixReceiveAccess | DixSendAccess | DixAddAccess | DixRemoveAccess; +static const Mask SecurityDeviceMask = + DixGetAttrAccess | DixReceiveAccess | DixGetFocusAccess | + DixGrabAccess | DixSetAttrAccess | DixUseAccess; +static const Mask SecurityServerMask = DixGetAttrAccess | DixGrabAccess; +static const Mask SecurityClientMask = DixGetAttrAccess; /* SecurityAudit @@ -751,11 +760,15 @@ SecurityDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata) XaceDeviceAccessRec *rec = calldata; SecurityStateRec *subj, *obj; Mask requested = rec->access_mode; - Mask allowed = SecurityAllowedMask; + Mask allowed = SecurityDeviceMask; subj = dixLookupPrivate(&rec->client->devPrivates, stateKey); obj = dixLookupPrivate(&serverClient->devPrivates, stateKey); + if (rec->dev != inputInfo.keyboard) + /* this extension only supports the core keyboard */ + allowed = requested; + if (SecurityDoCheck(subj, obj, requested, allowed) != Success) { SecurityAudit("Security denied client %d keyboard access on request " "%s\n", rec->client->index, @@ -792,7 +805,7 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata) SecurityStateRec *subj, *obj; int cid = CLIENT_ID(rec->id); Mask requested = rec->access_mode; - Mask allowed = SecurityAllowedMask; + Mask allowed = SecurityResourceMask; subj = dixLookupPrivate(&rec->client->devPrivates, stateKey); obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey); @@ -801,11 +814,15 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata) if (cid == 0) { if (rec->rtype & RC_DRAWABLE) /* additional operations allowed on root windows */ - allowed |= DixReadAccess|DixSendAccess; + allowed |= SecurityRootWindowExtraMask; else if (rec->rtype == RT_COLORMAP) /* allow access to default colormaps */ allowed = requested; + + else + /* allow read access to other server-owned resources */ + allowed |= DixReadAccess; } if (SecurityDoCheck(subj, obj, requested, allowed) == Success) @@ -816,9 +833,10 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata) return; #endif - SecurityAudit("Security: denied client %d access to resource 0x%x " - "of client %d on request %s\n", rec->client->index, rec->id, - cid, SecurityLookupRequestName(rec->client)); + SecurityAudit("Security: denied client %d access %x to resource 0x%x " + "of client %d on request %s\n", rec->client->index, + requested, rec->id, cid, + SecurityLookupRequestName(rec->client)); rec->status = BadAccess; /* deny access */ } @@ -850,7 +868,7 @@ SecurityServer(CallbackListPtr *pcbl, pointer unused, pointer calldata) XaceServerAccessRec *rec = calldata; SecurityStateRec *subj, *obj; Mask requested = rec->access_mode; - Mask allowed = SecurityAllowedMask; + Mask allowed = SecurityServerMask; subj = dixLookupPrivate(&rec->client->devPrivates, stateKey); obj = dixLookupPrivate(&serverClient->devPrivates, stateKey); @@ -869,7 +887,7 @@ SecurityClient(CallbackListPtr *pcbl, pointer unused, pointer calldata) XaceClientAccessRec *rec = calldata; SecurityStateRec *subj, *obj; Mask requested = rec->access_mode; - Mask allowed = SecurityAllowedMask; + Mask allowed = SecurityClientMask; subj = dixLookupPrivate(&rec->client->devPrivates, stateKey); obj = dixLookupPrivate(&rec->target->devPrivates, stateKey); @@ -889,7 +907,7 @@ SecurityProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata) SecurityStateRec *subj, *obj; ATOM name = rec->pProp->propertyName; Mask requested = rec->access_mode; - Mask allowed = SecurityAllowedMask | DixReadAccess; + Mask allowed = SecurityResourceMask | DixReadAccess; subj = dixLookupPrivate(&rec->client->devPrivates, stateKey); obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);