security: Revise set of permissions granted to untrusted clients.
Bug #14480: untrusted access broken on 7.3.
This commit is contained in:
Eamon Walsh
Eamon Walsh
parent
e99aadbc26
commit
4573cb2ce4
|
|
@ -70,10 +70,19 @@ static char *SecurityUntrustedExtensions[] = {
|
||||||
NULL
|
NULL
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Access modes that untrusted clients can do to trusted stuff */
|
/*
|
||||||
static const Mask SecurityAllowedMask =
|
* Access modes that untrusted clients are allowed on trusted objects.
|
||||||
DixGetAttrAccess | DixListPropAccess | DixGetPropAccess |
|
*/
|
||||||
DixGetFocusAccess | DixListAccess | DixReceiveAccess;
|
static const Mask SecurityResourceMask =
|
||||||
|
DixGetAttrAccess | DixReceiveAccess | DixListPropAccess |
|
||||||
|
DixGetPropAccess | DixListAccess;
|
||||||
|
static const Mask SecurityRootWindowExtraMask =
|
||||||
|
DixReceiveAccess | DixSendAccess | DixAddAccess | DixRemoveAccess;
|
||||||
|
static const Mask SecurityDeviceMask =
|
||||||
|
DixGetAttrAccess | DixReceiveAccess | DixGetFocusAccess |
|
||||||
|
DixGrabAccess | DixSetAttrAccess | DixUseAccess;
|
||||||
|
static const Mask SecurityServerMask = DixGetAttrAccess | DixGrabAccess;
|
||||||
|
static const Mask SecurityClientMask = DixGetAttrAccess;
|
||||||
|
|
||||||
|
|
||||||
/* SecurityAudit
|
/* SecurityAudit
|
||||||
|
|
@ -751,11 +760,15 @@ SecurityDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
XaceDeviceAccessRec *rec = calldata;
|
XaceDeviceAccessRec *rec = calldata;
|
||||||
SecurityStateRec *subj, *obj;
|
SecurityStateRec *subj, *obj;
|
||||||
Mask requested = rec->access_mode;
|
Mask requested = rec->access_mode;
|
||||||
Mask allowed = SecurityAllowedMask;
|
Mask allowed = SecurityDeviceMask;
|
||||||
|
|
||||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||||
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
|
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
|
||||||
|
|
||||||
|
if (rec->dev != inputInfo.keyboard)
|
||||||
|
/* this extension only supports the core keyboard */
|
||||||
|
allowed = requested;
|
||||||
|
|
||||||
if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
|
if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
|
||||||
SecurityAudit("Security denied client %d keyboard access on request "
|
SecurityAudit("Security denied client %d keyboard access on request "
|
||||||
"%s\n", rec->client->index,
|
"%s\n", rec->client->index,
|
||||||
|
|
@ -792,7 +805,7 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
SecurityStateRec *subj, *obj;
|
SecurityStateRec *subj, *obj;
|
||||||
int cid = CLIENT_ID(rec->id);
|
int cid = CLIENT_ID(rec->id);
|
||||||
Mask requested = rec->access_mode;
|
Mask requested = rec->access_mode;
|
||||||
Mask allowed = SecurityAllowedMask;
|
Mask allowed = SecurityResourceMask;
|
||||||
|
|
||||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||||
obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey);
|
obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey);
|
||||||
|
|
@ -801,11 +814,15 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
if (cid == 0) {
|
if (cid == 0) {
|
||||||
if (rec->rtype & RC_DRAWABLE)
|
if (rec->rtype & RC_DRAWABLE)
|
||||||
/* additional operations allowed on root windows */
|
/* additional operations allowed on root windows */
|
||||||
allowed |= DixReadAccess|DixSendAccess;
|
allowed |= SecurityRootWindowExtraMask;
|
||||||
|
|
||||||
else if (rec->rtype == RT_COLORMAP)
|
else if (rec->rtype == RT_COLORMAP)
|
||||||
/* allow access to default colormaps */
|
/* allow access to default colormaps */
|
||||||
allowed = requested;
|
allowed = requested;
|
||||||
|
|
||||||
|
else
|
||||||
|
/* allow read access to other server-owned resources */
|
||||||
|
allowed |= DixReadAccess;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (SecurityDoCheck(subj, obj, requested, allowed) == Success)
|
if (SecurityDoCheck(subj, obj, requested, allowed) == Success)
|
||||||
|
|
@ -816,9 +833,10 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
return;
|
return;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
SecurityAudit("Security: denied client %d access to resource 0x%x "
|
SecurityAudit("Security: denied client %d access %x to resource 0x%x "
|
||||||
"of client %d on request %s\n", rec->client->index, rec->id,
|
"of client %d on request %s\n", rec->client->index,
|
||||||
cid, SecurityLookupRequestName(rec->client));
|
requested, rec->id, cid,
|
||||||
|
SecurityLookupRequestName(rec->client));
|
||||||
rec->status = BadAccess; /* deny access */
|
rec->status = BadAccess; /* deny access */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -850,7 +868,7 @@ SecurityServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
XaceServerAccessRec *rec = calldata;
|
XaceServerAccessRec *rec = calldata;
|
||||||
SecurityStateRec *subj, *obj;
|
SecurityStateRec *subj, *obj;
|
||||||
Mask requested = rec->access_mode;
|
Mask requested = rec->access_mode;
|
||||||
Mask allowed = SecurityAllowedMask;
|
Mask allowed = SecurityServerMask;
|
||||||
|
|
||||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||||
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
|
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
|
||||||
|
|
@ -869,7 +887,7 @@ SecurityClient(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
XaceClientAccessRec *rec = calldata;
|
XaceClientAccessRec *rec = calldata;
|
||||||
SecurityStateRec *subj, *obj;
|
SecurityStateRec *subj, *obj;
|
||||||
Mask requested = rec->access_mode;
|
Mask requested = rec->access_mode;
|
||||||
Mask allowed = SecurityAllowedMask;
|
Mask allowed = SecurityClientMask;
|
||||||
|
|
||||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||||
obj = dixLookupPrivate(&rec->target->devPrivates, stateKey);
|
obj = dixLookupPrivate(&rec->target->devPrivates, stateKey);
|
||||||
|
|
@ -889,7 +907,7 @@ SecurityProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
SecurityStateRec *subj, *obj;
|
SecurityStateRec *subj, *obj;
|
||||||
ATOM name = rec->pProp->propertyName;
|
ATOM name = rec->pProp->propertyName;
|
||||||
Mask requested = rec->access_mode;
|
Mask requested = rec->access_mode;
|
||||||
Mask allowed = SecurityAllowedMask | DixReadAccess;
|
Mask allowed = SecurityResourceMask | DixReadAccess;
|
||||||
|
|
||||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||||
obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);
|
obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue