Merge branch 'XACE-modular'

2006-10-06 18:01:13 -07:00 · 2006-10-06 18:01:13 -07:00 · 4c34224630
parent 8382234a7f 49a70c8570
commit 4c34224630
30 changed files with 1271 additions and 560 deletions
--- a/Xext/Makefile.am
+++ b/Xext/Makefile.am
@ -33,6 +33,10 @@ MODULE_SRCS =			\
 	sync.c			\
 	xcmisc.c
 # Extra configuration files ship with some extensions
 SERVERCONFIGdir = $(libdir)/xserver
 SERVERCONFIG_DATA =
 # Optional sources included if extension enabled by configure.ac rules
 # MIT Shared Memory extension
@ -65,13 +69,19 @@ if XINERAMA
 BUILTIN_SRCS += $(XINERAMA_SRCS)
 endif
 # X-ACE extension: provides hooks for building security policy extensions
 # like XC-Security, X-SELinux & XTSol
 XACE_SRCS = xace.c xace.h xacestr.h
 if XACE
 BUILTIN_SRCS += $(XACE_SRCS)
 endif
 # Security extension: multi-level security to protect clients from each other
 XCSECURITY_SRCS = security.c securitysrv.h
 if XCSECURITY   
 BUILTIN_SRCS += $(XCSECURITY_SRCS)
-SERVERCONFIGdir = $(libdir)/xserver
+SERVERCONFIG_DATA += SecurityPolicy
 SERVERCONFIG_DATA = SecurityPolicy
 AM_CFLAGS += -DDEFAULTPOLICYFILE=\"$(SERVERCONFIGdir)/SecurityPolicy\"
 endif
@ -150,11 +160,12 @@ libXextmodule_la_SOURCES =	$(MODULE_SRCS)
 endif
 EXTRA_DIST = \
-	SecurityPolicy \
+	$(SERVERCONFIG_DATA) \
 	$(MITSHM_SRCS) \
 	$(XV_SRCS) \
 	$(RES_SRCS) \
 	$(SCREENSAVER_SRCS) \
 	$(XACE_SRCS) \
 	$(XCSECURITY_SRCS) \
 	$(XCALIBRATE_SRCS) \
 	$(XINERAMA_SRCS) \
--- a/Xext/appgroup.c
+++ b/Xext/appgroup.c
@ -41,6 +41,7 @@ from The Open Group.
 #include "servermd.h"
 #define _XAG_SERVER_
 #include <X11/extensions/Xagstr.h>
 #include "xacestr.h"
 #include "securitysrv.h"
 #include <X11/Xfuncproto.h>
@ -121,62 +122,11 @@ void XagClientStateChange(
    pointer nulldata,
    pointer calldata)
 {
    SecurityAuthorizationPtr pAuth;
    NewClientInfoRec* pci = (NewClientInfoRec*) calldata;
    ClientPtr pClient = pci->client;
-    AppGroupPtr pAppGrp;
+    AppGroupPtr pAppGrp = pClient->appgroup;
    XID authId = 0;
    int slot;
    if (!pClient->appgroup) {
 	switch (pClient->clientState) {
 	case ClientStateAuthenticating:
 	case ClientStateRunning: 
 	case ClientStateCheckingSecurity:
 	    return;
 	case ClientStateInitial: 
 	case ClientStateCheckedSecurity:
 	    /* 
 	     * If the client is connecting via a firewall proxy (which
 	     * uses XC-QUERY-SECURITY-1, then the authId is available
 	     * during ClientStateCheckedSecurity, otherwise it's
 	     * available during ClientStateInitial.
 	     *
 	     * Don't get it from pClient because can't guarantee the order
 	     * of the callbacks and the security extension might not have
 	     * plugged it in yet.
 	     */
 	    authId = AuthorizationIDOfClient(pClient);
 	    break;
 	case ClientStateGone:
 	case ClientStateRetained:
 	    /*
 	     * Don't get if from AuthorizationIDOfClient because can't
 	     * guarantee the order of the callbacks and the security
 	     * extension may have torn down the client's private data
 	     */
 	    authId = pClient->authId;
 	    break;
 	}
 	if (authId == None)
 	    return;
 	pAuth = (SecurityAuthorizationPtr)SecurityLookupIDByType(pClient,
 		authId, SecurityAuthorizationResType, SecurityReadAccess);
 	if (pAuth == NULL)
 	    return;
 	for (pAppGrp = appGrpList; pAppGrp != NULL; pAppGrp = pAppGrp->next)
 	    if (pAppGrp->appgroupId == pAuth->group) break;
    } else {
 	pAppGrp = pClient->appgroup;
    }
    if (!pAppGrp)
 	return;
@ -233,6 +183,7 @@ XagExtensionInit(INITARGS)
 		      XagResetProc,
 		      StandardMinorOpcode)) {
 	RT_APPGROUP = CreateNewResourceType (XagAppGroupFree);
 	XaceRegisterCallback(XACE_AUTH_AVAIL, XagCallClientStateChange, NULL);
    }
 }
@ -799,12 +750,33 @@ void XagGetDeltaInfo(
 }
 void XagCallClientStateChange(
-    ClientPtr client)
+    CallbackListPtr *pcbl,
    pointer nulldata,
    pointer calldata)
 {
-    if (appGrpList) {
+    XaceAuthAvailRec* rec = (XaceAuthAvailRec*) calldata;
    ClientPtr pClient = rec->client;
    if (!pClient->appgroup) {
 	SecurityAuthorizationPtr pAuth;
 	XID authId = rec->authId;
 	/* can't use SecurityLookupIDByType here -- client
 	 * security state hasn't been setup yet.
 	 */
 	pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId,
 				SecurityAuthorizationResType);
 	if (!pAuth)
 	    return;
 	pClient->appgroup = (AppGroupPtr)LookupIDByType(pAuth->group,
 							RT_APPGROUP);
    }
    if (pClient->appgroup) {
 	NewClientInfoRec clientinfo;
-	clientinfo.client = client;
+	clientinfo.client = pClient;
 	XagClientStateChange (NULL, NULL, (pointer)&clientinfo);
    }
 }
--- a/Xext/appgroup.h
+++ b/Xext/appgroup.h
@ -51,7 +51,9 @@ extern ClientPtr XagLeader(
 );
 extern void XagCallClientStateChange(
-    ClientPtr			/* client */
+    CallbackListPtr *		/* pcbl */,
    pointer 			/* nulldata */,
    pointer 			/* calldata */
 );
 extern Bool XagIsControlledRoot (
--- a/Xext/security.c
+++ b/Xext/security.c
@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group.
 #include "gcstruct.h"
 #include "colormapst.h"
 #include "propertyst.h"
 #include "xacestr.h"
 #include "securitysrv.h"
 #include <X11/extensions/securstr.h>
 #include <assert.h>
@ -58,6 +59,23 @@ in this Software without prior written authorization from The Open Group.
 static int SecurityErrorBase;  /* first Security error number */
 static int SecurityEventBase;  /* first Security event number */
 static int securityClientPrivateIndex;
 static int securityExtnsnPrivateIndex;
 /* this is what we store as client security state */
 typedef struct {
    unsigned int trustLevel;
    XID authId;
 } SecurityClientStateRec;
 #define STATEVAL(extnsn) \
    ((extnsn)->devPrivates[securityExtnsnPrivateIndex].val)
 #define STATEPTR(client) \
    ((client)->devPrivates[securityClientPrivateIndex].ptr)
 #define TRUSTLEVEL(client) \
    (((SecurityClientStateRec*)STATEPTR(client))->trustLevel)
 #define AUTHID(client) \
    (((SecurityClientStateRec*)STATEPTR(client))->authId)
 CallbackListPtr SecurityValidateGroupCallback = NULL;  /* see security.h */
@ -65,19 +83,8 @@ RESTYPE SecurityAuthorizationResType; /* resource type for authorizations */
 static RESTYPE RTEventClient;
-/* Proc vectors for untrusted clients, swapped and unswapped versions.
+#define CALLBACK(name) static void \
- * These are the same as the normal proc vectors except that extensions
+name(CallbackListPtr *pcbl, pointer nulldata, pointer calldata)
 * that haven't declared themselves secure will have ProcBadRequest plugged
 * in for their major opcode dispatcher.  This prevents untrusted clients
 * from guessing extension major opcodes and using the extension even though
 * the extension can't be listed or queried.
 */
 int (*UntrustedProcVector[256])(
    ClientPtr /*client*/
 );
 int (*SwappedUntrustedProcVector[256])(
    ClientPtr /*client*/
 );
 /* SecurityAudit
 *
@ -91,7 +98,7 @@ int (*SwappedUntrustedProcVector[256])(
 *	Writes the message to the log file if security logging is on.
 */
-void
+static void
 SecurityAudit(char *format, ...)
 {
    va_list args;
@ -164,7 +171,7 @@ SecurityDeleteAuthorization(
    for (i = 1; i<currentMaxClients; i++)
    {
-	if (clients[i] && (clients[i]->authId == pAuth->id))
+	if (clients[i] && (AUTHID(clients[i]) == pAuth->id))
 	    CloseDownClient(clients[i]);
    }
@ -318,7 +325,7 @@ ProcSecurityQueryVersion(
    /* paranoia: this "can't happen" because this extension is hidden
     * from untrusted clients, but just in case...
     */
-    if (client->trustLevel != XSecurityClientTrusted)
+    if (TRUSTLEVEL(client) != XSecurityClientTrusted)
 	return BadRequest;
    REQUEST_SIZE_MATCH(xSecurityQueryVersionReq);
@ -404,7 +411,7 @@ ProcSecurityGenerateAuthorization(
    /* paranoia: this "can't happen" because this extension is hidden
     * from untrusted clients, but just in case...
     */
-    if (client->trustLevel != XSecurityClientTrusted)
+    if (TRUSTLEVEL(client) != XSecurityClientTrusted)
 	return BadRequest;
    /* check request length */
@ -587,7 +594,7 @@ ProcSecurityRevokeAuthorization(
    /* paranoia: this "can't happen" because this extension is hidden
     * from untrusted clients, but just in case...
     */
-    if (client->trustLevel != XSecurityClientTrusted)
+    if (TRUSTLEVEL(client) != XSecurityClientTrusted)
 	return BadRequest;
    REQUEST_SIZE_MATCH(xSecurityRevokeAuthorizationReq);
@ -772,12 +779,12 @@ SecurityDetermineEventPropogationLimits(
 *	An audit message is generated if access is denied.
 */
-Bool
+CALLBACK(SecurityCheckDeviceAccess)
 SecurityCheckDeviceAccess(client, dev, fromRequest)
    ClientPtr client;
    DeviceIntPtr dev;
    Bool fromRequest;
 {
    XaceDeviceAccessRec *rec = (XaceDeviceAccessRec*)calldata;
    ClientPtr client = rec->client;
    DeviceIntPtr dev = rec->dev;
    Bool fromRequest = rec->fromRequest;
    WindowPtr pWin, pStopWin;
    Bool untrusted_got_event;
    Bool found_event_window;
@ -785,12 +792,12 @@ SecurityCheckDeviceAccess(client, dev, fromRequest)
    int reqtype = 0;
    /* trusted clients always allowed to do anything */
-    if (client->trustLevel == XSecurityClientTrusted)
+    if (TRUSTLEVEL(client) == XSecurityClientTrusted)
-	return TRUE;
+	return;
    /* device security other than keyboard is not implemented yet */
    if (dev != inputInfo.keyboard)
-	return TRUE;
+	return;
    /* some untrusted client wants access */
@ -805,7 +812,8 @@ SecurityCheckDeviceAccess(client, dev, fromRequest)
 	    case X_SetModifierMapping:
 		SecurityAudit("client %d attempted request %d\n",
 			      client->index, reqtype);
-		return FALSE;
+		rec->rval = FALSE;
 		return;
 	    default:
 		break;
 	}
@ -817,7 +825,7 @@ SecurityCheckDeviceAccess(client, dev, fromRequest)
    if (dev->grab)
    {
 	untrusted_got_event =
-	    ((rClient(dev->grab))->trustLevel != XSecurityClientTrusted);
+	    (TRUSTLEVEL(rClient(dev->grab)) != XSecurityClientTrusted);
    }
    else
    {
@ -832,7 +840,7 @@ SecurityCheckDeviceAccess(client, dev, fromRequest)
 	    {
 		found_event_window = TRUE;
 		client = wClient(pWin);
-		if (client->trustLevel != XSecurityClientTrusted)
+		if (TRUSTLEVEL(client) != XSecurityClientTrusted)
 		{
 		    untrusted_got_event = TRUE;
 		}
@ -845,7 +853,7 @@ SecurityCheckDeviceAccess(client, dev, fromRequest)
 		    if (other->mask & eventmask)
 		    {
 			client = rClient(other);
-			if (client->trustLevel != XSecurityClientTrusted)
+			if (TRUSTLEVEL(client) != XSecurityClientTrusted)
 			{
 			    untrusted_got_event = TRUE;
 			    break;
@ -873,8 +881,9 @@ SecurityCheckDeviceAccess(client, dev, fromRequest)
 	else
 	    SecurityAudit("client %d attempted to access device %d (%s)\n",
 			  client->index, dev->id, devname);
 	rec->rval = FALSE;
    }
-    return untrusted_got_event;
+    return;
 } /* SecurityCheckDeviceAccess */
@ -946,20 +955,22 @@ SecurityAuditResourceIDAccess(
 *	Disallowed resource accesses are audited.
