author | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2009-09-22 13:31:49 -0700 |
---|---|---|
committer | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2009-10-21 19:32:05 -0400 |
commit | 5560f270c8c28cdae2ed84aca165724487399ece (patch) | |
tree | c99f5fb433384ae71fe1e92855421ff0476fbd77 | |
parent | 4814532133e6c57f2656e8363ec051edd312f26c (diff) |
xselinux: switch from x_device to separate x_pointer and x_keyboard classes.
This will allow separate controls over pointer and keyboard without having
to relabel the devices to separate types.
[Backport to 1.7]
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
(cherry picked from commit 6c2ae5fec552366e11ad64a27626eb5dec4becf0)
-rw-r--r-- | Xext/xselinux.c | 15 | ||||
-rw-r--r-- | Xext/xselinux.h | 45 |
2 files changed, 51 insertions, 9 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c index 7bf96fdc7..3093bf25a 100644 --- a/Xext/xselinux.c +++ b/Xext/xselinux.c @@ -400,6 +400,16 @@ SELinuxTypeToClass(RESTYPE type) } /* + * Returns true if device is a pointer device. + * Note: this duplicates dix IsPointerDevice() which is not exported. + */ +static inline Bool +IsPointerDev(DeviceIntPtr dev) +{ + return (dev->type == MASTER_POINTER) || (dev->valuator && dev->button); +} + +/* * Performs an SELinux permission check. */ static int @@ -662,6 +672,7 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata) SELinuxSubjectRec *subj; SELinuxObjectRec *obj; SELinuxAuditRec auditdata = { .client = rec->client, .dev = rec->dev }; + security_class_t cls; int rc; subj = dixLookupPrivate(&rec->client->devPrivates, subjectKey); @@ -686,8 +697,8 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata) } } - rc = SELinuxDoCheck(subj, obj, SECCLASS_X_DEVICE, rec->access_mode, - &auditdata); + cls = IsPointerDev(rec->dev) ? SECCLASS_X_POINTER : SECCLASS_X_KEYBOARD; + rc = SELinuxDoCheck(subj, obj, cls, rec->access_mode, &auditdata); if (rc != Success) rec->status = rc; } diff --git a/Xext/xselinux.h b/Xext/xselinux.h index e99f05b09..fef207adc 100644 --- a/Xext/xselinux.h +++ b/Xext/xselinux.h @@ -150,12 +150,13 @@ typedef struct { #define SECCLASS_X_SELECTION 7 #define SECCLASS_X_CURSOR 8 #define SECCLASS_X_CLIENT 9 -#define SECCLASS_X_DEVICE 10 -#define SECCLASS_X_SERVER 11 -#define SECCLASS_X_EXTENSION 12 -#define SECCLASS_X_EVENT 13 -#define SECCLASS_X_FAKEEVENT 14 -#define SECCLASS_X_RESOURCE 15 +#define SECCLASS_X_POINTER 10 +#define SECCLASS_X_KEYBOARD 11 +#define SECCLASS_X_SERVER 12 +#define SECCLASS_X_EXTENSION 13 +#define SECCLASS_X_EVENT 14 +#define SECCLASS_X_FAKEEVENT 15 +#define SECCLASS_X_RESOURCE 16 /* Mapping from DixAccess bits to Flask permissions */ static struct security_class_mapping map[] = { 
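Review bot: IsPointerDev only recognises a master pointer or a device with both valuators and buttons, so in the SELinuxDevice hunk every other device — including a valuator-only device with no buttons — falls through to `SECCLASS_X_KEYBOARD`, and a combined device that exposes keys alongside buttons and valuators is checked as x_pointer for all of its operations; the helper's comment should state that this fallback is intended, e.g. `* Anything else (including valuator-only devices) is checked as x_keyboard.`. The comment also admits the helper duplicates the non-exported dix IsPointerDevice(), so a later change to the dix definition would silently make the access class diverge from the server's own notion of a pointer; a `TODO: export IsPointerDevice() from dix and drop this copy` would keep that visible. `dev` is dereferenced without a NULL check — if rec->dev can be NULL for this hook (I can't confirm from the hunk) the existing early return should cover it before the class is chosen. SELinuxDevice's body starts and ends outside these hunks.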
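Review bot: The SECCLASS_X_* numbers are indices into `map[]`, whose opening line is the last context line of this hunk, so renumbering x_pointer to 10, x_keyboard to 11 and shifting X_SERVER through X_RESOURCE by one is correct only because the following hunk inserts the two entries at exactly those positions in the table; nothing in either file ties the two orderings together, and a future insertion in one without the other would shift every later class silently. Add a comment above the defines, e.g. `/* Values are indices into map[] below; keep both in the same order. */`. Since each map entry carries the class name string (presumably handed to the SELinux mapping API at startup), a policy that still defines only x_device will fail to map at initialisation; the commit message could note that this backport requires a matching policy update.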
@@ -370,7 +371,37 @@ static struct security_class_mapping map[] = { "", /* DixUseAccess */ "manage", /* DixManageAccess */ NULL }}, - { "x_device", + { "x_pointer", + { "read", /* DixReadAccess */ + "write", /* DixWriteAccess */ + "destroy", /* DixDestroyAccess */ + "create", /* DixCreateAccess */ + "getattr", /* DixGetAttrAccess */ + "setattr", /* DixSetAttrAccess */ + "list_property", /* DixListPropAccess */ + "get_property", /* DixGetPropAccess */ + "set_property", /* DixSetPropAccess */ + "getfocus", /* DixGetFocusAccess */ + "setfocus", /* DixSetFocusAccess */ + "", /* DixListAccess */ + "add", /* DixAddAccess */ + "remove", /* DixRemoveAccess */ + "", /* DixHideAccess */ + "", /* DixShowAccess */ + "", /* DixBlendAccess */ + "grab", /* DixGrabAccess */ + "freeze", /* DixFreezeAccess */ + "force_cursor", /* DixForceAccess */ + "", /* DixInstallAccess */ + "", /* DixUninstallAccess */ + "", /* DixSendAccess */ + "", /* DixReceiveAccess */ + "use", /* DixUseAccess */ + "manage", /* DixManageAccess */ + "", /* DixDebugAccess */ + "bell", /* DixBellAccess */ + NULL }}, + { "x_keyboard", { "read", /* DixReadAccess */ "write", /* DixWriteAccess */ "destroy", /* DixDestroyAccess */ |