Commit Graph

19512 Commits

Author SHA1 Message Date
Enrico Weigelt, metux IT consult 9225a25b59 Xnamespace: whitelist some XI operations
Whitelisting some XI operations in various hooks.

Note that some additional filtering needs to be done in send or
receive hook in order to prevent clients from receiving possibly sensible
input data from the root window.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 4e26000641 Xnamespace: filter access on other clients
Restrict access to other clients within same namespace.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 2ccb405593 Xnamespace: filter client-to-client message sending
Filter message sending by clients. Only sending within the same
namespace is allowed (except for clients in a NS with superpowers,
e.g. root)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 6b7fc78a6a Xnamespace: filter server access
Whitelisting several server access calls that are safe, rejecting the rest.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult ab9b93168e Xnamespace: filter device access
Filter device access, whitelist several commonly used operations that
should be safe (eg. query keyboard layout).

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 5a21fb3d89 Xnamespace: whitelist access to namespace virtual root window
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 3414e41b0e Xnamespace: whitelist certain operations on (real) root window
CreateWindow() needs access to root window, in order to create
top level windows. Whitelisting this operation.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 4b3f284c04 Xnamespace: whitelist resource access for serverClient
The server itself is allowed to access anything w/o restrictions.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult fa0fca73c6 Xnamespace: whitelist resource access within same namespace
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult b48aca8539 Xnamespace: filter transparency
Silently drop transparency flag if namespace isn't allowed to use it.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 856b0e0292 Xnamespace: filter extension access
Whitelist several extension calls that are safe. Also allow namespaces
to be configured for unrestricted access.

TBD: doesn't actually reject yet

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 20ccb6ec9d Xnamespace: filter raw mouse motion and keyboard access
Only namespaces with allowMouseOption flag enabled can receive
raw mouse motion events. Raw key press events are always blocked.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult c281a8a44f Xnamespace: isolate root window property access
Redirecting access to root window properties to the per-namespace
virtual root windows. This isolates a lot of communication via root
window, e.g. the cut buffers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 6646a7b4f3 Xnamespace: create per-namespace fake root windows
For each namespace creating a fake (invisible) root window, which can be
used for storing per-namespace properties (eg. cut buffers), etc.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 13f0e53659 Xnamespace: add selection isolation
Selection names (as seen by the client) are internally prefixed with the
namespace ID, so each client can only access those within its namespace.

If a client within namespace "foo" wants to operate on "PRIMARY",
it actually will be doing so on "<foo>PRIMARY", w/o ever noticing it.
Events will be sent back to the client still pointing to "PRIMARY".

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 0398858521 Xnamespace: assign incoming clients to namespaces
The association is done by matching client's and namespace's
authentication token.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 33a66a7810 Xnamespace: add per-client private data
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult bc4c35d045 Xnamespace: add basic namespace config structures
Adding data structure and initial data for namespace configuration.

Built-in namespaces are ROOT and ANONYMOUS.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult f6e190f3a9 Xnamespace: namespace extension skeleton
Add tiny skeleton for the namespace extension. Disabled by default,
can be enabled via +extension arg, but doesn't actually do something yet.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 425bfab6cb Xi: allow hooks to silently ignore SelectEvents request
When looking up the window to select on and security hook returns
BadAccess, the request is just silently ignored, instead of rejected.

This way, security hook can prevent untrusted clients from listening on
arbitrary windows, without the client even noticing. The client won't
get this BadAccess error, but instead thinks everything's fine,
just not getting the actual events.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult b3d6fd7613 include: list.h: add duplicate checking add/append functions
Simplify cases where callers need to check whether an entry already is
in a list before adding / appending.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 5a1d3a0813 include: list.h: add xorg_list_present()
This function walks through the list and checks whether an entry is already
present. This check sometimes is necessary, since trying to add an entry
twice has catastrophic consequences: iteration will become an endless loop.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult d39722d416 include: list.h: allow zero-initialization of struct xorg_list
Up until now, xorg_list's always need to be explicitly initialized by
calling xorg_list_init(), otherwise next access attempt will segfault.
This is adding extra complexity and risk of subtle bugs.

Adding some extra NULL checks is trivial and their cost is so tiny
that it's even hard to practically measure.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 9c36dfcaa2 include: list.h: document things that must not be done
Add some warnings that list entries must not be added twice.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 46e35287bc include: list.h: fix inline docs for xorg_list_append()
The docs stated it's prepending, while it's actually appending.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult d3750f0a3a dix: helper for checking whether window ID belongs to a root window
This helper checks whether a given XID belongs to some screen's
root window. It does so by looking up the window and comparing that
with the window's screen's root window pointer. The resource lookup
is intentionally being on behalf of the serverClient, so the fired
XACE hook doesn't treat it as an actual client's request.

