xserver: Branch 'master' - 3 commits

Eamon Walsh ewalsh at kemper.freedesktop.org
Wed Feb 13 17:21:39 PST 2008


 Xext/security.c |   44 +++++++++++++++++++++++++++++++-------------
 Xext/xselinux.c |    2 +-
 Xi/chgdctl.c    |    2 +-
 Xi/chgfctl.c    |    2 +-
 Xi/chgkmap.c    |    2 +-
 Xi/closedev.c   |    2 +-
 Xi/opendev.c    |    2 +-
 Xi/setbmap.c    |    2 +-
 Xi/setmmap.c    |    2 +-
 dix/devices.c   |   10 +++++-----
 xkb/xkb.c       |   14 +++++++-------
 11 files changed, 51 insertions(+), 33 deletions(-)

New commits:
commit 4573cb2ce4b859744118d9a33de3599f033cdd2b
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Wed Feb 13 20:16:56 2008 -0500

    security: Revise set of permissions granted to untrusted clients.
    
    Bug #14480: untrusted access broken on 7.3.

diff --git a/Xext/security.c b/Xext/security.c
index 0696559..a3cde2c 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -70,10 +70,19 @@ static char *SecurityUntrustedExtensions[] = {
     NULL
 };
 
-/* Access modes that untrusted clients can do to trusted stuff */
-static const Mask SecurityAllowedMask =
-    DixGetAttrAccess | DixListPropAccess | DixGetPropAccess |
-    DixGetFocusAccess | DixListAccess | DixReceiveAccess;
+/*
+ * Access modes that untrusted clients are allowed on trusted objects.
+ */
+static const Mask SecurityResourceMask =
+    DixGetAttrAccess | DixReceiveAccess | DixListPropAccess |
+    DixGetPropAccess | DixListAccess;
+static const Mask SecurityRootWindowExtraMask =
+    DixReceiveAccess | DixSendAccess | DixAddAccess | DixRemoveAccess;
+static const Mask SecurityDeviceMask =
+    DixGetAttrAccess | DixReceiveAccess | DixGetFocusAccess |
+    DixGrabAccess | DixSetAttrAccess | DixUseAccess;
+static const Mask SecurityServerMask = DixGetAttrAccess | DixGrabAccess;
+static const Mask SecurityClientMask = DixGetAttrAccess;
 
 
 /* SecurityAudit
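Review bot: Only SecurityResourceMask sits under the new block comment; the four masks after it carry no comment saying which XACE callback each one feeds or why a given mode is granted. SecurityDeviceMask and SecurityServerMask both grant DixGrabAccess to untrusted clients, and SecurityDeviceMask also keeps DixSetAttrAccess; these are the entries a later reader auditing this policy will question first. I would put a one-line comment above each mask, e.g. `/* core keyboard: modes an untrusted client may request (SecurityDevice) */`, plus a short why-comment on the grab bits.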
@@ -751,11 +760,15 @@ SecurityDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     XaceDeviceAccessRec *rec = calldata;
     SecurityStateRec *subj, *obj;
     Mask requested = rec->access_mode;
-    Mask allowed = SecurityAllowedMask;
+    Mask allowed = SecurityDeviceMask;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
 
+    if (rec->dev != inputInfo.keyboard)
+	/* this extension only supports the core keyboard */
+	allowed = requested;
+
     if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
 	SecurityAudit("Security denied client %d keyboard access on request "
 		      "%s\n", rec->client->index,
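Review bot: The new `allowed = requested` branch makes the device check fail open for every device other than inputInfo.keyboard. The core pointer and any other input device get whatever mode the untrusted client asks for, including the DixManageAccess mode that the Xi/dix/xkb changes in this series require for global configuration requests. Assuming SecurityDoCheck compares requested against allowed, it cannot deny anything on that path. If that scope is intended, the comment should say so, e.g. `/* only the core keyboard is mediated; all other devices are unrestricted for untrusted clients */`; otherwise keep `SecurityDeviceMask` as the default for other devices and widen it only where a request is known to need it. The audit text that follows still says "keyboard access", and the function body continues outside the hunk.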
@@ -792,7 +805,7 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     SecurityStateRec *subj, *obj;
     int cid = CLIENT_ID(rec->id);
     Mask requested = rec->access_mode;
-    Mask allowed = SecurityAllowedMask;
+    Mask allowed = SecurityResourceMask;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey);
@@ -801,11 +814,15 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     if (cid == 0) {
 	if (rec->rtype & RC_DRAWABLE)
 	    /* additional operations allowed on root windows */
-	    allowed |= DixReadAccess|DixSendAccess;
+	    allowed |= SecurityRootWindowExtraMask;
 
 	else if (rec->rtype == RT_COLORMAP)
 	    /* allow access to default colormaps */
 	    allowed = requested;
+
+	else
+	    /* allow read access to other server-owned resources */
+	    allowed |= DixReadAccess;
     }
 
     if (SecurityDoCheck(subj, obj, requested, allowed) == Success)
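Review bot: The new trailing `else` grants DixReadAccess on every server-owned resource type that is not a drawable or a colormap, so a resource type later owned by client 0 becomes readable by untrusted clients without anyone touching this policy. An explicit list of the types that need it (`else if (rec->rtype == ...)`) would keep the default at deny. Separately, replacing `DixReadAccess|DixSendAccess` with SecurityRootWindowExtraMask drops DixReadAccess from the RC_DRAWABLE case, since that mask as defined earlier in this diff does not contain it. If that is deliberate, a comment such as `/* DixReadAccess intentionally not granted on server-owned drawables */` would record it. SecurityResource begins and ends outside this hunk.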
@@ -816,9 +833,10 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	return;
 #endif
 
-    SecurityAudit("Security: denied client %d access to resource 0x%x "
-		  "of client %d on request %s\n", rec->client->index, rec->id,
-		  cid, SecurityLookupRequestName(rec->client));
+    SecurityAudit("Security: denied client %d access %x to resource 0x%x "
+		  "of client %d on request %s\n", rec->client->index,
+		  requested, rec->id, cid,
+		  SecurityLookupRequestName(rec->client));
     rec->status = BadAccess; /* deny access */
 }
 
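Review bot: The added `%x` conversion is passed `requested`, which is a Mask; Mask's definition is not visible here, and if it is wider than unsigned int on some builds the argument no longer matches the conversion. Casting at the call site, `(unsigned int)requested`, keeps the call well-defined either way. The access value is also printed without the `0x` prefix that the resource id gets in the same message, so `access 0x%x` would read more consistently in the audit log.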
@@ -850,7 +868,7 @@ SecurityServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     XaceServerAccessRec *rec = calldata;
     SecurityStateRec *subj, *obj;
     Mask requested = rec->access_mode;
-    Mask allowed = SecurityAllowedMask;
+    Mask allowed = SecurityServerMask;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
@@ -869,7 +887,7 @@ SecurityClient(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     XaceClientAccessRec *rec = calldata;
     SecurityStateRec *subj, *obj;
     Mask requested = rec->access_mode;
-    Mask allowed = SecurityAllowedMask;
+    Mask allowed = SecurityClientMask;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&rec->target->devPrivates, stateKey);
@@ -889,7 +907,7 @@ SecurityProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     SecurityStateRec *subj, *obj;
     ATOM name = rec->pProp->propertyName;
     Mask requested = rec->access_mode;
-    Mask allowed = SecurityAllowedMask | DixReadAccess;
+    Mask allowed = SecurityResourceMask | DixReadAccess;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);
commit e99aadbc2635e87543fc9980d8156c3ede83544f
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Wed Feb 13 19:46:29 2008 -0500

    xselinux: Add use to permission map for devices.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 9acc93c..5aa2ad3 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -138,7 +138,7 @@ static struct security_class_mapping map[] = {
     { "x_selection", { "read", "", "", "", "getattr", "setattr", NULL }},
     { "x_cursor", { "read", "write", "destroy", "create", "getattr", "setattr", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "use", NULL }},
     { "x_client", { "", "", "destroy", "", "getattr", "setattr", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "manage", NULL }},
-    { "x_device", { "read", "write", "", "", "getattr", "setattr", "", "", "", "getfocus", "setfocus", "", "", "", "", "", "", "grab", "freeze", "force_cursor", "", "", "", "", "", "manage", "", "bell", NULL }},
+    { "x_device", { "read", "write", "", "", "getattr", "setattr", "", "", "", "getfocus", "setfocus", "", "", "", "", "", "", "grab", "freeze", "force_cursor", "", "", "", "", "use", "manage", "", "bell", NULL }},
     { "x_server", { "record", "", "", "", "getattr", "setattr", "", "", "", "", "", "", "", "", "", "", "", "grab", "", "", "", "", "", "", "", "manage", "debug", NULL }},
     { "x_extension", { "", "", "", "", "query", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "use", NULL }},
     { "x_event", { "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "send", "receive", NULL }},
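Review bot: The position of "use" in the x_device row can only be checked by counting empty strings. It lands at index 24, the same index as "use" in the x_cursor and x_extension rows, which suggests the index encodes the access-mode bit. A comment above the table stating that convention, e.g. `/* entry N names the permission for access-mode bit N; "" = unmapped */`, would let the next edit be verified without counting. Whether the loaded policy defines a `use` permission for the x_device class cannot be seen from this hunk and is worth confirming; the table itself starts outside the hunk.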
commit ae43d835bdaef96c3c73d7cee5b105f07340833d
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Wed Feb 13 19:39:49 2008 -0500

    XACE: Change access modes for some device-related requests.
    
    Opening a device is not really "reading" it.
    Requests that globally configure a device should require "manage" access.

diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
index e7d04a7..30174f4 100644
--- a/Xi/chgdctl.c
+++ b/Xi/chgdctl.c
@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
 
     len = stuff->length - (sizeof(xChangeDeviceControlReq) >> 2);
-    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
+    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (ret != Success)
         goto out;
 
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 696b74a..3155e87 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -444,7 +444,7 @@ ProcXChangeFeedbackControl(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xChangeFeedbackControlReq);
 
     len = stuff->length - (sizeof(xChangeFeedbackControlReq) >> 2);
-    rc = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
+    rc = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (rc != Success)
 	return rc;
 
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index df334c1..3f51648 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -106,7 +106,7 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
     REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
 
-    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
+    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (ret != Success)
 	return ret;
     len = stuff->length - (sizeof(xChangeDeviceKeyMappingReq) >> 2);
diff --git a/Xi/closedev.c b/Xi/closedev.c
index b2b5f69..94b7391 100644
--- a/Xi/closedev.c
+++ b/Xi/closedev.c
@@ -146,7 +146,7 @@ ProcXCloseDevice(ClientPtr client)
     REQUEST(xCloseDeviceReq);
     REQUEST_SIZE_MATCH(xCloseDeviceReq);
 
-    rc = dixLookupDevice(&d, stuff->deviceid, client, DixGetAttrAccess);
+    rc = dixLookupDevice(&d, stuff->deviceid, client, DixUseAccess);
     if (rc != Success)
 	return rc;
 
diff --git a/Xi/opendev.c b/Xi/opendev.c
index 128b1bd..acda385 100644
--- a/Xi/opendev.c
+++ b/Xi/opendev.c
@@ -106,7 +106,7 @@ ProcXOpenDevice(ClientPtr client)
 	stuff->deviceid == inputInfo.keyboard->id)
 	return BadDevice;
 
-    status = dixLookupDevice(&dev, stuff->deviceid, client, DixReadAccess);
+    status = dixLookupDevice(&dev, stuff->deviceid, client, DixUseAccess);
     if (status == BadDevice) {  /* not open */
 	for (dev = inputInfo.off_devices; dev; dev = dev->next)
 	    if (dev->id == stuff->deviceid)
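Review bot: The DixUseAccess check is made only inside dixLookupDevice; when that returns BadDevice the code falls through to a search of inputInfo.off_devices, and no access check on the device found there is visible in the hunk. If the rest of ProcXOpenDevice, which lies outside this hunk, goes on to open that device, the new access mode is not enforced for devices that are currently off. Calling `status = XaceHook(XACE_DEVICE_ACCESS, client, dev, DixUseAccess);` after the search, followed by `if (status != Success) return status;`, would cover that path.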
diff --git a/Xi/setbmap.c b/Xi/setbmap.c
index 3035c64..f052255 100644
--- a/Xi/setbmap.c
+++ b/Xi/setbmap.c
@@ -109,7 +109,7 @@ ProcXSetDeviceButtonMapping(ClientPtr client)
     rep.sequenceNumber = client->sequence;
     rep.status = MappingSuccess;
 
-    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
+    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (ret != Success)
 	return ret;
 
diff --git a/Xi/setmmap.c b/Xi/setmmap.c
index be3d3cb..34efde5 100644
--- a/Xi/setmmap.c
+++ b/Xi/setmmap.c
@@ -98,7 +98,7 @@ ProcXSetDeviceModifierMapping(ClientPtr client)
     REQUEST(xSetDeviceModifierMappingReq);
     REQUEST_AT_LEAST_SIZE(xSetDeviceModifierMappingReq);
 
-    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
+    ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
     if (ret != Success)
 	return ret;
 
diff --git a/dix/devices.c b/dix/devices.c
index 534a0b9..bdcca5a 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -1295,7 +1295,7 @@ DoSetModifierMapping(ClientPtr client, KeyCode *inputMap,
                 }
             }
 
-	    rc = XaceHook(XACE_DEVICE_ACCESS, client, pDev, DixSetAttrAccess);
+	    rc = XaceHook(XACE_DEVICE_ACCESS, client, pDev, DixManageAccess);
 	    if (rc != Success)
 		return rc;
 
@@ -1435,7 +1435,7 @@ ProcChangeKeyboardMapping(ClientPtr client)
 
     for (pDev = inputInfo.devices; pDev; pDev = pDev->next) {
         if ((pDev->coreEvents || pDev == inputInfo.keyboard) && pDev->key) {
-            rc = XaceHook(XACE_DEVICE_ACCESS, client, pDev, DixSetAttrAccess);
+            rc = XaceHook(XACE_DEVICE_ACCESS, client, pDev, DixManageAccess);
 	    if (rc != Success)
                 return rc;
         }
@@ -1472,7 +1472,7 @@ DoSetPointerMapping(ClientPtr client, DeviceIntPtr device, BYTE *map, int n)
 
     for (dev = inputInfo.devices; dev; dev = dev->next) {
         if ((dev->coreEvents || dev == inputInfo.pointer) && dev->button) {
-	    rc = XaceHook(XACE_DEVICE_ACCESS, client, dev, DixSetAttrAccess);
+	    rc = XaceHook(XACE_DEVICE_ACCESS, client, dev, DixManageAccess);
 	    if (rc != Success)
 		return rc;
 	}
@@ -1810,7 +1810,7 @@ ProcChangeKeyboardControl (ClientPtr client)
     for (pDev = inputInfo.devices; pDev; pDev = pDev->next) {
         if ((pDev->coreEvents || pDev == inputInfo.keyboard) &&
             pDev->kbdfeed && pDev->kbdfeed->CtrlProc) {
-            ret = XaceHook(XACE_DEVICE_ACCESS, client, pDev, DixSetAttrAccess);
+            ret = XaceHook(XACE_DEVICE_ACCESS, client, pDev, DixManageAccess);
 	    if (ret != Success)
                 return ret;
         }
@@ -1961,7 +1961,7 @@ ProcChangePointerControl(ClientPtr client)
     for (mouse = inputInfo.devices; mouse; mouse = mouse->next) {
         if ((mouse->coreEvents || mouse == inputInfo.pointer) &&
             mouse->ptrfeed && mouse->ptrfeed->CtrlProc) {
-	    rc = XaceHook(XACE_DEVICE_ACCESS, client, mouse, DixSetAttrAccess);
+	    rc = XaceHook(XACE_DEVICE_ACCESS, client, mouse, DixManageAccess);
 	    if (rc != Success)
 		return rc;
 	}
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 23e1dc7..26f2812 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -211,7 +211,7 @@ ProcXkbSelectEvents(ClientPtr client)
     if (!(client->xkbClientFlags&_XkbClientInitialized))
 	return BadAccess;
 
-    CHK_ANY_DEVICE(dev, stuff->deviceSpec, client, DixReadAccess);
+    CHK_ANY_DEVICE(dev, stuff->deviceSpec, client, DixUseAccess);
 
     if (((stuff->affectWhich&XkbMapNotifyMask)!=0)&&(stuff->affectMap)) {
 	client->mapNotifyMask&= ~stuff->affectMap;
@@ -694,7 +694,7 @@ ProcXkbSetControls(ClientPtr client)
     if (!(client->xkbClientFlags & _XkbClientInitialized))
 	return BadAccess;
 
-    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixSetAttrAccess);
+    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
     CHK_MASK_LEGAL(0x01, stuff->changeCtrls, XkbAllControlsMask);
 
     for (tmpd = inputInfo.keyboard; tmpd; tmpd = tmpd->next) {
@@ -2304,7 +2304,7 @@ ProcXkbSetMap(ClientPtr client)
     if (!(client->xkbClientFlags&_XkbClientInitialized))
 	return BadAccess;
 
-    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixSetAttrAccess);
+    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
     CHK_MASK_LEGAL(0x01,stuff->present,XkbAllMapComponentsMask);
 
     XkbSetCauseXkbReq(&cause,X_kbSetMap,client);
@@ -2618,7 +2618,7 @@ ProcXkbSetCompatMap(ClientPtr client)
     if (!(client->xkbClientFlags&_XkbClientInitialized))
 	return BadAccess;
 
-    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixSetAttrAccess);
+    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
 
     data = (char *)&stuff[1];
     xkbi = dev->key->xkbInfo;
@@ -4844,7 +4844,7 @@ ProcXkbSetGeometry(ClientPtr client)
     if (!(client->xkbClientFlags&_XkbClientInitialized))
 	return BadAccess;
 
-    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixSetAttrAccess);
+    CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
     CHK_ATOM_OR_NONE(stuff->name);
 
     xkb= dev->key->xkbInfo->desc;
@@ -5126,7 +5126,7 @@ ProcXkbGetKbdByName(ClientPtr client)
     Bool			geom_changed;
     XkbSrvLedInfoPtr            old_sli;
     XkbSrvLedInfoPtr            sli;
-    Mask access_mode = DixGetAttrAccess | DixSetAttrAccess;
+    Mask access_mode = DixGetAttrAccess | DixManageAccess;
 
     REQUEST(xkbGetKbdByNameReq);
     REQUEST_AT_LEAST_SIZE(xkbGetKbdByNameReq);
@@ -5997,7 +5997,7 @@ xkbExtensionDeviceNotify ed;
 
     change= stuff->change;
 
-    CHK_ANY_DEVICE(dev, stuff->deviceSpec, client, DixSetAttrAccess);
+    CHK_ANY_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
     CHK_MASK_LEGAL(0x01,change,XkbXI_AllFeaturesMask);
 
     wire= (char *)&stuff[1];

