Changeset 2728
- Timestamp:
- 06/23/08 09:35:51 (2 months ago)
- Files:
-
- branches/rbacsep/policy/modules/services/xserver.if (modified) (8 diffs)
- branches/rbacsep/policy/modules/services/xserver.te (modified) (5 diffs)
branches/rbacsep/policy/modules/services/xserver.if
r2727 r2728 2 2 3 3 interface(`xserver_role',` 4 typeattribute $2 x_userdomain;5 4 6 5 domtrans_pattern($2, xserver_exec_t, xserver_t) … … 50 49 allow $2 xauth_home_t:file { relabelfrom relabelto }; 51 50 51 xserver_common_x_domain_template(user, $2) 52 52 53 53 ############################## … … 229 229 template(`xserver_common_x_domain_template',` 230 230 gen_require(` 231 type xserver_t, rootwindow_t, std_xext_t, shmem_xext_t; 232 type xproperty_t, info_xproperty_t, clipboard_xproperty_t; 231 type rootwindow_t, xproperty_t; 233 232 type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; 234 233 type xevent_t, client_xevent_t; 235 type clipboard_xselection_t, xselection_t;236 234 237 235 attribute x_domain; 238 236 attribute xproperty_type; 239 attribute xevent_type , xextension_type;237 attribute xevent_type; 240 238 attribute input_xevent_type; 241 239 242 240 class x_drawable all_x_drawable_perms; 243 class x_screen all_x_screen_perms;244 class x_gc all_x_gc_perms;245 class x_font all_x_font_perms;246 class x_colormap all_x_colormap_perms;247 241 class x_property all_x_property_perms; 248 class x_selection all_x_selection_perms;249 class x_cursor all_x_cursor_perms;250 class x_client all_x_client_perms;251 class x_device all_x_device_perms;252 class x_server all_x_server_perms;253 class x_extension all_x_extension_perms;254 class x_resource all_x_resource_perms;255 242 class x_event all_x_event_perms; 256 243 class x_synthetic_event all_x_synthetic_event_perms; 257 244 ') 258 259 ##############################260 #261 # Declarations262 #263 264 # Type attributes265 typeattribute $2 x_domain;266 267 # Types for properties268 type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type;269 270 # Types for events271 type $1_input_xevent_t, input_xevent_type, xevent_type;272 type $1_property_xevent_t, xevent_type;273 type $1_focus_xevent_t, xevent_type;274 type $1_manage_xevent_t, xevent_type;275 type $1_default_xevent_t, xevent_type;276 type 
$1_client_xevent_t, xevent_type;277 245 278 246 ############################## … … 281 249 # 282 250 283 # Hacks 284 # everyone can get the input focus of everyone else 285 # this is a fundamental brokenness in the X protocol 286 allow $2 { x_domain xserver_t }:x_device getfocus; 287 # everyone can grab the server 288 # everyone does it, it is basically a free DOS attack 289 allow $2 xserver_t:x_server grab; 290 # everyone can get the font path, etc. 291 # this could leak out sensitive information 292 allow $2 xserver_t:x_server getattr; 293 # everyone can do override-redirect windows. 294 # this could be used to spoof labels 295 allow $2 self:x_drawable override; 296 # everyone can receive management events on the root window 297 # allows to know when new windows appear, among other things 298 allow $2 manage_xevent_t:x_event receive; 299 300 # X Server 301 # can read server-owned resources 302 allow $2 xserver_t:x_resource read; 303 # can mess with own clients 304 allow $2 self:x_client { manage destroy }; 305 306 # X Protocol Extensions 307 allow $2 std_xext_t:x_extension { query use }; 308 allow $2 shmem_xext_t:x_extension { query use }; 309 dontaudit $2 xextension_type:x_extension { query use }; 251 # Type attributes 252 typeattribute $2 x_domain; 310 253 311 254 # X Properties … … 313 256 allow $2 $1_xproperty_t:x_property { create destroy read write append }; 314 257 type_transition $2 xproperty_t:x_property $1_xproperty_t; 315 # can read and write cut buffers316 allow $2 clipboard_xproperty_t:x_property { create read write append };317 # can read info properties318 allow $2 info_xproperty_t:x_property read;319 # can change properties of root window320 allow $2 rootwindow_t:x_drawable { list_property get_property set_property };321 # can change properties of own windows322 allow $2 self:x_drawable { list_property get_property set_property };323 258 324 259 # X Windows 325 # operations allowed on root windows 326 allow $2 rootwindow_t:x_drawable { getattr 
list_child add_child remove_child send receive }; 327 # operations allowed on my windows 328 allow $2 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 260 # new windows have the domain type 329 261 type_transition $2 rootwindow_t:x_drawable $2; 330 331 # X Colormaps332 # can use the default colormap333 allow $2 rootwindow_t:x_colormap { read use add_color };334 262 335 263 # X Input … … 347 275 type_transition $2 client_xevent_t:x_event $1_client_xevent_t; 348 276 type_transition $2 xevent_t:x_event $1_default_xevent_t; 349 # can receive certain root window events350 allow $2 focus_xevent_t:x_event receive;351 allow $2 property_xevent_t:x_event receive;352 allow $2 client_xevent_t:x_synthetic_event receive;353 allow $2 manage_xevent_t:x_synthetic_event receive;354 277 # can send ICCCM events to myself 355 278 allow $2 $1_manage_xevent_t:x_synthetic_event send; 356 # can send ICCCM events to the root window 357 allow $2 manage_xevent_t:x_synthetic_event send; 358 allow $2 client_xevent_t:x_synthetic_event send; 359 360 # X Selections 361 # can use the clipboard 362 allow $2 clipboard_xselection_t:x_selection { getattr setattr read }; 363 # can query all other selections 364 allow $2 xselection_t:x_selection { getattr read }; 365 366 # Other X Objects 367 # can create and use cursors 368 allow $2 self:x_cursor *; 369 # can create and use graphics contexts 370 allow $2 self:x_gc *; 371 # can create and use colormaps 372 allow $2 self:x_colormap *; 373 # can read and write own objects 374 allow $2 self:x_resource { read write }; 375 376 tunable_policy(`! 
xserver_object_manager',` 377 # should be xserver_unconfined($2), 378 # but typeattribute doesnt work in conditionals 379 gen_require(` 380 attribute x_domain; 381 attribute xproperty_type, xselection_type; 382 attribute xextension_type, xevent_type; 383 384 type xserver_t, rootwindow_t, remote_xclient_t; 385 ') 386 387 allow $2 xserver_t:x_server *; 388 allow $2 { x_domain rootwindow_t }:x_drawable *; 389 allow $2 xserver_t:x_screen *; 390 allow $2 x_domain:x_gc *; 391 allow $2 { x_domain rootwindow_t }:x_colormap *; 392 allow $2 xproperty_type:x_property *; 393 allow $2 xselection_type:x_selection *; 394 allow $2 x_domain:x_cursor *; 395 allow $2 { x_domain remote_xclient_t }:x_client *; 396 allow $2 { x_domain xserver_t }:x_device *; 397 allow $2 xextension_type:x_extension *; 398 allow $2 { x_domain xserver_t }:x_resource *; 399 allow $2 xevent_type:{ x_event x_synthetic_event } *; 400 ') 279 ') 280 281 template(`xserver_object_types_template',` 282 ############################## 283 # 284 # Declarations 285 # 286 287 # Types for properties 288 type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type; 289 290 # Types for events 291 type $1_input_xevent_t, input_xevent_type, xevent_type; 292 type $1_property_xevent_t, xevent_type; 293 type $1_focus_xevent_t, xevent_type; 294 type $1_manage_xevent_t, xevent_type; 295 type $1_default_xevent_t, xevent_type; 296 type $1_client_xevent_t, xevent_type; 401 297 ') 402 298 … … 429 325 type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; 430 326 ') 327 328 # Type attributes 329 typeattribute $2 x_domain; 431 330 432 331 allow $2 self:shm create_shm_perms; … … 460 359 461 360 # X object manager 361 xserver_object_types_template($1) 462 362 xserver_common_x_domain_template($1,$2) 463 363 branches/rbacsep/policy/modules/services/xserver.te
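Review bot: In xserver.if, xserver_common_x_domain_template still names `$1_xproperty_t`, `$1_client_xevent_t`, `$1_default_xevent_t` and `$1_manage_xevent_t` in its rules, but their declarations moved to xserver_object_types_template and the trimmed gen_require lists none of them. xserver_role now expands the template with the `user` prefix inside whichever module calls it, while the `user_*` types are declared only in xserver.te. A modular build would presumably fail on unknown types unless xserver_role's gen_require, which is not fully visible here, already covers them. I would add `type user_xproperty_t, user_manage_xevent_t, user_client_xevent_t, user_default_xevent_t;` (plus any `user_*` event types used in the elided lines) to xserver_role's gen_require. The template's header comment should also say that xserver_object_types_template must be called with the same prefix first.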
r2727 r2728 68 68 type unknown_xevent_t, xevent_type; 69 69 70 xserver_object_types_template(user) 71 70 72 type user_fonts_t; 71 73 userdom_user_home_content(user_fonts_t) … … 131 133 type xserver_t; 132 134 type xserver_exec_t; 135 xserver_object_types_template(xdm) 133 136 xserver_common_x_domain_template(xdm,xdm_t) 134 137 init_system_domain(xserver_t, xserver_exec_t) … … 146 149 type xserver_log_t; 147 150 logging_log_file(xserver_log_t) 148 149 # basic object manager rules for user domains150 xserver_common_x_domain_template(user, x_userdomain)151 151 152 152 ifdef(`enable_mcs',` … … 695 695 # but typeattribute doesnt work in conditionals 696 696 697 allow xserver_t x _server_domain:x_server *;698 allow xserver_t { x_domain rootwindow_t ype}:x_drawable *;699 allow xserver_t x _server_domain:x_screen *;697 allow xserver_t xserver_t:x_server *; 698 allow xserver_t { x_domain rootwindow_t }:x_drawable *; 699 allow xserver_t xserver_t:x_screen *; 700 700 allow xserver_t x_domain:x_gc *; 701 allow xserver_t { x_domain rootwindow_t ype}:x_colormap *;701 allow xserver_t { x_domain rootwindow_t }:x_colormap *; 702 702 allow xserver_t xproperty_type:x_property *; 703 703 allow xserver_t xselection_type:x_selection *; 704 704 allow xserver_t x_domain:x_cursor *; 705 705 allow xserver_t { x_domain remote_xclient_t }:x_client *; 706 allow xserver_t { x_domain x _server_domain}:x_device *;706 allow xserver_t { x_domain xserver_t }:x_device *; 707 707 allow xserver_t xextension_type:x_extension *; 708 allow xserver_t { x_domain x _server_domain}:x_resource *;708 allow xserver_t { x_domain xserver_t }:x_resource *; 709 709 allow xserver_t xevent_type:{ x_event x_synthetic_event } *; 710 710 ') … … 790 790 rhgb_rw_shm(xserver_t) 791 791 rhgb_rw_tmpfs_files(xserver_t) 792 ') 793 794 ######################################## 795 # 796 # Rules common to all X window domains 797 # 798 799 # Hacks 800 # everyone can get the input focus of everyone else 801 # this is a fundamental 
brokenness in the X protocol 802 allow x_domain { x_domain xserver_t }:x_device getfocus; 803 # everyone can grab the server 804 # everyone does it, it is basically a free DOS attack 805 allow x_domain xserver_t:x_server grab; 806 # everyone can get the font path, etc. 807 # this could leak out sensitive information 808 allow x_domain xserver_t:x_server getattr; 809 # everyone can do override-redirect windows. 810 # this could be used to spoof labels 811 allow x_domain self:x_drawable override; 812 # everyone can receive management events on the root window 813 # allows to know when new windows appear, among other things 814 allow x_domain manage_xevent_t:x_event receive; 815 816 # X Server 817 # can read server-owned resources 818 allow x_domain xserver_t:x_resource read; 819 # can mess with own clients 820 allow x_domain self:x_client { manage destroy }; 821 822 # X Protocol Extensions 823 allow x_domain std_xext_t:x_extension { query use }; 824 allow x_domain shmem_xext_t:x_extension { query use }; 825 dontaudit x_domain xextension_type:x_extension { query use }; 826 827 # X Properties 828 # can read and write cut buffers 829 allow x_domain clipboard_xproperty_t:x_property { create read write append }; 830 # can read info properties 831 allow x_domain info_xproperty_t:x_property read; 832 # can change properties of root window 833 allow x_domain rootwindow_t:x_drawable { list_property get_property set_property }; 834 # can change properties of own windows 835 allow x_domain self:x_drawable { list_property get_property set_property }; 836 837 # X Windows 838 # operations allowed on root windows 839 allow x_domain rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive }; 840 # operations allowed on my windows 841 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 842 843 # X Colormaps 844 # can use the default colormap 845 allow x_domain 
rootwindow_t:x_colormap { read use add_color }; 846 847 # X Input 848 # can receive certain root window events 849 allow x_domain focus_xevent_t:x_event receive; 850 allow x_domain property_xevent_t:x_event receive; 851 allow x_domain client_xevent_t:x_synthetic_event receive; 852 allow x_domain manage_xevent_t:x_synthetic_event receive; 853 # can send ICCCM events to the root window 854 allow x_domain manage_xevent_t:x_synthetic_event send; 855 allow x_domain client_xevent_t:x_synthetic_event send; 856 # X Selections 857 # can use the clipboard 858 allow x_domain clipboard_xselection_t:x_selection { getattr setattr read }; 859 # can query all other selections 860 allow x_domain xselection_t:x_selection { getattr read }; 861 862 # Other X Objects 863 # can create and use cursors 864 allow x_domain self:x_cursor *; 865 # can create and use graphics contexts 866 allow x_domain self:x_gc *; 867 # can create and use colormaps 868 allow x_domain self:x_colormap *; 869 # can read and write own objects 870 allow x_domain self:x_resource { read write }; 871 872 tunable_policy(`! xserver_object_manager',` 873 # should be xserver_unconfined(x_domain), 874 # but typeattribute doesnt work in conditionals 875 876 allow x_domain xserver_t:x_server *; 877 allow x_domain { x_domain rootwindow_t }:x_drawable *; 878 allow x_domain xserver_t:x_screen *; 879 allow x_domain x_domain:x_gc *; 880 allow x_domain { x_domain rootwindow_t }:x_colormap *; 881 allow x_domain xproperty_type:x_property *; 882 allow x_domain xselection_type:x_selection *; 883 allow x_domain x_domain:x_cursor *; 884 allow x_domain { x_domain remote_xclient_t }:x_client *; 885 allow x_domain { x_domain xserver_t }:x_device *; 886 allow x_domain xextension_type:x_extension *; 887 allow x_domain { x_domain xserver_t }:x_resource *; 888 allow x_domain xevent_type:{ x_event x_synthetic_event } *; 792 889 ') 793 890
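Review bot: In xserver.te, the new "Rules common to all X window domains" block makes membership in `x_domain` the only condition for the baseline that includes `x_server grab`, `x_drawable override` and `x_device getfocus`, and the section header does not say so. xserver.if now sets `typeattribute $2 x_domain` in two places, so a comment at the top of the block would help policy reviewers: `# Granted to every type with the x_domain attribute, whether or not xserver_object_manager is enabled; adding the attribute confers everything below.` The inline comments already note the denial-of-service and label-spoofing exposure of grab and override, so the new comment only needs to state the scope. It is also worth checking whether any rule still keys on `x_userdomain`, which xserver_role no longer assigns; that part is not visible on this page.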
