1 /************************************************************
2 
3 Author: Eamon Walsh <ewalsh@tycho.nsa.gov>
4 
5 Permission to use, copy, modify, distribute, and sell this software and its
6 documentation for any purpose is hereby granted without fee, provided that
7 this permission notice appear in supporting documentation.  This permission
8 notice shall be included in all copies or substantial portions of the
9 Software.
10 
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
12 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
14 AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
15 AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
16 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
17 
18 ********************************************************/
19 
20 #ifndef _XSELINUXINT_H
21 #define _XSELINUXINT_H
22 
23 #include <selinux/selinux.h>
24 #include <selinux/avc.h>
25 
26 #include "globals.h"
27 #include "dixaccess.h"
28 #include "dixstruct.h"
29 #include "privates.h"
30 #include "resource.h"
31 #include "registry.h"
32 #include "inputstr.h"
33 #include "xselinux.h"
34 
35 /*
36  * Types
37  */
38 
/* Size of the SELinuxSubjectRec.command buffer (bytes, terminator included
 * if the writer stores one — see the note on the field). */
#define COMMAND_LEN 64

/* subject state (clients and devices only) */
typedef struct {
    security_id_t sid;              /* the subject's own SID */
    /*
     * Per-subject default SIDs.  From the names these look like the SIDs
     * that objects created by (or used on behalf of) this subject receive:
     * devices, windows, selections and properties — presumably computed
     * once at labeling time; confirm against the code that fills them in.
     */
    security_id_t dev_create_sid;
    security_id_t win_create_sid;
    security_id_t sel_create_sid;
    security_id_t prp_create_sid;
    security_id_t sel_use_sid;
    security_id_t prp_use_sid;
    /* libselinux AVC entry reference: passed to avc_has_perm() so repeated
     * checks for the same subject can reuse the cached entry. */
    struct avc_entry_ref aeref;
    /*
     * Fixed-size buffer.  NOTE(review): whatever fills this must bound the
     * copy to COMMAND_LEN and guarantee NUL-termination (strncpy alone does
     * not) — verify in the labeling code; readers should not assume more
     * than the buffer size.
     */
    char command[COMMAND_LEN];
    /*
     * Non-zero marks a privileged subject.  NOTE(review): this reads like a
     * flag that can exempt the subject from access checks; if so, every
     * place that sets it is security-critical — confirm where it is set and
     * how it is consumed.
     */
    int privileged;
} SELinuxSubjectRec;
54 
/* object state */
typedef struct {
    security_id_t sid;      /* the object's SID */
    /* Polyinstantiation flag — inferred from the name and from the
     * poly_rtn out-parameters of the SID lookup functions below; confirm
     * the exact meaning in the implementation. */
    int poly;
} SELinuxObjectRec;
60 
61 /*
62  * Globals
63  */
64 
/*
 * Private-data key records, defined in one of the .c files.  The *Key
 * macros are the key pointers to hand to the dixLookupPrivate family.
 * subjectKey presumably indexes an SELinuxSubjectRec (clients and devices)
 * and objectKey an SELinuxObjectRec; what dataKey points at is not visible
 * here — confirm in the implementation.
 */
extern DevPrivateKeyRec subjectKeyRec;

#define subjectKey (&subjectKeyRec)
extern DevPrivateKeyRec objectKeyRec;

#define objectKey (&objectKeyRec)
extern DevPrivateKeyRec dataKeyRec;

#define dataKey (&dataKeyRec)
74 
75 /*
76  * Label functions
77  */
78 
/*
 * Only the signatures are visible here; the lookups hand their result back
 * through the *_rtn / *_return out-parameters.  The int return is
 * presumably an X error code (Success on success), as is usual in the
 * server — confirm in the implementation before relying on it.
 */

/*
 * Look up the object record for an atom.
 * @param atom     the atom to label.
 * @param prop     selects property versus selection semantics — inferred
 *                 from the name; confirm against the implementation.
 * @param obj_rtn  receives a pointer to the object record.  Ownership of
 *                 the record (must the caller free it?) is not visible here.
 */
int
 SELinuxAtomToSID(Atom atom, int prop, SELinuxObjectRec ** obj_rtn);

/*
 * Compute the SID (and polyinstantiation flag) of a selection as seen by
 * subject subj.
 * @param selection  the selection atom.
 * @param subj       the requesting subject.
 * @param sid_rtn    receives the selection's SID.
 * @param poly_rtn   receives the polyinstantiation flag.
 */
int

SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec * subj,
                      security_id_t * sid_rtn, int *poly_rtn);

/*
 * Compute the SID (and polyinstantiation flag) of a property as seen by
 * subject subj; same contract as SELinuxSelectionToSID.
 */
int

SELinuxPropertyToSID(Atom property, SELinuxSubjectRec * subj,
                     security_id_t * sid_rtn, int *poly_rtn);

/*
 * Compute the object record for an event.
 * @param type           the event type.
 * @param sid_of_window  SID of the window involved — presumably used to
 *                       derive the event label; confirm.
 * @param sid_return     receives the event's object record (note: this
 *                       out-parameter is named differently from the *_rtn
 *                       ones above).
 */
int

SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
                  SELinuxObjectRec * sid_return);

/*
 * Look up the SID for an extension by name.
 * @param name     extension name.
 * @param sid_rtn  receives the SID.
 */
int
 SELinuxExtensionToSID(const char *name, security_id_t * sid_rtn);

/* Map an X resource type to a security class — presumably one of the
 * SECCLASS_X_* constants below; confirm. */
security_class_t SELinuxTypeToClass(RESTYPE type);

/* Default label for clients.  security_context_t is a string; whether the
 * caller owns it (freecon) is not visible here — confirm. */
security_context_t SELinuxDefaultClientLabel(void);

/* Lifecycle of the labeling state (init at extension start, reset on
 * server reset — presumably; confirm the call sites). */
void
 SELinuxLabelInit(void);

void
 SELinuxLabelReset(void);
109 
110 /*
111  * Security module functions
112  */
113 
/* Lifecycle of the Flask (access-check) module; the Flask map[] below is
 * presumably registered from SELinuxFlaskInit() — confirm. */
void
 SELinuxFlaskInit(void);

