Navigation

← Previous Changeset
Next Changeset →

Changeset 2618

Timestamp:

02/20/08 08:36:48 (10 months ago)

Author:

pebenito

Message:

xselinux: collapse extra attributes into x_domain where possible.

Files:

branches/xselinux/policy/modules/services/xserver.if (modified) (8 diffs)
branches/xselinux/policy/modules/services/xserver.te (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/xselinux/policy/modules/services/xserver.if

r2609	r2618
17	17	type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
18	18
19		attribute x_server_domain~~, xdevice_type, xresource_type~~;
	19	attribute x_server_domain;
20	20	type x_rootwindow_t, x_rootcolormap_t, x_rootscreen_t;
21	21	class x_drawable all_x_drawable_perms;
…	…
29	29	#
30	30
31		attribute $1_x~~window_type~~;
	31	attribute $1_x_domain;
32	32	attribute $1_input_xevent_type;
33	33
34		type $1_xserver_t, x_server_domain~~, xdevice_type, xresource_type~~;
	34	type $1_xserver_t, x_server_domain;
35	35	domain_type($1_xserver_t)
36	36	domain_entry_file($1_xserver_t,xserver_exec_t)
…	…
194	194	# but typeattribute doesnt work in conditionals
195	195	gen_require(`
196		attribute x_server_domain, xdrawable_type;
197		attribute xscreen_type, xgc_type, xfont_type, xcolormap_type;
198		attribute xproperty_type, xselection_type, xcursor_type;
199		attribute xclient_type, xdevice_type, xserver_type;
200		attribute xextension_type, xresource_type, xevent_type;
	196	attribute x_server_domain, x_domain;
	197	attribute xscreen_type, xfont_type;
	198	attribute xproperty_type, xselection_type;
	199	attribute xextension_type, xevent_type;
	200
	201	type x_rootcolormap_t, x_rootscreen_t;
	202	type x_rootwindow_t, remote_xclient_t;
201	203	')
202	204	allow $1_xserver_t x_server_domain:x_server *;
203		allow $1_xserver_t ~~xdrawable_type~~:x_drawable *;
204		allow $1_xserver_t ~~xscreen_type~~:x_screen *;
205		allow $1_xserver_t x~~gc_type~~:x_gc *;
	205	allow $1_xserver_t { x_domain x_rootwindow_t }:x_drawable *;
	206	allow $1_xserver_t { xscreen_type x_rootscreen_t }:x_screen *;
	207	allow $1_xserver_t x_domain:x_gc *;
206	208	allow $1_xserver_t xfont_type:x_font *;
207		allow $1_xserver_t ~~xcolormap_type~~:x_colormap *;
	209	allow $1_xserver_t { x_domain x_rootcolormap_t }:x_colormap *;
208	210	allow $1_xserver_t xproperty_type:x_property *;
209	211	allow $1_xserver_t xselection_type:x_selection *;
210		allow $1_xserver_t x~~cursor_type~~:x_cursor *;
211		allow $1_xserver_t ~~xclient_type~~:x_client *;
212		allow $1_xserver_t ~~xdevice_type~~:x_device *;
	212	allow $1_xserver_t x_domain:x_cursor *;
	213	allow $1_xserver_t { x_domain remote_xclient_t }:x_client *;
	214	allow $1_xserver_t { x_domain x_server_domain }:x_device *;
213	215	allow $1_xserver_t xextension_type:x_extension *;
214		allow $1_xserver_t ~~xresource_type~~:x_resource *;
	216	allow $1_xserver_t { x_domain x_server_domain }:x_resource *;
215	217	allow $1_xserver_t xevent_type:{ x_event x_synthetic_event } *;
216	218	')
…	…
468	470	tunable_policy(`xserver_object_manager',`
469	471	# Device rules
470		allow $1_xwindow_type $2:x_device { read getattr setattr setfocus grab bell };
471
472		allow $2 $1_input_xevent_type:x_event send;
473		allow $2 $1_xwindow_type:x_drawable send;
474
475		allow $2 input_xevent_t:x_event send;
476		allow $2 x_rootwindow_t:x_drawable send;
	472	allow $1_x_domain $2:x_device { read getattr setattr setfocus grab bell };
	473
	474	allow $2 { input_xevent_t $1_input_xevent_type }:x_event send;
	475	allow $2 { x_rootwindow_t $1_x_domain }:x_drawable send;
477	476	')
478	477	')
…	…
657	656	type clipboard_xselection_t, default_xselection_t;
658	657
659		attribute x_server_domain, x~~device_type, xdrawable_type, xgc_type~~;
660		attribute x~~cursor_type, xresource_type, xcolormap_type, x~~property_type;
661		attribute xevent_type, x~~client_type, x~~extension_type;
662		attribute $1_x~~window_type~~, $1_input_xevent_type;
	658	attribute x_server_domain, x_domain;
	659	attribute xproperty_type;
	660	attribute xevent_type, xextension_type;
	661	attribute $1_x_domain, $1_input_xevent_type;
663	662
664	663	class x_drawable all_x_drawable_perms;
…	…
685	684
686	685	# Type attributes
687		typeattribute $3 $1_xwindow_type;
688		typeattribute $3 xdevice_type;
689		typeattribute $3 xdrawable_type;
690		typeattribute $3 xgc_type;
691		typeattribute $3 xcursor_type;
692		typeattribute $3 xresource_type;
693		typeattribute $3 xcolormap_type;
694		typeattribute $3 xclient_type;
	686	typeattribute $3 $1_x_domain, x_domain;
695	687
696	688	# Types for properties
…	…
713	705	# everyone can get the input focus of everyone else
714	706	# this is a fundamental brokenness in the X protocol
715		allow $3 ~~xdevice_type~~:x_device getfocus;
	707	allow $3 { x_domain x_server_domain }:x_device getfocus;
716	708	# everyone can grab the server
717	709	# everyone does it, it is basically a free DOS attack
…	…
807	799	# but typeattribute doesnt work in conditionals
808	800	gen_require(`
809		attribute x_server_domain, xdrawable_type;
810		attribute xscreen_type, xgc_type, xfont_type, xcolormap_type;
811		attribute xproperty_type, xselection_type, xcursor_type;
812		attribute xclient_type, xdevice_type, xserver_type;
813		attribute xextension_type, xresource_type, xevent_type;
	801	attribute x_server_domain, x_domain;
	802	attribute xscreen_type, xfont_type;
	803	attribute xproperty_type, xselection_type;
	804	attribute xextension_type, xevent_type;
	805
	806	type x_rootcolormap_t, x_rootscreen_t;
	807	type x_rootwindow_t, remote_xclient_t;
814	808	')
815	809	allow $3 x_server_domain:x_server *;
816		allow $3 ~~xdrawable_type~~:x_drawable *;
817		allow $3 ~~xscreen_type~~:x_screen *;
818		allow $3 x~~gc_type~~:x_gc *;
	810	allow $3 { x_domain x_rootwindow_t }:x_drawable *;
	811	allow $3 { xscreen_type x_rootscreen_t }:x_screen *;
	812	allow $3 x_domain:x_gc *;
819	813	allow $3 xfont_type:x_font *;
820		allow $3 ~~xcolormap_type~~:x_colormap *;
	814	allow $3 { x_domain x_rootcolormap_t }:x_colormap *;
821	815	allow $3 xproperty_type:x_property *;
822	816	allow $3 xselection_type:x_selection *;
823		allow $3 x~~cursor_type~~:x_cursor *;
824		allow $3 ~~xclient_type~~:x_client *;
825		allow $3 ~~xdevice_type~~:x_device *;
	817	allow $3 x_domain:x_cursor *;
	818	allow $3 { x_domain remote_xclient_t }:x_client *;
	819	allow $3 { x_domain x_server_domain }:x_device *;
826	820	allow $3 xextension_type:x_extension *;
827		allow $3 ~~xresource_type~~:x_resource *;
	821	allow $3 { x_domain x_server_domain }:x_resource *;
828	822	allow $3 xevent_type:{ x_event x_synthetic_event } *;
829	823	')