 */
-static pointer
+CALLBACK(SecurityCheckResourceIDAccess)
 SecurityCheckResourceIDAccess(
    ClientPtr client,
    XID id,
    RESTYPE rtype,
    Mask access_mode,
    pointer rval)
 {
-    int cid = CLIENT_ID(id);
+    XaceResourceAccessRec *rec = (XaceResourceAccessRec*)calldata;
-    int reqtype = ((xReq *)client->requestBuffer)->reqType;
+    ClientPtr client = rec->client;
    XID id = rec->id;
    RESTYPE rtype = rec->rtype;
    Mask access_mode = rec->access_mode;
    pointer rval = rec->res;
    int cid, reqtype;
-    if (SecurityUnknownAccess == access_mode)
+    if (TRUSTLEVEL(client) == XSecurityClientTrusted ||
-	return rval;  /* for compatibility, we have to allow access */
+	SecurityUnknownAccess == access_mode)
 	return;       /* for compatibility, we have to allow access */
    cid = CLIENT_ID(id);
    reqtype = ((xReq *)client->requestBuffer)->reqType;
    switch (reqtype)
    { /* these are always allowed */
 	case X_QueryTree:
@ -971,7 +982,7 @@ SecurityCheckResourceIDAccess(
 	case X_DeleteProperty:
 	case X_RotateProperties:
        case X_ListProperties:
-	    return rval;
+	    return;
 	default:
 	    break;
    }
@ -991,15 +1002,15 @@ SecurityCheckResourceIDAccess(
      * competing alternative for grouping clients for security purposes is to
      * use app groups.  dpw
      */
-	if (client->trustLevel == clients[cid]->trustLevel
+	if (TRUSTLEVEL(client) == TRUSTLEVEL(clients[cid])
 #ifdef XAPPGROUP
 	    || (RT_COLORMAP == rtype && 
 		XagDefaultColormap (client) == (Colormap) id)
 #endif
 	)
-	    return rval;
+	    return;
 	else
-	    return SecurityAuditResourceIDAccess(client, id);
+	    goto deny;
    }
    else /* server-owned resource - probably a default colormap or root window */
    {
@ -1035,7 +1046,7 @@ SecurityCheckResourceIDAccess(
 			  )
 		       )
 		    { /* not an ICCCM event */
-			return SecurityAuditResourceIDAccess(client, id);
+			goto deny;
 		    }
 		    break;
 		} /* case X_SendEvent on root */
@ -1053,28 +1064,31 @@ SecurityCheckResourceIDAccess(
 			      ~(PropertyChangeMask|StructureNotifyMask)) == 0)
 			    break;
 		    }
-		    return SecurityAuditResourceIDAccess(client, id);
+		    goto deny;
 		} /* case X_ChangeWindowAttributes on root */
 		default:
 		{
 		    /* others not allowed */
-		    return SecurityAuditResourceIDAccess(client, id);
+		    goto deny;
 		}
 	    }
 	} /* end server-owned window or drawable */
 	else if (SecurityAuthorizationResType == rtype)
 	{
 	    SecurityAuthorizationPtr pAuth = (SecurityAuthorizationPtr)rval;
-	    if (pAuth->trustLevel != client->trustLevel)
+	    if (pAuth->trustLevel != TRUSTLEVEL(client))
-		return SecurityAuditResourceIDAccess(client, id);
+		goto deny;
 	}
 	else if (RT_COLORMAP != rtype)
 	{ /* don't allow anything else besides colormaps */
-	    return SecurityAuditResourceIDAccess(client, id);
+	    goto deny;
 	}
    }
-    return rval;
+    return;
  deny:
    SecurityAuditResourceIDAccess(client, id);
    rec->rval = FALSE;	/* deny access */
 } /* SecurityCheckResourceIDAccess */
@ -1093,30 +1107,32 @@ SecurityCheckResourceIDAccess(
 * If a new client is connecting, its authorization ID is copied to
 * client->authID.  If this is a generated authorization, its reference
 * count is bumped, its timer is cancelled if it was running, and its
- * trustlevel is copied to client->trustLevel.
+ * trustlevel is copied to TRUSTLEVEL(client).
 * 
 * If a client is disconnecting and the client was using a generated
 * authorization, the authorization's reference count is decremented, and
 * if it is now zero, the timer for this authorization is started.
 */
-static void
+CALLBACK(SecurityClientStateCallback)
 SecurityClientStateCallback(
    CallbackListPtr *pcbl,
    pointer nulldata,
    pointer calldata)
 {
    NewClientInfoRec *pci = (NewClientInfoRec *)calldata;
    ClientPtr client = pci->client;
    switch (client->clientState)
    {
    case ClientStateInitial:
 	TRUSTLEVEL(serverClient) = XSecurityClientTrusted;
 	AUTHID(serverClient) = None;
 	break;
 	case ClientStateRunning:
 	{ 
 	    XID authId = AuthorizationIDOfClient(client);
 	    SecurityAuthorizationPtr pAuth;
-	    client->authId = authId;
+	    TRUSTLEVEL(client) = XSecurityClientTrusted;
 	    AUTHID(client) = authId;
 	    pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId,
 						SecurityAuthorizationResType);
 	    if (pAuth)
@ -1126,23 +1142,20 @@ SecurityClientStateCallback(
 		{
 		    if (pAuth->timer) TimerCancel(pAuth->timer);
 		}
-		client->trustLevel = pAuth->trustLevel;
+		TRUSTLEVEL(client) = pAuth->trustLevel;
 		if (client->trustLevel != XSecurityClientTrusted)
 		{
 		    client->CheckAccess = SecurityCheckResourceIDAccess;
 		    client->requestVector = client->swapped ?
 			SwappedUntrustedProcVector : UntrustedProcVector;
 		}
 	    }
 	    break;
 	}
 	case ClientStateGone:
 	case ClientStateRetained: /* client disconnected */
 	{
 	    XID authId = client->authId;
 	    SecurityAuthorizationPtr pAuth;
-	    pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId,
+	    /* client may not have any state (bad authorization) */
 	    if (!STATEPTR(client))
 		break;
 	    pAuth = (SecurityAuthorizationPtr)LookupIDByType(AUTHID(client),
 						SecurityAuthorizationResType);
 	    if (pAuth)
 	    { /* it is a generated authorization */
@ -1158,124 +1171,68 @@ SecurityClientStateCallback(
    }
 } /* SecurityClientStateCallback */
-/* SecurityCensorImage
+CALLBACK(SecurityCheckDrawableAccess)
 *
 * Called after pScreen->GetImage to prevent pieces or trusted windows from
 * being returned in image data from an untrusted window.
 *
 * Arguments:
 *	client is the client doing the GetImage.
 *      pVisibleRegion is the visible region of the window.
 *	widthBytesLine is the width in bytes of one horizontal line in pBuf.
 *	pDraw is the source window.
 *	x, y, w, h is the rectangle of image data from pDraw in pBuf.
 *	format is the format of the image data in pBuf: ZPixmap or XYPixmap.
 *	pBuf is the image data.
 *
 * Returns: nothing.
 *
 * Side Effects:
 *	Any part of the rectangle (x, y, w, h) that is outside the visible
 *	region of the window will be destroyed (overwritten) in pBuf.
 */
 void
 SecurityCensorImage(client, pVisibleRegion, widthBytesLine, pDraw, x, y, w, h,
 		    format, pBuf)
    ClientPtr client;
    RegionPtr pVisibleRegion;
    long widthBytesLine;
    DrawablePtr pDraw;
    int x, y, w, h;
    unsigned int format;
    char * pBuf;
 {
-    RegionRec imageRegion;  /* region representing x,y,w,h */
+    XaceDrawableAccessRec *rec = (XaceDrawableAccessRec*)calldata;
    RegionRec censorRegion; /* region to obliterate */
    BoxRec imageBox;
    int nRects;
-    imageBox.x1 = x;
+    if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted)
-    imageBox.y1 = y;
+	rec->rval = FALSE;
-    imageBox.x2 = x + w;
+}
    imageBox.y2 = y + h;
    REGION_INIT(pScreen, &imageRegion, &imageBox, 1);
    REGION_NULL(pScreen, &censorRegion);
-    /* censorRegion = imageRegion - visibleRegion */
+CALLBACK(SecurityCheckMapAccess)
-    REGION_SUBTRACT(pScreen, &censorRegion, &imageRegion, pVisibleRegion);
+{
-    nRects = REGION_NUM_RECTS(&censorRegion);
+    XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata;
-    if (nRects > 0)
+    WindowPtr pWin = rec->pWin;
    { /* we have something to censor */
 	GCPtr pScratchGC = NULL;
 	PixmapPtr pPix = NULL;
 	xRectangle *pRects = NULL;
 	Bool failed = FALSE;
 	int depth = 1;
 	int bitsPerPixel = 1;
 	int i;
 	BoxPtr pBox;
-	/* convert region to list-of-rectangles for PolyFillRect */
+    if (STATEPTR(rec->client) &&
 	(TRUSTLEVEL(rec->client) != XSecurityClientTrusted) &&
 	(pWin->drawable.class == InputOnly) &&
 	(TRUSTLEVEL(wClient(pWin->parent)) == XSecurityClientTrusted))
-	pRects = (xRectangle *)ALLOCATE_LOCAL(nRects * sizeof(xRectangle *));
+	rec->rval = FALSE;
-	if (!pRects)
+}
 	{
 	    failed = TRUE;
 	    goto failSafe;
 	}
 	for (pBox = REGION_RECTS(&censorRegion), i = 0;
 	     i < nRects;
 	     i++, pBox++)
 	{
 	    pRects[i].x = pBox->x1;
 	    pRects[i].y = pBox->y1 - imageBox.y1;
 	    pRects[i].width  = pBox->x2 - pBox->x1;
 	    pRects[i].height = pBox->y2 - pBox->y1;
 	}
-	/* use pBuf as a fake pixmap */
+CALLBACK(SecurityCheckBackgrndAccess)
 {
    XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata;
-	if (format == ZPixmap)
+    if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted)
-	{
+	rec->rval = FALSE;
-	    depth = pDraw->depth;
+}
 	    bitsPerPixel = pDraw->bitsPerPixel;
 	}
-	pPix = GetScratchPixmapHeader(pDraw->pScreen, w, h,
+CALLBACK(SecurityCheckExtAccess)
-		    depth, bitsPerPixel,
+{
-		    widthBytesLine, (pointer)pBuf);
+    XaceExtAccessRec *rec = (XaceExtAccessRec*)calldata;
 	if (!pPix)
 	{
 	    failed = TRUE;
 	    goto failSafe;
 	}
-	pScratchGC = GetScratchGC(depth, pPix->drawable.pScreen);
+    if ((TRUSTLEVEL(rec->client) != XSecurityClientTrusted) &&
-	if (!pScratchGC)
+	!STATEVAL(rec->ext))
 	{
 	    failed = TRUE;
 	    goto failSafe;
 	}
-	ValidateGC(&pPix->drawable, pScratchGC);
+	rec->rval = FALSE;
-	(* pScratchGC->ops->PolyFillRect)(&pPix->drawable,
+}
 			    pScratchGC, nRects, pRects);
-    failSafe:
+CALLBACK(SecurityCheckHostlistAccess)
-	if (failed)
+{
-	{
+    XaceHostlistAccessRec *rec = (XaceHostlistAccessRec*)calldata;
-	    /* Censoring was not completed above.  To be safe, wipe out
+ 
-	     * all the image data so that nothing trusted gets out.
