Adam Jackson
283a081572
selinux: Only activate if policy says to be an object manager
2009-03-27 15:56:15 -04:00
Adam Jackson
3992dd38ca
selinux: Add support for avc_acquire_netlink_fd()
Requires libselinux 2.0.79 or newer. Without this, libselinux will
check for policy updates on the netlink socket on basically every policy
lookup. Statistically speaking, they never happen, and the check
translates to at least one more syscall on basically every operation.
Instead, take control of the fd from the library, and check it in
WakeupHandler if it polls readable.
2009-03-16 13:24:48 -04:00
Keith Packard
f8dd80d13b
Replace dixLookupResource by dixLookupResourceBy{Type,Class}
dixLookupResource attempted to automatically detect whether the caller
wanted a lookup by-type or by-class; unfortunately, it guessed wrong for
RT_NONE. Instead of trying to make the guess better, this patch just reverts
the unification and creates separate functions for each operation.
2009-03-09 13:08:09 -07:00
Eamon Walsh
c7ebb4bef1
Fix 2 const warnings.
2009-03-03 14:02:36 -05:00
Eric Paris
c7cf926d25
This patch changes all places in the X code to use _raw functions. The
X server should never see, translate, or deal with a munged context.
Display managers which show contexts to the user should take care of
translating these to human readable form.
2009-03-03 13:15:39 -05:00
Adam Jackson
b030f858f2
selinux: Don't bother relabeling resources that are being destroyed
Makes window destroy about 40x faster in Xvfb.
2009-02-27 12:45:19 -05:00
Eamon Walsh
5d065a8890
xselinux: Use xace Xtrans wrappers instead of the now-inaccessible wrapees.
2008-12-18 14:01:10 -05:00
Eamon Walsh
ed597f19fd
xselinux: use "raw context" variants of getpeercon() and getcon().
2008-11-25 22:49:19 -05:00
Eamon Walsh
2538fc0d89
xselinux: don't pass a NULL key string to selabel_lookup().
2008-11-25 18:28:12 -05:00
Eamon Walsh
0f2fd0577f
xselinux: send more specific message types to libaudit.
2008-10-30 18:29:51 -04:00
Eamon Walsh
60ad8d5d05
Attempt getpeercon() on remote sockets as well as local ones.
2008-08-28 23:45:17 -04:00
Tomas Carnecky
ebea78cdba
Prepare for array-index based devPrivates.
TODO: static indices can be made just an int; some indices
can be combined.
2008-08-28 18:05:40 -04:00
Eamon Walsh
79dd600942
SELinux: Add an extension alias under the OS-agnostic "Flask" name.
2008-06-17 19:11:21 -04:00
Eamon Walsh
9f56fc5806
XSELinux: Add a request to get a client's context from a resource ID.
2008-03-31 17:35:10 -04:00
Eamon Walsh
b5f98fcea2
XSELinux: Add xorg.conf option for permissive/enforcing/disabled.
Patch by Joe Nall.
The option goes in the "extmod" subsection.
TODO: Make it easier for extension modules to handle their own options.
2008-03-28 14:14:23 -04:00
Eamon Walsh
3bbd77ff98
XSELinux: Do a check for whether background "None" is allowed.
2008-03-20 20:03:02 -04:00
Eamon Walsh
e323bb426c
XSELinux: Correctly handle some permission bits that are used more than once.
2008-03-20 19:42:09 -04:00
Eamon Walsh
d4101140f4
xselinux: Implement polyinstantiation support and related protocol.
2008-03-04 22:39:41 -05:00
Eamon Walsh
cc76ea6e3a
XACE: Add generic support for property and selection polyinstantiation.
2008-02-29 18:01:37 -05:00
Eamon Walsh
34bf308a9e
dix: Refactoring of selection code to allow for polyinstantiation.
Introduces dixLookupSelection() API.
Removes NumCurrentSelections from API.
2008-02-29 18:01:37 -05:00
Eamon Walsh
d04ea267a4
xselinux: Don't require device "read" permission for XQueryPointer.
These keyboard and pointer state polling calls are a real problem.
2008-02-28 21:53:16 -05:00
Eamon Walsh
3fb17a3e64
xselinux: Log messages to both libaudit and Xorg.0.log.
