From 86dd87d46c0c71314a2dc8e08ab4928e7a67ac6c Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Wed, 19 Mar 2025 10:50:56 +0100
Subject: [PATCH] Xnamespace: filter transparency

Silently drop transparency flag if namespace isn't allowed to use it.

Signed-off-by: Enrico Weigelt, metux IT consult
---
 Xext/namespace/config.c | 1 +
 Xext/namespace/hook-resource.c | 29 +++++++++++++++++++++++++++++
 Xext/namespace/hooks.h | 1 +
 Xext/namespace/meson.build | 1 +
 Xext/namespace/namespace.c | 3 ++-
 Xext/namespace/namespace.h | 1 +
 6 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 Xext/namespace/hook-resource.c
diff --git a/Xext/namespace/config.c b/Xext/namespace/config.c
index 72a05faa9..741c5ed0a 100644
--- a/Xext/namespace/config.c
+++ b/Xext/namespace/config.c
@@ -8,6 +8,7 @@
 struct Xnamespace ns_root = {
 .allowMouseMotion = TRUE,
 .allowShape = TRUE,
+ .allowTransparency = TRUE,
 .allowXInput = TRUE,
 .allowXKeyboard = TRUE,
 .builtin = TRUE,
diff --git a/Xext/namespace/hook-resource.c b/Xext/namespace/hook-resource.c
new file mode 100644
index 000000000..d25f581a8
--- /dev/null
+++ b/Xext/namespace/hook-resource.c
@@ -0,0 +1,29 @@
+#define HOOK_NAME "resource"
+
+#include
+
+#include "dix/dix_priv.h"
+#include "Xext/xacestr.h"
+
+#include "namespace.h"
+#include "hooks.h"
+
+void hookResourceAccess(CallbackListPtr *pcbl, void *unused, void *calldata)
+{
+ XNS_HOOK_HEAD(XaceResourceAccessRec);
+
+ // special filtering for windows: block transparency for untrusted clients
+ if (param->rtype == X11_RESTYPE_WINDOW) {
+ WindowPtr pWindow = (WindowPtr) param->res;
+ if (param->access_mode & DixCreateAccess) {
+ if (!subj->ns->allowTransparency) {
+ pWindow->forcedBG = TRUE;
+ goto pass;
+ }
+ }
+ }
+
+pass:
+ // request is passed as it is (or already had been rewritten)
+ param->status = Success;
+}
diff --git a/Xext/namespace/hooks.h b/Xext/namespace/hooks.h
index 5f0b35040..eab2125d1 100644
--- a/Xext/namespace/hooks.h
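Review bot: The unconditional `param->status = Success;` at `pass:` in hookResourceAccess runs for every resource type and access mode, so if another XACE_RESOURCE_ACCESS callback has already recorded a denial before this one is called, this hook would overwrite it. Whether that can happen depends on callback order and on what XNS_HOOK_HEAD expands to, neither of which is visible here. In the code shown the hook never denies anything, so it can leave the status untouched: delete the assignment, and with it the `pass:` label and the `goto pass;`, which only jumps to the next statement anyway. A short comment on `pWindow->forcedBG = TRUE;` noting that the flag is set once at window creation (`DixCreateAccess`) and is expected to be honoured by the window code afterwards would also help, because the hunk does not show where the flag is consumed.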
+++ b/Xext/namespace/hooks.h
@@ -29,6 +29,7 @@ void hookExtAccess(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookExtDispatch(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookInitRootWindow(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookReceive(CallbackListPtr *pcbl, void *unused, void *calldata);
+void hookResourceAccess(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookSelectionFilter(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookWindowProperty(CallbackListPtr *pcbl, void *unused, void *calldata);
diff --git a/Xext/namespace/meson.build b/Xext/namespace/meson.build
index d11666131..3b6abe555 100644
--- a/Xext/namespace/meson.build
+++ b/Xext/namespace/meson.build
@@ -7,6 +7,7 @@ libxserver_namespace = static_library(
 'hook-ext-dispatch.c',
 'hook-init-rootwindow.c',
 'hook-receive.c',
+ 'hook-resource.c',
 'hook-selection.c',
 'hook-windowproperty.c',
 'namespace.c',
diff --git a/Xext/namespace/namespace.c b/Xext/namespace/namespace.c
index 04371d70a..6a1d69f04 100644
--- a/Xext/namespace/namespace.c
+++ b/Xext/namespace/namespace.c
@@ -36,7 +36,8 @@ NamespaceExtensionInit(void)
 AddCallback(&SelectionFilterCallback, hookSelectionFilter, NULL) &&
 XaceRegisterCallback(XACE_EXT_DISPATCH, hookExtDispatch, NULL) &&
 XaceRegisterCallback(XACE_EXT_ACCESS, hookExtAccess, NULL) &&
- XaceRegisterCallback(XACE_RECEIVE_ACCESS, hookReceive, NULL)))
+ XaceRegisterCallback(XACE_RECEIVE_ACCESS, hookReceive, NULL) &&
+ XaceRegisterCallback(XACE_RESOURCE_ACCESS, hookResourceAccess, NULL)))
 FatalError("NamespaceExtensionInit: allocation failure\n");
 /* Do the serverClient */
diff --git a/Xext/namespace/namespace.h b/Xext/namespace/namespace.h
index c5aee7dd8..626f0a9da 100644
--- a/Xext/namespace/namespace.h
+++ b/Xext/namespace/namespace.h
@@ -16,6 +16,7 @@ struct Xnamespace {
 Bool builtin;
 Bool allowMouseMotion;
 Bool allowShape;
+ Bool allowTransparency;
 Bool allowXInput;
 Bool allowXKeyboard;
 Bool superPower;
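Review bot: The new `Bool allowTransparency;` field in struct Xnamespace has no comment, and the name does not say what it gates: in hook-resource.c a FALSE value makes the hook set `forcedBG` on windows the namespace creates. A trailing comment such as `/* FALSE: windows created in this namespace get forcedBG set */` would record that. Only `ns_root` is given `.allowTransparency = TRUE` in this commit, so every other namespace depends on how its struct is initialised and on a configuration keyword, and neither is visible in this diff. If no keyword exists yet, the flag is presumably off for all non-root namespaces, which would be worth stating in the commit message. The struct body continues outside the hunk.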