+    if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted)
-	     */
+    {
-	    bzero(pBuf, (int)(widthBytesLine * h));
+	rec->rval = FALSE;
-	}
+	if (rec->access_mode == SecurityWriteAccess)
-	if (pRects)     DEALLOCATE_LOCAL(pRects);
+	    SecurityAudit("client %d attempted to change host access\n",
-	if (pScratchGC) FreeScratchGC(pScratchGC);
+			  rec->client->index);
-	if (pPix)       FreeScratchPixmapHeader(pPix);
+	else
 	    SecurityAudit("client %d attempted to list hosts\n",
 			  rec->client->index);
    }
-    REGION_UNINIT(pScreen, &imageRegion);
+}
-    REGION_UNINIT(pScreen, &censorRegion);
+
-} /* SecurityCensorImage */
+CALLBACK(SecurityDeclareExtSecure)
 {
    XaceDeclareExtSecureRec *rec = (XaceDeclareExtSecureRec*)calldata;
    /* security state for extensions is simply a boolean trust value */
    STATEVAL(rec->ext) = rec->secure;
 }
 /**********************************************************************/
@ -1734,21 +1691,21 @@ SecurityMatchString(
 #endif
-char
+CALLBACK(SecurityCheckPropertyAccess)
-SecurityCheckPropertyAccess(client, pWin, propertyName, access_mode)
+{    
-    ClientPtr client;
+    XacePropertyAccessRec *rec = (XacePropertyAccessRec*)calldata;
-    WindowPtr pWin;
+    ClientPtr client = rec->client;
-    ATOM propertyName;
+    WindowPtr pWin = rec->pWin;
-    Mask access_mode;
+    ATOM propertyName = rec->propertyName;
-{
+    Mask access_mode = rec->access_mode;
    PropertyAccessPtr pacl;
    char action = SecurityDefaultAction;
    /* if client trusted or window untrusted, allow operation */
-    if ( (client->trustLevel == XSecurityClientTrusted) ||
+    if ( (TRUSTLEVEL(client) == XSecurityClientTrusted) ||
-	 (wClient(pWin)->trustLevel != XSecurityClientTrusted) )
+	 (TRUSTLEVEL(wClient(pWin)) != XSecurityClientTrusted) )
-	return SecurityAllowOperation;
+	return;
 #ifdef PROPDEBUG
    /* For testing, it's more convenient if the property rules file gets
@ -1861,7 +1818,9 @@ SecurityCheckPropertyAccess(client, pWin, propertyName, access_mode)
 		client->index, reqtype, pWin->drawable.id,
 		      NameForAtom(propertyName), propertyName, cid, actionstr);
    }
-    return action;
+    /* return codes increase with strictness */
    if (action > rec->rval)
        rec->rval = action;
 } /* SecurityCheckPropertyAccess */
@ -1901,6 +1860,46 @@ XSecurityOptions(argc, argv, i)
 } /* XSecurityOptions */
 /* SecurityExtensionSetup
 *
 * Arguments: none.
 *
 * Returns: nothing.
 *
 * Side Effects:
 *	Sets up the Security extension if possible.
 *      This function contains things that need to be done
 *      before any other extension init functions get called.
 */
 void
 SecurityExtensionSetup(INITARGS)
 {
    /* Allocate the client private index */
    securityClientPrivateIndex = AllocateClientPrivateIndex();
    if (!AllocateClientPrivate(securityClientPrivateIndex,
 			       sizeof (SecurityClientStateRec)))
 	FatalError("SecurityExtensionSetup: Can't allocate client private.\n");
    /* Allocate the extension private index */
    securityExtnsnPrivateIndex = AllocateExtensionPrivateIndex();
    if (!AllocateExtensionPrivate(securityExtnsnPrivateIndex, 0))
 	FatalError("SecurityExtensionSetup: Can't allocate extnsn private.\n");
    /* register callbacks */
 #define XaceRC XaceRegisterCallback
    XaceRC(XACE_RESOURCE_ACCESS, SecurityCheckResourceIDAccess, NULL);
    XaceRC(XACE_DEVICE_ACCESS, SecurityCheckDeviceAccess, NULL);
    XaceRC(XACE_PROPERTY_ACCESS, SecurityCheckPropertyAccess, NULL);
    XaceRC(XACE_DRAWABLE_ACCESS, SecurityCheckDrawableAccess, NULL);
    XaceRC(XACE_MAP_ACCESS, SecurityCheckMapAccess, NULL);
    XaceRC(XACE_BACKGRND_ACCESS, SecurityCheckBackgrndAccess, NULL);
    XaceRC(XACE_EXT_DISPATCH, SecurityCheckExtAccess, NULL);
    XaceRC(XACE_EXT_ACCESS, SecurityCheckExtAccess, NULL);
    XaceRC(XACE_HOSTLIST_ACCESS, SecurityCheckHostlistAccess, NULL);
    XaceRC(XACE_DECLARE_EXT_SECURE, SecurityDeclareExtSecure, NULL);
 } /* SecurityExtensionSetup */
 /* SecurityExtensionInit
 *
@ -1916,7 +1915,6 @@ void
 SecurityExtensionInit(INITARGS)
 {
    ExtensionEntry	*extEntry;
    int i;
    SecurityAuthorizationResType =
 	CreateNewResourceType(SecurityDeleteAuthorization);
@ -1943,25 +1941,6 @@ SecurityExtensionInit(INITARGS)
    EventSwapVector[SecurityEventBase + XSecurityAuthorizationRevoked] =
 	(EventSwapPtr)SwapSecurityAuthorizationRevokedEvent;
    /* initialize untrusted proc vectors */
    for (i = 0; i < 128; i++)
    {
 	UntrustedProcVector[i] = ProcVector[i];
 	SwappedUntrustedProcVector[i] = SwappedProcVector[i];
    }
    /* make sure insecure extensions are not allowed */
    for (i = 128; i < 256; i++)
    {
 	if (!UntrustedProcVector[i])
 	{
 	    UntrustedProcVector[i] = ProcBadRequest;
 	    SwappedUntrustedProcVector[i] = ProcBadRequest;
 	}
    }
    SecurityLoadPropertyAccessList();
 } /* SecurityExtensionInit */
--- a/Xext/securitysrv.h
+++ b/Xext/securitysrv.h
@ -86,46 +86,11 @@ typedef struct {
    Bool valid; /* did anyone recognize it? if so, set to TRUE */
 } SecurityValidateGroupInfoRec;
 /* Proc vectors for untrusted clients, swapped and unswapped versions.
 * These are the same as the normal proc vectors except that extensions
 * that haven't declared themselves secure will have ProcBadRequest plugged
 * in for their major opcode dispatcher.  This prevents untrusted clients
 * from guessing extension major opcodes and using the extension even though
 * the extension can't be listed or queried.
 */
 extern int (*UntrustedProcVector[256])(ClientPtr client);
 extern int (*SwappedUntrustedProcVector[256])(ClientPtr client);
 extern Bool SecurityCheckDeviceAccess(ClientPtr client, DeviceIntPtr dev,
 			       Bool fromRequest);
 extern void SecurityAudit(char *format, ...);
 extern int XSecurityOptions(int argc, char **argv, int i);
 /* Give this value or higher to the -audit option to get security messages */
 #define SECURITY_AUDIT_LEVEL 4
 extern void SecurityCensorImage(
    ClientPtr client,
    RegionPtr pVisibleRegion,
    long widthBytesLine,
    DrawablePtr pDraw,
    int x, int y, int w, int h,
    unsigned int format,
    char * pBuf);
 #define SecurityAllowOperation  0
 #define SecurityIgnoreOperation 1
 #define SecurityErrorOperation  2
 extern char
 SecurityCheckPropertyAccess(
    ClientPtr client,
    WindowPtr pWin,
    ATOM  propertyName,
    Mask access_mode);
 #define SECURITY_POLICY_FILE_VERSION "version-1"
 extern char **SecurityGetSitePolicyStrings(int *n);
--- a/Xext/xace.c
+++ b/Xext/xace.c
@ -0,0 +1,496 @@
 /************************************************************
 Author: Eamon Walsh <ewalsh@epoch.ncsc.mil>
 Permission to use, copy, modify, distribute, and sell this software and its
 documentation for any purpose is hereby granted without fee, provided that
 this permission notice appear in supporting documentation.  This permission
 notice shall be included in all copies or substantial portions of the
 Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
 AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
 AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ********************************************************/
 #ifdef HAVE_DIX_CONFIG_H
 #include <dix-config.h>
 #endif
 #include <stdarg.h>
 #include "windowstr.h"
 #include "scrnintstr.h"
 #include "gcstruct.h"
 #include "xacestr.h"
 #include "modinit.h"
 CallbackListPtr XaceHooks[XACE_NUM_HOOKS] = {0};
 /* Proc vectors for untrusted clients, swapped and unswapped versions.
 * These are the same as the normal proc vectors except that extensions
 * that haven't declared themselves secure will have ProcBadRequest plugged
 * in for their major opcode dispatcher.  This prevents untrusted clients
 * from guessing extension major opcodes and using the extension even though
 * the extension can't be listed or queried.
 */
 int (*UntrustedProcVector[256])(
    ClientPtr /*client*/
 );
 int (*SwappedUntrustedProcVector[256])(
    ClientPtr /*client*/
 );
 /* Entry point for hook functions.  Called by Xserver.
 */
 int XaceHook(int hook, ...)
 {
    pointer calldata;	/* data passed to callback */
    int *prv = NULL;	/* points to return value from callback */
    va_list ap;		/* argument list */
    va_start(ap, hook);
    /* Marshal arguments for passing to callback.
     * Each callback has its own case, which sets up a structure to hold
     * the arguments and integer return parameter, or in some cases just
     * sets calldata directly to a single argument (with no return result)
     */
    switch (hook)
    {
 	case XACE_CORE_DISPATCH: {
 	    XaceCoreDispatchRec rec = {
 		va_arg(ap, ClientPtr),
 		TRUE	/* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_RESOURCE_ACCESS: {
 	    XaceResourceAccessRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, XID),
 		va_arg(ap, RESTYPE),
 		va_arg(ap, Mask),
 		va_arg(ap, pointer),
 		TRUE	/* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_DEVICE_ACCESS: {
 	    XaceDeviceAccessRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, DeviceIntPtr),
 		va_arg(ap, Bool),
 		TRUE	/* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_PROPERTY_ACCESS: {
 	    XacePropertyAccessRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, WindowPtr),
 		va_arg(ap, Atom),
 		va_arg(ap, Mask),
 		SecurityAllowOperation   /* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_DRAWABLE_ACCESS: {
 	    XaceDrawableAccessRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, DrawablePtr),
 		TRUE	/* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_MAP_ACCESS:
 	case XACE_BACKGRND_ACCESS: {
 	    XaceMapAccessRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, WindowPtr),
 		TRUE	/* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_EXT_DISPATCH:
 	case XACE_EXT_ACCESS: {
 	    XaceExtAccessRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, ExtensionEntry*),
 		TRUE	/* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_HOSTLIST_ACCESS: {
 	    XaceHostlistAccessRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, Mask),
 		TRUE	/* default allow */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_SITE_POLICY: {
 	    XaceSitePolicyRec rec = {
 		va_arg(ap, char*),
 		va_arg(ap, int),
 		FALSE	/* default unrecognized */
 	    };
 	    calldata = &rec;
 	    prv = &rec.rval;
 	    break;
 	}
 	case XACE_DECLARE_EXT_SECURE: {
 	    XaceDeclareExtSecureRec rec = {
 		va_arg(ap, ExtensionEntry*),
 		va_arg(ap, Bool)
 	    };
 	    calldata = &rec;
 	    break;
 	}
 	case XACE_AUTH_AVAIL: {
 	    XaceAuthAvailRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, XID)
 	    };
 	    calldata = &rec;
 	    break;
 	}
 	case XACE_KEY_AVAIL: {
 	    XaceKeyAvailRec rec = {
 		va_arg(ap, xEventPtr),
 		va_arg(ap, DeviceIntPtr),
 		va_arg(ap, int)
 	    };
 	    calldata = &rec;
 	    break;
 	}
 	case XACE_WINDOW_INIT: {
 	    XaceWindowRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, WindowPtr)
 	    };
 	    calldata = &rec;
 	    break;
 	}
 	case XACE_AUDIT_BEGIN: {
 	    XaceAuditRec rec = {
 		va_arg(ap, ClientPtr),
 		0
 	    };
 	    calldata = &rec;
 	    break;
 	}
 	case XACE_AUDIT_END: {
 	    XaceAuditRec rec = {
 		va_arg(ap, ClientPtr),
 		va_arg(ap, int)
 	    };
 	    calldata = &rec;
 	    break;
 	}
 	default: {
 	    va_end(ap);
 	    return 0;	/* unimplemented hook number */
 	}
    }
    va_end(ap);
    /* call callbacks and return result, if any. */
    CallCallbacks(&XaceHooks[hook], calldata);
    return prv ? *prv : 0;
 }
 static int
 ProcXaceDispatch(ClientPtr client)
 {
    REQUEST(xReq);
    switch (stuff->data)
    {
 	default:
 	    return BadRequest;
    }
 } /* ProcXaceDispatch */
 static int
 SProcXaceDispatch(ClientPtr client)
 {
    REQUEST(xReq);
    switch (stuff->data)
    {
 	default:
 	    return BadRequest;
    }
 } /* SProcXaceDispatch */
 /* XaceResetProc
 *
 * Arguments:
 *	extEntry is the extension information for the XACE extension.
 *
 * Returns: nothing.
 *
 * Side Effects:
 *	Performs any cleanup needed by XACE at server shutdown time.
