Xnamespace: filter transparency

Silently drop transparency flag if namespace isn't allowed to use it. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-03-19 10:50:56 +01:00 · 2025-03-19 10:50:56 +01:00 · 86dd87d46c
parent 14008eb698
commit 86dd87d46c
6 changed files with 35 additions and 1 deletions
--- a/Xext/namespace/config.c
+++ b/Xext/namespace/config.c
@ -8,6 +8,7 @@
 struct Xnamespace ns_root = {
    .allowMouseMotion = TRUE,
    .allowShape = TRUE,
+    .allowTransparency = TRUE,
    .allowXInput = TRUE,
    .allowXKeyboard = TRUE,
    .builtin = TRUE,
--- a/Xext/namespace/hook-resource.c
+++ b/Xext/namespace/hook-resource.c
@ -0,0 +1,29 @@
+#define HOOK_NAME "resource"
+
+#include <dix-config.h>
+
+#include "dix/dix_priv.h"
+#include "Xext/xacestr.h"
+
+#include "namespace.h"
+#include "hooks.h"
+
+void hookResourceAccess(CallbackListPtr *pcbl, void *unused, void *calldata)
+{
+    XNS_HOOK_HEAD(XaceResourceAccessRec);
+
+    // special filtering for windows: block transparency for untrusted clients
+    if (param->rtype == X11_RESTYPE_WINDOW) {
+        WindowPtr pWindow = (WindowPtr) param->res;
+        if (param->access_mode & DixCreateAccess) {
+            if (!subj->ns->allowTransparency) {
+                pWindow->forcedBG = TRUE;
+                goto pass;
+            }
+        }
+    }
+
+pass:
+    // request is passed as it is (or already had been rewritten)
+    param->status = Success;
+}
--- a/Xext/namespace/hooks.h
+++ b/Xext/namespace/hooks.h
@ -29,6 +29,7 @@ void hookExtAccess(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookExtDispatch(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookInitRootWindow(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookReceive(CallbackListPtr *pcbl, void *unused, void *calldata);
+void hookResourceAccess(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookSelectionFilter(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookWindowProperty(CallbackListPtr *pcbl, void *unused, void *calldata);

--- a/Xext/namespace/meson.build
+++ b/Xext/namespace/meson.build
@ -7,6 +7,7 @@ libxserver_namespace = static_library(
 		'hook-ext-dispatch.c',
 		'hook-init-rootwindow.c',
 		'hook-receive.c',
+		'hook-resource.c',
 		'hook-selection.c',
 		'hook-windowproperty.c',
 		'namespace.c',
--- a/Xext/namespace/namespace.c
+++ b/Xext/namespace/namespace.c
@ -36,7 +36,8 @@ NamespaceExtensionInit(void)
          AddCallback(&SelectionFilterCallback, hookSelectionFilter, NULL) &&
          XaceRegisterCallback(XACE_EXT_DISPATCH, hookExtDispatch, NULL) &&
          XaceRegisterCallback(XACE_EXT_ACCESS, hookExtAccess, NULL) &&
-          XaceRegisterCallback(XACE_RECEIVE_ACCESS, hookReceive, NULL)))
+          XaceRegisterCallback(XACE_RECEIVE_ACCESS, hookReceive, NULL) &&
+          XaceRegisterCallback(XACE_RESOURCE_ACCESS, hookResourceAccess, NULL)))
        FatalError("NamespaceExtensionInit: allocation failure\n");

    /* Do the serverClient */
--- a/Xext/namespace/namespace.h
+++ b/Xext/namespace/namespace.h
@ -16,6 +16,7 @@ struct Xnamespace {
    Bool builtin;
    Bool allowMouseMotion;
    Bool allowShape;
+    Bool allowTransparency;
    Bool allowXInput;
    Bool allowXKeyboard;
    Bool superPower;