5 files changed, 75 insertions, 25 deletions

diff --git a/Xext/xace.c b/Xext/xace.c
index 4d34dc3d9..3091ecd32 100644
--- a/Xext/xace.c
+++ b/Xext/xace.c
@@ -113,10 +113,25 @@ int XaceHook(int hook, ...)
 	    prv = &rec.status;
 	    break;
 	}
-	case XACE_MAP_ACCESS: {
-	    XaceMapAccessRec rec = {
+	case XACE_SEND_ACCESS: {
+	    XaceSendAccessRec rec = {
 		va_arg(ap, ClientPtr),
+		va_arg(ap, DeviceIntPtr),
 		va_arg(ap, WindowPtr),
+		va_arg(ap, xEventPtr),
+		va_arg(ap, int),
+		Success /* default allow */
+	    };
+	    calldata = &rec;
+	    prv = &rec.status;
+	    break;
+	}
+	case XACE_RECEIVE_ACCESS: {
+	    XaceReceiveAccessRec rec = {
+		va_arg(ap, ClientPtr),
+		va_arg(ap, WindowPtr),
+		va_arg(ap, xEventPtr),
+		va_arg(ap, int),
 		Success /* default allow */
 	    };
 	    calldata = &rec;
diff --git a/Xext/xace.h b/Xext/xace.h
index f1a6e9d8c..c1fc0714f 100644
--- a/Xext/xace.h
+++ b/Xext/xace.h
@@ -46,18 +46,19 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #define XACE_DEVICE_ACCESS		3
 #define XACE_PROPERTY_ACCESS		4
 #define XACE_DRAWABLE_ACCESS		5
-#define XACE_MAP_ACCESS			6
-#define XACE_CLIENT_ACCESS		7
-#define XACE_EXT_ACCESS			8
-#define XACE_SERVER_ACCESS		9
-#define XACE_SELECTION_ACCESS		10
-#define XACE_SCREEN_ACCESS		11
-#define XACE_SCREENSAVER_ACCESS		12
-#define XACE_AUTH_AVAIL			13
-#define XACE_KEY_AVAIL			14
-#define XACE_AUDIT_BEGIN		15
-#define XACE_AUDIT_END			16
-#define XACE_NUM_HOOKS			17
+#define XACE_SEND_ACCESS		6
+#define XACE_RECEIVE_ACCESS		7
+#define XACE_CLIENT_ACCESS		8
+#define XACE_EXT_ACCESS			9
+#define XACE_SERVER_ACCESS		10
+#define XACE_SELECTION_ACCESS		11
+#define XACE_SCREEN_ACCESS		12
+#define XACE_SCREENSAVER_ACCESS		13
+#define XACE_AUTH_AVAIL			14
+#define XACE_KEY_AVAIL			15
+#define XACE_AUDIT_BEGIN		16
+#define XACE_AUDIT_END			17
+#define XACE_NUM_HOOKS			18
 
 extern CallbackListPtr XaceHooks[XACE_NUM_HOOKS];
 
diff --git a/Xext/xacestr.h b/Xext/xacestr.h
index c98be3d32..15d39b72e 100644
--- a/Xext/xacestr.h
+++ b/Xext/xacestr.h
@@ -70,12 +70,24 @@ typedef struct {
     int status;
 } XaceDrawableAccessRec;
 
-/* XACE_MAP_ACCESS */
+/* XACE_SEND_ACCESS */
+typedef struct {
+    ClientPtr client;
+    DeviceIntPtr dev;
+    WindowPtr pWin;
+    xEventPtr events;
+    int count;
+    int status;
+} XaceSendAccessRec;
+
+/* XACE_RECEIVE_ACCESS */
 typedef struct {
     ClientPtr client;
     WindowPtr pWin;
+    xEventPtr events;
+    int count;
     int status;
-} XaceMapAccessRec;
+} XaceReceiveAccessRec;
 
