Experimental window property holding security context.
This commit is contained in:
parent
7f16c38ae2
commit
3714d91499
|
@ -35,6 +35,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <X11/X.h>
|
#include <X11/X.h>
|
||||||
|
#include <X11/Xatom.h>
|
||||||
#include <X11/Xproto.h>
|
#include <X11/Xproto.h>
|
||||||
#include <X11/Xfuncproto.h>
|
#include <X11/Xfuncproto.h>
|
||||||
#include "dixstruct.h"
|
#include "dixstruct.h"
|
||||||
|
@ -120,6 +121,10 @@ static char **extensionTypes = NULL;
|
||||||
static int extensionTypesCount = 0;
|
static int extensionTypesCount = 0;
|
||||||
static char *XSELinuxExtensionTypeDefault = NULL;
|
static char *XSELinuxExtensionTypeDefault = NULL;
|
||||||
|
|
||||||
|
/* Atoms for SELinux window labeling properties */
|
||||||
|
Atom atom_ctx;
|
||||||
|
Atom atom_client_ctx;
|
||||||
|
|
||||||
/* security context for non-local clients */
|
/* security context for non-local clients */
|
||||||
static char *XSELinuxNonlocalContextDefault = NULL;
|
static char *XSELinuxNonlocalContextDefault = NULL;
|
||||||
|
|
||||||
|
@ -1196,6 +1201,28 @@ CALLBACK(XSELinuxClientState)
|
||||||
}
|
}
|
||||||
} /* XSELinuxClientState */
|
} /* XSELinuxClientState */
|
||||||
|
|
||||||
|
/* Labeling callbacks */
|
||||||
|
CALLBACK(XSELinuxWindowInit)
|
||||||
|
{
|
||||||
|
XaceWindowRec *rec = (XaceWindowRec*)calldata;
|
||||||
|
security_context_t ctx;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
if (HAVESTATE(rec->client)) {
|
||||||
|
rc = avc_sid_to_context(SID(rec->client), &ctx);
|
||||||
|
if (rc < 0)
|
||||||
|
FatalError("Failed to get security context!\n");
|
||||||
|
rc = ChangeWindowProperty(rec->pWin, atom_client_ctx, XA_STRING, 8,
|
||||||
|
PropModeReplace, strlen(ctx), ctx, FALSE);
|
||||||
|
freecon(ctx);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
rc = ChangeWindowProperty(rec->pWin, atom_client_ctx, XA_STRING, 8,
|
||||||
|
PropModeReplace, 10, "UNLABELED!", FALSE);
|
||||||
|
if (rc != Success)
|
||||||
|
FatalError("Failed to set context property on window!\n");
|
||||||
|
} /* XSELinuxWindowInit */
|
||||||
|
|
||||||
static char *XSELinuxKeywords[] = {
|
static char *XSELinuxKeywords[] = {
|
||||||
#define XSELinuxKeywordComment 0
|
#define XSELinuxKeywordComment 0
|
||||||
"#",
|
"#",
|
||||||
|
@ -1844,6 +1871,14 @@ XSELinuxExtensionInit(INITARGS)
|
||||||
if (!AddCallback(&ClientStateCallback, XSELinuxClientState, NULL))
|
if (!AddCallback(&ClientStateCallback, XSELinuxClientState, NULL))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
|
/* Create atoms for doing window labeling */
|
||||||
|
atom_ctx = MakeAtom("_SELINUX_CONTEXT", 16, 1);
|
||||||
|
if (atom_ctx == BAD_RESOURCE)
|
||||||
|
return;
|
||||||
|
atom_client_ctx = MakeAtom("_SELINUX_CLIENT_CONTEXT", 23, 1);
|
||||||
|
if (atom_client_ctx == BAD_RESOURCE)
|
||||||
|
return;
|
||||||
|
|
||||||
/* Load the config file. If this fails, shut down the server,
|
/* Load the config file. If this fails, shut down the server,
|
||||||
* since an unknown security status is worse than no security.
|
* since an unknown security status is worse than no security.
|
||||||
*
|
*
|
||||||
|
@ -1873,6 +1908,7 @@ XSELinuxExtensionInit(INITARGS)
|
||||||
XaceRegisterCallback(XACE_BACKGRND_ACCESS, XSELinuxBackgrnd, NULL);
|
XaceRegisterCallback(XACE_BACKGRND_ACCESS, XSELinuxBackgrnd, NULL);
|
||||||
XaceRegisterCallback(XACE_DRAWABLE_ACCESS, XSELinuxDrawable, NULL);
|
XaceRegisterCallback(XACE_DRAWABLE_ACCESS, XSELinuxDrawable, NULL);
|
||||||
XaceRegisterCallback(XACE_PROPERTY_ACCESS, XSELinuxProperty, NULL);
|
XaceRegisterCallback(XACE_PROPERTY_ACCESS, XSELinuxProperty, NULL);
|
||||||
|
XaceRegisterCallback(XACE_WINDOW_INIT, XSELinuxWindowInit, NULL);
|
||||||
/* XaceRegisterCallback(XACE_DECLARE_EXT_SECURE, XSELinuxDeclare, NULL);
|
/* XaceRegisterCallback(XACE_DECLARE_EXT_SECURE, XSELinuxDeclare, NULL);
|
||||||
XaceRegisterCallback(XACE_DEVICE_ACCESS, XSELinuxDevice, NULL); */
|
XaceRegisterCallback(XACE_DEVICE_ACCESS, XSELinuxDevice, NULL); */
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user