[PULL -v2] XACE and SELinux updates for server-1.7-branch

Eamon Walsh ewalsh at tycho.nsa.gov
Wed Oct 21 19:10:14 PDT 2009

On 10/21/2009 09:36 PM, Peter Hutterer wrote:
> On Wed, Oct 21, 2009 at 09:07:40PM -0400, Eamon Walsh wrote:
>> Hi Peter,
>> Please pull these updates into server-1.7-branch.
>> Thanks.
>> The following changes are available in the git repository at:
>>     git://anongit.freedesktop.org/~ewalsh/xserver server-1.7-branch
>> Eamon Walsh (9):
>>       xace: Fake return values on denials in input polling requests.
>>       xselinux: Stop special-casing QueryPointer access checks.
>>       xace: Relax permissions on XkbGetState from Read to Getattr.
>>       xselinux: switch from x_device to separate x_pointer and x_keyboard classes.
>>       xselinux: Allow SetWindowCreateContext to be used for pixmaps as well.
>>       dix: Export IsPointerDevice() and IsKeyboardDevice().
>>       xselinux: Use the now-exported IsPointerDevice() instead of a copy.
>>       xselinux: Note something in the log if disabled by boolean.
>>       Remove some debug messages that trigger on XACE event delivery failure.
> I should have spotted this earlier but - the last patch is not quite
> optimal and the commit message makes it sound like a different issue.
> EventToXI can return BadMatch, BadAlloc and BadImplementation. Both of the
> latter are worth noting in the log file since things are expected to go bad
> if that happens. EventToCore only returns BadMatch or BadImplementation on
> failure (in both cases, BadImplementation is logged anyway).
> The reason why XACE triggered these logs is because the if condition was
> joined. XACE doesn't modify rc either, so just reading this patch and the
> associated commit message is confusing.
> I think it'd be better to split the condition from the current 
> if (rc == Success && XACE(...) == Success)
> to something like this
> if (rc == Success) {
>      if (XACE == Success) {
>          do stuff
>      }
> } else {
>      log message
> }
> any opinions?
> Cheers,
>   Peter

You're right, removing the log message entirely is probably bad.

I rebased the branch, removing the previous commit and adding one that
does what you suggest.

Once I've tested it I'll send a -v3 pull request.

Also, I haven't forgotten about the plan to use internal events instead
of wire events in the XACE hook.  I should get started on that soon.
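
Added example, not part of the thread or of the X server source: a small C model of the joined condition versus the split form sketched in the quoted reply, showing which cases reach the log branch. The functions xace_check(), deliver_joined() and deliver_split() and the struct are hypothetical stand-ins; the status codes are local definitions mirroring the X protocol error values.

```c
#include <stdio.h>

/* Local copies of X protocol status codes, so the model builds without X headers. */
enum { Success = 0, BadMatch = 8, BadAccess = 10, BadAlloc = 11, BadImplementation = 17 };

struct outcome { int delivered; int logged; };

/* Hypothetical stand-in for the XACE hook: Success if policy allows, else BadAccess. */
static int xace_check(int policy_allows)
{
    return policy_allows ? Success : BadAccess;
}

/* Joined condition as quoted in the thread: rc is untouched by the access
 * check, so a policy denial with rc == Success still lands in the log branch. */
struct outcome deliver_joined(int rc, int policy_allows)
{
    struct outcome o = {0, 0};
    if (rc == Success && xace_check(policy_allows) == Success)
        o.delivered = 1;
    else
        o.logged = 1;
    return o;
}

/* Split form from the reply: only a conversion failure is logged. */
struct outcome deliver_split(int rc, int policy_allows)
{
    struct outcome o = {0, 0};
    if (rc == Success) {
        if (xace_check(policy_allows) == Success)
            o.delivered = 1;
        /* denied by policy: not delivered, nothing logged here */
    } else {
        o.logged = 1;
    }
    return o;
}

int main(void)
{
    /* Constructed cases: {conversion result, policy allows?} */
    int cases[][2] = { {Success, 1}, {Success, 0}, {BadAlloc, 1}, {BadImplementation, 0} };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome j = deliver_joined(cases[i][0], cases[i][1]);
        struct outcome s = deliver_split(cases[i][0], cases[i][1]);
        printf("rc=%2d allow=%d  joined: delivered=%d logged=%d  split: delivered=%d logged=%d\n",
               cases[i][0], cases[i][1], j.delivered, j.logged, s.delivered, s.logged);
    }
    return 0;
}
```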

