authorEamon Walsh <ewalsh@epoch.ncsc.mil>2004-05-05 20:04:52 +0000
committerEamon Walsh <ewalsh@epoch.ncsc.mil>2004-05-05 20:04:52 +0000
commit8526cd6395490b03b279f1962df777fb0e4a9878 (patch)
treebf9295d0b0fc0925f3ddc959d0fa32243db40897
parent6d066cb10990d951449b342b40dec1f1b1ae593c (diff)
Replace XC-SECURITY code with XACE security hooks
-rw-r--r--dix/devices.c22
-rw-r--r--dix/dispatch.c43
-rw-r--r--dix/dixutils.c36
-rw-r--r--dix/events.c27
-rw-r--r--dix/extension.c59
-rw-r--r--dix/property.c25
-rw-r--r--dix/resource.c21
-rw-r--r--dix/window.c27
-rw-r--r--include/dix.h19
-rw-r--r--include/dixstruct.h11
-rw-r--r--include/extnsionst.h3
-rw-r--r--include/resource.h6
-rw-r--r--lbx/lbxexts.c34
-rw-r--r--lbx/lbxprop.c9
-rw-r--r--lbx/lbxserve.h16
-rw-r--r--os/access.c21
-rw-r--r--os/connection.c13
17 files changed, 169 insertions, 223 deletions
diff --git a/dix/devices.c b/dix/devices.c
index d4e4be823..91a35ed74 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -65,9 +65,8 @@ SOFTWARE.
#ifdef XKB
#include "XKBsrv.h"
#endif
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "security.h"
+#ifdef XACE
+#include "xace.h"
#endif
#ifdef LBX
#include "lbxserve.h"
@@ -1003,8 +1002,8 @@ ProcSetModifierMapping(client)
}
}
-#ifdef XCSECURITY
- if (!SecurityCheckDeviceAccess(client, keybd, TRUE))
+#ifdef XACE
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, keybd, TRUE))
return BadAccess;
#endif
@@ -1125,9 +1124,8 @@ ProcChangeKeyboardMapping(client)
client->errorValue = stuff->keySymsPerKeyCode;
return BadValue;
}
-#ifdef XCSECURITY
- if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard,
- TRUE))
+#ifdef XACE
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
return BadAccess;
#endif
keysyms.minKeyCode = stuff->firstKeyCode;
@@ -1284,8 +1282,8 @@ ProcChangeKeyboardControl (client)
vmask = stuff->mask;
if (client->req_len != (sizeof(xChangeKeyboardControlReq)>>2)+Ones(vmask))
return BadLength;
-#ifdef XCSECURITY
- if (!SecurityCheckDeviceAccess(client, keybd, TRUE))
+#ifdef XACE
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, keybd, TRUE))
return BadAccess;
#endif
vlist = (XID *)&stuff[1]; /* first word of values */
@@ -1681,8 +1679,8 @@ ProcQueryKeymap(client)
rep.type = X_Reply;
rep.sequenceNumber = client->sequence;
rep.length = 2;
-#ifdef XCSECURITY
- if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE))
+#ifdef XACE
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
{
bzero((char *)&rep.map[0], 32);
}
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 9a31d5d5a..f4e479d79 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -1,4 +1,4 @@
-/* $XdotOrg: xc/programs/Xserver/dix/dispatch.c,v 1.2 2004/04/23 19:04:44 eich Exp $ */
+/* $XdotOrg: xc/programs/Xserver/dix/dispatch.c,v 1.1.4.8.2.1 2004/05/04 19:43:10 ewalsh Exp $ */
/* $Xorg: dispatch.c,v 1.5 2001/02/09 02:04:40 xorgcvs Exp $ */
/************************************************************
@@ -103,9 +103,8 @@ int ProcInitialConnection();
#include "panoramiX.h"
#include "panoramiXsrv.h"
#endif
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "security.h"
+#ifdef XACE
+#include "xace.h"
#endif
#ifdef XAPPGROUP
#include "Xagsrv.h"
@@ -1109,11 +1108,10 @@ ProcConvertSelection(client)
CurrentSelections[i].selection != stuff->selection) i++;
if ((i < NumCurrentSelections) &&
(CurrentSelections[i].window != None)
-#ifdef XCSECURITY
- && (!client->CheckAccess ||
- (* client->CheckAccess)(client, CurrentSelections[i].window,
- RT_WINDOW, SecurityReadAccess,
- CurrentSelections[i].pWin))
+#ifdef XACE
+ && XaceHook(XACE_RESOURCE_ACCESS, client,
+ CurrentSelections[i].window, RT_WINDOW,
+ SecurityReadAccess, CurrentSelections[i].pWin)
#endif
)
{
@@ -2218,9 +2216,9 @@ DoGetImage(client, format, drawable, x, y, width, height, planemask, im_return)
WriteReplyToClient(client, sizeof (xGetImageReply), &xgi);
}
-#ifdef XCSECURITY
- if (client->trustLevel != XSecurityClientTrusted &&
- pDraw->type == DRAWABLE_WINDOW)
+#ifdef XACE
+ if (pDraw->type == DRAWABLE_WINDOW &&
+ !XaceHook(XACE_DRAWABLE_ACCESS, client, pDraw))
{
pVisibleRegion = NotClippedByChildren((WindowPtr)pDraw);
if (pVisibleRegion)
@@ -2248,9 +2246,9 @@ DoGetImage(client, format, drawable, x, y, width, height, planemask, im_return)
format,
planemask,
(pointer) pBuf);
-#ifdef XCSECURITY
+#ifdef XACE
if (pVisibleRegion)
- SecurityCensorImage(client, pVisibleRegion, widthBytesLine,
+ XaceCensorImage(client, pVisibleRegion, widthBytesLine,
pDraw, x, y + linesDone, width,
nlines, format, pBuf);
#endif
@@ -2289,9 +2287,9 @@ DoGetImage(client, format, drawable, x, y, width, height, planemask, im_return)
format,
plane,
(pointer)pBuf);
-#ifdef XCSECURITY
+#ifdef XACE
if (pVisibleRegion)
- SecurityCensorImage(client, pVisibleRegion,
+ XaceCensorImage(client, pVisibleRegion,
widthBytesLine,
pDraw, x, y + linesDone, width,
nlines, format, pBuf);
@@ -2317,7 +2315,7 @@ DoGetImage(client, format, drawable, x, y, width, height, planemask, im_return)
}
}
}
-#ifdef XCSECURITY
+#ifdef XACE
if (pVisibleRegion)
REGION_DESTROY(pDraw->pScreen, pVisibleRegion);
#endif
@@ -3354,11 +3352,10 @@ ProcListHosts(client)
/* REQUEST(xListHostsReq); */
REQUEST_SIZE_MATCH(xListHostsReq);
-#ifdef XCSECURITY
+#ifdef XACE
/* untrusted clients can't list hosts */
- if (client->trustLevel != XSecurityClientTrusted)
+ if (!XaceHook(XACE_HOSTLIST_ACCESS, client, SecurityReadAccess))
{
- SecurityAudit("client %d attempted to list hosts\n", client->index);
return BadAccess;
}
#endif
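Review bot: The denial path in ProcListHosts no longer leaves an audit record, because the `SecurityAudit("client %d attempted to list hosts\n", client->index)` call is dropped and nothing replaces it at this call site. Whether the callback behind `XACE_HOSTLIST_ACCESS` logs the refusal is not visible in this diff, so the hook contract should state that the callback is responsible for auditing. The same audit line is removed from the host-access check in os/access.c. The retained comment `/* untrusted clients can't list hosts */` now describes one possible policy rather than this code; `/* ask the security hooks whether this client may read the host list */` would match what the line does.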
@@ -3743,10 +3740,8 @@ void InitClient(client, i, ospriv)
#ifdef LBX
client->readRequest = StandardReadRequestFromClient;
#endif
-#ifdef XCSECURITY
- client->trustLevel = XSecurityClientTrusted;
- client->CheckAccess = NULL;
- client->authId = 0;
+#ifdef XACE
+ XACE_STATE_INIT(client->securityState);
#endif
#ifdef XAPPGROUP
client->appgroup = NULL;
diff --git a/dix/dixutils.c b/dix/dixutils.c
index 40f80d348..e3cd04d98 100644
--- a/dix/dixutils.c
+++ b/dix/dixutils.c
@@ -93,9 +93,8 @@ Author: Adobe Systems Incorporated
#include "scrnintstr.h"
#define XK_LATIN1
#include "keysymdef.h"
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "security.h"
+#ifdef XACE
+#include "xace.h"
#endif
/*
@@ -173,7 +172,7 @@ CopyISOLatin1Lowered(dest, source, length)
*dest = '\0';
}
-#ifdef XCSECURITY
+#ifdef XACE
/* SecurityLookupWindow and SecurityLookupDrawable:
* Look up the window/drawable taking into account the client doing
@@ -181,6 +180,7 @@ CopyISOLatin1Lowered(dest, source, length)
* if it exists and the client is allowed access, else return NULL.
* Most Proc* functions should be calling these instead of
* LookupWindow and LookupDrawable, which do no access checks.
+ * XACE note: need to see if client->lastDrawableID can still be used here.
*/
WindowPtr
@@ -189,27 +189,10 @@ SecurityLookupWindow(rid, client, access_mode)
ClientPtr client;
Mask access_mode;
{
- WindowPtr pWin;
-
client->errorValue = rid;
if(rid == INVALID)
return NULL;
- if (client->trustLevel != XSecurityClientTrusted)
- return (WindowPtr)SecurityLookupIDByType(client, rid, RT_WINDOW, access_mode);
- if (client->lastDrawableID == rid)
- {
- if (client->lastDrawable->type == DRAWABLE_WINDOW)
- return ((WindowPtr) client->lastDrawable);
- return (WindowPtr) NULL;
- }
- pWin = (WindowPtr)SecurityLookupIDByType(client, rid, RT_WINDOW, access_mode);
- if (pWin && pWin->drawable.type == DRAWABLE_WINDOW) {
- client->lastDrawable = (DrawablePtr) pWin;
- client->lastDrawableID = rid;
- client->lastGCID = INVALID;
- client->lastGC = (GCPtr)NULL;
- }
- return pWin;
+ return (WindowPtr)SecurityLookupIDByType(client, rid, RT_WINDOW, access_mode);
}
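Review bot: The comment added above SecurityLookupWindow asks whether `client->lastDrawableID` can still be used, yet this body already stops reading and filling the cache, so the question that remains is about the other readers. The `LOOKUP_DRAWABLE` macro shown as context in include/dix.h still returns `client->lastDrawable` on an ID match without going through the hook, so it matters whether any path still populates that cache under XACE (the tail of SecurityLookupDrawable is outside its hunk). I would replace the open note with the rule itself, e.g. `/* XACE: no lastDrawable fast path here, every lookup must reach XACE_RESOURCE_ACCESS */`.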
@@ -223,11 +206,6 @@ SecurityLookupDrawable(rid, client, access_mode)
if(rid == INVALID)
return (pointer) NULL;
- if (client->trustLevel != XSecurityClientTrusted)
- return (DrawablePtr)SecurityLookupIDByClass(client, rid, RC_DRAWABLE,
- access_mode);
- if (client->lastDrawableID == rid)
- return ((pointer) client->lastDrawable);
pDraw = (DrawablePtr)SecurityLookupIDByClass(client, rid, RC_DRAWABLE,
access_mode);
if (pDraw && (pDraw->type != UNDRAWABLE_WINDOW))
@@ -255,7 +233,7 @@ LookupDrawable(rid, client)
return SecurityLookupDrawable(rid, client, SecurityUnknownAccess);
}
-#else /* not XCSECURITY */
+#else /* not XACE */
WindowPtr
LookupWindow(rid, client)
@@ -301,7 +279,7 @@ LookupDrawable(rid, client)
return (pointer)NULL;
}
-#endif /* XCSECURITY */
+#endif /* XACE */
ClientPtr
LookupClient(rid, client)
diff --git a/dix/events.c b/dix/events.c
index 4cf804f51..9aac25f72 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -1,4 +1,4 @@
-/* $XdotOrg: xc/programs/Xserver/dix/events.c,v 1.2 2004/04/23 19:04:44 eich Exp $ */
+/* $XdotOrg: xc/programs/Xserver/dix/events.c,v 1.1.4.9.2.1 2004/05/04 19:43:10 ewalsh Exp $ */
/* $XFree86: xc/programs/Xserver/dix/events.c,v 3.51 2004/01/12 17:04:52 tsi Exp $ */
/************************************************************
@@ -101,9 +101,8 @@ Equipment Corporation.
extern Bool XkbFilterEvents(ClientPtr, int, xEvent *);
#endif
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "security.h"
+#ifdef XACE
+#include "xace.h"
#endif
#include "XIproto.h"
@@ -2403,8 +2402,8 @@ CheckPassiveGrabsOnWindow(
(grab->confineTo->realized &&
BorderSizeNotEmpty(grab->confineTo))))
{
-#ifdef XCSECURITY
- if (!SecurityCheckDeviceAccess(wClient(pWin), device, FALSE))
+#ifdef XACE
+ if (!XaceHook(XACE_DEVICE_ACCESS, wClient(pWin), device, FALSE))
return FALSE;
#endif
#ifdef XKB
@@ -3164,10 +3163,10 @@ EnterLeaveEvent(
{
xKeymapEvent ke;
-#ifdef XCSECURITY
+#ifdef XACE
ClientPtr client = grab ? rClient(grab)
: clients[CLIENT_ID(pWin->drawable.id)];
- if (!SecurityCheckDeviceAccess(client, keybd, FALSE))
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, keybd, FALSE))
{
bzero((char *)&ke.map[0], 31);
}
@@ -3259,9 +3258,9 @@ FocusEvent(DeviceIntPtr dev, int type, int mode, int detail, register WindowPtr
((pWin->eventMask | wOtherEventMasks(pWin)) & KeymapStateMask))
{
xKeymapEvent ke;
-#ifdef XCSECURITY
+#ifdef XACE
ClientPtr client = clients[CLIENT_ID(pWin->drawable.id)];
- if (!SecurityCheckDeviceAccess(client, dev, FALSE))
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, dev, FALSE))
{
bzero((char *)&ke.map[0], 31);
}
@@ -3533,8 +3532,8 @@ ProcSetInputFocus(client)
REQUEST(xSetInputFocusReq);
REQUEST_SIZE_MATCH(xSetInputFocusReq);
-#ifdef XCSECURITY
- if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE))
+#ifdef XACE
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
return Success;
#endif
return SetInputFocus(client, inputInfo.keyboard, stuff->focus,
@@ -3811,8 +3810,8 @@ ProcGrabKeyboard(client)
int result;
REQUEST_SIZE_MATCH(xGrabKeyboardReq);
-#ifdef XCSECURITY
- if (!SecurityCheckDeviceAccess(client, inputInfo.keyboard, TRUE))
+#ifdef XACE
+ if (!XaceHook(XACE_DEVICE_ACCESS, client, inputInfo.keyboard, TRUE))
{
result = Success;
rep.status = AlreadyGrabbed;
diff --git a/dix/extension.c b/dix/extension.c
index 3fcf31b8e..fadc139d9 100644
--- a/dix/extension.c
+++ b/dix/extension.c
@@ -57,9 +57,8 @@ SOFTWARE.
#include "gcstruct.h"
#include "scrnintstr.h"
#include "dispatch.h"
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "security.h"
+#ifdef XACE
+#include "xace.h"
#endif
#ifdef LBX
#include "lbxserve.h"
@@ -146,8 +145,8 @@ AddExtension(char *name, int NumEvents, int NumErrors,
ext->errorBase = 0;
ext->errorLast = 0;
}
-#ifdef XCSECURITY
- ext->secure = FALSE;
+#ifdef XACE
+ XACE_STATE_INIT(ext->securityState);
#endif
#ifdef LBX
@@ -218,28 +217,29 @@ CheckExtension(const char *extname)
return NULL;
}
+/*
+ * Added as part of Xace.
+ */
+ExtensionEntry *
+GetExtensionEntry(int major)
+{
+ if (major < EXTENSION_BASE)
+ return NULL;
+ major -= EXTENSION_BASE;
+ if (major >= NumExtensions)
+ return NULL;
+ return extensions[major];
+}
+
void
DeclareExtensionSecurity(extname, secure)
char *extname;
Bool secure;
{
-#ifdef XCSECURITY
+#ifdef XACE
int i = FindExtension(extname, strlen(extname));
if (i >= 0)
- {
- int majorop = extensions[i]->base;
- extensions[i]->secure = secure;
- if (secure)
- {
- UntrustedProcVector[majorop] = ProcVector[majorop];
- SwappedUntrustedProcVector[majorop] = SwappedProcVector[majorop];
- }
- else
- {
- UntrustedProcVector[majorop] = ProcBadRequest;
- SwappedUntrustedProcVector[majorop] = ProcBadRequest;
- }
- }
+ XaceHook(XACE_DECLARE_EXT_SECURE, extensions[i], secure);
#endif
#ifdef LBX
LbxDeclareExtensionSecurity(extname, secure);
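Review bot: DeclareExtensionSecurity no longer updates `UntrustedProcVector` and `SwappedUntrustedProcVector`, so nothing in this hunk keeps a client from issuing requests to an extension it is not shown. ProcQueryExtension and ProcListExtensions only hide the name through `XACE_EXT_ACCESS`; a dispatch-time check is presumably done by a module that uses the new GetExtensionEntry, but that is not part of this diff and should be confirmed. The comment on GetExtensionEntry (`Added as part of Xace.`) says nothing about its contract; I would write `/* Return the entry for major opcode 'major', or NULL if it is not a registered extension opcode. */`.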
@@ -327,10 +327,9 @@ ProcQueryExtension(client)
{
i = FindExtension((char *)&stuff[1], stuff->nbytes);
if (i < 0
-#ifdef XCSECURITY
- /* don't show insecure extensions to untrusted clients */
- || (client->trustLevel == XSecurityClientUntrusted &&
- !extensions[i]->secure)
+#ifdef XACE
+ /* call callbacks to find out whether to show extension */
+ || !XaceHook(XACE_EXT_ACCESS, client, extensions[i])
#endif
)
reply.present = xFalse;
@@ -368,10 +367,9 @@ ProcListExtensions(client)
for (i=0; i<NumExtensions; i++)
{
-#ifdef XCSECURITY
- /* don't show insecure extensions to untrusted clients */
- if (client->trustLevel == XSecurityClientUntrusted &&
- !extensions[i]->secure)
+#ifdef XACE
+ /* call callbacks to find out whether to show extension */
+ if (!XaceHook(XACE_EXT_ACCESS, client, extensions[i]))
continue;
#endif
total_length += strlen(extensions[i]->name) + 1;
@@ -386,9 +384,8 @@ ProcListExtensions(client)
for (i=0; i<NumExtensions; i++)
{
int len;
-#ifdef XCSECURITY
- if (client->trustLevel == XSecurityClientUntrusted &&
- !extensions[i]->secure)
+#ifdef XACE
+ if (!XaceHook(XACE_EXT_ACCESS, client, extensions[i]))
continue;
#endif
*bufptr++ = len = strlen(extensions[i]->name);
diff --git a/dix/property.c b/dix/property.c
index f3d0edc9e..4febce477 100644
--- a/dix/property.c
+++ b/dix/property.c
@@ -56,9 +56,8 @@ SOFTWARE.
#include "dixstruct.h"
#include "dispatch.h"
#include "swaprep.h"
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "security.h"
+#ifdef XACE
+#include "xace.h"
#endif
#ifdef LBX
#include "lbxserve.h"
@@ -132,12 +131,12 @@ ProcRotateProperties(client)
return(BadAlloc);
for (i = 0; i < stuff->nAtoms; i++)
{
-#ifdef XCSECURITY
- char action = SecurityCheckPropertyAccess(client, pWin, atoms[i],
+#ifdef XACE
+ char action = XaceHook(XACE_PROPERTY_ACCESS, client, pWin, atoms[i],
SecurityReadAccess|SecurityWriteAccess);
#endif
if (!ValidAtom(atoms[i])
-#ifdef XCSECURITY
+#ifdef XACE
|| (SecurityErrorOperation == action)
#endif
)
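Review bot: `XaceHook(XACE_PROPERTY_ACCESS, ...)` is stored in a `char` and compared against `SecurityErrorOperation` and `SecurityIgnoreOperation`, while the other call sites in this commit test the XaceHook result as a plain allow/deny boolean. The two conventions need to be spelled out where XaceHook is declared, in particular what the property hook returns when no callback is registered, since a zero that means deny elsewhere must not be read as an action code here (the prototype is not in this diff). A comment at the call such as `/* returns a Security*Operation action code, not a boolean */` would help. The same pattern appears in ProcChangeProperty, ProcGetProperty, ProcDeleteProperty and LbxChangeProperty; ProcRotateProperties continues outside the hunk.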
@@ -146,7 +145,7 @@ ProcRotateProperties(client)
client->errorValue = atoms[i];
return BadAtom;
}
-#ifdef XCSECURITY
+#ifdef XACE
if (SecurityIgnoreOperation == action)
{
DEALLOCATE_LOCAL(props);
@@ -248,8 +247,8 @@ ProcChangeProperty(client)
return(BadAtom);
}
-#ifdef XCSECURITY
- switch (SecurityCheckPropertyAccess(client, pWin, stuff->property,
+#ifdef XACE
+ switch (XaceHook(XACE_PROPERTY_ACCESS, client, pWin, stuff->property,
SecurityWriteAccess))
{
case SecurityErrorOperation:
@@ -543,13 +542,13 @@ ProcGetProperty(client)
if (!pProp)
return NullPropertyReply(client, None, 0, &reply);
-#ifdef XCSECURITY
+#ifdef XACE
{
Mask access_mode = SecurityReadAccess;
if (stuff->delete)
access_mode |= SecurityDestroyAccess;
- switch(SecurityCheckPropertyAccess(client, pWin, stuff->property,
+ switch(XaceHook(XACE_PROPERTY_ACCESS, client, pWin, stuff->property,
access_mode))
{
case SecurityErrorOperation:
@@ -718,8 +717,8 @@ ProcDeleteProperty(client)
return (BadAtom);
}
-#ifdef XCSECURITY
- switch(SecurityCheckPropertyAccess(client, pWin, stuff->property,
+#ifdef XACE
+ switch(XaceHook(XACE_PROPERTY_ACCESS, client, pWin, stuff->property,
SecurityDestroyAccess))
{
case SecurityErrorOperation:
diff --git a/dix/resource.c b/dix/resource.c
index e394fdd57..1ac75688f 100644
--- a/dix/resource.c
+++ b/dix/resource.c
@@ -74,7 +74,7 @@ Equipment Corporation.
******************************************************************/
/* $Xorg: resource.c,v 1.5 2001/02/09 02:04:40 xorgcvs Exp $ */
-/* $XdotOrg: xc/programs/Xserver/dix/resource.c,v 1.3 2004/04/25 22:42:09 gisburn Exp $ */
+/* $XdotOrg: xc/programs/Xserver/dix/resource.c,v 1.1.4.6.4.1 2004/05/04 19:43:10 ewalsh Exp $ */
/* $TOG: resource.c /main/41 1998/02/09 14:20:31 kaleb $ */
/* Routines to manage various kinds of resources:
@@ -119,6 +119,9 @@ Equipment Corporation.
#include "panoramiX.h"
#include "panoramiXsrv.h"
#endif
+#ifdef XACE
+#include "xace.h"
+#endif
#include <assert.h>
static void RebuildTable(
@@ -840,7 +843,7 @@ LegalNewID(id, client)
!LookupIDByClass(id, RC_ANY)));
}
-#ifdef XCSECURITY
+#ifdef XACE
/* SecurityLookupIDByType and SecurityLookupIDByClass:
* These are the heart of the resource ID security system. They take
@@ -877,8 +880,9 @@ SecurityLookupIDByType(client, id, rtype, mode)
break;
}
}
- if (retval && client && client->CheckAccess)
- retval = (* client->CheckAccess)(client, id, rtype, mode, retval);
+ if (retval && client &&
+ !XaceHook(XACE_RESOURCE_ACCESS, client, id, rtype, mode, retval))
+ retval = NULL;
return retval;
}
@@ -910,8 +914,9 @@ SecurityLookupIDByClass(client, id, classes, mode)
break;
}
}
- if (retval && client && client->CheckAccess)
- retval = (* client->CheckAccess)(client, id, res->type, mode, retval);
+ if (retval && client &&
+ !XaceHook(XACE_RESOURCE_ACCESS, client, id, res->type, mode, retval))
+ retval = NULL;
return retval;
}
@@ -937,7 +942,7 @@ LookupIDByClass(id, classes)
SecurityUnknownAccess);
}
-#else /* not XCSECURITY */
+#else /* not XACE */
/*
* LookupIDByType returns the object with the given id and type, else NULL.
@@ -986,4 +991,4 @@ LookupIDByClass(id, classes)
return (pointer)NULL;
}
-#endif /* XCSECURITY */
+#endif /* XACE */
diff --git a/dix/window.c b/dix/window.c
index e74372015..8c3cb57a2 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -1,4 +1,4 @@
-/* $XdotOrg: xc/programs/Xserver/dix/window.c,v 1.2 2004/04/23 19:04:44 eich Exp $ */
+/* $XdotOrg: xc/programs/Xserver/dix/window.c,v 1.1.4.8.2.1 2004/05/04 19:43:10 ewalsh Exp $ */
/* $Xorg: window.c,v 1.4 2001/02/09 02:04:41 xorgcvs Exp $ */
/*
@@ -103,9 +103,8 @@ Equipment Corporation.
#ifdef XAPPGROUP
#include "Xagsrv.h"
#endif
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "security.h"
+#ifdef XACE
+#include "xace.h"
#endif
/******
@@ -706,11 +705,11 @@ CreateWindow(wid, pParent, x, y, w, h, bw, class, vmask, vlist,
}
pWin->borderWidth = bw;
-#ifdef XCSECURITY
+#ifdef XACE
/* can't let untrusted clients have background None windows;
* they make it too easy to steal window contents
*/
- if (client->trustLevel != XSecurityClientTrusted)
+ if (!XaceHook(XACE_BACKGRND_ACCESS, client, pWin))
{
pWin->backgroundState = BackgroundPixel;
pWin->background.pixel = 0;
@@ -1008,9 +1007,9 @@ ChangeWindowAttributes(pWin, vmask, vlist, client)
borderRelative = TRUE;
if (pixID == None)
{
-#ifdef XCSECURITY
+#ifdef XACE
/* can't let untrusted clients have background None windows */
- if (client->trustLevel == XSecurityClientTrusted)
+ if (XaceHook(XACE_BACKGRND_ACCESS, client, pWin))
{
#endif
if (pWin->backgroundState == BackgroundPixmap)
@@ -1019,7 +1018,7 @@ ChangeWindowAttributes(pWin, vmask, vlist, client)
MakeRootTile(pWin);
else
pWin->backgroundState = None;
-#ifdef XCSECURITY
+#ifdef XACE
}
else
{ /* didn't change the background to None, so don't tell ddx */
@@ -2697,13 +2696,9 @@ MapWindow(pWin, client)
if (pWin->mapped)
return(Success);
-#ifdef XCSECURITY
- /* don't let an untrusted client map a child-of-trusted-window, InputOnly
- * window; too easy to steal device input
- */
- if ( (client->trustLevel != XSecurityClientTrusted) &&
- (pWin->drawable.class == InputOnly) &&
- (wClient(pWin->parent)->trustLevel == XSecurityClientTrusted) )
+#ifdef XACE
+ /* general check for permission to map window */
+ if (!XaceHook(XACE_MAP_ACCESS, client, pWin))
return Success;
#endif
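Review bot: The replacement comment `/* general check for permission to map window */` drops the reason the old check existed (an untrusted client mapping an InputOnly child of a trusted window to capture device input) and does not say that a refusal is reported to the client as `Success` with the window left unmapped. I would keep both facts in the comment, e.g. `/* hook may veto the map; Success is still returned and the window stays unmapped */`. MapWindow's body continues outside the hunk.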
diff --git a/include/dix.h b/include/dix.h
index 0ca157ad4..bc815753d 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -89,12 +89,9 @@ SOFTWARE.
((client->lastDrawableID == did) ? \
client->lastDrawable : (DrawablePtr)LookupDrawable(did, client))
-#ifdef XCSECURITY
+#ifdef XACE
#define SECURITY_VERIFY_DRAWABLE(pDraw, did, client, mode)\
- if (client->lastDrawableID == did && !client->trustLevel)\
- pDraw = client->lastDrawable;\
- else \
{\
pDraw = (DrawablePtr) SecurityLookupIDByClass(client, did, \
RC_DRAWABLE, mode);\
@@ -108,9 +105,6 @@ SOFTWARE.
}
#define SECURITY_VERIFY_GEOMETRABLE(pDraw, did, client, mode)\
- if (client->lastDrawableID == did && !client->trustLevel)\
- pDraw = client->lastDrawable;\
- else \
{\
pDraw = (DrawablePtr) SecurityLookupIDByClass(client, did, \
RC_DRAWABLE, mode);\
@@ -122,9 +116,6 @@ SOFTWARE.
}
#define SECURITY_VERIFY_GC(pGC, rid, client, mode)\
- if (client->lastGCID == rid && !client->trustLevel)\
- pGC = client->lastGC;\
- else\
pGC = (GC *) SecurityLookupIDByType(client, rid, RT_GC, mode);\
if (!pGC)\
{\
@@ -141,7 +132,7 @@ SOFTWARE.
#define VERIFY_GC(pGC, rid, client)\
SECURITY_VERIFY_GC(pGC, rid, client, SecurityUnknownAccess)
-#else /* not XCSECURITY */
+#else /* not XACE */
#define VERIFY_DRAWABLE(pDraw, did, client)\
if (client->lastDrawableID == did)\
@@ -191,7 +182,7 @@ SOFTWARE.
#define SECURITY_VERIFY_GC(pGC, rid, client, mode)\
VERIFY_GC(pGC, rid, client)
-#endif /* XCSECURITY */
+#endif /* XACE */
/*
* We think that most hardware implementations of DBE will want
@@ -379,7 +370,7 @@ extern void CopyISOLatin1Lowered(
unsigned char * /*source*/,
int /*length*/);
-#ifdef XCSECURITY
+#ifdef XACE
extern WindowPtr SecurityLookupWindow(
XID /*rid*/,
@@ -415,7 +406,7 @@ extern pointer LookupDrawable(
#define SecurityLookupDrawable(rid, client, access_mode) \
LookupDrawable(rid, client)
-#endif /* XCSECURITY */
+#endif /* XACE */
extern ClientPtr LookupClient(
XID /*rid*/,
diff --git a/include/dixstruct.h b/include/dixstruct.h
index 9c39a8aec..f1bfc0ae8 100644
--- a/include/dixstruct.h
+++ b/include/dixstruct.h
@@ -111,15 +111,8 @@ typedef struct _Client {
int (*readRequest)(ClientPtr /*client*/);
#endif
unsigned long replyBytesRemaining;
-#ifdef XCSECURITY
- XID authId;
- unsigned int trustLevel;
- pointer (* CheckAccess)(
- ClientPtr /*pClient*/,
- XID /*id*/,
- RESTYPE /*classes*/,
- Mask /*access_mode*/,
- pointer /*resourceval*/);
+#ifdef XACE
+ pointer securityState[4]; /* 4 slots for use */
#endif
#ifdef XAPPGROUP
struct _AppGroupRec* appgroup;
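Review bot: `pointer securityState[4]` hard-codes the slot count, and the same literal is repeated in ExtensionEntry (include/extnsionst.h) and LbxExtensionEntry (lbx/lbxserve.h). `XACE_STATE_INIT` presumably has to agree with that size, so one named constant shared by all three declarations would keep them from drifting apart. The comment `/* 4 slots for use */` should also say who owns a slot and how slots are assigned, which this diff does not show.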
diff --git a/include/extnsionst.h b/include/extnsionst.h
index daf37bf43..8532b69b7 100644
--- a/include/extnsionst.h
+++ b/include/extnsionst.h
@@ -71,7 +71,7 @@ typedef struct _ExtensionEntry {
unsigned short (* MinorOpcode)( /* called for errors */
ClientPtr /* client */);
#ifdef XCSECURITY
- Bool secure; /* extension visible to untrusted clients? */
+ pointer securityState[4]; /* 4 slots for use */
#endif
} ExtensionEntry;
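Review bot: The new `securityState` member is still guarded by `#ifdef XCSECURITY`, but dix/extension.c initialises it with `XACE_STATE_INIT(ext->securityState)` under `#ifdef XACE`. A build with XACE defined and XCSECURITY undefined would not compile AddExtension, and the reverse build carries an unused array. The guard here should read `#ifdef XACE`, matching the `_Client` and `LbxExtensionEntry` declarations in this commit.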
@@ -129,6 +129,7 @@ extern Bool AddExtensionAlias(
ExtensionEntry * /*extension*/);
extern ExtensionEntry *CheckExtension(const char *extname);
+extern ExtensionEntry *GetExtensionEntry(int major);
extern ExtensionLookupProc LookupProc(
char* /*name*/,
diff --git a/include/resource.h b/include/resource.h
index 49c189869..c08998c9f 100644
--- a/include/resource.h
+++ b/include/resource.h
@@ -227,7 +227,7 @@ extern pointer LookupClientResourceComplex(
#define SecurityWriteAccess (1<<1) /* changing the object */
#define SecurityDestroyAccess (1<<2) /* destroying the object */
-#ifdef XCSECURITY
+#ifdef XACE
extern pointer SecurityLookupIDByType(
ClientPtr /*client*/,
@@ -241,7 +241,7 @@ extern pointer SecurityLookupIDByClass(
RESTYPE /*classes*/,
Mask /*access_mode*/);
-#else /* not XCSECURITY */
+#else /* not XACE */
#define SecurityLookupIDByType(client, id, rtype, access_mode) \
LookupIDByType(id, rtype)
@@ -249,7 +249,7 @@ extern pointer SecurityLookupIDByClass(
#define SecurityLookupIDByClass(client, id, classes, access_mode) \
LookupIDByClass(id, classes)
-#endif /* XCSECURITY */
+#endif /* XACE */
extern void GetXIDRange(
int /*client*/,
diff --git a/lbx/lbxexts.c b/lbx/lbxexts.c
index 7ae70ebde..5b2ab4e58 100644
--- a/lbx/lbxexts.c
+++ b/lbx/lbxexts.c
@@ -32,27 +32,10 @@
#define _XLBX_SERVER_
#include "lbxstr.h"
#include "lbxserve.h"
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "extensions/security.h"
+#ifdef XACE
+#include "xace.h"
#endif
-typedef struct _lbxext {
- char *name;
- char **aliases;
- int num_aliases;
- int idx;
- int opcode;
- int ev_base;
- int err_base;
- int num_reqs;
- CARD8 *rep_mask;
- CARD8 *ev_mask;
-#ifdef XCSECURITY
- Bool secure;
-#endif
-} LbxExtensionEntry;
-
static LbxExtensionEntry **lbx_extensions = NULL;
static int num_exts = 0;
@@ -97,8 +80,8 @@ LbxAddExtension(char *name,
ext->ev_mask = NULL;
ext->rep_mask = NULL;
ext->num_reqs = 0;
-#ifdef XCSECURITY
- ext->secure = FALSE;
+#ifdef XACE
+ XACE_STATE_INIT(ext->securityState);
#endif
return TRUE;
@@ -149,10 +132,10 @@ void
LbxDeclareExtensionSecurity(char *extname,
Bool secure)
{
-#ifdef XCSECURITY
+#ifdef XACE
int i = LbxFindExtension(extname, strlen(extname));
if (i >= 0)
- lbx_extensions[i]->secure = secure;
+ XaceHook(XACE_DECLARE_LBX_EXT_SECURE, lbx_extensions[i], secure);
#endif
}
@@ -203,10 +186,9 @@ LbxQueryExtension(ClientPtr client,
i = LbxFindExtension(ename, nlen);
if (i < 0
-#ifdef XCSECURITY
+#ifdef XACE
/* don't show insecure extensions to untrusted clients */
- || (client->trustLevel == XSecurityClientUntrusted &&
- !lbx_extensions[i]->secure)
+ || !XaceHook(XACE_LBX_EXT_ACCESS, client, lbx_extensions[i])
#endif
)
rep.present = FALSE;
diff --git a/lbx/lbxprop.c b/lbx/lbxprop.c
index 9082250d6..911f7673c 100644
--- a/lbx/lbxprop.c
+++ b/lbx/lbxprop.c
@@ -69,9 +69,8 @@ in this Software without prior written authorization from The Open Group.
#include "lbxserve.h"
#include "lbxtags.h"
#include "Xfuncproto.h"
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "extensions/security.h"
+#ifdef XACE
+#include "extensions/xace.h"
#endif
#include "swaprep.h"
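Review bot: This file includes `"extensions/xace.h"` while every other file touched by the commit includes plain `"xace.h"`, including lbx/lbxexts.c and os/access.c, which previously used `extensions/security.h`. Unless the header is reachable under both paths, one of the two forms will fail depending on the include directories. I would use `#include "xace.h"` here as well.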
@@ -334,8 +333,8 @@ LbxChangeProperty(ClientPtr client)
swaps(&rep.sequenceNumber, n);
}
-#ifdef XCSECURITY
- switch (SecurityCheckPropertyAccess(client, pWin, stuff->property,
+#ifdef XACE
+ switch (XaceHook(XACE_PROPERTY_ACCESS, client, pWin, stuff->property,
SecurityWriteAccess))
{
case SecurityErrorOperation:
diff --git a/lbx/lbxserve.h b/lbx/lbxserve.h
index eeff64804..969dbf9ee 100644
--- a/lbx/lbxserve.h
+++ b/lbx/lbxserve.h
@@ -119,6 +119,22 @@ typedef struct _LbxProxy {
lbxMotionCache motionCache;
} LbxProxyRec;
+typedef struct _lbxext {
+ char *name;
+ char **aliases;
+ int num_aliases;
+ int idx;
+ int opcode;
+ int ev_base;
+ int err_base;
+ int num_reqs;
+ CARD8 *rep_mask;
+ CARD8 *ev_mask;
+#ifdef XACE
+ pointer securityState[4];
+#endif
+} LbxExtensionEntry;
+
/* This array is indexed by server client index, not lbx proxy index */
extern LbxClientPtr lbxClients[MAXCLIENTS];
diff --git a/os/access.c b/os/access.c
index 9662ab624..bf28e6c13 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1,5 +1,5 @@
/* $Xorg: access.c,v 1.5 2001/02/09 02:05:23 xorgcvs Exp $ */
-/* $XdotOrg: xc/programs/Xserver/os/access.c,v 1.2 2004/04/23 19:54:28 eich Exp $ */
+/* $XdotOrg: xc/programs/Xserver/os/access.c,v 1.1.4.4.4.1 2004/05/04 19:44:01 ewalsh Exp $ */
/***********************************************************
Copyright 1987, 1998 The Open Group
@@ -192,9 +192,8 @@ SOFTWARE.
#include "dixstruct.h"
#include "osdep.h"
-#ifdef XCSECURITY
-#define _SECURITY_SERVER
-#include "extensions/security.h"
+#ifdef XACE
+#include "xace.h"
#endif
#ifndef PATH_MAX
@@ -1321,15 +1320,6 @@ Bool LocalClient(ClientPtr client)
pointer addr;
register HOST *host;
-#ifdef XCSECURITY
- /* untrusted clients can't change host access */
- if (client->trustLevel != XSecurityClientTrusted)
- {
- SecurityAudit("client %d attempted to change host access\n",
- client->index);
- return FALSE;
- }
-#endif
#ifdef LBX
if (!((OsCommPtr)client->osPrivate)->trans_conn)
return FALSE;
@@ -1431,6 +1421,11 @@ AuthorizedClient(ClientPtr client)
{
if (!client || defeatAccessControl)
return TRUE;
+#ifdef XACE
+ /* untrusted clients can't change host access */
+ if (!XaceHook(XACE_HOSTLIST_ACCESS, client, SecurityWriteAccess))
+ return FALSE;
+#endif
return LocalClient(client);
}
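Review bot: Moving the host-access check out of what the earlier hunk header names as LocalClient and into AuthorizedClient means any other caller of LocalClient no longer gets the trust check; only callers that go through AuthorizedClient reach `XACE_HOSTLIST_ACCESS`. The callers of LocalClient are not visible here, so that should be checked before merging. The hook also sits after `if (!client || defeatAccessControl) return TRUE;`, so it is never consulted when access control is disabled. If that is intended, the comment should say so, e.g. `/* not consulted when access control is defeated */`.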
diff --git a/os/connection.c b/os/connection.c
index 930d38528..01f538c73 100644
--- a/os/connection.c
+++ b/os/connection.c
@@ -149,6 +149,9 @@ extern __const__ int _nfiles;
#ifdef XAPPGROUP
#include "extensions/Xagsrv.h"
#endif
+#ifdef XACE
+#include "xace.h"
+#endif
#ifdef XCSECURITY
#define _SECURITY_SERVER
#include "extensions/security.h"
@@ -632,8 +635,9 @@ ClientAuthorized(ClientPtr client,
if (! priv->trans_conn) {
if (auth_id == (XID) ~0L && !GetAccessControl())
auth_id = ((OsCommPtr)lbxpc->osPrivate)->auth_id;
-#ifdef XCSECURITY
- else if (auth_id != (XID) ~0L && !SecuritySameLevel(lbxpc, auth_id)) {
+#ifdef XACE
+ else if (auth_id != (XID) ~0L &&
+ !XaceHook(XACE_LBX_PROXY_ACCESS, lbxpc, auth_id)) {
auth_id = (XID) ~0L;
reason = "Client trust level differs from that of LBX Proxy";
}
@@ -709,9 +713,8 @@ ClientAuthorized(ClientPtr client,
/* indicate to Xdmcp protocol that we've opened new client */
XdmcpOpenDisplay(priv->fd);
#endif /* XDMCP */
-#ifdef XAPPGROUP
- if (ClientStateCallback)
- XagCallClientStateChange (client);
+#ifdef XACE
+ XaceHook(XACE_AUTH_AVAIL, client, auth_id);
#endif
/* At this point, if the client is authorized to change the access control
* list, we should getpeername() information, and add the client to
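Review bot: The `#ifdef XAPPGROUP` block that called `XagCallClientStateChange (client)` is replaced by `XaceHook(XACE_AUTH_AVAIL, client, auth_id)` under `#ifdef XACE`, so a server built with XAPPGROUP but without XACE no longer notifies the application-group code at this point. If the Xag callback is now meant to be registered as an XACE hook, XAPPGROUP should depend on XACE in the build; otherwise the old block should stay as an `#else` branch. The hook's return value is ignored here, which deserves a one-line comment such as `/* notification only, result not used */`. ClientAuthorized continues outside the hunk.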