From: ewalsh@tycho.nsa.gov (Eamon Walsh)
Date: Tue, 13 Oct 2009 21:27:11 -0400
Subject: [refpolicy] [PATCH 1/6] Add separate x_pointer and x_keyboard classes inheriting from x_device.
In-Reply-To: <4AD52806.1040604@tycho.nsa.gov>
References: <4AD52806.1040604@tycho.nsa.gov>
Message-ID: <4AD528EF.7070901@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Add separate x_pointer and x_keyboard classes inheriting from x_device. This is needed to allow more fine-grained control over X devices without using different types. Using different types is problematic because devices act as subjects in the X Flask implementation, and subjects cannot be labeled through a type transition (since the output role is hardcoded to object_r).

Signed-off-by: Eamon Walsh
---
 policy/flask/access_vectors | 55 +++++++++++++++++++++++++---------------
 policy/flask/security_classes | 4 +++
 2 files changed, 38 insertions(+), 21 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 3998b77..6620e4c 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -94,6 +94,33 @@ common database
 }
 
 #
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
 # Define the access vectors.
 #
 # class class_name [ inherits common_name ] { permission_name ... }
@@ -525,27 +552,7 @@ class x_client
 }
 
 class x_device
-{
- getattr
- setattr
- use
- read
- write
- getfocus
- setfocus
- bell
- force_cursor
- freeze
- grab
- manage
- list_property
- get_property
- set_property
- add
- remove
- create
- destroy
-}
+inherits x_device
 
 class x_server
 {
@@ -802,3 +809,9 @@ class kernel_service
 
 class tun_socket
 inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
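Review bot: The header comment on the new `common x_device` block (`# Define a common prefix for pointer and keyboard access vectors.`) is narrower than its actual use, since the second hunk also makes the generic `x_device` class inherit it; suggest `# Define a common prefix for the x_device, x_pointer and x_keyboard access vectors.`. The common carries the whole permission list and none of the three classes adds anything of its own, so the only thing that separates a pointer from a keyboard from a generic device is the class name, which is what the commit message asks for. It would help a reader of this hunk alone to state in the comment that the list is moved unchanged from the old `class x_device` body, so existing rules on `x_device` keep their meaning.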
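Review bot: `x_pointer` and `x_keyboard` in the last hunk are declared with no permissions beyond the inherited common, and nothing in this patch grants any of them, so existing allow rules written against `x_device` do not reach the new classes; once the X server reports pointer and keyboard devices under these class names, every access to them is denied until matching rules exist, presumably in the remaining patches of this series. A comment on the declarations, e.g. `# pointer/keyboard devices as classified by the X server; rules on x_device do not cover these`, would make that gap visible to anyone applying this patch on its own. The declarations are appended after `tun_socket`, matching the position given to them in security_classes.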
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 2bd1bf6..fa65db2 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -121,4 +121,8 @@ class kernel_service
 
 class tun_socket
 
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
 # FLASK
-- 
1.6.5.rc2
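Review bot: The comment `# Still More SE-X Windows stuff` above the new classes says nothing about what they are or who enforces them; since this file is where readers check which classes the kernel never sees, something like `# X device classes for pointers and keyboards, enforced by the X server` would be more useful. The `# userspace` marking follows the file's convention and means the kernel performs no checks on these classes, so the split only takes effect once the X server's SELinux extension maps devices to the new names; an older server would presumably keep reporting `x_device` and the finer control would not apply. The append order after `tun_socket` matches the order used in access_vectors.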