Commit Graph

20694 Commits

Author SHA1 Message Date
Enrico Weigelt, metux IT consult f5f45fae5e Xnamespace: whitelist access to some server resources
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:57 +02:00
Enrico Weigelt, metux IT consult 0de8d77da5 Xnamespace: whitelist some XI operations
Whitelisting some XI operations in various hooks.

Note that some additional filtering needs to be done in send or
receive hook in order to prevent clients from receiving possibly sensitive
input data from the root window.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:57 +02:00
Enrico Weigelt, metux IT consult b215e1b11c Xnamespace: filter access on other clients
Restrict access to other clients within same namespace.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:57 +02:00
Enrico Weigelt, metux IT consult c78f53baa4 Xnamespace: filter client-to-client message sending
Filter message sending by clients. Only sending within the same
namespace is allowed (except for clients in a NS with superpowers,
e.g. root)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:57 +02:00
Enrico Weigelt, metux IT consult 179952577f Xnamespace: filter server access
Whitelisting several server access calls that are safe, rejecting the rest.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:57 +02:00
Enrico Weigelt, metux IT consult 856656fa2b Xnamespace: filter device access
Filter device access, whitelist several commonly used operations that
should be safe (eg. query keyboard layout).

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult b8e375641a Xnamespace: whitelist access to namespace virtual root window
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 797bb1fc02 Xnamespace: whitelist certain operations on (real) root window
CreateWindow() needs access to root window, in order to create
top level windows. Whitelisting this operation.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult d00e191dcd Xnamespace: whitelist resource access for serverClient
The server itself is allowed to access anything w/o restrictions.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult d9d47ec8a1 Xnamespace: whitelist resource access within same namespace
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 140105dcf0 Xnamespace: filter transparency
Silently drop transparency flag if namespace isn't allowed to use it.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult bc3c3481c1 Xnamespace: filter extension access
Whitelist several extension calls that are safe. Also allow namespaces
to be configured for unrestricted access.

TBD: doesn't actually reject yet

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 42f7918a23 Xnamespace: filter raw mouse motion and keyboard access
Only namespaces with allowMouseOption flag enabled can receive
raw mouse motion events. Raw key press events are always blocked.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult d158f18a31 Xnamespace: isolate root window property access
Redirecting access to root window properties to the per-namespace
virtual root windows. This isolates a lot of communication via root
window, e.g. the cut buffers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult a3307c656b Xnamespace: create per-namespace fake root windows
For each namespace creating a fake (invisible) root window, which can be
used for storing per-namespace properties (eg. cut buffers), etc.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 2edc4e39fc Xnamespace: add selection isolation
Selection names (as seen by the client) are internally prefixed with the
namespace ID, so each client can only access those within its namespace.

If a client within namespace "foo" wants to operate on "PRIMARY",
it actually will be doing so on "<foo>PRIMARY", w/o ever noticing it.
Events will be sent back to the client still pointing to "PRIMARY".

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 500ad18ebe Xnamespace: assign incoming clients to namespaces
The association is done by matching client's and namespace's
authentication token.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 7ba5730550 Xnamespace: add basic namespace config structures
Adding data structure and initial data for namespace configuration.

Built-in namespaces are ROOT and ANONYMOUS.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 8ff782af40 Xnamespace: namespace extension skeleton
Add tiny skeleton for the namespace extension. Disabled by default,
can be enabled via +extension arg, but doesn't actually do anything yet.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 62ae266841 Xi: allow hooks to silently ignore SelectEvents request
When looking up the window to select on and security hook returns
BadAccess, the request is just silently ignored, instead of rejected.

This way, security hook can prevent untrusted clients from listening on
arbitrary windows, without the client even noticing. The client won't
get this BadAccess error, but instead thinks everything's fine,
just not getting the actual events.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 79157e95d9 include: list.h: add duplicate checking add/append functions
Simplify cases where callers need to check whether an entry already is
in a list before adding / appending.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult c09748c0c9 include: list.h: add xorg_list_present()
This function walks through the list and checks whether an entry is already
present. This check sometimes is necessary, since trying to add an entry
twice has catastrophic consequences: iteration will become an endless loop.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 765c034845 include: list.h: allow zero-initialization of struct xorg_list
Up until now, xorg_list's always need to be explicitly initialized by
calling xorg_list_init(), otherwise next access attempt will segfault.
This is adding extra complexity and risk of subtle bugs.

Adding some extra NULL checks is trivial and their cost is so tiny
that it's even hard to practically measure.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 64f16b4c22 include: list.h: document things that must not be done
Add some warnings that list entries must not be added twice.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult af579756e9 include: list.h: fix inline docs for xorg_list_append()
The docs stated it's prepending, while it's actually appending.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 3c228e9e91 dix: helper for checking whether window ID belongs to a root window
This helper checks whether a given XID belongs to some screen's
root window. It does so by looking up the window and comparing that
with the window's screen's root window pointer. The resource lookup
is intentionally being done on behalf of the serverClient, so the fired
XACE hook doesn't treat it as an actual client's request.