 */
 static void
 XaceResetProc(ExtensionEntry *extEntry)
 {
    int i;
    for (i=0; i<XACE_NUM_HOOKS; i++)
    {
 	DeleteCallbackList(&XaceHooks[i]);
 	XaceHooks[i] = NULL;
    }
 } /* XaceResetProc */
 static int
 XaceCatchDispatchProc(ClientPtr client)
 {
    REQUEST(xReq);
    int major = stuff->reqType;
    if (!ProcVector[major])
 	return (BadRequest);
    if (!XaceHook(XACE_CORE_DISPATCH, client))
 	return (BadAccess);
    return client->swapped ? 
 	(* SwappedProcVector[major])(client) :
 	(* ProcVector[major])(client);
 }
 static int
 XaceCatchExtProc(ClientPtr client)
 {
    REQUEST(xReq);
    int major = stuff->reqType;
    ExtensionEntry *ext = GetExtensionEntry(major);
    if (!ext || !ProcVector[major])
 	return (BadRequest);
    if (!XaceHook(XACE_EXT_DISPATCH, client, ext))
 	return (BadRequest); /* pretend extension doesn't exist */
    return client->swapped ?
 	(* SwappedProcVector[major])(client) :
 	(* ProcVector[major])(client);
 }
 /* SecurityClientStateCallback
 *
 * Arguments:
 *	pcbl is &ClientStateCallback.
 *	nullata is NULL.
 *	calldata is a pointer to a NewClientInfoRec (include/dixstruct.h)
 *	which contains information about client state changes.
 *
 * Returns: nothing.
 *
 * Side Effects:
 * 
 * If a new client is connecting, its authorization ID is copied to
 * client->authID.  If this is a generated authorization, its reference
 * count is bumped, its timer is cancelled if it was running, and its
 * trustlevel is copied to TRUSTLEVEL(client).
 * 
 * If a client is disconnecting and the client was using a generated
 * authorization, the authorization's reference count is decremented, and
 * if it is now zero, the timer for this authorization is started.
 */
 static void
 XaceClientStateCallback(
    CallbackListPtr *pcbl,
    pointer nulldata,
    pointer calldata)
 {
    NewClientInfoRec *pci = (NewClientInfoRec *)calldata;
    ClientPtr client = pci->client;
    switch (client->clientState)
    {
 	case ClientStateRunning:
 	{ 
 	    client->requestVector = client->swapped ?
 		SwappedUntrustedProcVector : UntrustedProcVector;
 	    break;
 	}
 	default: break; 
    }
 } /* XaceClientStateCallback */
 /* XaceExtensionInit
 *
 * Initialize the XACE Extension
 */
 void XaceExtensionInit(INITARGS)
 {
    ExtensionEntry	*extEntry;
    int i;
    if (!AddCallback(&ClientStateCallback, XaceClientStateCallback, NULL))
 	return;
    extEntry = AddExtension(XACE_EXTENSION_NAME,
 			    XaceNumberEvents, XaceNumberErrors,
 			    ProcXaceDispatch, SProcXaceDispatch,
 			    XaceResetProc, StandardMinorOpcode);
    /* initialize dispatching intercept functions */
    for (i = 0; i < 128; i++)
    {
 	UntrustedProcVector[i] = XaceCatchDispatchProc;
 	SwappedUntrustedProcVector[i] = XaceCatchDispatchProc;
    }
    for (i = 128; i < 256; i++)
    {
 	UntrustedProcVector[i] = XaceCatchExtProc;
 	SwappedUntrustedProcVector[i] = XaceCatchExtProc;
    }
 }
 /* XaceCensorImage
 *
 * Called after pScreen->GetImage to prevent pieces or trusted windows from
 * being returned in image data from an untrusted window.
 *
 * Arguments:
 *	client is the client doing the GetImage.
 *      pVisibleRegion is the visible region of the window.
 *	widthBytesLine is the width in bytes of one horizontal line in pBuf.
 *	pDraw is the source window.
 *	x, y, w, h is the rectangle of image data from pDraw in pBuf.
 *	format is the format of the image data in pBuf: ZPixmap or XYPixmap.
 *	pBuf is the image data.
 *
 * Returns: nothing.
 *
 * Side Effects:
 *	Any part of the rectangle (x, y, w, h) that is outside the visible
 *	region of the window will be destroyed (overwritten) in pBuf.
 */
 void
 XaceCensorImage(client, pVisibleRegion, widthBytesLine, pDraw, x, y, w, h,
 		format, pBuf)
    ClientPtr client;
    RegionPtr pVisibleRegion;
    long widthBytesLine;
    DrawablePtr pDraw;
    int x, y, w, h;
    unsigned int format;
    char * pBuf;
 {
    ScreenPtr pScreen = pDraw->pScreen;
    RegionRec imageRegion;  /* region representing x,y,w,h */
    RegionRec censorRegion; /* region to obliterate */
    BoxRec imageBox;
    int nRects;
    imageBox.x1 = x;
    imageBox.y1 = y;
    imageBox.x2 = x + w;
    imageBox.y2 = y + h;
    REGION_INIT(pScreen, &imageRegion, &imageBox, 1);
    REGION_NULL(pScreen, &censorRegion);
    /* censorRegion = imageRegion - visibleRegion */
    REGION_SUBTRACT(pScreen, &censorRegion, &imageRegion, pVisibleRegion);
    nRects = REGION_NUM_RECTS(&censorRegion);
    if (nRects > 0)
    { /* we have something to censor */
 	GCPtr pScratchGC = NULL;
 	PixmapPtr pPix = NULL;
 	xRectangle *pRects = NULL;
 	Bool failed = FALSE;
 	int depth = 1;
 	int bitsPerPixel = 1;
 	int i;
 	BoxPtr pBox;
 	/* convert region to list-of-rectangles for PolyFillRect */
 	pRects = (xRectangle *)ALLOCATE_LOCAL(nRects * sizeof(xRectangle *));
 	if (!pRects)
 	{
 	    failed = TRUE;
 	    goto failSafe;
 	}
 	for (pBox = REGION_RECTS(&censorRegion), i = 0;
 	     i < nRects;
 	     i++, pBox++)
 	{
 	    pRects[i].x = pBox->x1;
 	    pRects[i].y = pBox->y1 - imageBox.y1;
 	    pRects[i].width  = pBox->x2 - pBox->x1;
 	    pRects[i].height = pBox->y2 - pBox->y1;
 	}
 	/* use pBuf as a fake pixmap */
 	if (format == ZPixmap)
 	{
 	    depth = pDraw->depth;
 	    bitsPerPixel = pDraw->bitsPerPixel;
 	}
 	pPix = GetScratchPixmapHeader(pDraw->pScreen, w, h,
 		    depth, bitsPerPixel,
 		    widthBytesLine, (pointer)pBuf);
 	if (!pPix)
 	{
 	    failed = TRUE;
 	    goto failSafe;
 	}
 	pScratchGC = GetScratchGC(depth, pPix->drawable.pScreen);
 	if (!pScratchGC)
 	{
 	    failed = TRUE;
 	    goto failSafe;
 	}
 	ValidateGC(&pPix->drawable, pScratchGC);
 	(* pScratchGC->ops->PolyFillRect)(&pPix->drawable,
 			    pScratchGC, nRects, pRects);
    failSafe:
 	if (failed)
 	{
 	    /* Censoring was not completed above.  To be safe, wipe out
 	     * all the image data so that nothing trusted gets out.
 	     */
 	    bzero(pBuf, (int)(widthBytesLine * h));
 	}
 	if (pRects)     DEALLOCATE_LOCAL(pRects);
 	if (pScratchGC) FreeScratchGC(pScratchGC);
 	if (pPix)       FreeScratchPixmapHeader(pPix);
    }
    REGION_UNINIT(pScreen, &imageRegion);
    REGION_UNINIT(pScreen, &censorRegion);
 } /* XaceCensorImage */
--- a/Xext/xace.h
+++ b/Xext/xace.h
@ -0,0 +1,103 @@
 /************************************************************
 Author: Eamon Walsh <ewalsh@epoch.ncsc.mil>
 Permission to use, copy, modify, distribute, and sell this software and its
 documentation for any purpose is hereby granted without fee, provided that
 this permission notice appear in supporting documentation.  This permission
 notice shall be included in all copies or substantial portions of the
 Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
 AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
 AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ********************************************************/
 #ifndef _XACE_H
 #define _XACE_H
 #define XACE_EXTENSION_NAME		"XAccessControlExtension"
 #define XACE_MAJOR_VERSION		1
 #define XACE_MINOR_VERSION		0
 #include "pixmap.h"     /* for DrawablePtr */
 #include "regionstr.h"  /* for RegionPtr */
 #define XaceNumberEvents		0
 #define XaceNumberErrors		0
 /* security hooks */
 /* Constants used to identify the available security hooks
 */
 #define XACE_CORE_DISPATCH		0
 #define XACE_EXT_DISPATCH		1
 #define XACE_RESOURCE_ACCESS		2
 #define XACE_DEVICE_ACCESS		3
 #define XACE_PROPERTY_ACCESS		4
 #define XACE_DRAWABLE_ACCESS		5
 #define XACE_MAP_ACCESS			6
 #define XACE_BACKGRND_ACCESS		7
 #define XACE_EXT_ACCESS			8
 #define XACE_HOSTLIST_ACCESS		9
 #define XACE_SITE_POLICY		10
 #define XACE_DECLARE_EXT_SECURE		11
 #define XACE_AUTH_AVAIL			12
 #define XACE_KEY_AVAIL			13
 #define XACE_WINDOW_INIT		14
 #define XACE_AUDIT_BEGIN		15
 #define XACE_AUDIT_END			16
 #define XACE_NUM_HOOKS			17
 extern CallbackListPtr XaceHooks[XACE_NUM_HOOKS];
 /* Entry point for hook functions.  Called by Xserver.
 */
 extern int XaceHook(
    int /*hook*/,
    ... /*appropriate args for hook*/
    ); 
 /* Register a callback for a given hook.
 */
 #define XaceRegisterCallback(hook,callback,data) \
    AddCallback(XaceHooks+(hook), callback, data)
 /* Unregister an existing callback for a given hook.
 */
 #define XaceDeleteCallback(hook,callback,data) \
    DeleteCallback(XaceHooks+(hook), callback, data)
 /* From the original Security extension...
 */
 /* Hook return codes */
 #define SecurityAllowOperation  0
 #define SecurityIgnoreOperation 1
 #define SecurityErrorOperation  2
 /* Proc vectors for untrusted clients, swapped and unswapped versions.
 * These are the same as the normal proc vectors except that extensions
 * that haven't declared themselves secure will have ProcBadRequest plugged
 * in for their major opcode dispatcher.  This prevents untrusted clients
 * from guessing extension major opcodes and using the extension even though
 * the extension can't be listed or queried.
