author | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2007-10-17 19:27:16 -0400 |
committer | Eamon Walsh <ewalsh@moss-charon.epoch.ncsc.mil> | 2007-10-17 19:27:16 -0400 |
commit | aa340b2c7cbe9ddab53cff08c8ba165558209187 (patch) | |
tree | 8e8e3f024209ea8102fec676d3535ba6484fcec1 /Xext | |
parent | 503f918f55d0cb29585d83b022bbb8dc29f446c5 (diff) |
xselinux: add hook for device acceses.
Diffstat (limited to 'Xext')
-rw-r--r-- | Xext/xselinux.c | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index fc91ae384..8bafa1fec 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -292,6 +292,36 @@ SELinuxLog(int type, const char *fmt, ...)
*/
static void
+SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
+{
+ XaceDeviceAccessRec *rec = calldata;
+ SELinuxStateRec *subj, *obj;
+ SELinuxAuditRec auditdata = { NULL, NULL, 0, 0, 0, NULL };
+ int rc;
+
+ subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
+ obj = dixLookupPrivate(&rec->dev->devPrivates, stateKey);
+
+ /* If this is a new object that needs labeling, do it now */
+ if (rec->access_mode & DixCreateAccess) {
+ sidput(obj->sid);
+
+ /* Perform a transition to obtain the final SID */
+ if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_DEVICE,
+ &obj->sid) < 0) {
+ ErrorF("XSELinux: a compute_create call failed!\n");
+ rec->status = BadValue;
+ return;
+ }
+ }
+
+ rc = SELinuxDoCheck(rec->client, obj, SECCLASS_X_DEVICE,
+ rec->access_mode, &auditdata);
+ if (rc != Success)
+ rec->status = rc;
+}
+
+static void
SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
XaceExtAccessRec *rec = calldata;
@@ -755,7 +785,7 @@ XSELinuxExtensionInit(INITARGS)
ret &= XaceRegisterCallback(XACE_EXT_DISPATCH, SELinuxExtension, 0);
ret &= XaceRegisterCallback(XACE_RESOURCE_ACCESS, SELinuxResource, 0);
-// ret &= XaceRegisterCallback(XACE_DEVICE_ACCESS, SELinuxDevice, 0);
+ ret &= XaceRegisterCallback(XACE_DEVICE_ACCESS, SELinuxDevice, 0);
ret &= XaceRegisterCallback(XACE_PROPERTY_ACCESS, SELinuxProperty, 0);
// ret &= XaceRegisterCallback(XACE_SEND_ACCESS, SELinuxSend, 0);
// ret &= XaceRegisterCallback(XACE_RECEIVE_ACCESS, SELinuxReceive, 0); |
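Review bot: In SELinuxDevice the create path calls `sidput(obj->sid)` before `avc_compute_create` runs, so when that call fails the hook returns BadValue with `obj->sid` still referring to the SID it just released (unless libselinux clears `*newsid` on error, which this hunk cannot show), and any later permission check or `sidput` on that device would act on a stale label. Computing the transition into a local and releasing the old SID only after success keeps the device's label consistent on the failure path; the rewritten lines are below. Both `subj` and `obj` are also dereferenced straight out of `dixLookupPrivate` with no NULL check — presumably the private is always allocated for clients and devices, but a one-line comment stating that assumption, e.g. `/* stateKey privates are allocated for every client and device, so neither lookup can return NULL */`, would make the contract explicit for the next reader.
```c
    SELinuxStateRec *subj, *obj;
    SELinuxAuditRec auditdata = { NULL, NULL, 0, 0, 0, NULL };
    security_id_t newsid;
    int rc;

    /* … unchanged: subj/obj lookup via dixLookupPrivate … */

    /* If this is a new object that needs labeling, do it now */
    if (rec->access_mode & DixCreateAccess) {
	/* Perform a transition to obtain the final SID */
	if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_DEVICE,
			       &newsid) < 0) {
	    ErrorF("XSELinux: a compute_create call failed!\n");
	    rec->status = BadValue;
	    return;
	}
	/* Release the old label only once the new one is known */
	sidput(obj->sid);
	obj->sid = newsid;
    }

    /* … unchanged: SELinuxDoCheck call and status update … */
```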