Xnamespace: filter server access

Whitelisting several server access calls that are safe, rejecting the rest. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-03-19 10:50:56 +01:00 · 2025-03-19 10:50:56 +01:00 · 5a2903901a
parent e293308ef7
commit 5a2903901a
4 changed files with 41 additions and 1 deletions
--- a/Xext/namespace/hook-server.c
+++ b/Xext/namespace/hook-server.c
@ -0,0 +1,37 @@
+#define HOOK_NAME "server"
+
+#include <dix-config.h>
+
+#include "dix/dix_priv.h"
+#include "dix/registry_priv.h"
+#include "Xext/xacestr.h"
+
+#include "namespace.h"
+#include "hooks.h"
+
+void hookServerAccess(CallbackListPtr *pcbl, void *unused, void *calldata)
+{
+    XNS_HOOK_HEAD(XaceServerAccessRec);
+
+    if (subj->ns->superPower)
+        goto pass;
+
+    switch (client->majorOp) {
+        case X_ListFonts:
+        case X_ListFontsWithInfo:
+            goto pass;
+
+        case X_GrabServer:
+            goto reject;
+    }
+
+    XNS_HOOK_LOG("BLOCKED access to server configuration request %s\n",
+        LookupRequestName(client->majorOp, client->minorOp));
+
+reject:
+    param->status = BadAccess;
+    return;
+
+pass:
+    param->status = Success;
+}
--- a/Xext/namespace/hooks.h
+++ b/Xext/namespace/hooks.h
@ -32,6 +32,7 @@ void hookInitRootWindow(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookReceive(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookResourceAccess(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookSelectionFilter(CallbackListPtr *pcbl, void *unused, void *calldata);
+void hookServerAccess(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookWindowProperty(CallbackListPtr *pcbl, void *unused, void *calldata);

 #endif /* __XSERVER_NAMESPACE_HOOKS_H */
--- a/Xext/namespace/meson.build
+++ b/Xext/namespace/meson.build
@ -10,6 +10,7 @@ libxserver_namespace = static_library(
 		'hook-receive.c',
 		'hook-resource.c',
 		'hook-selection.c',
+		'hook-server.c',
 		'hook-windowproperty.c',
 		'namespace.c',
 	],
--- a/Xext/namespace/namespace.c
+++ b/Xext/namespace/namespace.c
@ -38,7 +38,8 @@ NamespaceExtensionInit(void)
          XaceRegisterCallback(XACE_EXT_DISPATCH, hookExtDispatch, NULL) &&
          XaceRegisterCallback(XACE_EXT_ACCESS, hookExtAccess, NULL) &&
          XaceRegisterCallback(XACE_RECEIVE_ACCESS, hookReceive, NULL) &&
-          XaceRegisterCallback(XACE_RESOURCE_ACCESS, hookResourceAccess, NULL)))
+          XaceRegisterCallback(XACE_RESOURCE_ACCESS, hookResourceAccess, NULL) &&
+          XaceRegisterCallback(XACE_SERVER_ACCESS, hookServerAccess, NULL)))
        FatalError("NamespaceExtensionInit: allocation failure\n");

    /* Do the serverClient */