 */
 extern int (*UntrustedProcVector[256])(ClientPtr client);
 extern int (*SwappedUntrustedProcVector[256])(ClientPtr client);
 extern void XaceCensorImage(
    ClientPtr client,
    RegionPtr pVisibleRegion,
    long widthBytesLine,
    DrawablePtr pDraw,
    int x, int y, int w, int h,
    unsigned int format,
    char * pBuf
    );
 #endif /* _XACE_H */
--- a/Xext/xacestr.h
+++ b/Xext/xacestr.h
@ -0,0 +1,135 @@
 /************************************************************
 Author: Eamon Walsh <ewalsh@epoch.ncsc.mil>
 Permission to use, copy, modify, distribute, and sell this software and its
 documentation for any purpose is hereby granted without fee, provided that
 this permission notice appear in supporting documentation.  This permission
 notice shall be included in all copies or substantial portions of the
 Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
 AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
 AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ********************************************************/
 #ifndef _XACESTR_H
 #define _XACESTR_H
 #include <X11/Xdefs.h>
 #include "dixstruct.h"
 #include "resource.h"
 #include "extnsionst.h"
 #include "gcstruct.h"
 #include "windowstr.h"
 #include "inputstr.h"
 #include "xace.h"
 /* XACE_CORE_DISPATCH */
 typedef struct {
    ClientPtr client;
    int rval;
 } XaceCoreDispatchRec;
 /* XACE_RESOURCE_ACCESS */
 /* XACE_RESOURCE_CREATE */
 typedef struct {
    ClientPtr client;
    XID id;
    RESTYPE rtype;
    Mask access_mode;
    pointer res;
    int rval;
 } XaceResourceAccessRec;
 /* XACE_DEVICE_ACCESS */
 typedef struct {
    ClientPtr client;
    DeviceIntPtr dev;
    Bool fromRequest;
    int rval;
 } XaceDeviceAccessRec;
 /* XACE_PROPERTY_ACCESS */
 typedef struct {
    ClientPtr client;
    WindowPtr pWin;
    Atom propertyName;
    Mask access_mode;
    int rval;
 } XacePropertyAccessRec;
 /* XACE_DRAWABLE_ACCESS */
 typedef struct {
    ClientPtr client;
    DrawablePtr pDraw;
    int rval;
 } XaceDrawableAccessRec;
 /* XACE_MAP_ACCESS */
 /* XACE_BACKGRND_ACCESS */
 typedef struct {
    ClientPtr client;
    WindowPtr pWin;
    int rval;
 } XaceMapAccessRec;
 /* XACE_EXT_DISPATCH_ACCESS */
 /* XACE_EXT_ACCESS */
 typedef struct {
    ClientPtr client;
    ExtensionEntry *ext;
    int rval;
 } XaceExtAccessRec;
 /* XACE_HOSTLIST_ACCESS */
 typedef struct {
    ClientPtr client;
    Mask access_mode;
    int rval;
 } XaceHostlistAccessRec;
 /* XACE_SITE_POLICY */
 typedef struct {
    char *policyString;
    int len;
    int rval;
 } XaceSitePolicyRec;
 /* XACE_DECLARE_EXT_SECURE */
 typedef struct {
    ExtensionEntry *ext;
    Bool secure;
 } XaceDeclareExtSecureRec;
 /* XACE_AUTH_AVAIL */
 typedef struct {
    ClientPtr client;
    XID authId;
 } XaceAuthAvailRec;
 /* XACE_KEY_AVAIL */
 typedef struct {
    xEventPtr event;
    DeviceIntPtr keybd;
    int count;
 } XaceKeyAvailRec;
 /* XACE_WINDOW_INIT */
 typedef struct {
    ClientPtr client;
    WindowPtr pWin;
 } XaceWindowRec;
 /* XACE_AUDIT_BEGIN */
 /* XACE_AUDIT_END */
 typedef struct {
    ClientPtr client;
    int requestResult;
 } XaceAuditRec;
 #endif /* _XACESTR_H */
--- a/configure.ac
+++ b/configure.ac
@ -413,11 +413,12 @@ AC_ARG_ENABLE(dri,            AS_HELP_STRING([--enable-dri], [Build DRI extensio
 AC_ARG_ENABLE(xinerama,	      AS_HELP_STRING([--disable-xinerama], [Build Xinerama extension (default: enabled)]), [XINERAMA=$enableval], [XINERAMA=yes])
 AC_ARG_ENABLE(xf86vidmode,    AS_HELP_STRING([--disable-xf86vidmode], [Build XF86VidMode extension (default: enabled)]), [XF86VIDMODE=$enableval], [XF86VIDMODE=yes])
 AC_ARG_ENABLE(xf86misc,       AS_HELP_STRING([--disable-xf86misc], [Build XF86Misc extension (default: enabled)]), [XF86MISC=$enableval], [XF86MISC=yes])
-AC_ARG_ENABLE(xcsecurity,     AS_HELP_STRING([--disable-xcsecurity], [Build Security extension (default: enabled)]), [XCSECURITY=$enableval], [XCSECURITY=yes])
+AC_ARG_ENABLE(xace,     AS_HELP_STRING([--disable-xace], [Build X-ACE extension (default: enabled)]), [XACE=$enableval], [XACE=yes])
 AC_ARG_ENABLE(xcsecurity,     AS_HELP_STRING([--disable-xcsecurity], [Build Security extension (default: enabled)]), [XCSECURITY=$enableval], [XCSECURITY=$XACE])
 AC_ARG_ENABLE(appgroup,       AS_HELP_STRING([--disable-appgroup], [Build XC-APPGROUP extension (default: enabled)]), [APPGROUP=$enableval], [APPGROUP=$XCSECURITY])
 AC_ARG_ENABLE(xcalibrate,     AS_HELP_STRING([--enable-xcalibrate], [Build XCalibrate extension (default: disabled)]), [XCALIBRATE=$enableval], [XCALIBRATE=no])
 AC_ARG_ENABLE(tslib,          AS_HELP_STRING([--enable-tslib], [Build kdrive tslib touchscreen support (default: disabled)]), [TSLIB=$enableval], [TSLIB=no])
 AC_ARG_ENABLE(xevie,          AS_HELP_STRING([--disable-xevie], [Build XEvIE extension (default: enabled)]), [XEVIE=$enableval], [XEVIE=yes])
 AC_ARG_ENABLE(appgroup,       AS_HELP_STRING([--disable-appgroup], [Build XC-APPGROUP extension (default: enabled)]), [APPGROUP=$enableval], [APPGROUP=yes])
 AC_ARG_ENABLE(cup,            AS_HELP_STRING([--disable-cup], [Build TOG-CUP extension (default: enabled)]), [CUP=$enableval], [CUP=yes])
 AC_ARG_ENABLE(evi,            AS_HELP_STRING([--disable-evi], [Build Extended-Visual-Information extension (default: enabled)]), [EVI=$enableval], [EVI=yes])
 AC_ARG_ENABLE(multibuffer,    AS_HELP_STRING([--enable-multibuffer], [Build Multibuffer extension (default: disabled)]), [MULTIBUFFER=$enableval], [MULTIBUFFER=no])
@ -622,8 +623,16 @@ if test "x$XINERAMA" = xyes; then
 	REQUIRED_MODULES="$REQUIRED_MODULES xineramaproto"
 fi
 AM_CONDITIONAL(XACE, [test "x$XACE" = xyes])
 if test "x$XACE" = xyes; then
 	AC_DEFINE(XACE, 1, [Build X-ACE extension])
 fi
 AM_CONDITIONAL(XCSECURITY, [test "x$XCSECURITY" = xyes])
 if test "x$XCSECURITY" = xyes; then
 	if test "x$XACE" != xyes; then
 		AC_MSG_ERROR([cannot build Security extension without X-ACE])
 	fi
 	AC_DEFINE(XCSECURITY, 1, [Build Security extension])
 fi
@ -633,12 +642,11 @@ if test "x$XEVIE" = xyes; then
 	REQUIRED_MODULES="$REQUIRED_MODULES evieproto"
 fi
 if test "x$APPGROUP" = xyes && test "x$XCSECURITY" != xyes; then
 	AC_MSG_NOTICE([Disabling APPGROUP extension])
 	APPGROUP=no
 fi
 AM_CONDITIONAL(APPGROUP, [test "x$APPGROUP" = xyes])
 if test "x$APPGROUP" = xyes; then
 	if test "x$XACE" != xyes || test "x$XCSECURITY" != xyes; then
 		AC_MSG_ERROR([cannot build APPGROUP extension without X-ACE and XC-SECURITY])
 	fi
 	AC_DEFINE(XAPPGROUP, 1, [Build APPGROUP extension])
 fi
--- a/dix/devices.c
+++ b/dix/devices.c
@ -69,8 +69,8 @@ SOFTWARE.
 #ifdef XKB
 #include <X11/extensions/XKBsrv.h>
 #endif
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 #include "dispatch.h"
@ -946,8 +946,8 @@ ProcSetModifierMapping(ClientPtr client)
 	}
    }
-#ifdef XCSECURITY
+#ifdef XACE
-    if (!SecurityCheckDeviceAccess(client, keybd, TRUE))
+    if (!XaceHook(XACE_DEVICE_ACCESS, client, keybd, TRUE))
 	return BadAccess;
 #endif 
@ -1063,9 +1063,8 @@ ProcChangeKeyboardMapping(ClientPtr client)
 	    client->errorValue = stuff->keySymsPerKeyCode;
 	    return BadValue;
    }
-#ifdef XCSECURITY
+#ifdef XACE
-    if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard,
+    if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
 				   TRUE))
 	return BadAccess;
 #endif 
    keysyms.minKeyCode = stuff->firstKeyCode;
@ -1211,8 +1210,8 @@ ProcChangeKeyboardControl (ClientPtr client)
    vmask = stuff->mask;
    if (client->req_len != (sizeof(xChangeKeyboardControlReq)>>2)+Ones(vmask))
 	return BadLength;
-#ifdef XCSECURITY
+#ifdef XACE
-    if (!SecurityCheckDeviceAccess(client, keybd, TRUE))
+    if (!XaceHook(XACE_DEVICE_ACCESS, client, keybd, TRUE))
 	return BadAccess;
 #endif 
    vlist = (XID *)&stuff[1];		/* first word of values */
@ -1600,8 +1599,8 @@ ProcQueryKeymap(ClientPtr client)
    rep.type = X_Reply;
    rep.sequenceNumber = client->sequence;
    rep.length = 2;
-#ifdef XCSECURITY
+#ifdef XACE
-    if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE))
+    if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
    {
 	bzero((char *)&rep.map[0], 32);
    }
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@ -104,8 +104,8 @@ int ProcInitialConnection();
 #include "panoramiX.h"
 #include "panoramiXsrv.h"
 #endif
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 #ifdef XAPPGROUP
 #include "appgroup.h"
@ -451,7 +451,15 @@ Dispatch(void)
 		if (result > (maxBigRequestSize << 2))
 		    result = BadLength;
 		else
 #ifdef XACE
 		{
 		    XaceHook(XACE_AUDIT_BEGIN, client);
 		    result = (* client->requestVector[MAJOROP])(client);
 		    XaceHook(XACE_AUDIT_END, client, result);
 		}
 #else
    		    result = (* client->requestVector[MAJOROP])(client);
 #endif /* XACE */
 		if (result != Success) 
 		{
@ -1099,11 +1107,10 @@ ProcConvertSelection(register ClientPtr client)
 	       CurrentSelections[i].selection != stuff->selection) i++;
 	if ((i < NumCurrentSelections) && 
 	    (CurrentSelections[i].window != None)
-#ifdef XCSECURITY
+#ifdef XACE
-	    && (!client->CheckAccess ||
+	    && XaceHook(XACE_RESOURCE_ACCESS, client,
-		(* client->CheckAccess)(client, CurrentSelections[i].window,
+			CurrentSelections[i].window, RT_WINDOW,
-					RT_WINDOW, SecurityReadAccess,
+			SecurityReadAccess, CurrentSelections[i].pWin)
 					CurrentSelections[i].pWin))
 #endif
 	    )
 	{        
@ -2095,7 +2102,7 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable,
    Mask		plane = 0;
    char		*pBuf;
    xGetImageReply	xgi;
-#ifdef XCSECURITY
+#ifdef XACE
    RegionPtr pVisibleRegion = NULL;
 #endif
@ -2201,9 +2208,9 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable,
 	WriteReplyToClient(client, sizeof (xGetImageReply), &xgi);
    }
-#ifdef XCSECURITY
+#ifdef XACE
-    if (client->trustLevel != XSecurityClientTrusted &&
+    if (pDraw->type == DRAWABLE_WINDOW &&
-	pDraw->type == DRAWABLE_WINDOW)
+	!XaceHook(XACE_DRAWABLE_ACCESS, client, pDraw))
    {
 	pVisibleRegion = NotClippedByChildren((WindowPtr)pDraw);
 	if (pVisibleRegion)
@ -2231,9 +2238,9 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable,
 				         format,
 				         planemask,
 				         (pointer) pBuf);
-#ifdef XCSECURITY
+#ifdef XACE
 	    if (pVisibleRegion)
-		SecurityCensorImage(client, pVisibleRegion, widthBytesLine,
+		XaceCensorImage(client, pVisibleRegion, widthBytesLine,
 			pDraw, x, y + linesDone, width, 
 			nlines, format, pBuf);
 #endif
@ -2272,9 +2279,9 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable,
 				                 format,
 				                 plane,
 				                 (pointer)pBuf);
-#ifdef XCSECURITY
+#ifdef XACE
 		    if (pVisibleRegion)
-			SecurityCensorImage(client, pVisibleRegion,
+			XaceCensorImage(client, pVisibleRegion,
 				widthBytesLine,
 				pDraw, x, y + linesDone, width, 
 				nlines, format, pBuf);
@ -2300,7 +2307,7 @@ DoGetImage(register ClientPtr client, int format, Drawable drawable,
            }
 	}
    }
-#ifdef XCSECURITY
+#ifdef XACE
    if (pVisibleRegion)
 	REGION_DESTROY(pDraw->pScreen, pVisibleRegion);
 #endif
@ -3274,11 +3281,10 @@ ProcListHosts(register ClientPtr client)
    /* REQUEST(xListHostsReq); */
    REQUEST_SIZE_MATCH(xListHostsReq);
-#ifdef XCSECURITY
+#ifdef XACE
    /* untrusted clients can't list hosts */
-    if (client->trustLevel != XSecurityClientTrusted)
+    if (!XaceHook(XACE_HOSTLIST_ACCESS, client, SecurityReadAccess))
    {
 	SecurityAudit("client %d attempted to list hosts\n", client->index);
 	return BadAccess;
    }
 #endif
@ -3606,8 +3612,13 @@ CloseDownRetainedResources()
    }
 }
 extern int clientPrivateLen;
 extern unsigned *clientPrivateSizes;
 extern unsigned totalClientSize;
 void InitClient(ClientPtr client, int i, pointer ospriv)
 {
    bzero(client, totalClientSize);
    client->index = i;
    client->sequence = 0; 
    client->clientAsMask = ((Mask)i) << CLIENTOFFSET;
@ -3646,11 +3657,6 @@ void InitClient(ClientPtr client, int i, pointer ospriv)
    }
 #endif
    client->replyBytesRemaining = 0;
 #ifdef XCSECURITY
    client->trustLevel = XSecurityClientTrusted;
    client->CheckAccess = NULL;
    client->authId = 0;
 #endif
 #ifdef XAPPGROUP
    client->appgroup = NULL;
 #endif
@ -3663,10 +3669,6 @@ void InitClient(ClientPtr client, int i, pointer ospriv)
 #endif
 }
 extern int clientPrivateLen;
 extern unsigned *clientPrivateSizes;
 extern unsigned totalClientSize;
 int
 InitClientPrivates(ClientPtr client)
 {
@ -3699,6 +3701,17 @@ InitClientPrivates(ClientPtr client)
 	else
 	    ppriv->ptr = (pointer)NULL;
    }
    /* Allow registrants to initialize the serverClient devPrivates */
    if (!client->index && ClientStateCallback)
    {
 	NewClientInfoRec clientinfo;
 	clientinfo.client = client; 
 	clientinfo.prefix = (xConnSetupPrefix *)NULL;  
 	clientinfo.setup = (xConnSetup *) NULL;
 	CallCallbacks((&ClientStateCallback), (pointer)&clientinfo);
    } 
    return 1;
 }
--- a/dix/dixutils.c
+++ b/dix/dixutils.c
@ -95,8 +95,8 @@ Author:  Adobe Systems Incorporated
 #include "scrnintstr.h"
 #define  XK_LATIN1
 #include <X11/keysymdef.h>
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 /*
@ -196,7 +196,7 @@ CompareISOLatin1Lowered(unsigned char *s1, int s1len,
    return (int) c1 - (int) c2;
 }
-#ifdef XCSECURITY
+#ifdef XACE
 /* SecurityLookupWindow and SecurityLookupDrawable:
 * Look up the window/drawable taking into account the client doing
@ -204,32 +204,16 @@ CompareISOLatin1Lowered(unsigned char *s1, int s1len,
 * if it exists and the client is allowed access, else return NULL.
