diff options
Diffstat (limited to 'Xext/security.c')
-rw-r--r-- | Xext/security.c | 403 |
1 files changed, 191 insertions, 212 deletions
diff --git a/Xext/security.c b/Xext/security.c index 4684d783b..54a2b3e3f 100644 --- a/Xext/security.c +++ b/Xext/security.c @@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group. #include "gcstruct.h" #include "colormapst.h" #include "propertyst.h" +#include "xacestr.h" #include "securitysrv.h" #include <X11/extensions/securstr.h> #include <assert.h> @@ -58,6 +59,23 @@ in this Software without prior written authorization from The Open Group. static int SecurityErrorBase; /* first Security error number */ static int SecurityEventBase; /* first Security event number */ +static int securityClientPrivateIndex; +static int securityExtnsnPrivateIndex; + +/* this is what we store as client security state */ +typedef struct { + unsigned int trustLevel; + XID authId; +} SecurityClientStateRec; + +#define STATEVAL(extnsn) \ + ((extnsn)->devPrivates[securityExtnsnPrivateIndex].val) +#define STATEPTR(client) \ + ((client)->devPrivates[securityClientPrivateIndex].ptr) +#define TRUSTLEVEL(client) \ + (((SecurityClientStateRec*)STATEPTR(client))->trustLevel) +#define AUTHID(client) \ + (((SecurityClientStateRec*)STATEPTR(client))->authId) CallbackListPtr SecurityValidateGroupCallback = NULL; /* see security.h */ @@ -65,19 +83,8 @@ RESTYPE SecurityAuthorizationResType; /* resource type for authorizations */ static RESTYPE RTEventClient; -/* Proc vectors for untrusted clients, swapped and unswapped versions. - * These are the same as the normal proc vectors except that extensions - * that haven't declared themselves secure will have ProcBadRequest plugged - * in for their major opcode dispatcher. This prevents untrusted clients - * from guessing extension major opcodes and using the extension even though - * the extension can't be listed or queried. - */ -int (*UntrustedProcVector[256])( - ClientPtr /*client*/ -); -int (*SwappedUntrustedProcVector[256])( - ClientPtr /*client*/ -); +#define CALLBACK(name) static void \ +name(CallbackListPtr *pcbl, pointer nulldata, pointer calldata) /* SecurityAudit * @@ -91,7 +98,7 @@ int (*SwappedUntrustedProcVector[256])( * Writes the message to the log file if security logging is on. */ -void +static void SecurityAudit(char *format, ...) { va_list args; @@ -164,7 +171,7 @@ SecurityDeleteAuthorization( for (i = 1; i<currentMaxClients; i++) { - if (clients[i] && (clients[i]->authId == pAuth->id)) + if (clients[i] && (AUTHID(clients[i]) == pAuth->id)) CloseDownClient(clients[i]); } @@ -318,7 +325,7 @@ ProcSecurityQueryVersion( /* paranoia: this "can't happen" because this extension is hidden * from untrusted clients, but just in case... */ - if (client->trustLevel != XSecurityClientTrusted) + if (TRUSTLEVEL(client) != XSecurityClientTrusted) return BadRequest; REQUEST_SIZE_MATCH(xSecurityQueryVersionReq); @@ -404,7 +411,7 @@ ProcSecurityGenerateAuthorization( /* paranoia: this "can't happen" because this extension is hidden * from untrusted clients, but just in case... */ - if (client->trustLevel != XSecurityClientTrusted) + if (TRUSTLEVEL(client) != XSecurityClientTrusted) return BadRequest; /* check request length */ @@ -587,7 +594,7 @@ ProcSecurityRevokeAuthorization( /* paranoia: this "can't happen" because this extension is hidden * from untrusted clients, but just in case... */ - if (client->trustLevel != XSecurityClientTrusted) + if (TRUSTLEVEL(client) != XSecurityClientTrusted) return BadRequest; REQUEST_SIZE_MATCH(xSecurityRevokeAuthorizationReq); @@ -772,12 +779,12 @@ SecurityDetermineEventPropogationLimits( * An audit message is generated if access is denied. */ -Bool -SecurityCheckDeviceAccess(client, dev, fromRequest) - ClientPtr client; - DeviceIntPtr dev; - Bool fromRequest; +CALLBACK(SecurityCheckDeviceAccess) { + XaceDeviceAccessRec *rec = (XaceDeviceAccessRec*)calldata; + ClientPtr client = rec->client; + DeviceIntPtr dev = rec->dev; + Bool fromRequest = rec->fromRequest; WindowPtr pWin, pStopWin; Bool untrusted_got_event; Bool found_event_window; @@ -785,12 +792,12 @@ SecurityCheckDeviceAccess(client, dev, fromRequest) int reqtype = 0; /* trusted clients always allowed to do anything */ - if (client->trustLevel == XSecurityClientTrusted) - return TRUE; + if (TRUSTLEVEL(client) == XSecurityClientTrusted) + return; /* device security other than keyboard is not implemented yet */ if (dev != inputInfo.keyboard) - return TRUE; + return; /* some untrusted client wants access */ @@ -805,7 +812,8 @@ SecurityCheckDeviceAccess(client, dev, fromRequest) case X_SetModifierMapping: SecurityAudit("client %d attempted request %d\n", client->index, reqtype); - return FALSE; + rec->rval = FALSE; + return; default: break; } @@ -817,7 +825,7 @@ SecurityCheckDeviceAccess(client, dev, fromRequest) if (dev->grab) { untrusted_got_event = - ((rClient(dev->grab))->trustLevel != XSecurityClientTrusted); + (TRUSTLEVEL(rClient(dev->grab)) != XSecurityClientTrusted); } else { @@ -832,7 +840,7 @@ SecurityCheckDeviceAccess(client, dev, fromRequest) { found_event_window = TRUE; client = wClient(pWin); - if (client->trustLevel != XSecurityClientTrusted) + if (TRUSTLEVEL(client) != XSecurityClientTrusted) { untrusted_got_event = TRUE; } @@ -845,7 +853,7 @@ SecurityCheckDeviceAccess(client, dev, fromRequest) if (other->mask & eventmask) { client = rClient(other); - if (client->trustLevel != XSecurityClientTrusted) + if (TRUSTLEVEL(client) != XSecurityClientTrusted) { untrusted_got_event = TRUE; break; @@ -873,8 +881,9 @@ SecurityCheckDeviceAccess(client, dev, fromRequest) else SecurityAudit("client %d attempted to access device %d (%s)\n", client->index, dev->id, devname); + rec->rval = FALSE; } - return untrusted_got_event; + return; } /* SecurityCheckDeviceAccess */ @@ -946,20 +955,22 @@ SecurityAuditResourceIDAccess( * Disallowed resource accesses are audited. */ -static pointer -SecurityCheckResourceIDAccess( - ClientPtr client, - XID id, - RESTYPE rtype, - Mask access_mode, - pointer rval) +CALLBACK(SecurityCheckResourceIDAccess) { - int cid = CLIENT_ID(id); - int reqtype = ((xReq *)client->requestBuffer)->reqType; - - if (SecurityUnknownAccess == access_mode) - return rval; /* for compatibility, we have to allow access */ - + XaceResourceAccessRec *rec = (XaceResourceAccessRec*)calldata; + ClientPtr client = rec->client; + XID id = rec->id; + RESTYPE rtype = rec->rtype; + Mask access_mode = rec->access_mode; + pointer rval = rec->res; + int cid, reqtype; + + if (TRUSTLEVEL(client) == XSecurityClientTrusted || + SecurityUnknownAccess == access_mode) + return; /* for compatibility, we have to allow access */ + + cid = CLIENT_ID(id); + reqtype = ((xReq *)client->requestBuffer)->reqType; switch (reqtype) { /* these are always allowed */ case X_QueryTree: @@ -971,7 +982,7 @@ SecurityCheckResourceIDAccess( case X_DeleteProperty: case X_RotateProperties: case X_ListProperties: - return rval; + return; default: break; } @@ -991,15 +1002,15 @@ SecurityCheckResourceIDAccess( * competing alternative for grouping clients for security purposes is to * use app groups. dpw */ - if (client->trustLevel == clients[cid]->trustLevel + if (TRUSTLEVEL(client) == TRUSTLEVEL(clients[cid]) #ifdef XAPPGROUP || (RT_COLORMAP == rtype && XagDefaultColormap (client) == (Colormap) id) #endif ) - return rval; + return; else - return SecurityAuditResourceIDAccess(client, id); + goto deny; } else /* server-owned resource - probably a default colormap or root window */ { @@ -1035,7 +1046,7 @@ SecurityCheckResourceIDAccess( ) ) { /* not an ICCCM event */ - return SecurityAuditResourceIDAccess(client, id); + goto deny; } break; } /* case X_SendEvent on root */ @@ -1053,28 +1064,31 @@ SecurityCheckResourceIDAccess( ~(PropertyChangeMask|StructureNotifyMask)) == 0) break; } - return SecurityAuditResourceIDAccess(client, id); + goto deny; } /* case X_ChangeWindowAttributes on root */ default: { /* others not allowed */ - return SecurityAuditResourceIDAccess(client, id); + goto deny; } } } /* end server-owned window or drawable */ else if (SecurityAuthorizationResType == rtype) { SecurityAuthorizationPtr pAuth = (SecurityAuthorizationPtr)rval; - if (pAuth->trustLevel != client->trustLevel) - return SecurityAuditResourceIDAccess(client, id); + if (pAuth->trustLevel != TRUSTLEVEL(client)) + goto deny; } else if (RT_COLORMAP != rtype) { /* don't allow anything else besides colormaps */ - return SecurityAuditResourceIDAccess(client, id); + goto deny; } } - return rval; + return; + deny: + SecurityAuditResourceIDAccess(client, id); + rec->rval = FALSE; /* deny access */ } /* SecurityCheckResourceIDAccess */ @@ -1093,30 +1107,32 @@ SecurityCheckResourceIDAccess( * If a new client is connecting, its authorization ID is copied to * client->authID. If this is a generated authorization, its reference * count is bumped, its timer is cancelled if it was running, and its - * trustlevel is copied to client->trustLevel. + * trustlevel is copied to TRUSTLEVEL(client). * * If a client is disconnecting and the client was using a generated * authorization, the authorization's reference count is decremented, and * if it is now zero, the timer for this authorization is started. */ -static void -SecurityClientStateCallback( - CallbackListPtr *pcbl, - pointer nulldata, - pointer calldata) +CALLBACK(SecurityClientStateCallback) { NewClientInfoRec *pci = (NewClientInfoRec *)calldata; ClientPtr client = pci->client; switch (client->clientState) { + case ClientStateInitial: + TRUSTLEVEL(serverClient) = XSecurityClientTrusted; + AUTHID(serverClient) = None; + break; + case ClientStateRunning: { XID authId = AuthorizationIDOfClient(client); SecurityAuthorizationPtr pAuth; - client->authId = authId; + TRUSTLEVEL(client) = XSecurityClientTrusted; + AUTHID(client) = authId; pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId, SecurityAuthorizationResType); if (pAuth) @@ -1126,23 +1142,20 @@ SecurityClientStateCallback( { if (pAuth->timer) TimerCancel(pAuth->timer); } - client->trustLevel = pAuth->trustLevel; - if (client->trustLevel != XSecurityClientTrusted) - { - client->CheckAccess = SecurityCheckResourceIDAccess; - client->requestVector = client->swapped ? - SwappedUntrustedProcVector : UntrustedProcVector; - } + TRUSTLEVEL(client) = pAuth->trustLevel; } break; } case ClientStateGone: case ClientStateRetained: /* client disconnected */ { - XID authId = client->authId; SecurityAuthorizationPtr pAuth; - pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId, + /* client may not have any state (bad authorization) */ + if (!STATEPTR(client)) + break; + + pAuth = (SecurityAuthorizationPtr)LookupIDByType(AUTHID(client), SecurityAuthorizationResType); if (pAuth) { /* it is a generated authorization */ @@ -1158,124 +1171,68 @@ SecurityClientStateCallback( } } /* SecurityClientStateCallback */ -/* SecurityCensorImage - * - * Called after pScreen->GetImage to prevent pieces or trusted windows from - * being returned in image data from an untrusted window. - * - * Arguments: - * client is the client doing the GetImage. - * pVisibleRegion is the visible region of the window. - * widthBytesLine is the width in bytes of one horizontal line in pBuf. - * pDraw is the source window. - * x, y, w, h is the rectangle of image data from pDraw in pBuf. - * format is the format of the image data in pBuf: ZPixmap or XYPixmap. - * pBuf is the image data. - * - * Returns: nothing. - * - * Side Effects: - * Any part of the rectangle (x, y, w, h) that is outside the visible - * region of the window will be destroyed (overwritten) in pBuf. - */ -void -SecurityCensorImage(client, pVisibleRegion, widthBytesLine, pDraw, x, y, w, h, - format, pBuf) - ClientPtr client; - RegionPtr pVisibleRegion; - long widthBytesLine; - DrawablePtr pDraw; - int x, y, w, h; - unsigned int format; - char * pBuf; +CALLBACK(SecurityCheckDrawableAccess) { - RegionRec imageRegion; /* region representing x,y,w,h */ - RegionRec censorRegion; /* region to obliterate */ - BoxRec imageBox; - int nRects; - - imageBox.x1 = x; - imageBox.y1 = y; - imageBox.x2 = x + w; - imageBox.y2 = y + h; - REGION_INIT(pScreen, &imageRegion, &imageBox, 1); - REGION_NULL(pScreen, &censorRegion); - - /* censorRegion = imageRegion - visibleRegion */ - REGION_SUBTRACT(pScreen, &censorRegion, &imageRegion, pVisibleRegion); - nRects = REGION_NUM_RECTS(&censorRegion); - if (nRects > 0) - { /* we have something to censor */ - GCPtr pScratchGC = NULL; - PixmapPtr pPix = NULL; - xRectangle *pRects = NULL; - Bool failed = FALSE; - int depth = 1; - int bitsPerPixel = 1; - int i; - BoxPtr pBox; - - /* convert region to list-of-rectangles for PolyFillRect */ - - pRects = (xRectangle *)ALLOCATE_LOCAL(nRects * sizeof(xRectangle *)); - if (!pRects) - { - failed = TRUE; - goto failSafe; - } - for (pBox = REGION_RECTS(&censorRegion), i = 0; - i < nRects; - i++, pBox++) - { - pRects[i].x = pBox->x1; - pRects[i].y = pBox->y1 - imageBox.y1; - pRects[i].width = pBox->x2 - pBox->x1; - pRects[i].height = pBox->y2 - pBox->y1; - } + XaceDrawableAccessRec *rec = (XaceDrawableAccessRec*)calldata; - /* use pBuf as a fake pixmap */ + if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted) + rec->rval = FALSE; +} - if (format == ZPixmap) - { - depth = pDraw->depth; - bitsPerPixel = pDraw->bitsPerPixel; - } +CALLBACK(SecurityCheckMapAccess) +{ + XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata; + WindowPtr pWin = rec->pWin; - pPix = GetScratchPixmapHeader(pDraw->pScreen, w, h, - depth, bitsPerPixel, - widthBytesLine, (pointer)pBuf); - if (!pPix) - { - failed = TRUE; - goto failSafe; - } + if (STATEPTR(rec->client) && + (TRUSTLEVEL(rec->client) != XSecurityClientTrusted) && + (pWin->drawable.class == InputOnly) && + (TRUSTLEVEL(wClient(pWin->parent)) == XSecurityClientTrusted)) - pScratchGC = GetScratchGC(depth, pPix->drawable.pScreen); - if (!pScratchGC) - { - failed = TRUE; - goto failSafe; - } + rec->rval = FALSE; +} - ValidateGC(&pPix->drawable, pScratchGC); - (* pScratchGC->ops->PolyFillRect)(&pPix->drawable, - pScratchGC, nRects, pRects); +CALLBACK(SecurityCheckBackgrndAccess) +{ + XaceMapAccessRec *rec = (XaceMapAccessRec*)calldata; - failSafe: - if (failed) - { - /* Censoring was not completed above. To be safe, wipe out - * all the image data so that nothing trusted gets out. - */ - bzero(pBuf, (int)(widthBytesLine * h)); - } - if (pRects) DEALLOCATE_LOCAL(pRects); - if (pScratchGC) FreeScratchGC(pScratchGC); - if (pPix) FreeScratchPixmapHeader(pPix); + if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted) + rec->rval = FALSE; +} + +CALLBACK(SecurityCheckExtAccess) +{ + XaceExtAccessRec *rec = (XaceExtAccessRec*)calldata; + + if ((TRUSTLEVEL(rec->client) != XSecurityClientTrusted) && + !STATEVAL(rec->ext)) + + rec->rval = FALSE; +} + +CALLBACK(SecurityCheckHostlistAccess) +{ + XaceHostlistAccessRec *rec = (XaceHostlistAccessRec*)calldata; + + if (TRUSTLEVEL(rec->client) != XSecurityClientTrusted) + { + rec->rval = FALSE; + if (rec->access_mode == SecurityWriteAccess) + SecurityAudit("client %d attempted to change host access\n", + rec->client->index); + else + SecurityAudit("client %d attempted to list hosts\n", + rec->client->index); } - REGION_UNINIT(pScreen, &imageRegion); - REGION_UNINIT(pScreen, &censorRegion); -} /* SecurityCensorImage */ +} + +CALLBACK(SecurityDeclareExtSecure) +{ + XaceDeclareExtSecureRec *rec = (XaceDeclareExtSecureRec*)calldata; + + /* security state for extensions is simply a boolean trust value */ + STATEVAL(rec->ext) = rec->secure; +} /**********************************************************************/ @@ -1734,21 +1691,21 @@ SecurityMatchString( #endif -char -SecurityCheckPropertyAccess(client, pWin, propertyName, access_mode) - ClientPtr client; - WindowPtr pWin; - ATOM propertyName; - Mask access_mode; -{ +CALLBACK(SecurityCheckPropertyAccess) +{ + XacePropertyAccessRec *rec = (XacePropertyAccessRec*)calldata; + ClientPtr client = rec->client; + WindowPtr pWin = rec->pWin; + ATOM propertyName = rec->propertyName; + Mask access_mode = rec->access_mode; PropertyAccessPtr pacl; char action = SecurityDefaultAction; /* if client trusted or window untrusted, allow operation */ - if ( (client->trustLevel == XSecurityClientTrusted) || - (wClient(pWin)->trustLevel != XSecurityClientTrusted) ) - return SecurityAllowOperation; + if ( (TRUSTLEVEL(client) == XSecurityClientTrusted) || + (TRUSTLEVEL(wClient(pWin)) != XSecurityClientTrusted) ) + return; #ifdef PROPDEBUG /* For testing, it's more convenient if the property rules file gets @@ -1861,7 +1818,9 @@ SecurityCheckPropertyAccess(client, pWin, propertyName, access_mode) client->index, reqtype, pWin->drawable.id, NameForAtom(propertyName), propertyName, cid, actionstr); } - return action; + /* return codes increase with strictness */ + if (action > rec->rval) + rec->rval = action; } /* SecurityCheckPropertyAccess */ @@ -1901,6 +1860,46 @@ XSecurityOptions(argc, argv, i) } /* XSecurityOptions */ +/* SecurityExtensionSetup + * + * Arguments: none. + * + * Returns: nothing. + * + * Side Effects: + * Sets up the Security extension if possible. + * This function contains things that need to be done + * before any other extension init functions get called. + */ + +void +SecurityExtensionSetup(INITARGS) +{ + /* Allocate the client private index */ + securityClientPrivateIndex = AllocateClientPrivateIndex(); + if (!AllocateClientPrivate(securityClientPrivateIndex, + sizeof (SecurityClientStateRec))) + FatalError("SecurityExtensionSetup: Can't allocate client private.\n"); + + /* Allocate the extension private index */ + securityExtnsnPrivateIndex = AllocateExtensionPrivateIndex(); + if (!AllocateExtensionPrivate(securityExtnsnPrivateIndex, 0)) + FatalError("SecurityExtensionSetup: Can't allocate extnsn private.\n"); + + /* register callbacks */ +#define XaceRC XaceRegisterCallback + XaceRC(XACE_RESOURCE_ACCESS, SecurityCheckResourceIDAccess, NULL); + XaceRC(XACE_DEVICE_ACCESS, SecurityCheckDeviceAccess, NULL); + XaceRC(XACE_PROPERTY_ACCESS, SecurityCheckPropertyAccess, NULL); + XaceRC(XACE_DRAWABLE_ACCESS, SecurityCheckDrawableAccess, NULL); + XaceRC(XACE_MAP_ACCESS, SecurityCheckMapAccess, NULL); + XaceRC(XACE_BACKGRND_ACCESS, SecurityCheckBackgrndAccess, NULL); + XaceRC(XACE_EXT_DISPATCH, SecurityCheckExtAccess, NULL); + XaceRC(XACE_EXT_ACCESS, SecurityCheckExtAccess, NULL); + XaceRC(XACE_HOSTLIST_ACCESS, SecurityCheckHostlistAccess, NULL); + XaceRC(XACE_DECLARE_EXT_SECURE, SecurityDeclareExtSecure, NULL); +} /* SecurityExtensionSetup */ + /* SecurityExtensionInit * @@ -1916,7 +1915,6 @@ void SecurityExtensionInit(INITARGS) { ExtensionEntry *extEntry; - int i; SecurityAuthorizationResType = CreateNewResourceType(SecurityDeleteAuthorization); @@ -1943,25 +1941,6 @@ SecurityExtensionInit(INITARGS) EventSwapVector[SecurityEventBase + XSecurityAuthorizationRevoked] = (EventSwapPtr)SwapSecurityAuthorizationRevokedEvent; - /* initialize untrusted proc vectors */ - - for (i = 0; i < 128; i++) - { - UntrustedProcVector[i] = ProcVector[i]; - SwappedUntrustedProcVector[i] = SwappedProcVector[i]; - } - - /* make sure insecure extensions are not allowed */ - - for (i = 128; i < 256; i++) - { - if (!UntrustedProcVector[i]) - { - UntrustedProcVector[i] = ProcBadRequest; - SwappedUntrustedProcVector[i] = ProcBadRequest; - } - } - SecurityLoadPropertyAccessList(); } /* SecurityExtensionInit */ |