tsolpolicy.c revision 639
/* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, and/or sell copies of the Software, and to permit persons
 * to whom the Software is furnished to do so, provided that the above
 * copyright notice(s) and this permission notice appear in all copies of
 * the Software and that both the above copyright notice(s) and this
 * permission notice appear in supporting documentation.
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
 * OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
 * HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL
 * INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING
 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 * Except as contained in this notice, the name of a copyright holder
 * shall not be used in advertising or otherwise to promote the sale, use
 * or other dealings in this Software without prior written authorization
 * of the copyright holder.
 */
/* Unless NO_TSOL_DEBUG_MESSAGES is defined, admins will be able to enable
   debugging messages at runtime via Xorg -logverbose */
#else /* NO_TSOL_DEBUG_MESSAGES */
#endif /* NO_TSOL_DEBUG_MESSAGES */
 * return 1 for success and 0 for failure
 * this routine contains the priv debugging for the system
 * as well as auditing the success or failure of use of priv.
 * Priv debugging will be done later TBD
    /* LOG_USER doesn't work */
    /* if priv debugging is on, allow this priv to succeed */
    /* NOTE(review): this makes a missing privilege pass the check while priv
       debugging is on; confirm the mode cannot be switched on in production. */
#endif /* !NO_TSOL_DEBUG_MESSAGES */
    "DEBUG: %s pid %ld lacking privilege %d to %d %d",
 * for window contents. read/modify pixel handle the contents policy
 * Anyone can read RootWindow attributes
    /* optimization based on client id */
    /* uid == DEF_UID means public window, shared read */
    /* optimization based on client id */
 * Trusted Path Windows require Trusted Path attrib
} /* modify_window */
 * Anyone can create a child of root window
 * Trusted Path Windows require Trusted Path attrib
    /* XTSOLERR("tp", misc, tsolres, tsolinfo,
        "create window", pWin->drawable.id); */
} /* create_window */
 * Trusted Path Windows require Trusted Path attrib
}
/* destroy_window */
 * read_pixel: used for reading contents of drawable like GetImage
    return (PASSED); /* server will handle bad params */
    return (PASSED); /* server will handle bad params */
 * Client must have Trusted Path to access root window
 * in multilevel desktop.
    /* PRIV override? */
    } /* end if !SAMECLIENT */
 * NOTE: For Panorama, the real resource id is extracted from the
 * Panorama resource and policy check is done on the real resource.
 * Trusted Path Windows require Trusted Path attrib
    /* optimization based on client id */
 * Trusted Path Windows require Trusted Path attrib
 * You need win_config priv to write to root window
    } /* end if SAMECLIENT */
} /* modify_pixmap */
}
/* destroy_pixmap */
    /* TrustedPath is needed to get serverClient attributes */
 * Trusted Path Windows require Trusted Path attrib
 * Special win_config priv used for ChangeSaveSet, SetCloseDownMode
 * Needs win_config priv
} /* modify_client */
    /* Server is a special client */
 * Trusted Path Windows require Trusted Path attrib
}
/* destroy_client */
 * access_ccell: access policy for color cells.
 * any colorcell owned by root is readable by all
 * any colorcell owned by root is readable by all
    /* handle default colormap */
 * modify_cmap: resource passed is ColormapPtr & not an XID
    /* modify default colormap ok */
    /* handle default colormap */
 * check only win_colormap priv
 * access_xid: access policy for XIDs
 * assign appropriate error code
 * DAC check is based on client isolation.
    /* PRIV override? */
 * modify_fontpath: requires win_fontpath priv
 * No MAC & DAC. Check win_fontpath priv only
 * requires win_devices priv
 * BadAccess is not a valid error code for many protocols
 * and does not work especially for SetPointerModifierMapping etc
 * requires win_devices priv
 * Needs win_config priv
 * MAC Check is slightly different. We do a series of
 * MAC checks for all SLs in the table before we
    "mac failed:%s,subj(%s,%d,%d),"
#endif /* NO_TSOL_DEBUG_MESSAGES */
    /* PRIV override? */
 * for window contents. read/modify pixel handle the contents policy
    /* Initialize property created internally by server */
 * Anyone can read properties created internally by loadable modules.