void
 SELinuxFlaskReset(void);
119 
120 /*
121  * Private Flask definitions
122  */
123 
/* Security class constants */
/*
 * Local (server-side) security class values, not the policy's class
 * numbers.  The Flask map[] below is registered with
 * selinux_set_mapping(), which numbers classes by row position, so each
 * value here must equal the 1-based row index of the matching class in
 * map[] (x_drawable = 1 ... x_resource = 16; SECCLASS_X_FAKEEVENT is the
 * "x_synthetic_event" row).  Adding a class means appending a constant
 * here and a row there, in the same order.
 */
#define SECCLASS_X_DRAWABLE		1
#define SECCLASS_X_SCREEN		2
#define SECCLASS_X_GC			3
#define SECCLASS_X_FONT			4
#define SECCLASS_X_COLORMAP		5
#define SECCLASS_X_PROPERTY		6
#define SECCLASS_X_SELECTION		7
#define SECCLASS_X_CURSOR		8
#define SECCLASS_X_CLIENT		9
#define SECCLASS_X_POINTER		10
#define SECCLASS_X_KEYBOARD		11
#define SECCLASS_X_SERVER		12
#define SECCLASS_X_EXTENSION		13
#define SECCLASS_X_EVENT		14
#define SECCLASS_X_FAKEEVENT		15
#define SECCLASS_X_RESOURCE		16
141 
142 #ifdef _XSELINUX_NEED_FLASK_MAP
/*
 * Mapping from DixAccess bits to Flask permissions.
 *
 * Defined static in a header on purpose: only the one .c that defines
 * _XSELINUX_NEED_FLASK_MAP gets a copy.
 *
 * Each row names a Flask security class and lists one permission string
 * per DixAccess bit, in bit order (the per-entry comments name the bit;
 * the bit order itself comes from dixaccess.h).  The table is positional:
 *   - row i (0-based) becomes local class i + 1, so the rows must stay in
 *     the SECCLASS_X_* order above (selinux_set_mapping() assigns class
 *     values by position);
 *   - the string at position j stands for DixAccess bit j, so inserting or
 *     dropping an entry shifts every later bit onto the wrong permission —
 *     a silent grant/deny mismatch rather than a compile error;
 *   - "" gives that bit no Flask permission, and bits beyond the NULL
 *     terminator are not mapped either.  NOTE(review): how libselinux
 *     treats an unmapped bit (ignored, i.e. not enforced, versus rejected)
 *     is decided inside selinux_set_mapping()'s consumer, not here —
 *     verify before relying on a blank slot to deny anything.
 * The Dix bit is only an index: several rows reuse a bit position for an
 * operation unrelated to the bit's name (e.g. x_screen's saver_* entries).
 */
static struct security_class_mapping map[] = {
    {"x_drawable",
     {"read",                   /* DixReadAccess */
      "write",                  /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "list_property",          /* DixListPropAccess */
      "get_property",           /* DixGetPropAccess */
      "set_property",           /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "list_child",             /* DixListAccess */
      "add_child",              /* DixAddAccess */
      "remove_child",           /* DixRemoveAccess */
      "hide",                   /* DixHideAccess */
      "show",                   /* DixShowAccess */
      "blend",                  /* DixBlendAccess */
      "override",               /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "send",                   /* DixSendAccess */
      "receive",                /* DixReceiveAccess */
      "",                       /* DixUseAccess */
      "manage",                 /* DixManageAccess */
      NULL}},
    /* x_screen: the property and blend/grab bit positions carry the
     * screen-saver operations; the row stops at DixGrabAccess. */
    {"x_screen",
     {"",                       /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "",                       /* DixDestroyAccess */
      "",                       /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "saver_getattr",          /* DixListPropAccess */
      "saver_setattr",          /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "hide_cursor",            /* DixHideAccess */
      "show_cursor",            /* DixShowAccess */
      "saver_hide",             /* DixBlendAccess */
      "saver_show",             /* DixGrabAccess */
      NULL}},
    {"x_gc",
     {"",                       /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "use",                    /* DixUseAccess */
      NULL}},
    {"x_font",
     {"",                       /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "",                       /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "add_glyph",              /* DixAddAccess */
      "remove_glyph",           /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "use",                    /* DixUseAccess */
      NULL}},
    {"x_colormap",
     {"read",                   /* DixReadAccess */
      "write",                  /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "",                       /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "add_color",              /* DixAddAccess */
      "remove_color",           /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "install",                /* DixInstallAccess */
      "uninstall",              /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "use",                    /* DixUseAccess */
      NULL}},
    /* x_property: DixBlendAccess deliberately maps to "write" as well. */
    {"x_property",
     {"read",                   /* DixReadAccess */
      "write",                  /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "write",                  /* DixBlendAccess */
      NULL}},
    /* x_selection: DixCreateAccess maps to "setattr", not "create" —
     * presumably because taking a selection is treated as changing its
     * owner; leave as is unless the policy is changed to match. */
    {"x_selection",
     {"read",                   /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "",                       /* DixDestroyAccess */
      "setattr",                /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      NULL}},
    {"x_cursor",
     {"read",                   /* DixReadAccess */
      "write",                  /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "use",                    /* DixUseAccess */
      NULL}},
    {"x_client",
     {"",                       /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "",                       /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "",                       /* DixUseAccess */
      "manage",                 /* DixManageAccess */
      NULL}},
    /* x_pointer and x_keyboard are identical and extend through
     * DixBellAccess; keep them in step with each other. */
    {"x_pointer",
     {"read",                   /* DixReadAccess */
      "write",                  /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "list_property",          /* DixListPropAccess */
      "get_property",           /* DixGetPropAccess */
      "set_property",           /* DixSetPropAccess */
      "getfocus",               /* DixGetFocusAccess */
      "setfocus",               /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "add",                    /* DixAddAccess */