 * Most Proc* functions should be calling these instead of
 * LookupWindow and LookupDrawable, which do no access checks.
 * XACE note: need to see if client->lastDrawableID can still be used here.
 */
 _X_EXPORT WindowPtr
 SecurityLookupWindow(XID rid, ClientPtr client, Mask access_mode)
 {
    WindowPtr	pWin;
    client->errorValue = rid;
    if(rid == INVALID)
 	return NULL;
-    if (client->trustLevel != XSecurityClientTrusted)
+    return (WindowPtr)SecurityLookupIDByType(client, rid, RT_WINDOW, access_mode);
 	return (WindowPtr)SecurityLookupIDByType(client, rid, RT_WINDOW, access_mode);
    if (client->lastDrawableID == rid)
    {
        if (client->lastDrawable->type == DRAWABLE_WINDOW)
            return ((WindowPtr) client->lastDrawable);
        return (WindowPtr) NULL;
    }
    pWin = (WindowPtr)SecurityLookupIDByType(client, rid, RT_WINDOW, access_mode);
    if (pWin && pWin->drawable.type == DRAWABLE_WINDOW) {
 	client->lastDrawable = (DrawablePtr) pWin;
 	client->lastDrawableID = rid;
 	client->lastGCID = INVALID;
 	client->lastGC = (GCPtr)NULL;
    }
    return pWin;
 }
@ -240,11 +224,6 @@ SecurityLookupDrawable(XID rid, ClientPtr client, Mask access_mode)
    if(rid == INVALID)
 	return (pointer) NULL;
    if (client->trustLevel != XSecurityClientTrusted)
 	return (DrawablePtr)SecurityLookupIDByClass(client, rid, RC_DRAWABLE,
 						    access_mode);
    if (client->lastDrawableID == rid)
 	return ((pointer) client->lastDrawable);
    pDraw = (DrawablePtr)SecurityLookupIDByClass(client, rid, RC_DRAWABLE,
 						 access_mode);
    if (pDraw && (pDraw->type != UNDRAWABLE_WINDOW))
@ -268,7 +247,7 @@ LookupDrawable(XID rid, ClientPtr client)
    return SecurityLookupDrawable(rid, client, SecurityUnknownAccess);
 }
-#else /* not XCSECURITY */
+#else /* not XACE */
 WindowPtr
 LookupWindow(XID rid, ClientPtr client)
@ -310,7 +289,7 @@ LookupDrawable(XID rid, ClientPtr client)
    return (pointer)NULL;
 }
-#endif /* XCSECURITY */
+#endif /* XACE */
 _X_EXPORT ClientPtr
 LookupClient(XID rid, ClientPtr client)
--- a/dix/events.c
+++ b/dix/events.c
@ -135,8 +135,8 @@ of the copyright holder.
 extern Bool XkbFilterEvents(ClientPtr, int, xEvent *);
 #endif
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 #ifdef XEVIE
@ -2476,8 +2476,8 @@ CheckPassiveGrabsOnWindow(
 	     (grab->confineTo->realized && 
 				BorderSizeNotEmpty(grab->confineTo))))
 	{
-#ifdef XCSECURITY
+#ifdef XACE
-	    if (!SecurityCheckDeviceAccess(wClient(pWin), device, FALSE))
+	    if (!XaceHook(XACE_DEVICE_ACCESS, wClient(pWin), device, FALSE))
 		return FALSE;
 #endif
 #ifdef XKB
@ -2846,6 +2846,10 @@ drawable.id:0;
 	DeliverFocusedEvent(keybd, xE, sprite.win, count);
    if (deactivateGrab)
        (*keybd->DeactivateGrab)(keybd);
 #ifdef XACE
    XaceHook(XACE_KEY_AVAIL, xE, keybd, count);
 #endif
 }
 #ifdef XKB
@ -3279,10 +3283,10 @@ EnterLeaveEvent(
    {
 	xKeymapEvent ke;
-#ifdef XCSECURITY
+#ifdef XACE
 	ClientPtr client = grab ? rClient(grab)
 				: clients[CLIENT_ID(pWin->drawable.id)];
-	if (!SecurityCheckDeviceAccess(client, keybd, FALSE))
+	if (!XaceHook(XACE_DEVICE_ACCESS, client, keybd, FALSE))
 	{
 	    bzero((char *)&ke.map[0], 31);
 	}
@ -3374,9 +3378,9 @@ FocusEvent(DeviceIntPtr dev, int type, int mode, int detail, register WindowPtr
 	((pWin->eventMask | wOtherEventMasks(pWin)) & KeymapStateMask))
    {
 	xKeymapEvent ke;
-#ifdef XCSECURITY
+#ifdef XACE
 	ClientPtr client = clients[CLIENT_ID(pWin->drawable.id)];
-	if (!SecurityCheckDeviceAccess(client, dev, FALSE))
+	if (!XaceHook(XACE_DEVICE_ACCESS, client, dev, FALSE))
 	{
 	    bzero((char *)&ke.map[0], 31);
 	}
@ -3645,8 +3649,8 @@ ProcSetInputFocus(client)
    REQUEST(xSetInputFocusReq);
    REQUEST_SIZE_MATCH(xSetInputFocusReq);
-#ifdef XCSECURITY
+#ifdef XACE
-    if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE))
+    if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
 	return Success;
 #endif
    return SetInputFocus(client, inputInfo.keyboard, stuff->focus,
@ -3910,8 +3914,8 @@ ProcGrabKeyboard(ClientPtr client)
    int result;
    REQUEST_SIZE_MATCH(xGrabKeyboardReq);
-#ifdef XCSECURITY
+#ifdef XACE
-    if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE))
+    if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
    {
 	result = Success;
 	rep.status = AlreadyGrabbed;
--- a/dix/extension.c
+++ b/dix/extension.c
@ -59,8 +59,8 @@ SOFTWARE.
 #include "gcstruct.h"
 #include "scrnintstr.h"
 #include "dispatch.h"
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 #define EXTENSION_BASE  128
@ -76,6 +76,39 @@ int lastEvent = EXTENSION_EVENT_BASE;
 static int lastError = FirstExtensionError;
 static unsigned int NumExtensions = 0;
 extern int extensionPrivateLen;
 extern unsigned *extensionPrivateSizes;
 extern unsigned totalExtensionSize;
 static void
 InitExtensionPrivates(ExtensionEntry *ext)
 {
    register char *ptr;
    DevUnion *ppriv;
    register unsigned *sizes;
    register unsigned size;
    register int i;
    if (totalExtensionSize == sizeof(ExtensionEntry))
 	ppriv = (DevUnion *)NULL;
    else
 	ppriv = (DevUnion *)(ext + 1);
    ext->devPrivates = ppriv;
    sizes = extensionPrivateSizes;
    ptr = (char *)(ppriv + extensionPrivateLen);
    for (i = extensionPrivateLen; --i >= 0; ppriv++, sizes++)
    {
 	if ( (size = *sizes) )
 	{
 	    ppriv->ptr = (pointer)ptr;
 	    ptr += size;
 	}
 	else
 	    ppriv->ptr = (pointer)NULL;
    }
 }
 _X_EXPORT ExtensionEntry *
 AddExtension(char *name, int NumEvents, int NumErrors, 
 	     int (*MainProc)(ClientPtr c1), 
@ -92,9 +125,11 @@ AddExtension(char *name, int NumEvents, int NumErrors,
 	        (unsigned)(lastError + NumErrors > LAST_ERROR))
        return((ExtensionEntry *) NULL);
-    ext = (ExtensionEntry *) xalloc(sizeof(ExtensionEntry));
+    ext = (ExtensionEntry *) xalloc(totalExtensionSize);
    if (!ext)
 	return((ExtensionEntry *) NULL);
    bzero(ext, totalExtensionSize);
    InitExtensionPrivates(ext);
    ext->name = (char *)xalloc(strlen(name) + 1);
    ext->num_aliases = 0;
    ext->aliases = (char **)NULL;
@ -144,9 +179,6 @@ AddExtension(char *name, int NumEvents, int NumErrors,
        ext->errorBase = 0;
        ext->errorLast = 0;
    }
 #ifdef XCSECURITY
    ext->secure = FALSE;
 #endif
    return(ext);
 }
@ -207,26 +239,27 @@ CheckExtension(const char *extname)
 	return NULL;
 }
 /*
 * Added as part of Xace.
 */
 ExtensionEntry *
 GetExtensionEntry(int major)
 {    
    if (major < EXTENSION_BASE)
 	return NULL;
    major -= EXTENSION_BASE;
    if (major >= NumExtensions)
 	return NULL;
    return extensions[major];
 }
 _X_EXPORT void
 DeclareExtensionSecurity(char *extname, Bool secure)
 {
-#ifdef XCSECURITY
+#ifdef XACE
    int i = FindExtension(extname, strlen(extname));
    if (i >= 0)
-    {
+	XaceHook(XACE_DECLARE_EXT_SECURE, extensions[i], secure);
 	int majorop = extensions[i]->base;
 	extensions[i]->secure = secure;
 	if (secure)
 	{
 	    UntrustedProcVector[majorop] = ProcVector[majorop];
 	    SwappedUntrustedProcVector[majorop] = SwappedProcVector[majorop];
 	}
 	else
 	{
 	    UntrustedProcVector[majorop]	= ProcBadRequest;
 	    SwappedUntrustedProcVector[majorop] = ProcBadRequest;
 	}
    }
 #endif
 }
@ -304,10 +337,9 @@ ProcQueryExtension(ClientPtr client)
    {
 	i = FindExtension((char *)&stuff[1], stuff->nbytes);
        if (i < 0
-#ifdef XCSECURITY
+#ifdef XACE
-	    /* don't show insecure extensions to untrusted clients */
+	    /* call callbacks to find out whether to show extension */
-	    || (client->trustLevel == XSecurityClientUntrusted &&
+	    || !XaceHook(XACE_EXT_ACCESS, client, extensions[i])
 		!extensions[i]->secure)
 #endif
 	    )
            reply.present = xFalse;
@ -344,10 +376,9 @@ ProcListExtensions(ClientPtr client)
        for (i=0;  i<NumExtensions; i++)
 	{
-#ifdef XCSECURITY
+#ifdef XACE
-	    /* don't show insecure extensions to untrusted clients */
+	    /* call callbacks to find out whether to show extension */
-	    if (client->trustLevel == XSecurityClientUntrusted &&
+	    if (!XaceHook(XACE_EXT_ACCESS, client, extensions[i]))
 		!extensions[i]->secure)
 		continue;
 #endif
 	    total_length += strlen(extensions[i]->name) + 1;
@ -362,9 +393,8 @@ ProcListExtensions(ClientPtr client)
        for (i=0;  i<NumExtensions; i++)
        {
 	    int len;
-#ifdef XCSECURITY
+#ifdef XACE
-	    if (client->trustLevel == XSecurityClientUntrusted &&
+	    if (!XaceHook(XACE_EXT_ACCESS, client, extensions[i]))
 		!extensions[i]->secure)
 		continue;
 #endif
            *bufptr++ = len = strlen(extensions[i]->name);
--- a/dix/main.c
+++ b/dix/main.c
@ -354,6 +354,7 @@ main(int argc, char *argv[], char *envp[])
 	InitAtoms();
 	InitEvents();
 	InitGlyphCaching();
 	ResetExtensionPrivates();
 	ResetClientPrivates();
 	ResetScreenPrivates();
 	ResetWindowPrivates();
--- a/dix/privates.c
+++ b/dix/privates.c
@ -42,6 +42,7 @@ from The Open Group.
