XACE: Make the default window background state configurable per-window.

To recap: the original XC-SECURITY extension disallowed background "None" if
the window was untrusted.  XACE 1.0 preserved this check as a hook function.
XACE pre-2.0 removed the hook and first abolished background "None entirely,
then restored it as a global on/off switch in response to Bug #13683.
Now it's back to being per-window, via a flag instead of a hook function.

2 files changed, 7 insertions, 2 deletions

diff --git a/Xext/security.c b/Xext/security.c
index a3cde2cec..27ef38205 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -810,6 +810,11 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey);
 
+    /* disable background None for untrusted windows */
+    if ((requested & DixCreateAccess) && (rec->rtype == RT_WINDOW))
+	if (subj->haveState && subj->trustLevel != XSecurityClientTrusted)
+	    ((WindowPtr)rec->res)->forcedBG = TRUE;
+
     /* special checks for server-owned resources */
     if (cid == 0) {
 	if (rec->rtype & RC_DRAWABLE)
diff --git a/Xext/xace.h b/Xext/xace.h
index 2016ca322..1f07d9fd2 100644
--- a/Xext/xace.h
+++ b/Xext/xace.h
@@ -31,7 +31,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include "property.h"
 
 /* Default window background */
-#define XaceBackgroundNoneState		None
+#define XaceBackgroundNoneState(w) ((w)->forcedBG ? BackgroundPixel : None)
 
 /* security hooks */
 /* Constants used to identify the available security hooks
@@ -100,7 +100,7 @@ extern void XaceCensorImage(
 #else /* XACE */
 
 /* Default window background */
-#define XaceBackgroundNoneState		None
+#define XaceBackgroundNoneState(w)		None
 
 /* Define calls away when XACE is not being built. */