authorEamon Walsh <ewalsh@tycho.nsa.gov>2009-10-13 20:48:54 -0400
committerEamon Walsh <ewalsh@tycho.nsa.gov>2009-10-13 20:48:54 -0400
commit88d81eb4898404e82c8c5d42df85d05f602e9e59 (patch)
tree0944927511d866af5f4c0fed8adb41bed4e80893
parentbec499cef34c79f3c4bf617a4f16fc364c15c407 (diff)
X Object Manager policy revisions to xserver.if.
This commit consists of two parts: 1. Revisions to xserver_object_types_template and xserver_common_x_domain_template. This reflects the dropping of many of the specific event, extension, and property types. 2. New interfaces: xserver_manage_core_devices: Gives control over core mouse/keyboard. xserver_unprotected: Allows all clients to access a domain's X objects. Modified interfaces: xserver_unconfined: Added x_domain typeattribute statement. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
-rw-r--r--policy/modules/services/xserver.if105
1 files changed, 63 insertions, 42 deletions
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 99bddecb..8d1e2409 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -324,18 +324,13 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
- type $1_xproperty_t, $1_input_xevent_t, $1_property_xevent_t;
- type $1_focus_xevent_t, $1_manage_xevent_t, $1_default_xevent_t;
- type $1_client_xevent_t;
-
- type rootwindow_t, xproperty_t;
- type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
+ type root_xdrawable_t;
+ type xproperty_t, $1_xproperty_t;
type xevent_t, client_xevent_t;
+ type input_xevent_t, $1_input_xevent_t;
attribute x_domain;
- attribute xproperty_type;
- attribute xevent_type;
- attribute input_xevent_type;
+ attribute xdrawable_type, xcolormap_type;
class x_drawable all_x_drawable_perms;
class x_property all_x_property_perms;
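Review bot: The `attribute input_xevent_type;` requirement is dropped from this gen_require, yet the rule `dontaudit $2 input_xevent_type:x_event send;` added later in the same template still names that attribute. The gen_require block continues past the end of this hunk, so the attribute may be declared there, but nothing visible re-adds it. If it is not, modular builds would likely reject callers of the template for an undeclared identifier. Keeping it next to the surviving attribute, `attribute x_domain, input_xevent_type;`, keeps the require block in step with the rules.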
@@ -350,32 +345,28 @@ template(`xserver_common_x_domain_template',`
# Type attributes
typeattribute $2 x_domain;
+ typeattribute $2 xdrawable_type, xcolormap_type;
# X Properties
- # can read and write client properties
- allow $2 $1_xproperty_t:x_property { create destroy read write append };
- type_transition $2 xproperty_t:x_property $1_xproperty_t;
+ # disable property transitions for the time being.
+# type_transition $2 xproperty_t:x_property $1_xproperty_t;
# X Windows
# new windows have the domain type
- type_transition $2 rootwindow_t:x_drawable $2;
+ type_transition $2 root_xdrawable_t:x_drawable $2;
# X Input
+ # distinguish input events
+ type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
+ # can send own events
+ allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
# can receive own events
allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_manage_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_default_xevent_t:{ x_event x_synthetic_event } receive;
- allow $2 $1_client_xevent_t:{ x_event x_synthetic_event } receive;
- type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
- type_transition $2 property_xevent_t:x_event $1_property_xevent_t;
- type_transition $2 focus_xevent_t:x_event $1_focus_xevent_t;
- type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
- type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
- type_transition $2 xevent_t:x_event $1_default_xevent_t;
- # can send ICCCM events to myself
- allow $2 $1_manage_xevent_t:x_synthetic_event send;
+ # can receive default events
+ allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
+ allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+ # don't audit send failures
+ dontaudit $2 input_xevent_type:x_event send;
')
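Review bot: The added `dontaudit $2 input_xevent_type:x_event send;` suppresses denials for every input event type, so a client that attempts to send input events labelled for another domain would be refused without leaving an AVC record. If the rule is only there to quiet known-benign noise, the comment should say what produces it and what is being hidden, e.g. `# don't audit send failures (<which requests trigger these>); note this also hides cross-domain send attempts from the audit log`. The rule names only `x_event`, while the neighbouring allow rules cover `{ x_event x_synthetic_event }`; a word on whether that asymmetry is intended would help the next reader. The template body starts before this hunk.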
#######################################
@@ -401,27 +392,12 @@ template(`xserver_object_types_template',`
#
# Types for properties
- type $1_xproperty_t alias $1_default_xproperty_t, xproperty_type;
+ type $1_xproperty_t, xproperty_type;
ubac_constrained($1_xproperty_t)
# Types for events
type $1_input_xevent_t, input_xevent_type, xevent_type;
ubac_constrained($1_input_xevent_t)
-
- type $1_property_xevent_t, xevent_type;
- ubac_constrained($1_property_xevent_t)
-
- type $1_focus_xevent_t, xevent_type;
- ubac_constrained($1_focus_xevent_t)
-
- type $1_manage_xevent_t, xevent_type;
- ubac_constrained($1_manage_xevent_t)
-
- type $1_default_xevent_t, xevent_type;
- ubac_constrained($1_default_xevent_t)
-
- type $1_client_xevent_t, xevent_type;
- ubac_constrained($1_client_xevent_t)
')
#######################################
@@ -1214,6 +1190,49 @@ interface(`xserver_read_tmp_files',`
########################################
## <summary>
## Interface to provide X object permissions on a given X server to
+## an X client domain. Gives the domain permission to read the
+## virtual core keyboard and virtual core pointer devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_core_devices',`
+ gen_require(`
+ type xserver_t;
+ class x_device all_x_device_perms;
+ class x_pointer all_x_pointer_perms;
+ class x_keyboard all_x_keyboard_perms;
+ ')
+
+ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
+')
+
+########################################
+## <summary>
+## Interface to remove protections on an X client domain.
+## Gives other X client domains full permissions over the target
+## domain's X objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be unprotected.
+## </summary>
+## </param>
+#
+interface(`xserver_unprotected',`
+ gen_require(`
+ attribute xserver_unprotected_type;
+ ')
+
+ typeattribute $1 xserver_unprotected_type;
+')
+
+########################################
+## <summary>
+## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
## </summary>
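Review bot: The summary of `xserver_manage_core_devices` promises permission to read the virtual core keyboard and pointer, but the rule `allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;` grants every permission in those three classes. A policy writer who relies on the doc comment would give a domain far more than read access to input devices, so the text should match the grant: `## an X client domain.  Gives the domain full control over the` followed by `## virtual core keyboard and virtual core pointer devices.` If read access really is the intent, the `*` should instead be narrowed to the specific permissions needed.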
@@ -1225,8 +1244,10 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_unconfined',`
gen_require(`
+ attribute x_domain;
attribute xserver_unconfined_type;
')
+ typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')