branches/xselinux/policy/modules/services/xserver.te

r2609	r2618
39	39
40	40	# Per-object attributes
41		attribute x~~drawable_type~~;
	41	attribute x_domain;
42	42	attribute xscreen_type;
43		~~attribute xgc_type;~~
44	43	attribute xfont_type;
45		~~attribute xcolormap_type;~~
46	44	attribute xproperty_type;
47	45	attribute xselection_type;
48		~~attribute xcursor_type;~~
49		~~attribute xclient_type;~~
50		~~attribute xdevice_type;~~
51		~~attribute xserver_type;~~
52	46	attribute xextension_type;
53		~~attribute xresource_type;~~
54	47	attribute xevent_type;
55	48
…	…
73	66	type output_xext_t, xextension_type;
74	67	type property_xevent_t, xevent_type;
75		type remote_xclient_t~~, xclient_type~~;
	68	type remote_xclient_t;
76	69	type screensaver_xext_t, xextension_type;
77	70	type security_xext_t, xextension_type;
…	…
81	74	type unknown_xevent_t, xevent_type;
82	75	type unknown_xext_t, xextension_type;
83		type x_rootcolormap_t~~, xcolormap_type~~;
84		type x_rootscreen_t~~, xscreen_type~~;
85		type x_rootwindow_t~~, xdrawable_type~~;
	76	type x_rootcolormap_t;
	77	type x_rootscreen_t;
	78	type x_rootwindow_t;
86	79
87	80	type xauth_exec_t;
…	…
509	502
510	503	allow xserver_unconfined_type x_server_domain:x_server *;
511		allow xserver_unconfined_type ~~xdrawable_type~~:x_drawable *;
512		allow xserver_unconfined_type ~~xscreen_type~~:x_screen *;
513		allow xserver_unconfined_type x~~gc_type~~:x_gc *;
	504	allow xserver_unconfined_type { x_domain x_rootwindow_t }:x_drawable *;
	505	allow xserver_unconfined_type { xscreen_type x_rootscreen_t }:x_screen *;
	506	allow xserver_unconfined_type x_domain:x_gc *;
514	507	allow xserver_unconfined_type xfont_type:x_font *;
515		allow xserver_unconfined_type ~~xcolormap_type~~:x_colormap *;
	508	allow xserver_unconfined_type { x_domain x_rootcolormap_t }:x_colormap *;
516	509	allow xserver_unconfined_type xproperty_type:x_property *;
517	510	allow xserver_unconfined_type xselection_type:x_selection *;
518		allow xserver_unconfined_type x~~cursor_type~~:x_cursor *;
519		allow xserver_unconfined_type ~~xclient_type~~:x_client *;
520		allow xserver_unconfined_type ~~xdevice_type~~:x_device *;
	511	allow xserver_unconfined_type x_domain:x_cursor *;
	512	allow xserver_unconfined_type { x_domain remote_xclient_t }:x_client *;
	513	allow xserver_unconfined_type { x_domain x_server_domain }:x_device *;
521	514	allow xserver_unconfined_type xextension_type:x_extension *;
522		allow xserver_unconfined_type ~~xresource_type~~:x_resource *;
	515	allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *;
523	516	allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
524	517

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.