From c26bccf4173a037aa403c511dd08fd63cbbed87a Mon Sep 17 00:00:00 2001 From: Eamon Walsh Date: Fri, 28 Mar 2008 14:01:34 -0400 Subject: [PATCH] XSELinux: Add xorg.conf option for permissive/enforcing/disabled. Patch by Joe Nall. The option goes in the "extmod" subsection. TODO: Make it easier for extension modules to handle their own options. (cherry picked from commit b5f98fcea2024c67e598947782913982072cf4fb) --- Xext/xselinux.c | 31 ++++++++++++++++++++++++----- hw/xfree86/dixmods/extmod/modinit.c | 23 ++++++++++++++++++++- hw/xfree86/loader/dixsym.c | 3 +++ include/globals.h | 10 ++++++++++ mi/miinitext.c | 8 +++++++- os/utils.c | 4 ++++ 6 files changed, 72 insertions(+), 7 deletions(-) diff --git a/Xext/xselinux.c b/Xext/xselinux.c index 17ce7af10..2e059a4c3 100644 --- a/Xext/xselinux.c +++ b/Xext/xselinux.c @@ -37,6 +37,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include #include +#include "globals.h" #include "resource.h" #include "privates.h" #include "registry.h" @@ -1891,16 +1892,36 @@ void SELinuxExtensionInit(INITARGS) { ExtensionEntry *extEntry; - struct selinux_opt options[] = { { SELABEL_OPT_VALIDATE, (char *)1 } }; + struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 }; + struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 }; security_context_t con; int ret = TRUE; - /* Setup SELinux stuff */ + /* Check SELinux mode on system */ if (!is_selinux_enabled()) { - ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n"); + ErrorF("SELinux: Disabled on system, not enabling in X server\n"); return; } + /* Check SELinux mode in configuration file */ + switch(selinuxEnforcingState) { + case SELINUX_MODE_DISABLED: + LogMessage(X_INFO, "SELinux: Disabled in configuration file\n"); + return; + case SELINUX_MODE_ENFORCING: + LogMessage(X_INFO, "SELinux: Configured in enforcing mode\n"); + avc_option.value = (char *)1; + break; + case SELINUX_MODE_PERMISSIVE: + LogMessage(X_INFO, "SELinux: Configured in permissive mode\n"); + avc_option.value = (char *)0; + break; + default: + avc_option.type = AVC_OPT_UNUSED; + break; + } + + /* Set up SELinux stuff */ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog); selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback)SELinuxAudit); @@ -1912,11 +1933,11 @@ SELinuxExtensionInit(INITARGS) FatalError("SELinux: Failed to set up security class mapping\n"); } - if (avc_open(NULL, 0) < 0) + if (avc_open(&avc_option, 1) < 0) FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n"); avc_active = 1; - label_hnd = selabel_open(SELABEL_CTX_X, options, 1); + label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1); if (!label_hnd) FatalError("SELinux: Failed to open x_contexts mapping in policy\n"); diff --git a/hw/xfree86/dixmods/extmod/modinit.c b/hw/xfree86/dixmods/extmod/modinit.c index d0d892aaf..8c8a4ceeb 100644 --- a/hw/xfree86/dixmods/extmod/modinit.c +++ b/hw/xfree86/dixmods/extmod/modinit.c @@ -42,7 +42,7 @@ static ExtensionModule extensionModules[] = { { SELinuxExtensionInit, SELINUX_EXTENSION_NAME, - NULL, + &noSELinuxExtension, NULL, NULL }, @@ -258,6 +258,27 @@ extmodSetup(pointer module, pointer opts, int *errmaj, int *errmin) } } } + +#ifdef XSELINUX + if (! strcmp(SELINUX_EXTENSION_NAME, extensionModules[i].name)) { + pointer o; + selinuxEnforcingState = SELINUX_MODE_DEFAULT; + + if ((o = xf86FindOption(opts, "SELinux mode disabled"))) { + xf86MarkOptionUsed(o); + selinuxEnforcingState = SELINUX_MODE_DISABLED; + } + if ((o = xf86FindOption(opts, "SELinux mode permissive"))) { + xf86MarkOptionUsed(o); + selinuxEnforcingState = SELINUX_MODE_PERMISSIVE; + } + if ((o = xf86FindOption(opts, "SELinux mode enforcing"))) { + xf86MarkOptionUsed(o); + selinuxEnforcingState = SELINUX_MODE_ENFORCING; + } + } +#endif + LoadExtension(&extensionModules[i], FALSE); } /* Need a non-NULL return */ diff --git a/hw/xfree86/loader/dixsym.c b/hw/xfree86/loader/dixsym.c index d035c762f..d6d22c4b9 100644 --- a/hw/xfree86/loader/dixsym.c +++ b/hw/xfree86/loader/dixsym.c @@ -440,6 +440,9 @@ _X_HIDDEN void *dixLookupTab[] = { #ifdef XIDLE SYMVAR(noXIdleExtension) #endif +#ifdef XSELINUX + SYMVAR(noSELinuxExtension) +#endif #ifdef XV SYMVAR(noXvExtension) #endif diff --git a/include/globals.h b/include/globals.h index b230dfc37..2ca9531d9 100644 --- a/include/globals.h +++ b/include/globals.h @@ -175,6 +175,16 @@ extern Bool noXInputExtension; extern Bool noXIdleExtension; #endif +#ifdef XSELINUX +extern Bool noSELinuxExtension; + +#define SELINUX_MODE_DEFAULT 0 +#define SELINUX_MODE_DISABLED 1 +#define SELINUX_MODE_PERMISSIVE 2 +#define SELINUX_MODE_ENFORCING 3 +extern int selinuxEnforcingState; +#endif + #ifdef XV extern Bool noXvExtension; #endif diff --git a/mi/miinitext.c b/mi/miinitext.c index 3c55eebb3..cc4c15c9d 100644 --- a/mi/miinitext.c +++ b/mi/miinitext.c @@ -215,6 +215,9 @@ extern Bool noXInputExtension; #ifdef XIDLE extern Bool noXIdleExtension; #endif +#ifdef XSELINUX +extern Bool noSELinuxExtension; +#endif #ifdef XV extern Bool noXvExtension; #endif @@ -487,6 +490,9 @@ static ExtensionToggle ExtensionToggleList[] = #endif #ifdef XKB { "XKEYBOARD", &noXkbExtension }, +#endif +#ifdef XSELINUX + { "SELinux", &noSELinuxExtension }, #endif { "XTEST", &noTestExtensions }, #ifdef XV @@ -597,7 +603,7 @@ InitExtensions(argc, argv) if (!noSecurityExtension) SecurityExtensionInit(); #endif #ifdef XSELINUX - SELinuxExtensionInit(); + if (!noSELinuxExtension) SELinuxExtensionInit(); #endif #ifdef XPRINT XpExtensionInit(); /* server-specific extension, cannot be disabled */ diff --git a/os/utils.c b/os/utils.c index 4041028a3..57293ab6f 100644 --- a/os/utils.c +++ b/os/utils.c @@ -232,6 +232,10 @@ _X_EXPORT Bool noXInputExtension = FALSE; #ifdef XIDLE _X_EXPORT Bool noXIdleExtension = FALSE; #endif +#ifdef XSELINUX +_X_EXPORT Bool noSELinuxExtension = FALSE; +_X_EXPORT int selinuxEnforcingState = SELINUX_MODE_DEFAULT; +#endif #ifdef XV _X_EXPORT Bool noXvExtension = FALSE; #endif