 /* XACE_CLIENT_ACCESS */
 typedef struct {
diff --git a/dix/events.c b/dix/events.c
index deae4e340..42c3ba195 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -1753,8 +1753,10 @@ DeliverEventsToWindow(WindowPtr pWin, xEvent *pEvents, int count,
 	if (filter != CantBeFiltered &&
 	    !((wOtherEventMasks(pWin)|pWin->eventMask) & filter))
 	    return 0;
-	if ( (attempt = TryClientEvents(wClient(pWin), pEvents, count,
-				      pWin->eventMask, filter, grab)) )
+	if (XaceHook(XACE_RECEIVE_ACCESS, wClient(pWin), pWin, pEvents, count))
+	    nondeliveries--;
+	else if ( (attempt = TryClientEvents(wClient(pWin), pEvents, count,
+					     pWin->eventMask, filter, grab)) )
 	{
 	    if (attempt > 0)
 	    {
@@ -1781,7 +1783,10 @@ DeliverEventsToWindow(WindowPtr pWin, xEvent *pEvents, int count,
 	    other = (InputClients *)wOtherClients(pWin);
 	for (; other; other = other->next)
 	{
-	    if ( (attempt = TryClientEvents(rClient(other), pEvents, count,
+	    if (XaceHook(XACE_RECEIVE_ACCESS, rClient(other), pWin, pEvents,
+			 count))
+		nondeliveries--;
+	    else if ( (attempt = TryClientEvents(rClient(other), pEvents, count,
 					  other->mask[mskidx], filter, grab)) )
 	    {
 		if (attempt > 0)
@@ -1878,6 +1883,8 @@ MaybeDeliverEventsToClient(WindowPtr pWin, xEvent *pEvents,
 	    return XineramaTryClientEventsResult(
 			wClient(pWin), NullGrab, pWin->eventMask, filter);
 #endif
+	if (XaceHook(XACE_RECEIVE_ACCESS, wClient(pWin), pWin, pEvents, count))
+	    return 0;
 	return TryClientEvents(wClient(pWin), pEvents, count,
 			       pWin->eventMask, filter, NullGrab);
     }
@@ -1892,6 +1899,9 @@ MaybeDeliverEventsToClient(WindowPtr pWin, xEvent *pEvents,
 	      return XineramaTryClientEventsResult(
 			rClient(other), NullGrab, other->mask, filter);
 #endif
+	    if (XaceHook(XACE_RECEIVE_ACCESS, rClient(other), pWin, pEvents,
+			 count))
+		return 0;
 	    return TryClientEvents(rClient(other), pEvents, count,
 				   other->mask, filter, NullGrab);
 	}
@@ -1986,6 +1996,9 @@ DeliverDeviceEvents(WindowPtr pWin, xEvent *xE, GrabPtr grab,
     Mask filter = filters[type];
     int deliveries = 0;
 
+    if (XaceHook(XACE_SEND_ACCESS, NULL, dev, pWin, xE, count))
+	return 0;
+
     if (type & EXTENSION_EVENT_BASE)
     {
 	OtherInputMasks *inputMasks;
@@ -2829,6 +2842,8 @@ DeliverFocusedEvent(DeviceIntPtr keybd, xEvent *xE, WindowPtr window, int count)
 	    return;
     }
     /* just deliver it to the focus window */
+    if (XaceHook(XACE_SEND_ACCESS, NULL, keybd, focus, xE, count))
+	return;
     FixUpEventFromWindow(xE, focus, None, FALSE);
     if (xE->u.u.type & EXTENSION_EVENT_BASE)
 	mskidx = keybd->id;
@@ -2877,9 +2892,12 @@ DeliverGrabbedEvent(xEvent *xE, DeviceIntPtr thisDev,
     if (!deliveries)
     {
 	FixUpEventFromWindow(xE, grab->window, None, TRUE);
-	deliveries = TryClientEvents(rClient(grab), xE, count,
-				     (Mask)grab->eventMask,
-				     filters[xE->u.u.type], grab);
+	if (!XaceHook(XACE_SEND_ACCESS, thisDev, grab->window, xE, count) &&
+	    !XaceHook(XACE_RECEIVE_ACCESS, rClient(grab), grab->window, xE,
+		      count))
+	    deliveries = TryClientEvents(rClient(grab), xE, count,
+					 (Mask)grab->eventMask,
+					 filters[xE->u.u.type], grab);
 	if (deliveries && (xE->u.u.type == MotionNotify
 #ifdef XINPUT
 			   || xE->u.u.type == DeviceMotionNotify
@@ -4530,6 +4548,9 @@ ProcSendEvent(ClientPtr client)
     {
 	for (;pWin; pWin = pWin->parent)
 	{
+	    if (XaceHook(XACE_SEND_ACCESS, client, NULL, pWin,
+			 &stuff->event, 1))
+		return Success;
 	    if (DeliverEventsToWindow(pWin, &stuff->event, 1, stuff->eventMask,
 				      NullGrab, 0))
 		return Success;
@@ -4540,7 +4561,7 @@ ProcSendEvent(ClientPtr client)
 		break;
 	}
     }
-    else
+    else if (!XaceHook(XACE_SEND_ACCESS, client, NULL, pWin, &stuff->event, 1))
 	(void)DeliverEventsToWindow(pWin, &stuff->event, 1, stuff->eventMask,
 				    NullGrab, 0);
     return Success;
diff --git a/dix/window.c b/dix/window.c
index 1a598faca..b6bbdd4cb 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -2744,8 +2744,9 @@ MapWindow(WindowPtr pWin, ClientPtr client)
 	return(Success);
 
     /*  general check for permission to map window */
-    if (XaceHook(XACE_MAP_ACCESS, client, pWin) != Success)
-	 return Success;
+    if (XaceHook(XACE_RESOURCE_ACCESS, client, pWin->drawable.id, RT_WINDOW,
+		 DixShowAccess, pWin) != Success)
+	return Success;
 
     pScreen = pWin->drawable.pScreen;
     if ( (pParent = pWin->parent) )