xserver: Branch 'master' - 3 commits
Eamon Walsh
ewalsh at kemper.freedesktop.org
Wed Feb 27 19:48:47 PST 2008
Xext/xselinux.c | 15 ++++++++-------
xkb/xkb.c | 2 +-
2 files changed, 9 insertions(+), 8 deletions(-)
New commits:
commit f616735f17a681e3add866bf199540327c322490
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Feb 27 22:46:14 2008 -0500
xselinux: Prefix a few remaining error messages with "SELinux".
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 6862bb3..98e1ec5 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -316,7 +316,7 @@ SELinuxDoCheck(SELinuxSubjectRec *subj, SELinuxObjectRec *obj,
return Success; /* DixUnknownAccess requests OK ... for now */
if (errno == EACCES)
return BadAccess;
- ErrorF("ServerPerm: unexpected error %d\n", errno);
+ ErrorF("SELinux: avc_has_perm: unexpected error %d\n", errno);
return BadValue;
}
@@ -348,7 +348,7 @@ SELinuxLabelClient(ClientPtr client)
/* For local clients, can get context from the socket */
if (getpeercon(fd, &ctx) < 0)
- FatalError("Client %d: couldn't get context from socket\n",
+ FatalError("SELinux: client %d: couldn't get context from socket\n",
client->index);
/* Try and determine the client's executable name */
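Review bot: `FatalError` on a failed getpeercon() takes the whole X server down because one local client's socket could not be labelled, which turns a per-connection failure into a loss of availability for every client. The same applies to the `avc_context_to_sid` failure path in the following hunk of SELinuxLabelClient. Consider logging with `ErrorF("SELinux: client %d: couldn't get context from socket\n", client->index);` and refusing that one connection instead; how a client is rejected from this function is not visible in the hunk. The function body starts and ends outside the hunk.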
@@ -375,13 +375,12 @@ SELinuxLabelClient(ClientPtr client)
} else
/* For remote clients, need to use a default context */
if (selabel_lookup(label_hnd, &ctx, NULL, SELABEL_X_CLIENT) < 0)
- FatalError("Client %d: couldn't get default remote context\n",
- client->index);
+ FatalError("SELinux: failed to look up remote-client context\n");
finish:
/* Get a SID from the context */
if (avc_context_to_sid(ctx, &subj->sid) < 0)
- FatalError("Client %d: context_to_sid(%s) failed\n",
+ FatalError("SELinux: client %d: context_to_sid(%s) failed\n",
client->index, ctx);
sidget(subj->sid);
@@ -410,11 +409,11 @@ SELinuxLabelInitial(void)
/* Use the context of the X server process for the serverClient */
if (getcon(&ctx) < 0)
- FatalError("Couldn't get context of X server process\n");
+ FatalError("SELinux: couldn't get context of X server process\n");
/* Get a SID from the context */
if (avc_context_to_sid(ctx, &subj->sid) < 0)
- FatalError("serverClient: context_to_sid(%s) failed\n", ctx);
+ FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);
sidget(subj->sid);
obj->sid = subj->sid;
commit e40cc5305bec656108077ab13fcc8e6e82b3707a
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Feb 27 22:29:15 2008 -0500
xselinux: Don't throw BadAccess if DixUnknownAccess is passed in to a hook.
The avc will still appear, however, so that the callsite can be fixed.
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index d3fe86b..6862bb3 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -312,6 +312,8 @@ SELinuxDoCheck(SELinuxSubjectRec *subj, SELinuxObjectRec *obj,
if (avc_has_perm(subj->sid, obj->sid, class, mode, &subj->aeref,
auditdata) < 0) {
+ if (mode == DixUnknownAccess)
+ return Success; /* DixUnknownAccess requests OK ... for now */
if (errno == EACCES)
return BadAccess;
ErrorF("ServerPerm: unexpected error %d\n", errno);
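Review bot: The added `mode == DixUnknownAccess` test sits ahead of the `errno` checks, so it returns Success for every failure of avc_has_perm(), not only for a policy denial (EACCES). An unexpected error on such a request is then swallowed without reaching the ErrorF line, and the access is granted. Narrowing the bypass to the denial case keeps real errors logged: `if (errno == EACCES) return (mode == DixUnknownAccess) ? Success : BadAccess;`. Since this is a deliberate fail-open for call sites that have no access mode yet, a comment such as `/* TODO: remove once all callers pass a real access mode */` would make its temporary nature explicit. SELinuxDoCheck begins and ends outside the hunk.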
commit 3b1df47bd400be9dca34b5e5d1ac2b117f8cc4ed
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date: Wed Feb 27 22:28:54 2008 -0500
XACE: Require "manage" permission for XKBSetNames.
diff --git a/xkb/xkb.c b/xkb/xkb.c
index b0d2f0d..07f57a7 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -3545,7 +3545,7 @@ ProcXkbSetNames(ClientPtr client)
if (!(client->xkbClientFlags&_XkbClientInitialized))
return BadAccess;
- CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixUnknownAccess);
+ CHK_KBD_DEVICE(dev, stuff->deviceSpec, client, DixManageAccess);
CHK_MASK_LEGAL(0x01,stuff->which,XkbAllNamesMask);
xkb = dev->key->xkbInfo->desc;
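Review bot: The choice of `DixManageAccess` at the `CHK_KBD_DEVICE` call is not explained in the code, and because the companion change to SELinuxDoCheck returns Success for `DixUnknownAccess`, this mode argument now decides whether the request is enforced at all. A one-line comment above the call, e.g. `/* SetNames alters the keyboard description: require manage access */`, would record the intent. The other request handlers in xkb.c are outside this hunk; any that still pass `DixUnknownAccess` presumably remain unenforced and would need the same review. ProcXkbSetNames continues outside the hunk.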