      "remove",                 /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "grab",                   /* DixGrabAccess */
      "freeze",                 /* DixFreezeAccess */
      "force_cursor",           /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "use",                    /* DixUseAccess */
      "manage",                 /* DixManageAccess */
      "",                       /* DixDebugAccess */
      "bell",                   /* DixBellAccess */
      NULL}},
    {"x_keyboard",
     {"read",                   /* DixReadAccess */
      "write",                  /* DixWriteAccess */
      "destroy",                /* DixDestroyAccess */
      "create",                 /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "list_property",          /* DixListPropAccess */
      "get_property",           /* DixGetPropAccess */
      "set_property",           /* DixSetPropAccess */
      "getfocus",               /* DixGetFocusAccess */
      "setfocus",               /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "add",                    /* DixAddAccess */
      "remove",                 /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "grab",                   /* DixGrabAccess */
      "freeze",                 /* DixFreezeAccess */
      "force_cursor",           /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "use",                    /* DixUseAccess */
      "manage",                 /* DixManageAccess */
      "",                       /* DixDebugAccess */
      "bell",                   /* DixBellAccess */
      NULL}},
    /* x_server: DixReadAccess carries "record" and DixDebugAccess "debug";
     * both gate server-wide capabilities, so changes here are policy-visible. */
    {"x_server",
     {"record",                 /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "",                       /* DixDestroyAccess */
      "",                       /* DixCreateAccess */
      "getattr",                /* DixGetAttrAccess */
      "setattr",                /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "grab",                   /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "",                       /* DixUseAccess */
      "manage",                 /* DixManageAccess */
      "debug",                  /* DixDebugAccess */
      NULL}},
    {"x_extension",
     {"",                       /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "",                       /* DixDestroyAccess */
      "",                       /* DixCreateAccess */
      "query",                  /* DixGetAttrAccess */
      "",                       /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "",                       /* DixSendAccess */
      "",                       /* DixReceiveAccess */
      "use",                    /* DixUseAccess */
      NULL}},
    {"x_event",
     {"",                       /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "",                       /* DixDestroyAccess */
      "",                       /* DixCreateAccess */
      "",                       /* DixGetAttrAccess */
      "",                       /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "send",                   /* DixSendAccess */
      "receive",                /* DixReceiveAccess */
      NULL}},
    /* This row is SECCLASS_X_FAKEEVENT (row 15); the policy class name
     * differs from the constant's name. */
    {"x_synthetic_event",
     {"",                       /* DixReadAccess */
      "",                       /* DixWriteAccess */
      "",                       /* DixDestroyAccess */
      "",                       /* DixCreateAccess */
      "",                       /* DixGetAttrAccess */
      "",                       /* DixSetAttrAccess */
      "",                       /* DixListPropAccess */
      "",                       /* DixGetPropAccess */
      "",                       /* DixSetPropAccess */
      "",                       /* DixGetFocusAccess */
      "",                       /* DixSetFocusAccess */
      "",                       /* DixListAccess */
      "",                       /* DixAddAccess */
      "",                       /* DixRemoveAccess */
      "",                       /* DixHideAccess */
      "",                       /* DixShowAccess */
      "",                       /* DixBlendAccess */
      "",                       /* DixGrabAccess */
      "",                       /* DixFreezeAccess */
      "",                       /* DixForceAccess */
      "",                       /* DixInstallAccess */
      "",                       /* DixUninstallAccess */
      "send",                   /* DixSendAccess */
      "receive",                /* DixReceiveAccess */
      NULL}},
    /* x_resource: every Dix bit collapses to "read" or "write".
     * SELinuxReadMask below is derived from the "read" entries of this row;
     * the two must be kept in sync. */
    {"x_resource",
     {"read",                   /* DixReadAccess */
      "write",                  /* DixWriteAccess */
      "write",                  /* DixDestroyAccess */
      "write",                  /* DixCreateAccess */
      "read",                   /* DixGetAttrAccess */
      "write",                  /* DixSetAttrAccess */
      "read",                   /* DixListPropAccess */
      "read",                   /* DixGetPropAccess */
      "write",                  /* DixSetPropAccess */
      "read",                   /* DixGetFocusAccess */
      "write",                  /* DixSetFocusAccess */
      "read",                   /* DixListAccess */
      "write",                  /* DixAddAccess */
      "write",                  /* DixRemoveAccess */
      "write",                  /* DixHideAccess */
      "read",                   /* DixShowAccess */
      "read",                   /* DixBlendAccess */
      "write",                  /* DixGrabAccess */
      "write",                  /* DixFreezeAccess */
      "write",                  /* DixForceAccess */
      "write",                  /* DixInstallAccess */
      "write",                  /* DixUninstallAccess */
      "write",                  /* DixSendAccess */
      "read",                   /* DixReceiveAccess */
      "read",                   /* DixUseAccess */
      "write",                  /* DixManageAccess */
      "read",                   /* DixDebugAccess */
      "write",                  /* DixBellAccess */
      NULL}},
    {NULL}                      /* end-of-table sentinel */
};
556 
/* x_resource "read" bits from the list above */
/*
 * Must match the x_resource row of map[] exactly: every DixAccess bit whose
 * x_resource entry is "read" is listed here, and nothing else.  A bit
 * changed in the row but not here (or vice versa) silently changes which
 * accesses are classified as reads by whatever consumes this mask.
 */
#define SELinuxReadMask (DixReadAccess|DixGetAttrAccess|DixListPropAccess| \
			 DixGetPropAccess|DixGetFocusAccess|DixListAccess| \
			 DixShowAccess|DixBlendAccess|DixReceiveAccess| \
			 DixUseAccess|DixDebugAccess)
562 
563 #endif                          /* _XSELINUX_NEED_FLASK_MAP */
564 #endif                          /* _XSELINUXINT_H */
565