It's explicitly designed for being used by callback handlers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult be465abc36 dix: helper for retrieving client owning a XID
Add a little helper that's looking up the ClientPtr to the client
of the owner of given XID. The lookup is solely done on the ID space,
the actual resource doesn't even need to exist.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 8a3401c94c dix: add selection filtering hooks
Add hooks for filtering and fully rewrite selection requests
and events (what existing XACE hooks cannot do), e.g. for supporting
separate selection name spaces.

The hook can change individual fields in the parameter struct, so
operation continues with these changed values (eg. replace the original
selection name atom by a different one). It's also possible to stop
operations completely (with given result code) - in that case the
hook needs to take care of the remaining work to do (eg. sending events)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 824a78e8fc dix: add dixAllocServerXID()
Adding a separate function for allocating server-client's XIDs.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult d6d510ca61 dix: refine docs on DeliverDeviceEvents()
Adding a bit more explanation on how events are passed upwards.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 09781e8710 dix: hook for intercepting window property calls
This hook allows extensions to intercept client requests for changing
window attributes. It can either change the parameters or skip the
entire call (eg. handle all itself) so just the hook provided result
code is returned to the client.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 28b7bdf84a dix: clean up MakeWindowOptional() calls and add alloc fault checks
a) no need to check for win->optional == NULL before calling
   MakeWindowOptional(), because it checks itself
   (except some cases where its presence has its own semantics,
   or prevent unnecessary allocations)
b) lots of call sites didn't check for allocation failure.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 3d53ec7ed3 dix: unexport MakeWindowOptional()
Really internal, should not be used by drivers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 08cca901d4 dix: window: use calloc() instead of malloc()
In general safer programming practice to always zero-out newly
allocated chunks.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult f16d448722 dix: registry: add LookupDixAccessName()
Helper for converting Xace access masks to human-readable text.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 154ed75e5c dix: add callback for post root window init
Allow extensions to catch in right after a screen's root window has
been finally initialized

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 029f965dd9 (!1867) dix: unexport and rename CreateWindow()
a) an internal function that's not used by any drivers
b) conflicting with function/define of same name on win32

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult aa7b846c80 (!1871) damage: fix resource access flag on destroy
When destroying a resource, the lookup needs to be done with
DixDestroyAccess (instead of DixWriteAccess) flag - otherwise
xace hooks can't properly differentiate what's happening.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Fixes: 6c46645cfc
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 3b4997b2eb (!1880) Xi: use fixed define for extension base opcode
Several places outside Xi (eg. dix, security hooks, ...) need to know the
actual XI base opcode. This formerly had been done by a global variable,
which is filled on XI init. This has some drawbacks, eg. requires that
XI really is initialized before anybody else attempting to access this
variable - changes in extension init order could be dangerous.

Since extension opcodes are now (compile-time) fixed for all known
extensions (including XI), this isn't needed anymore. We can really
rely on the XI extension always having the same opcode base. So we
can drop that variable entirely and use the corresponding define instead.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult bb77b8406d (!1880) dix: reserve fixed extension opcodes for known extensions
Assign fixed opcodes for known (in-tree) extensions and add
defines for them. Other places (eg. security extensions) that
need to know those opcodes now can directly use those defines
not having to look them up at runtime.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 8d29cb9f68 (!1880) dix: add support for reserved extension slots
In order to allow extensions being registered at fixed opcodes,
there needs to be a reserved slot range. Thus `NumExtensions` needs
to start out with the upper ceiling of the reserved slot space.
Thus it cannot tell whether the array already had been allocated,
and some slots now may be NULL, so we need some extra checks.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 13a9436a85 (!1880) dix: AddExtension: simplify error return path
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 49faf3ca53 (!1880) dix: simplify extension query
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult c8604a144d (!1888) present: simplify dispatching
Using simple case statements with actual opcode define's instead
of call vector arrays where the exact order matters.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 3aee9faba7 (!1901) os: auth: protect against duplicate auth keys
Protect the Add() proto funcs from adding duplicate auth keys.
If adding a duplicate is attempted, the XID of the already
existing one is returned instead.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult a901def824 (!1901) os: xdmcp: simplify AddAuth handler call
No need for loading the address into temporary variable and later doing
indirect call, since we can easily do direct call in each branch.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 080ed7afbf (!1901) os: auth: let GenerateAuthorization() return 0 on error
XID = 0 already is used as sign for error in several places,
so let's use that here, too.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult b303527705 (!1901) os: auth: generate XIDs in proto funcs only on success
Generate the auth object XIDs inside the proto funcs and only
on success, so we don't unnecessarily allocate XIDs.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult 4e635978bb (!1901) os: auth: move GenerateRandomData() and make it static
Only used in mitauth.c, so we can move it there and make it static.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00
Enrico Weigelt, metux IT consult ab87d0ea7a (!1901) os: auth: factor out auth proto names into defines
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-30 20:39:05 +02:00