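/************************************************************

Author: Eamon Walsh <ewalsh@tycho.nsa.gov>

Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
this permission notice appear in supporting documentation.  This permission
notice shall be included in all copies or substantial portions of the
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

********************************************************/

/*
 * Internal declarations shared by the XSELinux extension's source files:
 * the per-subject / per-object label state hung off dev privates, the
 * labeling helpers, the private Flask class numbers, and (for the one
 * translation unit that defines _XSELINUX_NEED_FLASK_MAP) the table that
 * maps the server's DixAccess bits onto Flask object classes and
 * permissions.  Nothing in here is part of the public xselinux.h API.
 */

#ifndef _XSELINUXINT_H
#define _XSELINUXINT_H

#include <selinux/selinux.h>
#include <selinux/avc.h>

#include "globals.h"
#include "dixaccess.h"
#include "dixstruct.h"
#include "privates.h"
#include "resource.h"
#include "registry.h"
#include "inputstr.h"
#include "xselinux.h"

/*
 * Types
 */

/* Size of the fixed buffer holding a subject's command name.  Whatever
 * fills SELinuxSubjectRec.command (not in this header) must bound the copy
 * to this length and guarantee NUL termination. */
#define COMMAND_LEN 64

/* subject state (clients and devices only) */
typedef struct {
    security_id_t sid;              /* the subject's own label */
    /* Labels applied to objects this subject creates, by object kind
     * (device, window, selection, property), and the labels it presents
     * when using selections and properties.  Field names are the only
     * evidence for this split here; confirm against the labeling code. */
    security_id_t dev_create_sid;
    security_id_t win_create_sid;
    security_id_t sel_create_sid;
    security_id_t prp_create_sid;
    security_id_t sel_use_sid;
    security_id_t prp_use_sid;
    struct avc_entry_ref aeref;     /* libselinux AVC entry reference (selinux/avc.h) */
    char command[COMMAND_LEN];      /* command name; see COMMAND_LEN */
    int privileged;                 /* nonzero if the subject is privileged */
} SELinuxSubjectRec;

/* object state */
typedef struct {
    security_id_t sid;              /* the object's label */
    int poly;                       /* presumably nonzero for polyinstantiated
                                     * objects; cf. *poly_rtn in the lookup
                                     * helpers below — confirm with callers */
} SELinuxObjectRec;

/*
 * Globals
 */

/* Dev-private keys under which the subject, object and data records are
 * stored.  The *Key macros give the pointer form that the privates API
 * expects. */
extern DevPrivateKeyRec subjectKeyRec;
#define subjectKey (&subjectKeyRec)
extern DevPrivateKeyRec objectKeyRec;
#define objectKey (&objectKeyRec)
extern DevPrivateKeyRec dataKeyRec;
#define dataKey (&dataKeyRec)

/*
 * Label functions
 *
 * The int-returning helpers below hand their result back through the
 * *_rtn / *_return out-parameters; the int is a status code whose exact
 * values are defined by the implementation, not here.
 */

/* Look up (or create) the object record for an atom; `prop` selects
 * property vs. selection handling. */
int
SELinuxAtomToSID(Atom atom, int prop, SELinuxObjectRec **obj_rtn);

/* Compute the label a subject sees for a selection, plus its
 * polyinstantiation flag. */
int
SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec *subj,
                      security_id_t *sid_rtn, int *poly_rtn);

/* Same as above, for a property. */
int
SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
                     security_id_t *sid_rtn, int *poly_rtn);

/* Compute the label of an event of the given type, relative to the label
 * of the window it is delivered to. */
int
SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
                  SELinuxObjectRec *sid_return);

/* Compute the label of an extension from its name. */
int
SELinuxExtensionToSID(const char *name, security_id_t *sid_rtn);

/* Map a server resource type to the Flask class used to check it. */
security_class_t
SELinuxTypeToClass(RESTYPE type);

/* Context string assigned to clients that cannot be labeled otherwise. */
security_context_t
SELinuxDefaultClientLabel(void);

void
SELinuxLabelInit(void);

void
SELinuxLabelReset(void);

/*
 * Security module functions
 */

void
SELinuxFlaskInit(void);

void
SELinuxFlaskReset(void);


/*
 * Private Flask definitions
 */

/* Security class constants.
 *
 * These are positional: class N is the N-th entry of the `map` table below
 * (that is how libselinux's selinux_set_mapping() numbers classes, and it
 * is why the values run 1..16 in table order).  Add to, remove from or
 * reorder the table and these constants must change in step; the
 * compile-time size check after the table catches a count mismatch but
 * not a reordering. */
#define SECCLASS_X_DRAWABLE		1
#define SECCLASS_X_SCREEN		2
#define SECCLASS_X_GC			3
#define SECCLASS_X_FONT			4
#define SECCLASS_X_COLORMAP		5
#define SECCLASS_X_PROPERTY		6
#define SECCLASS_X_SELECTION		7
#define SECCLASS_X_CURSOR		8
#define SECCLASS_X_CLIENT		9
#define SECCLASS_X_POINTER		10
#define SECCLASS_X_KEYBOARD		11
#define SECCLASS_X_SERVER		12
#define SECCLASS_X_EXTENSION		13
#define SECCLASS_X_EVENT		14
#define SECCLASS_X_FAKEEVENT		15
#define SECCLASS_X_RESOURCE		16

#ifdef _XSELINUX_NEED_FLASK_MAP
/* Mapping from DixAccess bits to Flask permissions.
 *
 * Within each class, the k-th string is the Flask permission name for
 * DixAccess bit k (bit 0 = DixReadAccess, bit 1 = DixWriteAccess, ...),
 * so the position of every entry is significant.  An empty string means
 * "no permission for this bit" but still occupies the slot so later bits
 * stay aligned; each list ends with NULL.  Several classes deliberately
 * overload Dix bits with class-specific meanings — e.g. x_screen reuses
 * the ListProp/GetProp bits for saver_getattr/saver_setattr and the
 * Blend/Grab bits for saver_hide/saver_show, x_property checks "write"
 * for DixBlendAccess, x_selection checks "setattr" for DixCreateAccess,
 * and x_server checks "record" for DixReadAccess — so the trailing
 * comments, not the Flask names, say which server operation a slot
 * guards. */
static struct security_class_mapping map[] = {
    { "x_drawable",
      { "read",		/* DixReadAccess */
	"write",		/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"list_property",	/* DixListPropAccess */
	"get_property",		/* DixGetPropAccess */
	"set_property",		/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"list_child",		/* DixListAccess */
	"add_child",		/* DixAddAccess */
	"remove_child",		/* DixRemoveAccess */
	"hide",			/* DixHideAccess */
	"show",			/* DixShowAccess */
	"blend",		/* DixBlendAccess */
	"override",		/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"send",			/* DixSendAccess */
	"receive",		/* DixReceiveAccess */
	"",			/* DixUseAccess */
	"manage",		/* DixManageAccess */
	NULL }},
    { "x_screen",
      { "",			/* DixReadAccess */
	"",			/* DixWriteAccess */
	"",			/* DixDestroyAccess */
	"",			/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"saver_getattr",	/* DixListPropAccess */
	"saver_setattr",	/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"hide_cursor",		/* DixHideAccess */
	"show_cursor",		/* DixShowAccess */
	"saver_hide",		/* DixBlendAccess */
	"saver_show",		/* DixGrabAccess */
	NULL }},
    { "x_gc",
      { "",			/* DixReadAccess */
	"",			/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"use",			/* DixUseAccess */
	NULL }},
    { "x_font",
      { "",			/* DixReadAccess */
	"",			/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"",			/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"add_glyph",		/* DixAddAccess */
	"remove_glyph",		/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"use",			/* DixUseAccess */
	NULL }},
    { "x_colormap",
      { "read",		/* DixReadAccess */
	"write",		/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"",			/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"add_color",		/* DixAddAccess */
	"remove_color",		/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"install",		/* DixInstallAccess */
	"uninstall",		/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"use",			/* DixUseAccess */
	NULL }},
    { "x_property",
      { "read",		/* DixReadAccess */
	"write",		/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"write",		/* DixBlendAccess */
	NULL }},
    { "x_selection",
      { "read",		/* DixReadAccess */
	"",			/* DixWriteAccess */
	"",			/* DixDestroyAccess */
	"setattr",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	NULL }},
    { "x_cursor",
      { "read",		/* DixReadAccess */
	"write",		/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"use",			/* DixUseAccess */
	NULL }},
    { "x_client",
      { "",			/* DixReadAccess */
	"",			/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"",			/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"",			/* DixUseAccess */
	"manage",		/* DixManageAccess */
	NULL }},
    { "x_pointer",
      { "read",		/* DixReadAccess */
	"write",		/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"list_property",	/* DixListPropAccess */
	"get_property",		/* DixGetPropAccess */
	"set_property",		/* DixSetPropAccess */
	"getfocus",		/* DixGetFocusAccess */
	"setfocus",		/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"add",			/* DixAddAccess */
	"remove",		/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"grab",			/* DixGrabAccess */
	"freeze",		/* DixFreezeAccess */
	"force_cursor",		/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"use",			/* DixUseAccess */
	"manage",		/* DixManageAccess */
	"",			/* DixDebugAccess */
	"bell",			/* DixBellAccess */
	NULL }},
    { "x_keyboard",
      { "read",		/* DixReadAccess */
	"write",		/* DixWriteAccess */
	"destroy",		/* DixDestroyAccess */
	"create",		/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"list_property",	/* DixListPropAccess */
	"get_property",		/* DixGetPropAccess */
	"set_property",		/* DixSetPropAccess */
	"getfocus",		/* DixGetFocusAccess */
	"setfocus",		/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"add",			/* DixAddAccess */
	"remove",		/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"grab",			/* DixGrabAccess */
	"freeze",		/* DixFreezeAccess */
	"force_cursor",		/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"use",			/* DixUseAccess */
	"manage",		/* DixManageAccess */
	"",			/* DixDebugAccess */
	"bell",			/* DixBellAccess */
	NULL }},
    { "x_server",
      { "record",		/* DixReadAccess */
	"",			/* DixWriteAccess */
	"",			/* DixDestroyAccess */
	"",			/* DixCreateAccess */
	"getattr",		/* DixGetAttrAccess */
	"setattr",		/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"grab",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"",			/* DixUseAccess */
	"manage",		/* DixManageAccess */
	"debug",		/* DixDebugAccess */
	NULL }},
    { "x_extension",
      { "",			/* DixReadAccess */
	"",			/* DixWriteAccess */
	"",			/* DixDestroyAccess */
	"",			/* DixCreateAccess */
	"query",		/* DixGetAttrAccess */
	"",			/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"",			/* DixSendAccess */
	"",			/* DixReceiveAccess */
	"use",			/* DixUseAccess */
	NULL }},
    { "x_event",
      { "",			/* DixReadAccess */
	"",			/* DixWriteAccess */
	"",			/* DixDestroyAccess */
	"",			/* DixCreateAccess */
	"",			/* DixGetAttrAccess */
	"",			/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"send",			/* DixSendAccess */
	"receive",		/* DixReceiveAccess */
	NULL }},
    { "x_synthetic_event",
      { "",			/* DixReadAccess */
	"",			/* DixWriteAccess */
	"",			/* DixDestroyAccess */
	"",			/* DixCreateAccess */
	"",			/* DixGetAttrAccess */
	"",			/* DixSetAttrAccess */
	"",			/* DixListPropAccess */
	"",			/* DixGetPropAccess */
	"",			/* DixSetPropAccess */
	"",			/* DixGetFocusAccess */
	"",			/* DixSetFocusAccess */
	"",			/* DixListAccess */
	"",			/* DixAddAccess */
	"",			/* DixRemoveAccess */
	"",			/* DixHideAccess */
	"",			/* DixShowAccess */
	"",			/* DixBlendAccess */
	"",			/* DixGrabAccess */
	"",			/* DixFreezeAccess */
	"",			/* DixForceAccess */
	"",			/* DixInstallAccess */
	"",			/* DixUninstallAccess */
	"send",			/* DixSendAccess */
	"receive",		/* DixReceiveAccess */
	NULL }},
    /* Coarse fallback class: every Dix bit collapses to "read" or "write".
     * SELinuxReadMask below lists the "read" slots and must be kept in
     * step with this row. */
    { "x_resource",
      { "read",		/* DixReadAccess */
	"write",		/* DixWriteAccess */
	"write",		/* DixDestroyAccess */
	"write",		/* DixCreateAccess */
	"read",			/* DixGetAttrAccess */
	"write",		/* DixSetAttrAccess */
	"read",			/* DixListPropAccess */
	"read",			/* DixGetPropAccess */
	"write",		/* DixSetPropAccess */
	"read",			/* DixGetFocusAccess */
	"write",		/* DixSetFocusAccess */
	"read",			/* DixListAccess */
	"write",		/* DixAddAccess */
	"write",		/* DixRemoveAccess */
	"write",		/* DixHideAccess */
	"read",			/* DixShowAccess */
	"read",			/* DixBlendAccess */
	"write",		/* DixGrabAccess */
	"write",		/* DixFreezeAccess */
	"write",		/* DixForceAccess */
	"write",		/* DixInstallAccess */
	"write",		/* DixUninstallAccess */
	"write",		/* DixSendAccess */
	"read",			/* DixReceiveAccess */
	"read",			/* DixUseAccess */
	"write",		/* DixManageAccess */
	"read",			/* DixDebugAccess */
	"write",		/* DixBellAccess */
	NULL }},
    { NULL }
};

/* Compile-time guard for the class numbering.  x_resource is the last
 * real entry and carries the highest class number, so the number of
 * entries excluding the { NULL } terminator must equal
 * SECCLASS_X_RESOURCE.  If a class is added to or dropped from the table
 * without updating the SECCLASS_X_* constants (or vice versa), the array
 * size below becomes negative and the build fails, instead of every
 * access check silently consulting the wrong Flask class. */
typedef char SELinuxFlaskMapSizeCheck[
    (sizeof(map) / sizeof(map[0]) - 1 == SECCLASS_X_RESOURCE) ? 1 : -1];

/* x_resource "read" bits from the list above; every other bit in that
 * row is "write" */
#define SELinuxReadMask (DixReadAccess|DixGetAttrAccess|DixListPropAccess| \
			 DixGetPropAccess|DixGetFocusAccess|DixListAccess| \
			 DixShowAccess|DixBlendAccess|DixReceiveAccess| \
			 DixUseAccess|DixDebugAccess)

#endif /* _XSELINUX_NEED_FLASK_MAP */
#endif /* _XSELINUXINT_H */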