It's explicitly designed for being used by callback handlers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult a11d62d51f dix: helper for retrieving client owning a XID
Add a little helper that's looking up the ClientPtr to the client
of the owner of given XID. The lookup is solely done on the ID space,
the actual resource doesn't even need to exist.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 16461ea12a dix: add selection filtering hooks
Add hooks for filtering and fully rewrite selection requests
and events (what existing XACE hooks cannot do), e.g. for supporting
separate selection name spaces.

The hook can change individual fields in the parameter struct, so
operation continues with these changed values (eg. replace the original
selection name atom by a different one). It's also possible to stop
operations completely (with given result code) - in that case the
hook needs to take care of the remaining work to do (eg. sending events)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 3dd9ac31d9 dix: add dixAllocServerXID()
Adding a separate function for allocating server-client's XIDs.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 7eed2c1bb7 dix: refine docs on DeliverDeviceEvents()
Adding a bit more explanation on how events are passed upwards.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult e2a374074c dix: hook for intercepting window property calls
This hook allows extensions to intercept client requests for changing
window attributes. It can either change the parameters or skip the
entire call (eg. handle all itself) so just the hook provided result
code is returned to the client.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 2cc51aaf5f dix: clean up MakeWindowOptional() calls and add alloc fault checks
a) no need to check for win->optional == NULL before calling
   MakeWindowOptional(), because it checks itself
   (except some cases where its presence has its own semantics,
   or prevent unnecessary allocations)
b) lots of call sites didn't check for allocation failure.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 1cd1170599 dix: unexport MakeWindowOptional()
Really internal, should not be used by drivers.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 47b9e71ab3 dix: registry: add LookupDixAccessName()
Helper for converting Xace access masks to human-readable text.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 7dda656db7 dix: add callback for post root window init
Allow extensions to catch in right after a screen's root window has
been finally initialized

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:56 +02:00
Enrico Weigelt, metux IT consult 709b2d005a mi: mark miWindowExposures() and miExpandDirectColors() exported
These are used by the in-tree libwfb.so module. As long as this is a shared
object, instead of being directly linked into the executable, these symbols
need to be in the executable's symbol table. Nevertheless, they're not making
them part of the public SDK/module ABI, unless there's a really hard reason.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 16:06:50 +02:00
Enrico Weigelt, metux IT consult 65034050f6 meson_options: disable Xwayland by default
Xwayland is a separate project/team and has its own releases, so it's better
trying not to interfere with them and disable it by default.

It still can be easily enabled via meson arguments, and it's still enabled
in the CI. Let distros and operators decide on their own whether they want it.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 15:36:09 +02:00
Enrico Weigelt, metux IT consult 018703ce07 randr: re-export RRTransformSetFilter() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 15:36:04 +02:00
Enrico Weigelt, metux IT consult 71242d24bc randr: re-export RRClientKnowsRates() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 15:36:00 +02:00
Enrico Weigelt, metux IT consult bebc7c0f8e randr: re-export RRProviderSetCapabilities() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 15:35:55 +02:00
Enrico Weigelt, metux IT consult 0523adf6d0 randr: re-export RRProviderCreate() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 15:35:50 +02:00
Enrico Weigelt, metux IT consult 358853f35d randr: re-export RRCrtcDetachScanoutPixmap() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 15:35:45 +02:00
Enrico Weigelt, metux IT consult 8141970be4 randr: re-export RRCrtcGetTransform() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-05 15:35:41 +02:00
Enrico Weigelt, metux IT consult 30e59a9f4f xfree86: add per major-version driver/module subdirectories
Modules are now placed into a sub-directory by major Xserver release,
so we have less hassle with trying to load drivers w/ incompatible ABI.

The legacy directories are still searched (after the versioned ones)
for backwards compat with badly maintained proprietary drivers (Nvidia).

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-04 20:08:14 +02:00
Enrico Weigelt, metux IT consult c4b0a77713 Revert "(!1991) xfree86: xf86Option: unexport xf86MarkOptionUsedByName()"
Reverting commit 63c8a689c3 on request by Nvidia
(proprietary driver)

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-04 20:08:14 +02:00
Enrico Weigelt, metux IT consult ae632dac9b randr: re-export RRCrtcGetScanoutSize() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-04 20:08:14 +02:00
Enrico Weigelt, metux IT consult 15716c7a9b randr: re-export RROutputSetNonDesktop() for Nvidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs this function for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-04 20:08:14 +02:00
Enrico Weigelt, metux IT consult 683691ff85 randr: re-export some resource type fields for NVidia legacy
NVidia's proprietary driver does its own randr implementation (why ?)
and needs those fields for this.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-04 20:08:14 +02:00
Enrico Weigelt, metux IT consult 085ca43c0c xfree86: compat: re-export MarkClientException() for horribly maintained Nvidia
NVidia yet again doing crazy shit in their proprietary drivers:

This is a DIX-*internal* function for triggering client teardown when
connection broke or somehow lack of resources to accept new connections.
Video drivers have no business with that whatsoever - having them messing
with client connections is just insane.

But still trying to be kind with Nvidia victims, thus adding a little wrapper
function under the old name. It spills out a log warning calling users to file
bug reports with their driver vendor.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-04 20:08:14 +02:00
Enrico Weigelt, metux IT consult 76c976eda6 dix: rename MarkClientException() to dixMarkClientException()
DIX functions should have proper naming.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
2025-06-04 20:08:14 +02:00