xserver: Branch 'XACE-SELINUX'
Eamon Walsh
ewalsh at kemper.freedesktop.org
Wed Oct 17 16:22:39 PDT 2007
Xext/xselinux.c | 267 +++++++++++++++++++++++++++++++-------------------------
1 file changed, 150 insertions(+), 117 deletions(-)
New commits:
commit 503f918f55d0cb29585d83b022bbb8dc29f446c5
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Oct 17 19:14:15 2007 -0400
xselinux: Move functions around; add some more comments.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 9ff0554..fc91ae3 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -50,6 +50,11 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <stdarg.h>
#include "modinit.h"
+
+/*
+ * Globals
+ */
+
/* private state record */
static DevPrivateKey stateKey = &stateKey;
@@ -108,6 +113,14 @@ static struct security_class_mapping map[] = {
{ NULL }
};
+/* forward declarations */
+static void SELinuxScreen(CallbackListPtr *, pointer, pointer);
+
+
+/*
+ * Support Routines
+ */
+
/*
* Returns the object class corresponding to the given resource type.
*/
@@ -150,7 +163,6 @@ SELinuxTypeToClass(RESTYPE type)
knownTypes[type] = SECCLASS_X_FONT;
}
-// ErrorF("Returning a class of %d for a type of %d\n", knownTypes[type], type);
return knownTypes[type];
}
@@ -163,8 +175,6 @@ SELinuxDoCheck(ClientPtr client, SELinuxStateRec *obj, security_class_t class,
{
SELinuxStateRec *subj;
-// ErrorF("SuperCheck: client=%d, class=%d, access_mode=%x\n", client->index, class, access_mode);
-
/* serverClient requests OK */
if (client->index == 0)
return Success;
@@ -185,11 +195,101 @@ SELinuxDoCheck(ClientPtr client, SELinuxStateRec *obj, security_class_t class,
return Success;
}
-//static void
-//SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
-//{
-// XaceSelectionAccessRec *rec = calldata;
-//}
+/*
+ * Labels initial server objects.
+ */
+static void
+SELinuxFixupLabels(void)
+{
+ int i;
+ XaceScreenAccessRec srec;
+ SELinuxStateRec *state;
+ security_context_t ctx;
+ pointer unused;
+
+ /* Do the serverClient */
+ state = dixLookupPrivate(&serverClient->devPrivates, stateKey);
+ sidput(state->sid);
+
+ /* Use the context of the X server process for the serverClient */
+ if (getcon(&ctx) < 0)
+ FatalError("Couldn't get context of X server process\n");
+
+ /* Get a SID from the context */
+ if (avc_context_to_sid(ctx, &state->sid) < 0)
+ FatalError("serverClient: context_to_sid(%s) failed\n", ctx);
+
+ freecon(ctx);
+
+ srec.client = serverClient;
+ srec.access_mode = DixCreateAccess;
+ srec.status = Success;
+
+ for (i = 0; i < screenInfo.numScreens; i++) {
+ /* Do the screen object */
+ srec.screen = screenInfo.screens[i];
+ SELinuxScreen(NULL, NULL, &srec);
+
+ /* Do the default colormap */
+ dixLookupResource(&unused, screenInfo.screens[i]->defColormap,
+ RT_COLORMAP, serverClient, DixCreateAccess);
+ }
+}
+
+
+/*
+ * Libselinux Callbacks
+ */
+
+static int
+SELinuxAudit(void *auditdata,
+ security_class_t class,
+ char *msgbuf,
+ size_t msgbufsize)
+{
+ SELinuxAuditRec *audit = auditdata;
+ ClientPtr client = audit->client;
+ char idNum[16], *propertyName;
+ int major = 0, minor = 0;
+ REQUEST(xReq);
+
+ if (audit->id)
+ snprintf(idNum, 16, "%x", audit->id);
+ if (stuff) {
+ major = stuff->reqType;
+ minor = (major < 128) ? 0 : MinorOpcodeOfRequest(client);
+ }
+
+ propertyName = audit->property ? NameForAtom(audit->property) : NULL;
+
+ return snprintf(msgbuf, msgbufsize, "%s%s%s%s%s%s%s%s%s%s%s%s",
+ stuff ? "request=" : "",
+ stuff ? LookupRequestName(major, minor) : "",
+ audit->client_path ? " comm=" : "",
+ audit->client_path ? audit->client_path : "",
+ audit->id ? " resid=" : "",
+ audit->id ? idNum : "",
+ audit->restype ? " restype=" : "",
+ audit->restype ? LookupResourceName(audit->restype) : "",
+ audit->property ? " property=" : "",
+ audit->property ? propertyName : "",
+ audit->extension ? " extension=" : "",
+ audit->extension ? audit->extension : "");
+}
+
+static int
+SELinuxLog(int type, const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ VErrorF(fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+/*
+ * XACE Callbacks
+ */
static void
SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
@@ -418,30 +518,10 @@ SELinuxServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
rec->status = rc;
}
-/* Extension callbacks */
-static void
-SELinuxStateInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
