xselinux: switch from x_device to separate x_pointer and x_keyboard classes.
This will allow separate controls over pointer and keyboard without having to relabel the devices to separate types. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
parent
4be354c4c2
commit
6c2ae5fec5
|
@ -86,6 +86,16 @@ static void SELinuxScreen(CallbackListPtr *, pointer, pointer);
|
||||||
static pointer truep = (pointer)1;
|
static pointer truep = (pointer)1;
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Returns true if device is a pointer device.
|
||||||
|
* Note: this duplicates dix IsPointerDevice() which is not exported.
|
||||||
|
*/
|
||||||
|
static inline Bool
|
||||||
|
IsPointerDev(DeviceIntPtr dev)
|
||||||
|
{
|
||||||
|
return (dev->type == MASTER_POINTER) || (dev->valuator && dev->button);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Performs an SELinux permission check.
|
* Performs an SELinux permission check.
|
||||||
*/
|
*/
|
||||||
|
@ -348,6 +358,7 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
SELinuxSubjectRec *subj;
|
SELinuxSubjectRec *subj;
|
||||||
SELinuxObjectRec *obj;
|
SELinuxObjectRec *obj;
|
||||||
SELinuxAuditRec auditdata = { .client = rec->client, .dev = rec->dev };
|
SELinuxAuditRec auditdata = { .client = rec->client, .dev = rec->dev };
|
||||||
|
security_class_t cls;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
subj = dixLookupPrivate(&rec->client->devPrivates, subjectKey);
|
subj = dixLookupPrivate(&rec->client->devPrivates, subjectKey);
|
||||||
|
@ -372,8 +383,8 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = SELinuxDoCheck(subj, obj, SECCLASS_X_DEVICE, rec->access_mode,
|
cls = IsPointerDev(rec->dev) ? SECCLASS_X_POINTER : SECCLASS_X_KEYBOARD;
|
||||||
&auditdata);
|
rc = SELinuxDoCheck(subj, obj, cls, rec->access_mode, &auditdata);
|
||||||
if (rc != Success)
|
if (rc != Success)
|
||||||
rec->status = rc;
|
rec->status = rc;
|
||||||
}
|
}
|
||||||
|
|
|
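Review bot: IsPointerDev (the new helper in the first hunk, at the `return (dev->type == MASTER_POINTER) || (dev->valuator && dev->button);` line) decides which Flask class an access is checked against, and its rule is coarser than the new class split suggests: a slave device that carries a valuator class and a button class is x_pointer regardless of whether it also has a key class, and every device that is not a pointer by that test (including a valuator-only or button-only device) falls through to x_keyboard at `cls = IsPointerDev(rec->dev) ? SECCLASS_X_POINTER : SECCLASS_X_KEYBOARD;`. If the server ever exposes a combined key+button+valuator device as one DeviceIntRec, a policy granting x_pointer read would therefore also cover that device's keystrokes, which is presumably not what a policy author expects from the new split; this is an inference from the classification logic, not something the hunk demonstrates. Since the helper deliberately duplicates the unexported dix IsPointerDevice(), the comment should spell out the policy-visible consequence and the sync requirement, e.g. `/* Any device with valuator and button classes is x_pointer, even if it also has keys; everything else (including valuator-only devices) is checked as x_keyboard. Must match dix IsPointerDevice(). */`. Note that the third hunk is mid-function: SELinuxDevice starts before it, so whether rec->dev is guaranteed non-NULL when IsPointerDev dereferences it is not visible here.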
@ -123,12 +123,13 @@ SELinuxFlaskReset(void);
|
||||||
#define SECCLASS_X_SELECTION 7
|
#define SECCLASS_X_SELECTION 7
|
||||||
#define SECCLASS_X_CURSOR 8
|
#define SECCLASS_X_CURSOR 8
|
||||||
#define SECCLASS_X_CLIENT 9
|
#define SECCLASS_X_CLIENT 9
|
||||||
#define SECCLASS_X_DEVICE 10
|
#define SECCLASS_X_POINTER 10
|
||||||
#define SECCLASS_X_SERVER 11
|
#define SECCLASS_X_KEYBOARD 11
|
||||||
#define SECCLASS_X_EXTENSION 12
|
#define SECCLASS_X_SERVER 12
|
||||||
#define SECCLASS_X_EVENT 13
|
#define SECCLASS_X_EXTENSION 13
|
||||||
#define SECCLASS_X_FAKEEVENT 14
|
#define SECCLASS_X_EVENT 14
|
||||||
#define SECCLASS_X_RESOURCE 15
|
#define SECCLASS_X_FAKEEVENT 15
|
||||||
|
#define SECCLASS_X_RESOURCE 16
|
||||||
|
|
||||||
#ifdef _XSELINUX_NEED_FLASK_MAP
|
#ifdef _XSELINUX_NEED_FLASK_MAP
|
||||||
/* Mapping from DixAccess bits to Flask permissions */
|
/* Mapping from DixAccess bits to Flask permissions */
|
||||||
|
@ -344,7 +345,37 @@ static struct security_class_mapping map[] = {
|
||||||
"", /* DixUseAccess */
|
"", /* DixUseAccess */
|
||||||
"manage", /* DixManageAccess */
|
"manage", /* DixManageAccess */
|
||||||
NULL }},
|
NULL }},
|
||||||
{ "x_device",
|
{ "x_pointer",
|
||||||
|
{ "read", /* DixReadAccess */
|
||||||
|
"write", /* DixWriteAccess */
|
||||||
|
"destroy", /* DixDestroyAccess */
|
||||||
|
"create", /* DixCreateAccess */
|
||||||
|
"getattr", /* DixGetAttrAccess */
|
||||||
|
"setattr", /* DixSetAttrAccess */
|
||||||
|
"list_property", /* DixListPropAccess */
|
||||||
|
"get_property", /* DixGetPropAccess */
|
||||||
|
"set_property", /* DixSetPropAccess */
|
||||||
|
"getfocus", /* DixGetFocusAccess */
|
||||||
|
"setfocus", /* DixSetFocusAccess */
|
||||||
|
"", /* DixListAccess */
|
||||||
|
"add", /* DixAddAccess */
|
||||||
|
"remove", /* DixRemoveAccess */
|
||||||
|
"", /* DixHideAccess */
|
||||||
|
"", /* DixShowAccess */
|
||||||
|
"", /* DixBlendAccess */
|
||||||
|
"grab", /* DixGrabAccess */
|
||||||
|
"freeze", /* DixFreezeAccess */
|
||||||
|
"force_cursor", /* DixForceAccess */
|
||||||
|
"", /* DixInstallAccess */
|
||||||
|
"", /* DixUninstallAccess */
|
||||||
|
"", /* DixSendAccess */
|
||||||
|
"", /* DixReceiveAccess */
|
||||||
|
"use", /* DixUseAccess */
|
||||||
|
"manage", /* DixManageAccess */
|
||||||
|
"", /* DixDebugAccess */
|
||||||
|
"bell", /* DixBellAccess */
|
||||||
|
NULL }},
|
||||||
|
{ "x_keyboard",
|
||||||
{ "read", /* DixReadAccess */
|
{ "read", /* DixReadAccess */
|
||||||
"write", /* DixWriteAccess */
|
"write", /* DixWriteAccess */
|
||||||
"destroy", /* DixDestroyAccess */
|
"destroy", /* DixDestroyAccess */
|
||||||
|
|