From f343265a289724c81017f089c024a7618267c4e3 Mon Sep 17 00:00:00 2001 From: Eamon Walsh Date: Fri, 15 Feb 2008 19:53:45 -0500 Subject: [PATCH] XACE: Make the default window background state configurable per-window. To recap: the original XC-SECURITY extension disallowed background "None" if the window was untrusted. XACE 1.0 preserved this check as a hook function. XACE pre-2.0 removed the hook and first abolished background "None entirely, then restored it as a global on/off switch in response to Bug #13683. Now it's back to being per-window, via a flag instead of a hook function. --- Xext/security.c | 5 +++++ Xext/xace.h | 4 ++-- dix/window.c | 9 +++++---- include/windowstr.h | 1 + 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/Xext/security.c b/Xext/security.c index a3cde2cec..27ef38205 100644 --- a/Xext/security.c +++ b/Xext/security.c @@ -810,6 +810,11 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata) subj = dixLookupPrivate(&rec->client->devPrivates, stateKey); obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey); + /* disable background None for untrusted windows */ + if ((requested & DixCreateAccess) && (rec->rtype == RT_WINDOW)) + if (subj->haveState && subj->trustLevel != XSecurityClientTrusted) + ((WindowPtr)rec->res)->forcedBG = TRUE; + /* special checks for server-owned resources */ if (cid == 0) { if (rec->rtype & RC_DRAWABLE) diff --git a/Xext/xace.h b/Xext/xace.h index 2016ca322..1f07d9fd2 100644 --- a/Xext/xace.h +++ b/Xext/xace.h @@ -31,7 +31,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include "property.h" /* Default window background */ -#define XaceBackgroundNoneState None +#define XaceBackgroundNoneState(w) ((w)->forcedBG ? BackgroundPixel : None) /* security hooks */ /* Constants used to identify the available security hooks 
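Review bot: The new block in SecurityResource nests two unbraced `if` statements and casts `rec->res` to `WindowPtr` without saying why the resource is already a usable window at this point in the hook. I would fold it into one braced condition, `if ((requested & DixCreateAccess) && rec->rtype == RT_WINDOW && subj->haveState && subj->trustLevel != XSecurityClientTrusted) {`, so a later edit cannot attach an `else` to the wrong level. The comment could also carry the reason, for example `/* background None leaves the area unpainted, so earlier screen contents stay visible inside the window */`. The flag is decided once, on create access; if that is the intended lifetime it deserves a word in the same comment. SecurityResource begins and ends outside the hunk.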
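Review bot: The comment `/* Default window background */` above `XaceBackgroundNoneState(w)` no longer describes the macro, which now returns a per-window value rather than a constant. Something like `/* State used when background None is requested: BackgroundPixel if the window has forcedBG set, otherwise None */` would match the new behaviour. The same stale comment sits above the non-XACE definition in the hunk at `@@ -100,7 +100,7 @@`, where the macro ignores `w` entirely; a note there that the argument is deliberately unused would help.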
@@ -100,7 +100,7 @@ extern void XaceCensorImage( #else /* XACE */ /* Default window background */ -#define XaceBackgroundNoneState None +#define XaceBackgroundNoneState(w) None /* Define calls away when XACE is not being built. */ diff --git a/dix/window.c b/dix/window.c index 70e32fbcf..9975b5eec 100644 --- a/dix/window.c +++ b/dix/window.c @@ -291,6 +291,7 @@ SetWindowToDefaults(WindowPtr pWin) pWin->dontPropagate = 0; pWin->forcedBS = FALSE; pWin->redirectDraw = RedirectDrawNone; + pWin->forcedBG = FALSE; } static void @@ -702,8 +703,8 @@ CreateWindow(Window wid, WindowPtr pParent, int x, int y, unsigned w, return NullWindow; } - pWin->backgroundState = XaceBackgroundNoneState; - pWin->background.pixel = 0; + pWin->backgroundState = XaceBackgroundNoneState(pWin); + pWin->background.pixel = pScreen->whitePixel; pWin->borderIsPixel = pParent->borderIsPixel; pWin->border = pParent->border; @@ -1014,8 +1015,8 @@ ChangeWindowAttributes(WindowPtr pWin, Mask vmask, XID *vlist, ClientPtr client) if (!pWin->parent) MakeRootTile(pWin); else { - pWin->backgroundState = XaceBackgroundNoneState; - pWin->background.pixel = 0; + pWin->backgroundState = XaceBackgroundNoneState(pWin); + pWin->background.pixel = pScreen->whitePixel; } } else if (pixID == ParentRelative) diff --git a/include/windowstr.h b/include/windowstr.h index a16132458..e06a2f1bd 100644 --- a/include/windowstr.h +++ b/include/windowstr.h @@ -159,6 +159,7 @@ typedef struct _Window { unsigned dontPropagate:3;/* index into DontPropagateMasks */ unsigned forcedBS:1; /* system-supplied backingStore */ unsigned redirectDraw:2; /* COMPOSITE rendering redirect */ + unsigned forcedBG:1; /* must have an opaque background */ } WindowRec; /*
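Review bot: The added `pWin->forcedBG = FALSE;` in SetWindowToDefaults introduces an ordering requirement that is not written down anywhere in the hunk. The security hook sets the flag during the create-access check, so this reset has to run before that check; if it ran afterwards the flag would be lost and the window would fall back to background None. The CreateWindow hunk reads the flag just after a `return NullWindow;` error path, which suggests the order is correct, but the call sites are outside these hunks. A comment such as `/* may be set by an XACE resource hook; must be cleared before the create-access check runs */` would make the dependency explicit.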
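Review bot: Only the `None` branch in ChangeWindowAttributes honours `forcedBG`; the `else if (pixID == ParentRelative)` branch, visible as the last context line of the hunk at `@@ -1014,8 +1015,8 @@`, is unchanged. A flagged window that selects ParentRelative may therefore still have no opaque background of its own when its parent's background is None. Whether that case is reachable depends on code outside the hunk, so it should be checked, and if ParentRelative is meant to stay allowed a comment saying so belongs next to that branch. The same two assignments are repeated in the CreateWindow hunk at `@@ -702,8 +703,8 @@`; a small static helper would keep the two sites from drifting apart. ChangeWindowAttributes starts and ends outside the hunk.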