-{
- PrivateCallbackRec *rec = calldata;
- SELinuxStateRec *state = *rec->value;
-
- sidget(unlabeled_sid);
- state->sid = unlabeled_sid;
-
- avc_entry_ref_init(&state->aeref);
-}
-
-static void
-SELinuxStateFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
-{
- PrivateCallbackRec *rec = calldata;
- SELinuxStateRec *state = *rec->value;
- xfree(state->client_path);
-
- if (avc_active)
- sidput(state->sid);
-}
+/*
+ * DIX Callbacks
+ */
static void
SELinuxClientState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
@@ -506,7 +586,6 @@ finish:
freecon(ctx);
}
-/* Labeling callbacks */
static void
SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
@@ -553,113 +632,67 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
FatalError("XSELinux: Unexpected unlabeled window found\n");
}
-/* Extension dispatch functions */
-static int
-ProcSELinuxDispatch(ClientPtr client)
-{
- return BadRequest;
-}
+
+/*
+ * DevPrivates Callbacks
+ */
static void
-SELinuxResetProc(ExtensionEntry *extEntry)
+SELinuxStateInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- /* XXX unregister all callbacks here */
-
- selabel_close(label_hnd);
- label_hnd = NULL;
-
- audit_close(audit_fd);
+ PrivateCallbackRec *rec = calldata;
+ SELinuxStateRec *state = *rec->value;
- avc_destroy();
- avc_active = 0;
+ sidget(unlabeled_sid);
+ state->sid = unlabeled_sid;
- xfree(knownTypes);
- knownTypes = NULL;
- numKnownTypes = 0;
+ avc_entry_ref_init(&state->aeref);
}
-static int
-SELinuxAudit(void *auditdata,
- security_class_t class,
- char *msgbuf,
- size_t msgbufsize)
+static void
+SELinuxStateFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
- SELinuxAuditRec *audit = auditdata;
- ClientPtr client = audit->client;
- char idNum[16], *propertyName;
- int major = 0, minor = 0;
- REQUEST(xReq);
-
- if (audit->id)
- snprintf(idNum, 16, "%x", audit->id);
- if (stuff) {
- major = stuff->reqType;
- minor = (major < 128) ? 0 : MinorOpcodeOfRequest(client);
- }
+ PrivateCallbackRec *rec = calldata;
+ SELinuxStateRec *state = *rec->value;
- propertyName = audit->property ? NameForAtom(audit->property) : NULL;
+ xfree(state->client_path);
- return snprintf(msgbuf, msgbufsize, "%s%s%s%s%s%s%s%s%s%s%s%s",
- stuff ? "request=" : "",
- stuff ? LookupRequestName(major, minor) : "",
- audit->client_path ? " client=" : "",
- audit->client_path ? audit->client_path : "",
- audit->id ? " resid=" : "",
- audit->id ? idNum : "",
- audit->restype ? " restype=" : "",
- audit->restype ? LookupResourceName(audit->restype) : "",
- audit->property ? " property=" : "",
- audit->property ? propertyName : "",
- audit->extension ? " extension=" : "",
- audit->extension ? audit->extension : "");
+ if (avc_active)
+ sidput(state->sid);
}
+
+/*
+ * Extension Dispatch
+ */
+
static int
-SELinuxLog(int type, const char *fmt, ...)
+ProcSELinuxDispatch(ClientPtr client)
{
- va_list ap;
- va_start(ap, fmt);
- VErrorF(fmt, ap);
- va_end(ap);
- return 0;
+ return BadRequest;
}
-static void
-SELinuxFixupLabels(void)
-{
- int i;
- XaceScreenAccessRec srec;
- SELinuxStateRec *state;
- security_context_t ctx;
- pointer unused;
- /* Do the serverClient */
- state = dixLookupPrivate(&serverClient->devPrivates, stateKey);
- sidput(state->sid);
-
- /* Use the context of the X server process for the serverClient */
- if (getcon(&ctx) < 0)
- FatalError("Couldn't get context of X server process\n");
+/*
+ * Extension Setup / Teardown
+ */
- /* Get a SID from the context */
- if (avc_context_to_sid(ctx, &state->sid) < 0)
- FatalError("serverClient: context_to_sid(%s) failed\n", ctx);
+static void
+SELinuxResetProc(ExtensionEntry *extEntry)
+{
+ /* XXX unregister all callbacks here */
- freecon(ctx);
+ selabel_close(label_hnd);
+ label_hnd = NULL;
- srec.client = serverClient;
- srec.access_mode = DixCreateAccess;
- srec.status = Success;
+ audit_close(audit_fd);
- for (i = 0; i < screenInfo.numScreens; i++) {
- /* Do the screen object */
- srec.screen = screenInfo.screens[i];
- SELinuxScreen(NULL, NULL, &srec);
+ avc_destroy();
+ avc_active = 0;
- /* Do the default colormap */
- dixLookupResource(&unused, screenInfo.screens[i]->defColormap,
- RT_COLORMAP, serverClient, DixCreateAccess);
- }
+ xfree(knownTypes);
+ knownTypes = NULL;
+ numKnownTypes = 0;
}
void
More information about the xorg-commit
mailing list