xserver: Branch 'master' - 3 commits

Eamon Walsh ewalsh at kemper.freedesktop.org
Thu Feb 28 19:18:48 PST 2008


 Xext/xselinux.c     |   12 ++++++++++++
 composite/compext.c |    4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)

New commits:
commit d04ea267a4a51c16088d9ef429681a1edde536b1
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Feb 28 21:53:16 2008 -0500

    xselinux: Don't require device "read" permission for XQueryPointer.
    
    These keyboard and pointer state polling calls are a real problem.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 3aa62e2..9adc931 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -532,6 +532,17 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	dsubj->sid = subj->sid;
     }
 
+    /* XXX only check read permission on XQueryKeymap */
+    /* This is to allow the numerous apps that call XQueryPointer to work */
+    if (rec->access_mode & DixReadAccess) {
+	ClientPtr client = rec->client;
+	REQUEST(xReq);
+	if (stuff && stuff->reqType != X_QueryKeymap) {
+	    rec->access_mode &= ~DixReadAccess;
+	    rec->access_mode |= DixGetAttrAccess;
+	}
+    }
+
     rc = SELinuxDoCheck(subj, obj, SECCLASS_X_DEVICE, rec->access_mode,
 			&auditdata);
     if (rc != Success)
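Review bot: The test `stuff->reqType != X_QueryKeymap` drops DixReadAccess for every request other than QueryKeymap, not only the XQueryPointer case named in the commit title, so any other device request that asks for read access is now checked against getattr alone. Because reqType on an extension request carries the extension's major opcode, those requests take the downgraded branch as well. Naming the tolerated request keeps the relaxation as narrow as the exception it is meant to grant: `if (stuff && stuff->reqType == X_QueryPointer) {`. The XXX comment should also say that read is replaced by getattr here, so anyone auditing policy for the X device class knows read is not enforced on this path. SELinuxDevice starts before and continues past this hunk.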
commit 3fb17a3e647e926688c91a49a9b5b97f37dbc367
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Feb 28 21:52:57 2008 -0500

    xselinux: Log messages to both libaudit and Xorg.0.log.

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 98e1ec5..3aa62e2 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -497,6 +497,7 @@ SELinuxLog(int type, const char *fmt, ...)
     vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap);
     rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
     va_end(ap);
+    LogMessageVerb(X_WARNING, 0, "%s", buf);
     return 0;
 }
 
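Review bot: The added `LogMessageVerb(X_WARNING, 0, "%s", buf)` runs whatever `rc` and the `type` argument are, so every AVC message is copied to the X log as a warning, while a failed `audit_log_user_avc_message` call is still ignored (`rc` is assigned, then the function returns 0). If a non-positive `rc` signals failure, which should be confirmed against libaudit, report it explicitly, e.g. `if (rc <= 0) LogMessageVerb(X_ERROR, 0, "SELinux: audit write failed\n");`. It is also worth a comment that audit records now land in a second file, which presumably has different access controls and retention than the audit log. The constant `"%s"` format is the right way to pass `buf`. The start of SELinuxLog is outside this hunk.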
commit 4d91b1d5e422c5c460b1b7050baa9487a59b8aa8
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Feb 28 21:52:32 2008 -0500

    XACE: Adjust the location of the COMPOSITE creation hook.
    Avoids incrementing the refcnt if the hook fails.

diff --git a/composite/compext.c b/composite/compext.c
index 97ea6d6..b3433f7 100644
--- a/composite/compext.c
+++ b/composite/compext.c
@@ -289,14 +289,14 @@ ProcCompositeNameWindowPixmap (ClientPtr client)
     if (!pPixmap)
 	return BadMatch;
 
-    ++pPixmap->refcnt;
-    
     /* security creation/labeling check */
     rc = XaceHook(XACE_RESOURCE_ACCESS, client, stuff->pixmap, RT_PIXMAP,
 		  pPixmap, RT_WINDOW, pWin, DixCreateAccess);
     if (rc != Success)
 	return rc;
 
+    ++pPixmap->refcnt;
+
     if (!AddResource (stuff->pixmap, RT_PIXMAP, (pointer) pPixmap))
 	return BadAlloc;
 
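Review bot: The `AddResource` failure path just below the moved `++pPixmap->refcnt` still returns BadAlloc with the reference taken, and nothing in this hunk shows whether it is released there. If AddResource frees the value through the resource type's delete function on failure, that should be stated; otherwise this path leaks a reference just as the denied-hook path did before this commit. A comment on the increment would record the ordering constraint, e.g. `/* take the reference only after the XACE check passes; AddResource is assumed to drop it on failure */`. ProcCompositeNameWindowPixmap begins and ends outside this hunk.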

