diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 3cec21bb1..cdb3b3367 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -22,8 +22,6 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  * All rights reserved.
  */
-#include
-#include
 #include
 #include
 #include
@@ -96,6 +94,42 @@ static char *XSELinuxNonlocalContextDefault = NULL;
 extern Selection *CurrentSelections;
 extern int NumCurrentSelections;
+/* Dynamically allocated security classes and permissions */
+static struct security_class_mapping map[] = {
+ { "drawable",
+ { "create", "destroy", "draw", "copy", "getattr", NULL }},
+ { "window",
+ { "addchild", "create", "destroy", "map", "unmap", "chstack",
+ "chproplist", "chprop", "listprop", "getattr", "setattr", "setfocus",
+ "move", "chselection", "chparent", "ctrllife", "enumerate",
+ "transparent", "mousemotion", "clientcomevent", "inputevent",
+ "drawevent", "windowchangeevent", "windowchangerequest",
+ "serverchangeevent", "extensionevent", NULL }},
+ { "gc",
+ { "create", "free", "getattr", "setattr", NULL }},
+ { "font",
+ { "load", "free", "getattr", "use", NULL }},
+ { "colormap",
+ { "create", "free", "install", "uninstall", "list", "read", "store",
+ "getattr", "setattr", NULL }},
+ { "property",
+ { "create", "free", "read", "write", NULL }},
+ { "cursor",
+ { "create", "createglyph", "free", "assign", "setattr", NULL }},
+ { "xclient",
+ { "kill", NULL }},
+ { "xinput",
+ { "lookup", "getattr", "setattr", "setfocus", "warppointer",
+ "activegrab", "passivegrab", "ungrab", "bell", "mousemotion",
+ "relabelinput", NULL }},
+ { "xserver",
+ { "screensaver", "gethostlist", "sethostlist", "getfontpath",
+ "setfontpath", "getattr", "grab", "ungrab", NULL }},
+ { "xextension",
+ { "query", "use", NULL }},
+ { NULL }
+};
 /*
  * list of classes corresponding to SIDs in the
  * rsid array of the security state structure (below).
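Review bot: The position of each entry in `map[]` is what gives the `SECCLASS_*` and `*__*` constants in xselinux.h their values, yet nothing in the table says so; an entry inserted, dropped or reordered here without the matching header edit would make every later AVC query ask about the wrong class or permission bit, and the policy would still answer as if the check were correct. I would state that at the top of the table: `/* Order is load-bearing: the Nth class here must be SECCLASS_<N> and the Mth permission string must be bit (1 << M) of the matching *__* constant in xselinux.h. */` Presumably selinux_set_mapping() numbers classes and permissions sequentially in exactly this way (that is how the header values line up), but it is worth confirming against the libselinux the server is built against. A cheap start-up guard once the mapping is installed, e.g. comparing `string_to_security_class("window")` with `SECCLASS_WINDOW` and `string_to_av_perm(SECCLASS_WINDOW, "setfocus")` with `WINDOW__SETFOCUS`, would turn a silent mismatch into a FatalError.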
@@ -1851,6 +1885,10 @@ XSELinuxExtensionInit(INITARGS)
 return;
 }
+ if (selinux_set_mapping(map) < 0) {
+ FatalError("XSELinux: Failed to set up security class mapping\n");
+ }
+
 if (avc_init("xserver", NULL, &alc, NULL, NULL) < 0) {
 FatalError("XSELinux: Couldn't initialize SELinux userspace AVC\n");
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index eff6db5f4..57fcbb20f 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
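Review bot: The new `FatalError` after `selinux_set_mapping(map)` discards the reason for the failure; as far as I recall libselinux reports an unknown class or permission name through errno (EINVAL), so the message should carry it: `FatalError("XSELinux: Failed to set up security class mapping: %s\n", strerror(errno));` (needs <errno.h> and <string.h> if they are not already included). Aborting here is the right fail-closed choice, since every later avc_has_perm() call would otherwise run with unmapped class numbers, and doing it before avc_init() is the right order because the AVC must see the mapped classes. XSELinuxExtensionInit() begins and ends outside this hunk, so I cannot see which SELinux-enabled/permissive checks precede this point.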
@@ -20,10 +20,103 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #ifndef _XSELINUX_H
 #define _XSELINUX_H
+/* Extension info */
 #define XSELINUX_EXTENSION_NAME "SELinux"
 #define XSELINUX_MAJOR_VERSION 1
 #define XSELINUX_MINOR_VERSION 0
 #define XSELinuxNumberEvents 0
 #define XSELinuxNumberErrors 0
+/* Private Flask definitions */
+#define SECCLASS_DRAWABLE 1
+#define DRAWABLE__CREATE 0x00000001UL
+#define DRAWABLE__DESTROY 0x00000002UL
+#define DRAWABLE__DRAW 0x00000004UL
+#define DRAWABLE__COPY 0x00000008UL
+#define DRAWABLE__GETATTR 0x00000010UL
+#define SECCLASS_WINDOW 2
+#define WINDOW__ADDCHILD 0x00000001UL
+#define WINDOW__CREATE 0x00000002UL
+#define WINDOW__DESTROY 0x00000004UL
+#define WINDOW__MAP 0x00000008UL
+#define WINDOW__UNMAP 0x00000010UL
+#define WINDOW__CHSTACK 0x00000020UL
+#define WINDOW__CHPROPLIST 0x00000040UL
+#define WINDOW__CHPROP 0x00000080UL
+#define WINDOW__LISTPROP 0x00000100UL
+#define WINDOW__GETATTR 0x00000200UL
+#define WINDOW__SETATTR 0x00000400UL
+#define WINDOW__SETFOCUS 0x00000800UL
+#define WINDOW__MOVE 0x00001000UL
+#define WINDOW__CHSELECTION 0x00002000UL
+#define WINDOW__CHPARENT 0x00004000UL
+#define WINDOW__CTRLLIFE 0x00008000UL
+#define WINDOW__ENUMERATE 0x00010000UL
+#define WINDOW__TRANSPARENT 0x00020000UL
+#define WINDOW__MOUSEMOTION 0x00040000UL
+#define WINDOW__CLIENTCOMEVENT 0x00080000UL
+#define WINDOW__INPUTEVENT 0x00100000UL
+#define WINDOW__DRAWEVENT 0x00200000UL
+#define WINDOW__WINDOWCHANGEEVENT 0x00400000UL
+#define WINDOW__WINDOWCHANGEREQUEST 0x00800000UL
+#define WINDOW__SERVERCHANGEEVENT 0x01000000UL
+#define WINDOW__EXTENSIONEVENT 0x02000000UL
+#define SECCLASS_GC 3
+#define GC__CREATE 0x00000001UL
+#define GC__FREE 0x00000002UL
+#define GC__GETATTR 0x00000004UL
+#define GC__SETATTR 0x00000008UL
+#define SECCLASS_FONT 4
+#define FONT__LOAD 0x00000001UL
+#define FONT__FREE 0x00000002UL
+#define FONT__GETATTR 0x00000004UL
+#define FONT__USE 0x00000008UL
+#define SECCLASS_COLORMAP 5
+#define COLORMAP__CREATE 0x00000001UL
+#define COLORMAP__FREE 0x00000002UL
+#define COLORMAP__INSTALL 0x00000004UL
+#define COLORMAP__UNINSTALL 0x00000008UL
+#define COLORMAP__LIST 0x00000010UL
+#define COLORMAP__READ 0x00000020UL
+#define COLORMAP__STORE 0x00000040UL
+#define COLORMAP__GETATTR 0x00000080UL
+#define COLORMAP__SETATTR 0x00000100UL
+#define SECCLASS_PROPERTY 6
+#define PROPERTY__CREATE 0x00000001UL
+#define PROPERTY__FREE 0x00000002UL
+#define PROPERTY__READ 0x00000004UL
+#define PROPERTY__WRITE 0x00000008UL
+#define SECCLASS_CURSOR 7
+#define CURSOR__CREATE 0x00000001UL
+#define CURSOR__CREATEGLYPH 0x00000002UL
+#define CURSOR__FREE 0x00000004UL
+#define CURSOR__ASSIGN 0x00000008UL
+#define CURSOR__SETATTR 0x00000010UL
+#define SECCLASS_XCLIENT 8
+#define XCLIENT__KILL 0x00000001UL
+#define SECCLASS_XINPUT 9
+#define XINPUT__LOOKUP 0x00000001UL
+#define XINPUT__GETATTR 0x00000002UL
+#define XINPUT__SETATTR 0x00000004UL
+#define XINPUT__SETFOCUS 0x00000008UL
+#define XINPUT__WARPPOINTER 0x00000010UL
+#define XINPUT__ACTIVEGRAB 0x00000020UL
+#define XINPUT__PASSIVEGRAB 0x00000040UL
+#define XINPUT__UNGRAB 0x00000080UL
+#define XINPUT__BELL 0x00000100UL
+#define XINPUT__MOUSEMOTION 0x00000200UL
+#define XINPUT__RELABELINPUT 0x00000400UL
+#define SECCLASS_XSERVER 10
+#define XSERVER__SCREENSAVER 0x00000001UL
+#define XSERVER__GETHOSTLIST 0x00000002UL
+#define XSERVER__SETHOSTLIST 0x00000004UL
+#define XSERVER__GETFONTPATH 0x00000008UL
+#define XSERVER__SETFONTPATH 0x00000010UL
+#define XSERVER__GETATTR 0x00000020UL
+#define XSERVER__GRAB 0x00000040UL
+#define XSERVER__UNGRAB 0x00000080UL
+#define SECCLASS_XEXTENSION 11
+#define XEXTENSION__QUERY 0x00000001UL
+#define XEXTENSION__USE 0x00000002UL
+
 #endif /* _XSELINUX_H */
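Review bot: The comment `/* Private Flask definitions */` undersells what these values are: they are not the kernel policy's class and permission numbers but local indices that only mean something once `map[]` in xselinux.c has been installed via selinux_set_mapping(), and each value (class N, permission bit 1 << M) is fixed by its position in that table. I would spell that out in the header: `/* Local class numbers and permission bits. They are only valid after selinux_set_mapping(map) in xselinux.c has run, and each value is defined by its position in that table; keep the two in sync. */` Using them before the mapping is installed, or after a table edit that was not mirrored here, would make every avc_has_perm() check query the wrong class or permission while still appearing to work, which is the kind of failure that is easy to ship unnoticed. The sequential numbering is what I would expect from libselinux's mapping code, but it is an assumption this header should name rather than leave implicit.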