From aa340b2c7cbe9ddab53cff08c8ba165558209187 Mon Sep 17 00:00:00 2001
From: Eamon Walsh
Date: Wed, 17 Oct 2007 19:27:16 -0400
Subject: [PATCH] xselinux: add hook for device acceses.
---
 Xext/xselinux.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index fc91ae384..8bafa1fec 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -291,6 +291,36 @@ SELinuxLog(int type, const char *fmt, ...)
 * XACE Callbacks
 */
 
+static void
+SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
+{
+ XaceDeviceAccessRec *rec = calldata;
+ SELinuxStateRec *subj, *obj;
+ SELinuxAuditRec auditdata = { NULL, NULL, 0, 0, 0, NULL };
+ int rc;
+
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&rec->dev->devPrivates, stateKey);
+
+ /* If this is a new object that needs labeling, do it now */
+ if (rec->access_mode & DixCreateAccess) {
+ sidput(obj->sid);
+
+ /* Perform a transition to obtain the final SID */
+ if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_DEVICE,
+ &obj->sid) < 0) {
+ ErrorF("XSELinux: a compute_create call failed!\n");
+ rec->status = BadValue;
+ return;
+ }
+ }
+
+ rc = SELinuxDoCheck(rec->client, obj, SECCLASS_X_DEVICE,
+ rec->access_mode, &auditdata);
+ if (rc != Success)
+ rec->status = rc;
+}
+
 static void
 SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
@@ -755,7 +785,7 @@ XSELinuxExtensionInit(INITARGS)
 ret &= XaceRegisterCallback(XACE_EXT_DISPATCH, SELinuxExtension, 0);
 ret &= XaceRegisterCallback(XACE_RESOURCE_ACCESS, SELinuxResource, 0);
-// ret &= XaceRegisterCallback(XACE_DEVICE_ACCESS, SELinuxDevice, 0);
+ ret &= XaceRegisterCallback(XACE_DEVICE_ACCESS, SELinuxDevice, 0);
 ret &= XaceRegisterCallback(XACE_PROPERTY_ACCESS, SELinuxProperty, 0);
 // ret &= XaceRegisterCallback(XACE_SEND_ACCESS, SELinuxSend, 0);
 // ret &= XaceRegisterCallback(XACE_RECEIVE_ACCESS, SELinuxReceive, 0);
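Review bot: In the DixCreateAccess branch of SELinuxDevice, `sidput(obj->sid)` releases the device's current SID before `avc_compute_create` has produced a replacement, so when that call fails the function returns `BadValue` with `obj->sid` still pointing at a SID whose reference has been dropped, and a later access check on the same device would run against a label that may already have been freed. Computing the transition result into a local `security_id_t` and releasing the old SID only after success closes that window. The results of the two `dixLookupPrivate` calls are also dereferenced without a NULL check; if a client or device can reach this hook without a state private attached (I cannot confirm that from the hunk), `subj->sid` and `obj->sid` would dereference NULL, so either a guard returning an error status or a comment stating why the lookup cannot fail would help. The registration line enabled in the second hunk makes this hook live, so the create path becomes reachable from device creation.

```c
    /* If this is a new object that needs labeling, do it now */
    if (rec->access_mode & DixCreateAccess) {
        security_id_t newsid;

        /* Perform a transition to obtain the final SID.  Keep the old
         * label until the new one is known so a failure cannot leave
         * obj->sid pointing at a released SID. */
        if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_DEVICE,
                               &newsid) < 0) {
            ErrorF("XSELinux: a compute_create call failed!\n");
            rec->status = BadValue;
            return;
        }
        sidput(obj->sid);
        obj->sid = newsid;
    }
    /* … unchanged: SELinuxDoCheck call and status propagation … */
```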