 * roles can read property created by workstation owner at admin_low.
} /* read_property */
    /* Initialize property created internally by server */
 * workstation owner can write properties created internally by loadable modules.
} /* modify_property */
    /* Initialize property created internally by server */
}
/* destroy_property */
 * Allow pointer grab on root window, as long as
 * pointer is currently in a window owned by
 * requesting client.
    /* Grab on trusted window requires TP */
} /* modify_grabwin */
 * modify_confwin - ConfineTo window access
    /*if (priv_win_devices)
 * confine window can be None. Root window is OK
    /* Trusted window requires TP */
} /* modify_confwin */
 * create_srvgrab: GrabServer requires a priv
 * destroy_srvgrab: GrabServer requires a priv
 * check_priv: Use this for all policies that require
 * Converts SL to string
#endif /* !NO_TSOL_DEBUG_MESSAGES */
    /* uid == DEF_UID means public window, shared read */
} /* read_selection */
 * modify_propwin. This is slightly different from modify_window in that
 * Anyone can modify properties on RootWindow subject to
 * property policies.
    if (XTSOLTrusted(pWin))
        if (!HasTrustedPath(tsolinfo))
            XTSOLERR("tp", misc, tsolres, tsolinfo,
                "modify propwin", pWin->drawable.id);
} /* modify_propwin */
 * modify_focuswin - Focus Window policy
 * Focus window can be None; that case is checked outside of this func
 * Trusted Path Windows require Trusted Path attrib
 * This causes problems when dragging cmdtool
 * the grabbing client
} /* modify_focuswin */
 * Anyone can read RootWindow attributes
}
/* read_focuswin */
 * XTsolErr : used for debugging.
    " obj(%s,%d,%d,%s), subj(%s,%d,%d,%s), %s, xid=%s\n",
#endif /* !NO_TSOL_DEBUG_MESSAGES */
/* int err_code = BadAccess;
    char *extn_name = (char *)resource;
    ClientPtr client = subject;
    TsolInfoPtr tsolinfo = GetClientTsolInfo(client);
 * No policy for this
 * NOTE(review): '&' below is bitwise, not '&&', so *extn_name is evaluated
 * even when extn_name is NULL; use '&&'.
    if (extn_name != NULL & *extn_name != '\0')
        ErrorF("Access to %s extension allowed\n", extn_name);
 * Trusted Path Windows require Trusted Path attrib
 * misc parameter is actually sl of resource & not the protocol no.
 * misc == NULL means we are trying to set session hi/lo clearance
 * Are we trying to check for session hi/lo clearance
    "modify_sl: failed for %s\n",
#endif /* NO_TSOL_DEBUG_MESSAGES */
    "modify_sl: failed for %s\n",
#endif /* NO_TSOL_DEBUG_MESSAGES */
    "modify_sl: failed for %s\n",
#endif /* NO_TSOL_DEBUG_MESSAGES */
 * Anyone can send event to root win
 * NOTE: window sl must dominate the client's sl for send event
 * event sends to windows owned by client with priv_win_seln
 * particularly front panel whose sl is admin_low
    /* uid == DEF_UID means public window */
}
/* modify_eventwin */
 * Trusted stripe requires only trusted path attrib
    "modify stripe", "<none>");
 * set workstation owner
    "modify tpwin", "<none>");
 * Set UID for resource
    "modify_uid: failed for %s\n",
#endif /* NO_TSOL_DEBUG_MESSAGES */
 * Modify polyinstantiation info(sl, uid)
    "modify_polyinfo: failed for %s\n",
#endif /* NO_TSOL_DEBUG_MESSAGES */
 * access_dbe - check whether the buffer is client-private
 * swap_dbe - check if the window is created by the client
 * Return value of 0 for success, errcode for failure
    "policy not implemented for res=%d, method=%d\n",
#endif /* NO_TSOL_DEBUG_MESSAGES */
 * X POLICY FUNCTION TABLE. One row per resource.
 * TSOL_RES_NAME READ MODIFY CREATE\
 * main xtsol_policy. External interface to dix layer of X server
 * Allocate a single privilege set
 * Initialize all string window privileges to the binary equivalent.
 * Binary privilege testing is much faster than the string testing