security: Revise set of permissions granted to untrusted clients.
Bug #14480: untrusted access broken on 7.3.
parent
e99aadbc26
commit
4573cb2ce4
|
@ -70,10 +70,19 @@ static char *SecurityUntrustedExtensions[] = {
|
|||
NULL
|
||||
};
|
||||
|
||||
/* Access modes that untrusted clients can do to trusted stuff */
|
||||
static const Mask SecurityAllowedMask =
|
||||
DixGetAttrAccess | DixListPropAccess | DixGetPropAccess |
|
||||
DixGetFocusAccess | DixListAccess | DixReceiveAccess;
|
||||
/*
|
||||
* Access modes that untrusted clients are allowed on trusted objects.
|
||||
*/
|
||||
static const Mask SecurityResourceMask =
|
||||
DixGetAttrAccess | DixReceiveAccess | DixListPropAccess |
|
||||
DixGetPropAccess | DixListAccess;
|
||||
static const Mask SecurityRootWindowExtraMask =
|
||||
DixReceiveAccess | DixSendAccess | DixAddAccess | DixRemoveAccess;
|
||||
static const Mask SecurityDeviceMask =
|
||||
DixGetAttrAccess | DixReceiveAccess | DixGetFocusAccess |
|
||||
DixGrabAccess | DixSetAttrAccess | DixUseAccess;
|
||||
static const Mask SecurityServerMask = DixGetAttrAccess | DixGrabAccess;
|
||||
static const Mask SecurityClientMask = DixGetAttrAccess;
|
||||
|
||||
|
||||
/* SecurityAudit
|
||||
|
@ -751,11 +760,15 @@ SecurityDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|||
XaceDeviceAccessRec *rec = calldata;
|
||||
SecurityStateRec *subj, *obj;
|
||||
Mask requested = rec->access_mode;
|
||||
Mask allowed = SecurityAllowedMask;
|
||||
Mask allowed = SecurityDeviceMask;
|
||||
|
||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
|
||||
|
||||
if (rec->dev != inputInfo.keyboard)
|
||||
/* this extension only supports the core keyboard */
|
||||
allowed = requested;
|
||||
|
||||
if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
|
||||
SecurityAudit("Security denied client %d keyboard access on request "
|
||||
"%s\n", rec->client->index,
|
||||
|
@ -792,7 +805,7 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|||
SecurityStateRec *subj, *obj;
|
||||
int cid = CLIENT_ID(rec->id);
|
||||
Mask requested = rec->access_mode;
|
||||
Mask allowed = SecurityAllowedMask;
|
||||
Mask allowed = SecurityResourceMask;
|
||||
|
||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||
obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey);
|
||||
|
@ -801,11 +814,15 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|||
if (cid == 0) {
|
||||
if (rec->rtype & RC_DRAWABLE)
|
||||
/* additional operations allowed on root windows */
|
||||
allowed |= DixReadAccess|DixSendAccess;
|
||||
allowed |= SecurityRootWindowExtraMask;
|
||||
|
||||
else if (rec->rtype == RT_COLORMAP)
|
||||
/* allow access to default colormaps */
|
||||
allowed = requested;
|
||||
|
||||
else
|
||||
/* allow read access to other server-owned resources */
|
||||
allowed |= DixReadAccess;
|
||||
}
|
||||
|
||||
if (SecurityDoCheck(subj, obj, requested, allowed) == Success)
|
||||
|
@ -816,9 +833,10 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|||
return;
|
||||
#endif
|
||||
|
||||
SecurityAudit("Security: denied client %d access to resource 0x%x "
|
||||
"of client %d on request %s\n", rec->client->index, rec->id,
|
||||
cid, SecurityLookupRequestName(rec->client));
|
||||
SecurityAudit("Security: denied client %d access %x to resource 0x%x "
|
||||
"of client %d on request %s\n", rec->client->index,
|
||||
requested, rec->id, cid,
|
||||
SecurityLookupRequestName(rec->client));
|
||||
rec->status = BadAccess; /* deny access */
|
||||
}
|
||||
|
||||
|
@ -850,7 +868,7 @@ SecurityServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|||
XaceServerAccessRec *rec = calldata;
|
||||
SecurityStateRec *subj, *obj;
|
||||
Mask requested = rec->access_mode;
|
||||
Mask allowed = SecurityAllowedMask;
|
||||
Mask allowed = SecurityServerMask;
|
||||
|
||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
|
||||
|
@ -869,7 +887,7 @@ SecurityClient(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|||
XaceClientAccessRec *rec = calldata;
|
||||
SecurityStateRec *subj, *obj;
|
||||
Mask requested = rec->access_mode;
|
||||
Mask allowed = SecurityAllowedMask;
|
||||
Mask allowed = SecurityClientMask;
|
||||
|
||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||
obj = dixLookupPrivate(&rec->target->devPrivates, stateKey);
|
||||
|
@ -889,7 +907,7 @@ SecurityProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|||
SecurityStateRec *subj, *obj;
|
||||
ATOM name = rec->pProp->propertyName;
|
||||
Mask requested = rec->access_mode;
|
||||
Mask allowed = SecurityAllowedMask | DixReadAccess;
|
||||
Mask allowed = SecurityResourceMask | DixReadAccess;
|
||||
|
||||
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
|
||||
obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);
|
||||
|
|
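Review bot: The two `allowed = requested;` assignments, in SecurityDevice for any device other than `inputInfo.keyboard` and in SecurityResource for server-owned `RT_COLORMAP` resources, appear to make the SecurityDoCheck call that follows accept every access mode, so the new per-class masks would not constrain untrusted clients on those objects at all. If that is intended, the comments should say so explicitly, for example `/* devices other than the core keyboard are not mediated here: all modes granted */`. If only lookup and use of the default colormap is meant, a dedicated mask constant alongside SecurityRootWindowExtraMask would keep write and destroy modes under the check. The `cid == 0` drawable branch is commented as root windows but tests `rec->rtype & RC_DRAWABLE`, which presumably matches any server-owned drawable. Both function bodies continue outside the hunks shown.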