2008-02-28 21:52:57 -05:00
Eamon Walsh
f616735f17
xselinux: Prefix a few remaining error messages with "SELinux".
2008-02-27 22:48:29 -05:00
Eamon Walsh
e40cc5305b
xselinux: Don't throw BadAccess if DixUnknownAccess is passed in to a hook.
The avc will still appear, however, so that the callsite can be fixed.
2008-02-27 22:48:28 -05:00
Eamon Walsh
3f0681fb0b
xselinux: Stub out selection protocol requests.
2008-02-26 23:14:29 -05:00
Eamon Walsh
4632ea2258
xselinux: Rip out the selection code in advance of polyinstantiation support.
This resolves an issue where BadWindow errors were being thrown.
2008-02-26 22:00:52 -05:00
Eamon Walsh
e99aadbc26
xselinux: Add use to permission map for devices.
2008-02-13 20:20:49 -05:00
Eamon Walsh
31934132a4
xselinux: Use the device name in debugging output.
2008-02-07 16:32:06 -05:00
Eamon Walsh
6dcb7d732b
xselinux: Split devPrivate state into subject and object records.
2008-02-07 16:00:52 -05:00
Eamon Walsh
2259b144f0
xselinux: Add getattr and setattr to the permission map for properties.
2008-02-07 14:35:02 -05:00
Eamon Walsh
5c30327275
XACE: Push the dix "structure" includes down to the security modules.
2008-02-05 21:06:05 -05:00
Eamon Walsh
bb1a577a68
XACE: Move the property access hook to its own function.
2008-02-05 20:07:08 -05:00
Eamon Walsh
46794d0c96
xselinux: Rename SelectionManager to more generic SecurityManager.
2008-01-24 19:49:13 -05:00
Eamon Walsh
6ffeecabb7
xselinux: Use a privileged bit in the state instead of passing an index
to the permission checking function.
2008-01-24 18:11:49 -05:00
Eamon Walsh
7ba8e97cba
xselinux: Implement "get context" protocol requests.
2008-01-24 19:09:58 -05:00
Eamon Walsh
f0bf9a5231
xselinux: Whitespace fixups.
2008-01-24 19:02:35 -05:00
Eamon Walsh
3b23dd9fd4
xselinux: Fix whitespace warnings.
2007-12-28 13:29:45 -05:00
Eamon Walsh
643c52be32
xselinux: Remove "X" prefix on remaining functions and strings.
Should be evident from the context.
2007-12-28 13:27:28 -05:00
Eamon Walsh
f4bc333fc1
xselinux: don't FatalError on an invalid class mapping, just disable support.
2007-12-28 13:27:28 -05:00
Eamon Walsh
f3780ece52
xselinux: Implement swapped protocol request logic.
2007-12-28 13:27:28 -05:00
Eamon Walsh
1393a97ea9
xselinux: Send AVC messages to audit system instead of log file/stderr.
2007-12-20 16:23:49 -05:00
Eamon Walsh
9a7ce57363
xselinux: Add new protocol for setting device create context.
2007-12-12 20:44:59 -05:00
Eamon Walsh
5fea1ed50f
registry: Remove registry code from SELinux extension.
Moving all the names into dix/registry.c
2007-11-20 18:39:48 -05:00
Eamon Walsh
f207e69d62
xselinux: adjust receive hook to use new synthetic_event class.
2007-11-14 12:23:29 -05:00
Eamon Walsh
45f884d79c
xselinux: add new synthetic_event security class, and fix registry code.
2007-11-09 15:00:15 -05:00
Eamon Walsh
c7e18beb3c
xselinux: Register SELinux extension protocol names.
2007-11-05 15:02:05 -05:00
Eamon Walsh
3b7af72fe3
xselinux: Add a SetDeviceContext request and stubs for more requests.
2007-10-26 20:32:47 -04:00
Eamon Walsh
7d14ca59c5
xselinux: Don't include the client in the receive hook audit messages.
2007-10-25 19:00:50 -04:00
Eamon Walsh
40de9fcf18
xselinux: Label the default device directly with the process context.
2007-10-25 12:35:01 -04:00
Eamon Walsh
4b05f19cb9
xselinux: Introduce a type transition when labeling events.
2007-10-24 19:59:58 -04:00