 #include "servermd.h"
 #include "site.h"
 #include "inputstr.h"
 #include "extnsionst.h"
 /*
 *  See the Wrappers and devPrivates section in "Definition of the
@ -49,6 +50,63 @@ from The Open Group.
 *  for information on how to use devPrivates.
 */
 /*
 *  extension private machinery
 */
 static int  extensionPrivateCount;
 int extensionPrivateLen;
 unsigned *extensionPrivateSizes;
 unsigned totalExtensionSize;
 void
 ResetExtensionPrivates()
 {
    extensionPrivateCount = 0;
    extensionPrivateLen = 0;
    xfree(extensionPrivateSizes);
    extensionPrivateSizes = (unsigned *)NULL;
    totalExtensionSize =
 	((sizeof(ExtensionEntry) + sizeof(long) - 1) / sizeof(long)) * sizeof(long);
 }
 _X_EXPORT int
 AllocateExtensionPrivateIndex()
 {
    return extensionPrivateCount++;
 }
 _X_EXPORT Bool
 AllocateExtensionPrivate(int index2, unsigned amount)
 {
    unsigned oldamount;
    /* Round up sizes for proper alignment */
    amount = ((amount + (sizeof(long) - 1)) / sizeof(long)) * sizeof(long);
    if (index2 >= extensionPrivateLen)
    {
 	unsigned *nsizes;
 	nsizes = (unsigned *)xrealloc(extensionPrivateSizes,
 				      (index2 + 1) * sizeof(unsigned));
 	if (!nsizes)
 	    return FALSE;
 	while (extensionPrivateLen <= index2)
 	{
 	    nsizes[extensionPrivateLen++] = 0;
 	    totalExtensionSize += sizeof(DevUnion);
 	}
 	extensionPrivateSizes = nsizes;
    }
    oldamount = extensionPrivateSizes[index2];
    if (amount > oldamount)
    {
 	extensionPrivateSizes[index2] = amount;
 	totalExtensionSize += (amount - oldamount);
    }
    return TRUE;
 }
 /*
 *  client private machinery
 */
--- a/dix/property.c
+++ b/dix/property.c
@ -58,8 +58,8 @@ SOFTWARE.
 #include "dixstruct.h"
 #include "dispatch.h"
 #include "swaprep.h"
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 /*****************************************************************
@ -118,12 +118,12 @@ ProcRotateProperties(ClientPtr client)
 	return(BadAlloc);
    for (i = 0; i < stuff->nAtoms; i++)
    {
-#ifdef XCSECURITY
+#ifdef XACE
-	char action = SecurityCheckPropertyAccess(client, pWin, atoms[i],
+	char action = XaceHook(XACE_PROPERTY_ACCESS, client, pWin, atoms[i],
 				SecurityReadAccess|SecurityWriteAccess);
 #endif
        if (!ValidAtom(atoms[i])
-#ifdef XCSECURITY
+#ifdef XACE
 	    || (SecurityErrorOperation == action)
 #endif
 	   )
@ -132,7 +132,7 @@ ProcRotateProperties(ClientPtr client)
 	    client->errorValue = atoms[i];
            return BadAtom;
        }
-#ifdef XCSECURITY
+#ifdef XACE
 	if (SecurityIgnoreOperation == action)
        {
            DEALLOCATE_LOCAL(props);
@ -233,8 +233,8 @@ ProcChangeProperty(ClientPtr client)
 	return(BadAtom);
    }
-#ifdef XCSECURITY
+#ifdef XACE
-    switch (SecurityCheckPropertyAccess(client, pWin, stuff->property,
+    switch (XaceHook(XACE_PROPERTY_ACCESS, client, pWin, stuff->property,
 					SecurityWriteAccess))
    {
 	case SecurityErrorOperation:
@ -501,13 +501,13 @@ ProcGetProperty(ClientPtr client)
    if (!pProp) 
 	return NullPropertyReply(client, None, 0, &reply);
-#ifdef XCSECURITY
+#ifdef XACE
    {
 	Mask access_mode = SecurityReadAccess;
 	if (stuff->delete)
 	    access_mode |= SecurityDestroyAccess;
-	switch(SecurityCheckPropertyAccess(client, pWin, stuff->property,
+	switch(XaceHook(XACE_PROPERTY_ACCESS, client, pWin, stuff->property,
 					   access_mode))
 	{
 	    case SecurityErrorOperation:
@ -663,8 +663,8 @@ ProcDeleteProperty(register ClientPtr client)
 	return (BadAtom);
    }
-#ifdef XCSECURITY
+#ifdef XACE
-    switch(SecurityCheckPropertyAccess(client, pWin, stuff->property,
+    switch(XaceHook(XACE_PROPERTY_ACCESS, client, pWin, stuff->property,
 				       SecurityDestroyAccess))
    {
 	case SecurityErrorOperation:
--- a/dix/resource.c
+++ b/dix/resource.c
@ -120,6 +120,9 @@ Equipment Corporation.
 #include "panoramiX.h"
 #include "panoramiXsrv.h"
 #endif
 #ifdef XACE
 #include "xace.h"
 #endif
 #include <assert.h>
 static void RebuildTable(
@ -818,8 +821,6 @@ LegalNewID(XID id, register ClientPtr client)
 	     !LookupIDByClass(id, RC_ANY)));
 }
 #ifdef XCSECURITY
 /* SecurityLookupIDByType and SecurityLookupIDByClass:
 * These are the heart of the resource ID security system.  They take
 * two additional arguments compared to the old LookupID functions:
@ -835,10 +836,6 @@ SecurityLookupIDByType(ClientPtr client, XID id, RESTYPE rtype, Mask mode)
    register    ResourcePtr res;
    pointer retval = NULL;
    assert(client == NullClient ||
     (client->index <= currentMaxClients && clients[client->index] == client));
    assert( (rtype & TypeMask) <= lastResourceType);
    if (((cid = CLIENT_ID(id)) < MAXCLIENTS) &&
 	clientTable[cid].buckets)
    {
@ -851,8 +848,11 @@ SecurityLookupIDByType(ClientPtr client, XID id, RESTYPE rtype, Mask mode)
 		break;
 	    }
    }
-    if (retval && client && client->CheckAccess)
+#ifdef XACE
-	retval = (* client->CheckAccess)(client, id, rtype, mode, retval);
+    if (retval && client && 
 	!XaceHook(XACE_RESOURCE_ACCESS, client, id, rtype, mode, retval))
 	retval = NULL;
 #endif
    return retval;
 }
@ -864,10 +864,6 @@ SecurityLookupIDByClass(ClientPtr client, XID id, RESTYPE classes, Mask mode)
    register ResourcePtr res = NULL;
    pointer retval = NULL;
    assert(client == NullClient ||
     (client->index <= currentMaxClients && clients[client->index] == client));
    assert (classes >= lastResourceClass);
    if (((cid = CLIENT_ID(id)) < MAXCLIENTS) &&
 	clientTable[cid].buckets)
    {
@ -880,8 +876,11 @@ SecurityLookupIDByClass(ClientPtr client, XID id, RESTYPE classes, Mask mode)
 		break;
 	    }
    }
-    if (retval && client && client->CheckAccess)
+#ifdef XACE
-	retval = (* client->CheckAccess)(client, id, res->type, mode, retval);
+    if (retval && client &&
 	!XaceHook(XACE_RESOURCE_ACCESS, client, id, res->type, mode, retval))
 	retval = NULL;
 #endif
    return retval;
 }
@ -902,50 +901,3 @@ LookupIDByClass(XID id, RESTYPE classes)
    return SecurityLookupIDByClass(NullClient, id, classes,
 				   SecurityUnknownAccess);
 }
 #else /* not XCSECURITY */
 /*
 *  LookupIDByType returns the object with the given id and type, else NULL.
 */ 
 pointer
 LookupIDByType(XID id, RESTYPE rtype)
 {
    int    cid;
    register    ResourcePtr res;
    if (((cid = CLIENT_ID(id)) < MAXCLIENTS) &&
 	clientTable[cid].buckets)
    {
 	res = clientTable[cid].resources[Hash(cid, id)];
 	for (; res; res = res->next)
 	    if ((res->id == id) && (res->type == rtype))
 		return res->value;
    }
    return (pointer)NULL;
 }
 /*
 *  LookupIDByClass returns the object with the given id and any one of the
 *  given classes, else NULL.
 */ 
 pointer
 LookupIDByClass(XID id, RESTYPE classes)
 {
    int    cid;
    register    ResourcePtr res;
    if (((cid = CLIENT_ID(id)) < MAXCLIENTS) &&
 	clientTable[cid].buckets)
    {
 	res = clientTable[cid].resources[Hash(cid, id)];
 	for (; res; res = res->next)
 	    if ((res->id == id) && (res->type & classes))
 		return res->value;
    }
    return (pointer)NULL;
 }
 #endif /* XCSECURITY */
--- a/dix/window.c
+++ b/dix/window.c
@ -126,8 +126,8 @@ Equipment Corporation.
 #ifdef XAPPGROUP
 #include "appgroup.h"
 #endif
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 /******
@ -530,6 +530,10 @@ InitRootWindow(WindowPtr pWin)
    /* We SHOULD check for an error value here XXX */
    (*pScreen->ChangeWindowAttributes)(pWin, backFlag);
 #ifdef XACE
    XaceHook(XACE_WINDOW_INIT, serverClient, pWin);
 #endif
    MapWindow(pWin, serverClient);
 }
@ -731,11 +735,11 @@ CreateWindow(Window wid, register WindowPtr pParent, int x, int y, unsigned w,
    }
    pWin->borderWidth = bw;
-#ifdef XCSECURITY
+#ifdef XACE
    /*  can't let untrusted clients have background None windows;
     *  they make it too easy to steal window contents
     */
-    if (client->trustLevel != XSecurityClientTrusted)
+    if (!XaceHook(XACE_BACKGRND_ACCESS, client, pWin))
    {
 	pWin->backgroundState = BackgroundPixel;
 	pWin->background.pixel = 0;
@ -762,6 +766,10 @@ CreateWindow(Window wid, register WindowPtr pParent, int x, int y, unsigned w,
    REGION_NULL(pScreen, &pWin->winSize);
    REGION_NULL(pScreen, &pWin->borderSize);
 #ifdef XACE
    XaceHook(XACE_WINDOW_INIT, client, pWin);
 #endif
    pHead = RealChildHead(pParent);
    if (pHead)
    {
@ -1025,9 +1033,9 @@ ChangeWindowAttributes(register WindowPtr pWin, Mask vmask, XID *vlist, ClientPt
 		borderRelative = TRUE;
 	    if (pixID == None)
 	    {
-#ifdef XCSECURITY
+#ifdef XACE
 		/*  can't let untrusted clients have background None windows */
-		if (client->trustLevel == XSecurityClientTrusted)
+		if (XaceHook(XACE_BACKGRND_ACCESS, client, pWin))
 		{
 #endif
 		if (pWin->backgroundState == BackgroundPixmap)
@ -1036,7 +1044,7 @@ ChangeWindowAttributes(register WindowPtr pWin, Mask vmask, XID *vlist, ClientPt
 		    MakeRootTile(pWin);
 		else
 		    pWin->backgroundState = None;
-#ifdef XCSECURITY
+#ifdef XACE
 		}
 		else
 		{ /* didn't change the background to None, so don't tell ddx */
@ -2724,13 +2732,9 @@ MapWindow(register WindowPtr pWin, ClientPtr client)
    if (pWin->mapped)
 	return(Success);
-#ifdef XCSECURITY
+#ifdef XACE
-    /*  don't let an untrusted client map a child-of-trusted-window, InputOnly
+    /*  general check for permission to map window */
-     *  window; too easy to steal device input
+    if (!XaceHook(XACE_MAP_ACCESS, client, pWin))
     */
    if ( (client->trustLevel != XSecurityClientTrusted) &&
 	 (pWin->drawable.class == InputOnly) &&
 	 (wClient(pWin->parent)->trustLevel == XSecurityClientTrusted) )
 	 return Success;
 #endif	
--- a/hw/xfree86/dixmods/extmod/modinit.h
+++ b/hw/xfree86/dixmods/extmod/modinit.h
@ -125,7 +125,12 @@ extern void ShmRegisterFuncs(
    ShmFuncsPtr funcs);
 #endif
 #ifdef XACE
 extern void XaceExtensionInit(INITARGS);
 #endif
 #if 1
 extern void SecurityExtensionSetup(INITARGS);
 extern void SecurityExtensionInit(INITARGS);
 #endif
--- a/hw/xfree86/loader/dixsym.c
+++ b/hw/xfree86/loader/dixsym.c
@ -162,7 +162,7 @@ _X_HIDDEN void *dixLookupTab[] = {
    SYMFUNC(QueueWorkProc)
    SYMFUNC(RegisterBlockAndWakeupHandlers)
    SYMFUNC(RemoveBlockAndWakeupHandlers)
-#ifdef XCSECURITY
+#ifdef XACE
    SYMFUNC(SecurityLookupDrawable)
    SYMFUNC(SecurityLookupWindow)
 #endif
@ -255,6 +255,8 @@ _X_HIDDEN void *dixLookupTab[] = {
    SYMFUNC(GetScratchPixmapHeader)
    SYMFUNC(FreeScratchPixmapHeader)
    /* privates.c */
    SYMFUNC(AllocateExtensionPrivate)
    SYMFUNC(AllocateExtensionPrivateIndex)
    SYMFUNC(AllocateClientPrivate)
    SYMFUNC(AllocateClientPrivateIndex)
    SYMFUNC(AllocateGCPrivate)
@ -282,10 +284,8 @@ _X_HIDDEN void *dixLookupTab[] = {
    SYMFUNC(LookupIDByType)
    SYMFUNC(LookupIDByClass)
    SYMFUNC(LegalNewID)
 #ifdef XCSECURITY
    SYMFUNC(SecurityLookupIDByClass)
    SYMFUNC(SecurityLookupIDByType)
 #endif
    SYMFUNC(FindClientResourcesByType)
    SYMFUNC(FindAllClientResources)
    SYMVAR(lastResourceType)
--- a/include/dix-config.h.in
+++ b/include/dix-config.h.in
@ -308,6 +308,9 @@
 /* unaligned word accesses behave as expected */
 #undef WORKING_UNALIGNED_INT
 /* Build X-ACE extension */
 #undef XACE
 /* Support XCMisc extension */
 #undef XCMISC
--- a/include/dix.h
+++ b/include/dix.h
@ -87,12 +87,9 @@ SOFTWARE.
