xserver: Branch 'XACE-SELINUX' - 3 commits
Eamon Walsh
ewalsh at kemper.freedesktop.org
Tue Mar 20 02:43:41 EET 2007
Xext/security.c | 43 ++++++++++++++++++++++++++++++-------------
Xext/xace.c | 8 --------
Xext/xace.h | 7 +++----
Xext/xacestr.h | 6 ------
Xext/xselinux.c | 55 ++++++++++++++++++++++++++++++++++++-------------------
dix/window.c | 4 ----
6 files changed, 69 insertions(+), 54 deletions(-)
New commits:
diff-tree 2945deba1d4a7dce4f6dd0c568297a1c537fdfb4 (from 78c962da76efe644b8d485265f1ecdda84b45d27)
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Mon Mar 19 17:09:10 2007 -0400
xace: drop XACE_WINDOW_INIT hook, it has been superseded by ResourceStateCallback.
diff --git a/Xext/xace.c b/Xext/xace.c
index 6fc5c12..ee0f39c 100644
--- a/Xext/xace.c
+++ b/Xext/xace.c
@@ -182,14 +182,6 @@ int XaceHook(int hook, ...)
calldata = &rec;
break;
}
- case XACE_WINDOW_INIT: {
- XaceWindowRec rec = {
- va_arg(ap, ClientPtr),
- va_arg(ap, WindowPtr)
- };
- calldata = &rec;
- break;
- }
case XACE_AUDIT_BEGIN: {
XaceAuditRec rec = {
va_arg(ap, ClientPtr),
diff --git a/Xext/xace.h b/Xext/xace.h
index 7231b04..7360dae 100644
--- a/Xext/xace.h
+++ b/Xext/xace.h
@@ -54,10 +54,9 @@ CONNECTION WITH THE SOFTWARE OR THE USE
#define XACE_DECLARE_EXT_SECURE 11
#define XACE_AUTH_AVAIL 12
#define XACE_KEY_AVAIL 13
-#define XACE_WINDOW_INIT 14
-#define XACE_AUDIT_BEGIN 15
-#define XACE_AUDIT_END 16
-#define XACE_NUM_HOOKS 17
+#define XACE_AUDIT_BEGIN 14
+#define XACE_AUDIT_END 15
+#define XACE_NUM_HOOKS 16
extern CallbackListPtr XaceHooks[XACE_NUM_HOOKS];
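Review bot: Renumbering `XACE_AUDIT_BEGIN`, `XACE_AUDIT_END` and `XACE_NUM_HOOKS` shifts hook indexes 14–16 for anything compiled against the old header. A separately built security module would register its old audit-begin callback (15) on what is now the audit-end hook, and its old audit-end number (16) is now one past the end of `XaceHooks[XACE_NUM_HOOKS]`. Whether XaceRegisterCallback range-checks the hook number is not visible in this diff. A comment above the list would make the contract explicit, for example `/* Hook numbers are not a stable ABI; modules must be rebuilt whenever this list changes. */`.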
diff --git a/Xext/xacestr.h b/Xext/xacestr.h
index 7114d06..bd30883 100644
--- a/Xext/xacestr.h
+++ b/Xext/xacestr.h
@@ -119,12 +119,6 @@ typedef struct {
int count;
} XaceKeyAvailRec;
-/* XACE_WINDOW_INIT */
-typedef struct {
- ClientPtr client;
- WindowPtr pWin;
-} XaceWindowRec;
-
/* XACE_AUDIT_BEGIN */
/* XACE_AUDIT_END */
typedef struct {
diff --git a/dix/window.c b/dix/window.c
index e33140d..02496f5 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -529,8 +529,6 @@ InitRootWindow(WindowPtr pWin)
/* We SHOULD check for an error value here XXX */
(*pScreen->ChangeWindowAttributes)(pWin, backFlag);
- XaceHook(XACE_WINDOW_INIT, serverClient, pWin);
-
MapWindow(pWin, serverClient);
}
@@ -763,8 +761,6 @@ CreateWindow(Window wid, register Window
REGION_NULL(pScreen, &pWin->winSize);
REGION_NULL(pScreen, &pWin->borderSize);
- XaceHook(XACE_WINDOW_INIT, client, pWin);
-
pHead = RealChildHead(pParent);
if (pHead)
{
diff-tree 78c962da76efe644b8d485265f1ecdda84b45d27 (from 6a89106e9c963a495fd40427d242ba0abd44f764)
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Mon Mar 19 17:04:51 2007 -0400
xselinux: use the new ResourceStateCallback instead of the XACE_WINDOW_INIT hook.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 74d4c60..4056d9e 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -1217,26 +1217,34 @@ XSELinuxClientState(CallbackListPtr *pcb
/* Labeling callbacks */
static void
-XSELinuxWindowInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
+XSELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- XaceWindowRec *rec = (XaceWindowRec*)calldata;
+ ResourceStateInfoRec *rec = (ResourceStateInfoRec *)calldata;
+ WindowPtr pWin;
+ ClientPtr client;
security_context_t ctx;
int rc;
- if (HAVESTATE(rec->client)) {
- rc = avc_sid_to_context(SID(rec->client), &ctx);
+ if (rec->type != RT_WINDOW)
+ return;
+
+ pWin = (WindowPtr)rec->value;
+ client = wClient(pWin);
+
+ if (HAVESTATE(client)) {
+ rc = avc_sid_to_context(SID(client), &ctx);
if (rc < 0)
FatalError("XSELinux: Failed to get security context!\n");
- rc = ChangeWindowProperty(rec->pWin, atom_client_ctx, XA_STRING, 8,
+ rc = ChangeWindowProperty(pWin, atom_client_ctx, XA_STRING, 8,
PropModeReplace, strlen(ctx), ctx, FALSE);
freecon(ctx);
}
else
- rc = ChangeWindowProperty(rec->pWin, atom_client_ctx, XA_STRING, 8,
+ rc = ChangeWindowProperty(pWin, atom_client_ctx, XA_STRING, 8,
PropModeReplace, 10, "UNLABELED!", FALSE);
if (rc != Success)
FatalError("XSELinux: Failed to set context property on window!\n");
-} /* XSELinuxWindowInit */
+} /* XSELinuxResourceState */
static char *XSELinuxKeywords[] = {
#define XSELinuxKeywordComment 0
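Review bot: XSELinuxResourceState filters on `rec->type` only and never checks which state transition is being reported. The definition of ResourceStateCallback is outside this diff, but if it also fires when a resource is freed, the handler would call ChangeWindowProperty on a window that is being torn down and take the whole server down through FatalError if that call fails. Checking the record's state field as well would restrict labeling to creation: `if (rec->type != RT_WINDOW || rec->state != ResourceStateAdding) return;`. A one-line comment that `wClient(pWin)` is presumably the client owning the window's ID, so the property carries the owner's context, would also help readers comparing this with the old `rec->client`.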
@@ -1836,6 +1844,8 @@ XSELinuxExtensionInit(INITARGS)
if (!AddCallback(&ClientStateCallback, XSELinuxClientState, NULL))
return;
+ if (!AddCallback(&ResourceStateCallback, XSELinuxResourceState, NULL))
+ return;
/* Create atoms for doing window labeling */
atom_ctx = MakeAtom("_SELINUX_CONTEXT", 16, 1);
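Review bot: The new `AddCallback(&ResourceStateCallback, ...)` failure path returns silently, after ClientStateCallback has been registered and before the XaceRegisterCallback calls further down in XSELinuxExtensionInit. The server would then keep running with no SELinux access hooks installed and no window labels, and nothing is logged. Other failure paths in this file fail closed with FatalError; doing the same here, e.g. `FatalError("XSELinux: Failed to register resource state callback!\n");`, would avoid an unenforced policy going unnoticed. The function body starts and continues outside this hunk.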
@@ -1870,7 +1880,6 @@ XSELinuxExtensionInit(INITARGS)
XaceRegisterCallback(XACE_BACKGRND_ACCESS, XSELinuxBackgrnd, NULL);
XaceRegisterCallback(XACE_DRAWABLE_ACCESS, XSELinuxDrawable, NULL);
XaceRegisterCallback(XACE_PROPERTY_ACCESS, XSELinuxProperty, NULL);
- XaceRegisterCallback(XACE_WINDOW_INIT, XSELinuxWindowInit, NULL);
/* XaceRegisterCallback(XACE_DECLARE_EXT_SECURE, XSELinuxDeclare, NULL);
XaceRegisterCallback(XACE_DEVICE_ACCESS, XSELinuxDevice, NULL); */
diff-tree 6a89106e9c963a495fd40427d242ba0abd44f764 (from fe05ba75a10ec080e7ec34bff6936103185586b3)
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Mon Mar 19 16:51:29 2007 -0400
xselinux + security: remove confusing CALLBACK macro.
diff --git a/Xext/security.c b/Xext/security.c
index 7202d39..98e91ad 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -83,9 +83,6 @@ RESTYPE SecurityAuthorizationResType; /*
static RESTYPE RTEventClient;
-#define CALLBACK(name) static void \
-name(CallbackListPtr *pcbl, pointer nulldata, pointer calldata)
-
/* SecurityAudit
*
* Arguments:
@@ -779,7 +776,9 @@ SecurityDetermineEventPropogationLimits(
* An audit message is generated if access is denied.
*/
-CALLBACK(SecurityCheckDeviceAccess)
+static void
+SecurityCheckDeviceAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceDeviceAccessRec *rec = (XaceDeviceAccessRec*)calldata;
ClientPtr client = rec->client;
@@ -955,7 +954,9 @@ SecurityAuditResourceIDAccess(
* Disallowed resource accesses are audited.
*/
-CALLBACK(SecurityCheckResourceIDAccess)
+static void
+SecurityCheckResourceIDAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceResourceAccessRec *rec = (XaceResourceAccessRec*)calldata;
ClientPtr client = rec->client;
@@ -1114,7 +1115,9 @@ CALLBACK(SecurityCheckResourceIDAccess)
* if it is now zero, the timer for this authorization is started.
*/
-CALLBACK(SecurityClientStateCallback)
+static void
+SecurityClientStateCallback(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
NewClientInfoRec *pci = (NewClientInfoRec *)calldata;
ClientPtr client = pci->client;
@@ -1171,7 +1174,9 @@ CALLBACK(SecurityClientStateCallback)
}
} /* SecurityClientStateCallback */
-CALLBACK(SecurityCheckDrawableAccess)
+static void
+SecurityCheckDrawableAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceDrawableAccessRec *rec = (XaceDrawableAccessRec*)calldata;
@@ -1179,7 +1184,9 @@ CALLBACK(SecurityCheckDrawableAccess)
rec->rval = FALSE;
}
-CALLBACK(SecurityCheckMapAccess)
+static void
+SecurityCheckMapAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata;
WindowPtr pWin = rec->pWin;
@@ -1193,7 +1200,9 @@ CALLBACK(SecurityCheckMapAccess)
rec->rval = FALSE;
}
-CALLBACK(SecurityCheckBackgrndAccess)
+static void
+SecurityCheckBackgrndAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata;
@@ -1201,7 +1210,9 @@ CALLBACK(SecurityCheckBackgrndAccess)
rec->rval = FALSE;
}
-CALLBACK(SecurityCheckExtAccess)
+static void
+SecurityCheckExtAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceExtAccessRec *rec = (XaceExtAccessRec*)calldata;
@@ -1211,7 +1222,9 @@ CALLBACK(SecurityCheckExtAccess)
rec->rval = FALSE;
}
-CALLBACK(SecurityCheckHostlistAccess)
+static void
+SecurityCheckHostlistAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceHostlistAccessRec *rec = (XaceHostlistAccessRec*)calldata;
@@ -1227,7 +1240,9 @@ CALLBACK(SecurityCheckHostlistAccess)
}
}
-CALLBACK(SecurityDeclareExtSecure)
+static void
+SecurityDeclareExtSecure(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XaceDeclareExtSecureRec *rec = (XaceDeclareExtSecureRec*)calldata;
@@ -1692,7 +1707,9 @@ SecurityMatchString(
#endif
-CALLBACK(SecurityCheckPropertyAccess)
+static void
+SecurityCheckPropertyAccess(CallbackListPtr *pcbl, pointer unused,
+ pointer calldata)
{
XacePropertyAccessRec *rec = (XacePropertyAccessRec*)calldata;
ClientPtr client = rec->client;
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index ab4827e..74d4c60 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -503,8 +503,6 @@ FreeClientState(ClientPtr client)
#define IDPERM(client, req, field, class, perm) \
(REQUEST_SIZE_CHECK(client,req) && \
IDPerm(client, SwapXID(client,((req*)stuff)->field), class, perm))
-#define CALLBACK(name) static void \
-name(CallbackListPtr *pcbl, pointer nulldata, pointer calldata)
static int
CheckSendEventPerms(ClientPtr client)
@@ -632,7 +630,8 @@ CheckSetSelectionOwnerPerms(ClientPtr cl
return rval;
}
-CALLBACK(XSELinuxCoreDispatch)
+static void
+XSELinuxCoreDispatch(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceCoreDispatchRec *rec = (XaceCoreDispatchRec*)calldata;
ClientPtr client = rec->client;
@@ -1017,7 +1016,8 @@ CALLBACK(XSELinuxCoreDispatch)
rec->rval = FALSE;
}
-CALLBACK(XSELinuxExtDispatch)
+static void
+XSELinuxExtDispatch(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceExtAccessRec *rec = (XaceExtAccessRec*)calldata;
ClientPtr client = rec->client;
@@ -1058,7 +1058,8 @@ CALLBACK(XSELinuxExtDispatch)
ErrorF("No client state in extension dispatcher!\n");
} /* XSELinuxExtDispatch */
-CALLBACK(XSELinuxProperty)
+static void
+XSELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XacePropertyAccessRec *rec = (XacePropertyAccessRec*)calldata;
WindowPtr pWin = rec->pWin;
@@ -1106,7 +1107,8 @@ CALLBACK(XSELinuxProperty)
sidput(propsid);
} /* XSELinuxProperty */
-CALLBACK(XSELinuxResLookup)
+static void
+XSELinuxResLookup(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceResourceAccessRec *rec = (XaceResourceAccessRec*)calldata;
ClientPtr client = rec->client;
@@ -1147,7 +1149,8 @@ CALLBACK(XSELinuxResLookup)
rec->rval = FALSE;
} /* XSELinuxResLookup */
-CALLBACK(XSELinuxMap)
+static void
+XSELinuxMap(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata;
if (!IDPerm(rec->client, rec->pWin->drawable.id,
@@ -1155,7 +1158,8 @@ CALLBACK(XSELinuxMap)
rec->rval = FALSE;
} /* XSELinuxMap */
-CALLBACK(XSELinuxBackgrnd)
+static void
+XSELinuxBackgrnd(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata;
if (!IDPerm(rec->client, rec->pWin->drawable.id,
@@ -1163,7 +1167,8 @@ CALLBACK(XSELinuxBackgrnd)
rec->rval = FALSE;
} /* XSELinuxBackgrnd */
-CALLBACK(XSELinuxDrawable)
+static void
+XSELinuxDrawable(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceDrawableAccessRec *rec = (XaceDrawableAccessRec*)calldata;
if (!IDPerm(rec->client, rec->pDraw->id,
@@ -1171,7 +1176,8 @@ CALLBACK(XSELinuxDrawable)
rec->rval = FALSE;
} /* XSELinuxDrawable */
-CALLBACK(XSELinuxHostlist)
+static void
+XSELinuxHostlist(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceHostlistAccessRec *rec = (XaceHostlistAccessRec*)calldata;
access_vector_t perm = (rec->access_mode == DixReadAccess) ?
@@ -1182,7 +1188,8 @@ CALLBACK(XSELinuxHostlist)
} /* XSELinuxHostlist */
/* Extension callbacks */
-CALLBACK(XSELinuxClientState)
+static void
+XSELinuxClientState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
NewClientInfoRec *pci = (NewClientInfoRec *)calldata;
ClientPtr client = pci->client;
@@ -1209,7 +1216,8 @@ CALLBACK(XSELinuxClientState)
} /* XSELinuxClientState */
/* Labeling callbacks */
-CALLBACK(XSELinuxWindowInit)
+static void
+XSELinuxWindowInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceWindowRec *rec = (XaceWindowRec*)calldata;
security_context_t ctx;