xserver: Branch 'XACE-SELINUX' - 2 commits

Eamon Walsh ewalsh at kemper.freedesktop.org
Wed Oct 24 17:00:21 PDT 2007


 Xext/xselinux.c |   51 ++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 17 deletions(-)

New commits:
commit 4b05f19cb9e42d8c8eff5ca4e463f5bc2a05433d
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Wed Oct 24 19:59:58 2007 -0400

    xselinux: Introduce a type transition when labeling events.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 8361011..cb62cb9 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -194,7 +194,8 @@ SELinuxSelectionToSID(Atom selection, SELinuxStateRec *sid_return)
  * Looks up the SID corresponding to the given event type
  */
 static int
-SELinuxEventToSID(unsigned type, SELinuxStateRec *sid_return)
+SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
+		  SELinuxStateRec *sid_return)
 {
     const char *name = LookupEventName(type);
     security_context_t con;
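Review bot: The header comment above the signature (`Looks up the SID corresponding to the given event type`) no longer describes the function: with the new `sid_of_window` parameter the result is a computed transition rather than a plain lookup, and the new parameter is undocumented. I would reword it to `Looks up the base SID for the given event type, then computes the type transition against sid_of_window; sid_return->sid receives the resulting SID` and add `@param sid_of_window  SID of the window the event is sent to or received on`. The two callers changed in this commit pass `obj->sid`; in SELinuxSend the surrounding code has a `rec->dev` branch (outside the hunk), so if `obj` can also hold device-derived state there the parameter name overstates what it receives and should be checked. SELinuxEventToSID's body continues past this hunk.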
@@ -212,7 +213,7 @@ SELinuxEventToSID(unsigned type, SELinuxStateRec *sid_return)
     }
 
     if (!knownEvents[type]) {
-	/* Look in the mappings of property names to contexts */
+	/* Look in the mappings of event names to contexts */
 	if (selabel_lookup(label_hnd, &con, name, SELABEL_X_EVENT) < 0) {
 	    ErrorF("XSELinux: an event label lookup failed!\n");
 	    return BadValue;
@@ -225,7 +226,13 @@ SELinuxEventToSID(unsigned type, SELinuxStateRec *sid_return)
 	freecon(con);
     }
 
-    sid_return->sid = knownEvents[type];
+    /* Perform a transition to obtain the final SID */
+    if (avc_compute_create(sid_of_window, knownEvents[type], SECCLASS_X_EVENT,
+			   &sid_return->sid) < 0) {
+	ErrorF("XSELinux: a compute_create call failed!\n");
+	return BadValue;
+    }
+
     return Success;
 }
 
@@ -522,7 +529,7 @@ SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     for (i = 0; i < rec->count; i++) {
 	SELinuxStateRec ev_sid;
 
-	rc = SELinuxEventToSID(rec->events[i].u.u.type, &ev_sid);
+	rc = SELinuxEventToSID(rec->events[i].u.u.type, obj->sid, &ev_sid);
 	if (rc != Success)
 	    goto err;
 
@@ -558,7 +565,7 @@ SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     for (i = 0; i < rec->count; i++) {
 	SELinuxStateRec ev_sid;
 
-	rc = SELinuxEventToSID(rec->events[i].u.u.type, &ev_sid);
+	rc = SELinuxEventToSID(rec->events[i].u.u.type, obj->sid, &ev_sid);
 	if (rc != Success)
 	    goto err;
 
commit 0d2ef187e77b12713d2a9661932fa01dba58a945
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Wed Oct 24 18:23:31 2007 -0400

    xselinux: Add audit message fields for selection and event names.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index f11bc1a..8361011 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -83,7 +83,9 @@ typedef struct {
     char *command;	/* client's executable path */
     unsigned id;	/* resource id, if any */
     int restype;	/* resource type, if any */
+    int event;		/* event type, if any */
     Atom property;	/* property name, if any */
+    Atom selection;	/* selection name, if any */
     char *extension;	/* extension name, if any */
 } SELinuxAuditRec;
 
@@ -413,7 +415,7 @@ SELinuxAudit(void *auditdata,
 {
     SELinuxAuditRec *audit = auditdata;
     ClientPtr client = audit->client;
-    char idNum[16], *propertyName;
+    char idNum[16], *propertyName, *selectionName;
     int major = -1, minor = -1;
 
     if (client) {
@@ -427,8 +429,9 @@ SELinuxAudit(void *auditdata,
 	snprintf(idNum, 16, "%x", audit->id);
 
     propertyName = audit->property ? NameForAtom(audit->property) : NULL;
+    selectionName = audit->selection ? NameForAtom(audit->selection) : NULL;
 
-    return snprintf(msgbuf, msgbufsize, "%s%s%s%s%s%s%s%s%s%s%s%s",
+    return snprintf(msgbuf, msgbufsize, "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
 		    (major >= 0) ? "request=" : "",
 		    (major >= 0) ? LookupRequestName(major, minor) : "",
 		    audit->command ? " comm=" : "",
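Review bot: `selectionName` can be NULL even when `audit->selection` is non-zero, because NameForAtom returns NULL for an atom it cannot resolve, and the ternary in the next hunk (`audit->selection ? selectionName : ""`) then passes that NULL to a `%s` conversion, which is undefined behaviour in snprintf (glibc's "(null)" substitution is not something an audit path should rely on). The pre-existing `propertyName` line has the same exposure. I would normalise right after the lookup, `if (!selectionName) selectionName = "";`, or guard the use with `audit->selection && selectionName ? selectionName : ""`, so a stale or malformed atom degrades to an empty audit field rather than a crash. SELinuxAudit's body spans this hunk and the next.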
@@ -437,8 +440,12 @@ SELinuxAudit(void *auditdata,
 		    audit->id ? idNum : "",
 		    audit->restype ? " restype=" : "",
 		    audit->restype ? LookupResourceName(audit->restype) : "",
+		    audit->event ? " event=" : "",
+		    audit->event ? LookupEventName(audit->event & 127) : "",
 		    audit->property ? " property=" : "",
 		    audit->property ? propertyName : "",
+		    audit->selection ? " selection=" : "",
+		    audit->selection ? selectionName : "",
 		    audit->extension ? " extension=" : "",
 		    audit->extension ? audit->extension : "");
 }
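Review bot: The `& 127` in `LookupEventName(audit->event & 127)` is an unexplained magic number; it strips the high bit of the X event type, which the protocol sets on events delivered via SendEvent, and the line should say so: `LookupEventName(audit->event & 127) /* mask off the send_event flag */`, or better a named constant shared with other event-type lookups in the file. SELinuxEventToSID in commit 4b05f19 at the top of this page calls `LookupEventName(type)` and indexes `knownEvents[type]` with the unmasked value taken from the same `u.u.type` field; whether that path tolerates types above 127 is not visible here, so it is worth confirming the two sites agree on masking.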
@@ -462,7 +469,7 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceDeviceAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
@@ -492,7 +499,7 @@ SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceSendAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc, i, clientIndex;
 
     if (rec->dev) {
@@ -519,6 +526,7 @@ SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	if (rc != Success)
 	    goto err;
 
+	auditdata.event = rec->events[i].u.u.type;
 	rc = SELinuxDoCheck(clientIndex, subj, &ev_sid, SECCLASS_X_EVENT,
 			    DixSendAccess, &auditdata);
 	if (rc != Success)
@@ -534,7 +542,7 @@ SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceReceiveAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc, i;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
@@ -554,6 +562,7 @@ SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	if (rc != Success)
 	    goto err;
 
+	auditdata.event = rec->events[i].u.u.type;
 	rc = SELinuxDoCheck(rec->client->index, subj, &ev_sid, SECCLASS_X_EVENT,
 			    DixReceiveAccess, &auditdata);
 	if (rc != Success)
@@ -569,7 +578,7 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceExtAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj, *serv;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
@@ -623,7 +632,7 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XacePropertyAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
@@ -675,7 +684,7 @@ SELinuxResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceResourceAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj, *pobj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     PrivateRec **privatePtr;
     security_class_t class;
     int rc, offset;
@@ -731,7 +740,7 @@ SELinuxScreen(CallbackListPtr *pcbl, pointer is_saver, pointer calldata)
 {
     XaceScreenAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     Mask access_mode = rec->access_mode;
     int rc;
 
@@ -765,7 +774,7 @@ SELinuxClient(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceClientAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
@@ -782,7 +791,7 @@ SELinuxServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceServerAccessRec *rec = calldata;
     SELinuxStateRec *subj, *obj;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
@@ -799,7 +808,7 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 {
     XaceSelectionAccessRec *rec = (XaceSelectionAccessRec *)calldata;
     SELinuxStateRec *subj, sel_sid;
-    SELinuxAuditRec auditdata = { rec->client, NULL, 0, 0, 0, NULL };
+    SELinuxAuditRec auditdata = { .client = rec->client };
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
@@ -810,6 +819,7 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	return;
     }
 
+    auditdata.selection = rec->name;
     rc = SELinuxDoCheck(rec->client->index, subj, &sel_sid,
 			SECCLASS_X_SELECTION, rec->access_mode, &auditdata);
     if (rc != Success)