    ((client->lastDrawableID == did) ? \
     client->lastDrawable : (DrawablePtr)LookupDrawable(did, client))
-#ifdef XCSECURITY
+#ifdef XACE
 #define SECURITY_VERIFY_DRAWABLE(pDraw, did, client, mode)\
    if (client->lastDrawableID == did && !client->trustLevel)\
 	pDraw = client->lastDrawable;\
    else \
    {\
 	pDraw = (DrawablePtr) SecurityLookupIDByClass(client, did, \
 						      RC_DRAWABLE, mode);\
@ -106,9 +103,6 @@ SOFTWARE.
    }
 #define SECURITY_VERIFY_GEOMETRABLE(pDraw, did, client, mode)\
    if (client->lastDrawableID == did && !client->trustLevel)\
 	pDraw = client->lastDrawable;\
    else \
    {\
 	pDraw = (DrawablePtr) SecurityLookupIDByClass(client, did, \
 						      RC_DRAWABLE, mode);\
@ -120,9 +114,6 @@ SOFTWARE.
    }
 #define SECURITY_VERIFY_GC(pGC, rid, client, mode)\
    if (client->lastGCID == rid && !client->trustLevel)\
        pGC = client->lastGC;\
    else\
 	pGC = (GC *) SecurityLookupIDByType(client, rid, RT_GC, mode);\
    if (!pGC)\
    {\
@ -139,7 +130,7 @@ SOFTWARE.
 #define VERIFY_GC(pGC, rid, client)\
 	SECURITY_VERIFY_GC(pGC, rid, client, SecurityUnknownAccess)
-#else /* not XCSECURITY */
+#else /* not XACE */
 #define VERIFY_DRAWABLE(pDraw, did, client)\
    if (client->lastDrawableID == did)\
@ -189,7 +180,7 @@ SOFTWARE.
 #define SECURITY_VERIFY_GC(pGC, rid, client, mode)\
 	VERIFY_GC(pGC, rid, client)
-#endif /* XCSECURITY */
+#endif /* XACE */
 /*
 * We think that most hardware implementations of DBE will want
@ -384,7 +375,7 @@ extern int CompareISOLatin1Lowered(
    unsigned char * /*b*/,
    int blen);
-#ifdef XCSECURITY
+#ifdef XACE
 extern WindowPtr SecurityLookupWindow(
    XID /*rid*/,
@ -420,7 +411,7 @@ extern pointer LookupDrawable(
 #define SecurityLookupDrawable(rid, client, access_mode) \
 	LookupDrawable(rid, client)
-#endif /* XCSECURITY */
+#endif /* XACE */
 extern ClientPtr LookupClient(
    XID /*rid*/,
--- a/include/dixstruct.h
+++ b/include/dixstruct.h
@ -128,16 +128,6 @@ typedef struct _Client {
    int         requestLogIndex;
 #endif
    unsigned long replyBytesRemaining;
 #ifdef XCSECURITY
    XID		authId;
    unsigned int trustLevel;
    pointer (* CheckAccess)(
 	    ClientPtr /*pClient*/,
 	    XID /*id*/,
 	    RESTYPE /*classes*/,
 	    Mask /*access_mode*/,
 	    pointer /*resourceval*/);
 #endif
 #ifdef XAPPGROUP
    struct _AppGroupRec*	appgroup;
 #endif
--- a/include/extension.h
+++ b/include/extension.h
@ -58,6 +58,14 @@ extern Bool EnableDisableExtension(char *name, Bool enable);
 extern void EnableDisableExtensionError(char *name, Bool enable);
 extern void ResetExtensionPrivates(void);
 extern int AllocateExtensionPrivateIndex(void);
 extern Bool AllocateExtensionPrivate(
    int /*index*/,
    unsigned /*amount*/);
 extern void InitExtensions(int argc, char **argv);
 extern void InitVisualWrap(void);
--- a/include/extnsionst.h
+++ b/include/extnsionst.h
@ -48,6 +48,7 @@ SOFTWARE.
 #ifndef EXTENSIONSTRUCT_H
 #define EXTENSIONSTRUCT_H 
 #include "dix.h"
 #include "misc.h"
 #include "screenint.h"
 #include "extension.h"
@ -68,9 +69,7 @@ typedef struct _ExtensionEntry {
    pointer extPrivate;
    unsigned short (* MinorOpcode)(	/* called for errors */
 	ClientPtr /* client */);
-#ifdef XCSECURITY
+    DevUnion *devPrivates;
    Bool secure;		/* extension visible to untrusted clients? */
 #endif
 } ExtensionEntry;
 /* 
@ -127,6 +126,7 @@ extern Bool AddExtensionAlias(
    ExtensionEntry * /*extension*/);
 extern ExtensionEntry *CheckExtension(const char *extname);
 extern ExtensionEntry *GetExtensionEntry(int major);
 extern ExtensionLookupProc LookupProc(
    char* /*name*/,
--- a/include/resource.h
+++ b/include/resource.h
@ -225,8 +225,6 @@ extern pointer LookupClientResourceComplex(
 #define SecurityWriteAccess	(1<<1)	/* changing the object */
 #define SecurityDestroyAccess	(1<<2)	/* destroying the object */
 #ifdef XCSECURITY
 extern pointer SecurityLookupIDByType(
    ClientPtr /*client*/,
    XID /*id*/,
@ -239,15 +237,6 @@ extern pointer SecurityLookupIDByClass(
    RESTYPE /*classes*/,
    Mask /*access_mode*/);
 #else /* not XCSECURITY */
 #define SecurityLookupIDByType(client, id, rtype, access_mode) \
        LookupIDByType(id, rtype)
 #define SecurityLookupIDByClass(client, id, classes, access_mode) \
        LookupIDByClass(id, classes)
 #endif /* XCSECURITY */
 extern void GetXIDRange(
    int /*client*/,
--- a/mi/miinitext.c
+++ b/mi/miinitext.c
@ -241,6 +241,9 @@ typedef void (*InitExtension)(INITARGS);
 #define _XAG_SERVER_
 #include <X11/extensions/Xagstr.h>
 #endif
 #ifdef XACE
 #include "xace.h"
 #endif
 #ifdef XCSECURITY
 #include "securitysrv.h"
 #include <X11/extensions/securstr.h>
@ -311,7 +314,11 @@ extern void DbeExtensionInit(INITARGS);
 #ifdef XAPPGROUP
 extern void XagExtensionInit(INITARGS);
 #endif
 #ifdef XACE
 extern void XaceExtensionInit(INITARGS);
 #endif
 #ifdef XCSECURITY
 extern void SecurityExtensionSetup(INITARGS);
 extern void SecurityExtensionInit(INITARGS);
 #endif
 #ifdef XPRINT
@ -522,6 +529,9 @@ InitExtensions(argc, argv)
    int		argc;
    char	*argv[];
 {
 #ifdef XCSECURITY
    SecurityExtensionSetup();
 #endif
 #ifdef PANORAMIX
 # if !defined(PRINT_ONLY_SERVER) && !defined(NO_PANORAMIX)
  if (!noPanoramiXExtension) PanoramiXExtensionInit();
@ -584,6 +594,9 @@ InitExtensions(argc, argv)
 #ifdef XAPPGROUP
    if (!noXagExtension) XagExtensionInit();
 #endif
 #ifdef XACE
    XaceExtensionInit();
 #endif
 #ifdef XCSECURITY
    if (!noSecurityExtension) SecurityExtensionInit();
 #endif
@ -686,8 +699,11 @@ static ExtensionModule staticExtensions[] = {
 #ifdef XAPPGROUP
    { XagExtensionInit, XAGNAME, &noXagExtension, NULL, NULL },
 #endif
 #ifdef XACE
    { XaceExtensionInit, XACE_EXTENSION_NAME, NULL, NULL, NULL },
 #endif
 #ifdef XCSECURITY
-    { SecurityExtensionInit, SECURITY_EXTENSION_NAME, &noSecurityExtension, NULL, NULL },
+    { SecurityExtensionInit, SECURITY_EXTENSION_NAME, &noSecurityExtension, SecurityExtensionSetup, NULL },
 #endif
 #ifdef XPRINT
    { XpExtensionInit, XP_PRINTNAME, NULL, NULL, NULL },
--- a/os/access.c
+++ b/os/access.c
@ -202,8 +202,8 @@ SOFTWARE.
 #include "dixstruct.h"
 #include "osdep.h"
-#ifdef XCSECURITY
+#ifdef XACE
-#include "securitysrv.h"
+#include "xace.h"
 #endif
 #ifndef PATH_MAX
@ -1386,15 +1386,6 @@ _X_EXPORT Bool LocalClient(ClientPtr client)
    pointer		addr;
    register HOST	*host;
 #ifdef XCSECURITY
    /* untrusted clients can't change host access */
    if (client->trustLevel != XSecurityClientTrusted)
    {
 	SecurityAudit("client %d attempted to change host access\n",
 		      client->index);
 	return FALSE;
    }
 #endif
    if (!_XSERVTransGetPeerAddr (((OsCommPtr)client->osPrivate)->trans_conn,
 	&notused, &alen, &from))
    {
@ -1537,6 +1528,11 @@ AuthorizedClient(ClientPtr client)
 {
    if (!client || defeatAccessControl)
 	return TRUE;
 #ifdef XACE
    /* untrusted clients can't change host access */
    if (!XaceHook(XACE_HOSTLIST_ACCESS, client, SecurityWriteAccess))
 	return FALSE;
 #endif
    return LocalClient(client);
 }
--- a/os/connection.c
+++ b/os/connection.c
@ -148,6 +148,9 @@ extern __const__ int _nfiles;
 #ifdef XAPPGROUP
 #include "appgroup.h"
 #endif
 #ifdef XACE
 #include "xace.h"
 #endif
 #ifdef XCSECURITY
 #include "securitysrv.h"
 #endif
@ -690,9 +693,8 @@ ClientAuthorized(ClientPtr client,
    /* indicate to Xdmcp protocol that we've opened new client */
    XdmcpOpenDisplay(priv->fd);
 #endif /* XDMCP */
-#ifdef XAPPGROUP
+#ifdef XACE
-    if (ClientStateCallback)
+    XaceHook(XACE_AUTH_AVAIL, client, auth_id);
        XagCallClientStateChange (client);
 #endif
    /* At this point, if the client is authorized to change the access control
     * list, we should getpeername() information, and add the client to