authorEamon Walsh <ewalsh@tycho.nsa.gov>2008-02-13 20:16:56 -0500
committerEamon Walsh <ewalsh@moss-charon.epoch.ncsc.mil>2008-02-13 20:20:49 -0500
commit4573cb2ce4b859744118d9a33de3599f033cdd2b (patch)
treed9a17ab97c5dc29affc0b79d880774e27e604c8e /Xext/security.c
parente99aadbc2635e87543fc9980d8156c3ede83544f (diff)
security: Revise set of permissions granted to untrusted clients.
Bug #14480: untrusted access broken on 7.3.
Diffstat (limited to 'Xext/security.c')
-rw-r--r--Xext/security.c44
1 files changed, 31 insertions, 13 deletions
diff --git a/Xext/security.c b/Xext/security.c
index 069655964..a3cde2cec 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -70,10 +70,19 @@ static char *SecurityUntrustedExtensions[] = {
NULL
};
-/* Access modes that untrusted clients can do to trusted stuff */
-static const Mask SecurityAllowedMask =
- DixGetAttrAccess | DixListPropAccess | DixGetPropAccess |
- DixGetFocusAccess | DixListAccess | DixReceiveAccess;
+/*
+ * Access modes that untrusted clients are allowed on trusted objects.
+ */
+static const Mask SecurityResourceMask =
+ DixGetAttrAccess | DixReceiveAccess | DixListPropAccess |
+ DixGetPropAccess | DixListAccess;
+static const Mask SecurityRootWindowExtraMask =
+ DixReceiveAccess | DixSendAccess | DixAddAccess | DixRemoveAccess;
+static const Mask SecurityDeviceMask =
+ DixGetAttrAccess | DixReceiveAccess | DixGetFocusAccess |
+ DixGrabAccess | DixSetAttrAccess | DixUseAccess;
+static const Mask SecurityServerMask = DixGetAttrAccess | DixGrabAccess;
+static const Mask SecurityClientMask = DixGetAttrAccess;
/* SecurityAudit
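Review bot: The five new masks share one generic comment, so nothing here records which hook consumes which mask or why an untrusted client needs the write-type bits (`DixSendAccess`, `DixAddAccess`, `DixRemoveAccess` on root windows; `DixGrabAccess`, `DixSetAttrAccess`, `DixUseAccess` on devices). A one-line comment above each definition would make later audits of this allow-list much easier, for example `/* SecurityDevice: core keyboard only; grab/set-attr allowed because <reason> */`. `DixReceiveAccess` in `SecurityRootWindowExtraMask` also looks redundant: the only visible use is `allowed |= SecurityRootWindowExtraMask` in SecurityResource, where `allowed` starts as `SecurityResourceMask`, which already contains that bit.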
@@ -751,11 +760,15 @@ SecurityDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
XaceDeviceAccessRec *rec = calldata;
SecurityStateRec *subj, *obj;
Mask requested = rec->access_mode;
- Mask allowed = SecurityAllowedMask;
+ Mask allowed = SecurityDeviceMask;
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
+ if (rec->dev != inputInfo.keyboard)
+ /* this extension only supports the core keyboard */
+ allowed = requested;
+
if (SecurityDoCheck(subj, obj, requested, allowed) != Success) {
SecurityAudit("Security denied client %d keyboard access on request "
"%s\n", rec->client->index,
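Review bot: The added `if (rec->dev != inputInfo.keyboard) allowed = requested;` makes this hook fail open for every device other than the core keyboard, so the `SecurityDoCheck` call that follows presumably cannot deny an untrusted client on access-mode grounds for the core pointer or any other input device. The comment says only that the extension "supports" the core keyboard; it should state that the bypass is deliberate and name what else restricts untrusted clients on other devices, e.g. `/* deliberately unmediated: only the core keyboard is policed here; other devices rely on <mechanism> */`. Bracing the `if` would also stop the comment from being read as its body. The function body starts and ends outside this hunk.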
@@ -792,7 +805,7 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
SecurityStateRec *subj, *obj;
int cid = CLIENT_ID(rec->id);
Mask requested = rec->access_mode;
- Mask allowed = SecurityAllowedMask;
+ Mask allowed = SecurityResourceMask;
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
obj = dixLookupPrivate(&clients[cid]->devPrivates, stateKey);
@@ -801,11 +814,15 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
if (cid == 0) {
if (rec->rtype & RC_DRAWABLE)
/* additional operations allowed on root windows */
- allowed |= DixReadAccess|DixSendAccess;
+ allowed |= SecurityRootWindowExtraMask;
else if (rec->rtype == RT_COLORMAP)
/* allow access to default colormaps */
allowed = requested;
+
+ else
+ /* allow read access to other server-owned resources */
+ allowed |= DixReadAccess;
}
if (SecurityDoCheck(subj, obj, requested, allowed) == Success)
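Review bot: The new catch-all `else` grants `DixReadAccess` on every server-owned resource type that is neither a drawable nor a colormap, including any type added later, which is broader than the explicit cases above it. If only particular types need read access, testing `rec->rtype` for those types would keep the default at deny; otherwise the comment should name the types that motivated the branch. It is also worth confirming that `rec->rtype & RC_DRAWABLE` with `cid == 0` matches only root windows, as the comment says, and not other server-owned drawables. With three unbraced arms separated by comments and a blank line before `else`, braces would make the chain unambiguous.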
@@ -816,9 +833,10 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
return;
#endif
- SecurityAudit("Security: denied client %d access to resource 0x%x "
- "of client %d on request %s\n", rec->client->index, rec->id,
- cid, SecurityLookupRequestName(rec->client));
+ SecurityAudit("Security: denied client %d access %x to resource 0x%x "
+ "of client %d on request %s\n", rec->client->index,
+ requested, rec->id, cid,
+ SecurityLookupRequestName(rec->client));
rec->status = BadAccess; /* deny access */
}
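Review bot: The requested mask is printed as bare `%x` while the resource id beside it uses `0x%x`, so the audit line mixes two hex notations; `"Security: denied client %d access 0x%x to resource 0x%x "` would be easier to parse. The typedefs behind `Mask` and `rec->id` are not visible here; if either is wider than `unsigned int` on some platform, `%x` mismatches the argument, and a cast such as `(unsigned int) requested` would be safe. The keyboard denial message in SecurityDevice still omits the requested mask, so adding it there would keep denial records comparable across hooks.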
@@ -850,7 +868,7 @@ SecurityServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
XaceServerAccessRec *rec = calldata;
SecurityStateRec *subj, *obj;
Mask requested = rec->access_mode;
- Mask allowed = SecurityAllowedMask;
+ Mask allowed = SecurityServerMask;
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
@@ -869,7 +887,7 @@ SecurityClient(CallbackListPtr *pcbl, pointer unused, pointer calldata)
XaceClientAccessRec *rec = calldata;
SecurityStateRec *subj, *obj;
Mask requested = rec->access_mode;
- Mask allowed = SecurityAllowedMask;
+ Mask allowed = SecurityClientMask;
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
obj = dixLookupPrivate(&rec->target->devPrivates, stateKey);
@@ -889,7 +907,7 @@ SecurityProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
SecurityStateRec *subj, *obj;
ATOM name = rec->pProp->propertyName;
Mask requested = rec->access_mode;
- Mask allowed = SecurityAllowedMask | DixReadAccess;
+ Mask allowed = SecurityResourceMask | DixReadAccess;
subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
obj = dixLookupPrivate(&wClient(rec->pWin)->devPrivates, stateKey);