From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 30 Oct 2009 09:17:08 -0400
Subject: [refpolicy] [PATCH 0/3] Updated X object manager policy -v2: Intro
In-Reply-To: <4AEA1DE2.9000400@tycho.nsa.gov>
References: <4AE7A702.60309@tycho.nsa.gov> <1256738245.6392.53.camel@gorn.columbia.tresys.com> <4AEA1DE2.9000400@tycho.nsa.gov>
Message-ID: <1256908631.6392.79.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-10-29 at 18:57 -0400, Eamon Walsh wrote:
> On 10/28/2009 09:57 AM, Christopher J. PeBenito wrote:
> > On Tue, 2009-10-27 at 22:05 -0400, Eamon Walsh wrote:
> >> This patch series is an updated policy for the X server object manager.
> >> This is the policy that I was running in Portland for my various demos.
> >> It includes new x_pointer/x_keyboard classes, unconfined-by-default
> >> user types, and other changes. The only thing missing here is updated
> >> mls constraints; I am still working on those.
> >>
> >> The 3 patches here are NOT independent and breakage will probably
> >> result if only some of them are applied. I only broke them up in an
> >> attempt to make it easier to review the changes.
> >>
> >> This is also available in a git tree at
> >> git://anongit.freedesktop.org/~ewalsh/refpolicy (branch "master"), for
> >> ease of pulling.
> >>
> > This looks ok. I have this in a branch in my local repo for now, as I
> > have a couple minor questions/issues:
> >
> > 1) +xserver_object_types_template(root)
> >
> > Is this for the root window?
>
> It defines the root_input_xevent_t type that is used for input events
> sent to the root window (if no other window has focus). This is new;
> before this patchset they were just labeled generic "input_xevent_t."
>
> If other derived event types are reintroduced they will go in that
> template as well so calling it will define root_* variants that can be used.
>
> >
> > 2) The aliases that were removed need to be restored, and updated for
> > the removals in this patchset.
> >
>
> Are you referring to the type aliases here? What needs to be updated?

The ones like these that were removed:

-typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t };
-typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };

They shouldn't be removed, but they should be revised to make them
aliases of the new types. So the above looks like it turns into:

typealias xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t user_property_xevent_t };
typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };

or should it be aliased to client_xevent_t (I'm not sure)?

> > 3) I'd like to try to find a better name for "xserver_unprotected", if
> > possible.
> >
>
> Let's just drop this interface (attached patch). I'm not seeing the
> AVC's that motivated this anymore, probably because the default user
> types are X unconfined. If they show up again I can resubmit this.

Merged.

> commit 509cc124f67abc46e9088c05dbe75e0f4d4c94a9
> Author: Eamon Walsh
> Date: Thu Oct 29 18:47:32 2009 -0400
>
> Drop the xserver_unprotected interface.
>
> The motivation for this was xdm_t objects not getting cleaned up,
> so the user session tried to interact with them. But since the
> default user type is unconfined this problem has gone away for now.
>
> Signed-off-by: Eamon Walsh
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if > index cffc058..e34a892 100644 > --- a/policy/modules/services/xserver.if > +++ b/policy/modules/services/xserver.if
> @@ -1200,26 +1200,6 @@ interface(`xserver_manage_core_devices',` > > ######################################## > ## > -## Interface to remove protections on an X client domain. > -## Gives other X client domains full permissions over the target > -## domain's X objects. > -## > -## > -## > -## Domain to be unprotected. > -## > -## > -# > -interface(`xserver_unprotected',` > - gen_require(` > - attribute xserver_unprotected_type; > - ') > - > - typeattribute $1 xserver_unprotected_type; > -') > - > -######################################## > -## > ## Interface to provide X object permissions on a given X server to > ## an X client domain. Gives the domain complete control over the > ## display. > diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te > index d6c4b95..f7e7637 100644 > --- a/policy/modules/services/xserver.te > +++ b/policy/modules/services/xserver.te > @@ -82,7 +82,6 @@ type root_xdrawable_t, xdrawable_type; > type root_xcolormap_t, xcolormap_type; > > attribute xserver_unconfined_type; > -attribute xserver_unprotected_type; > > xserver_object_types_template(root) > xserver_object_types_template(user) > @@ -157,7 +156,6 @@ init_daemon_domain(xdm_t, xdm_exec_t) > xserver_object_types_template(xdm) > xserver_common_x_domain_template(xdm, xdm_t) > xserver_unconfined(xdm_t) > -xserver_unprotected(xdm_t) > > type xdm_lock_t; > files_lock_file(xdm_lock_t) 
> @@ -950,20 +948,6 @@ allow x_domain xserver_t:x_screen { getattr saver_getattr }; > > ######################################## > # > -# Rules for unprotected access to a domain > -# > - > -allow x_domain xserver_unprotected_type:x_drawable *; > -allow x_domain xserver_unprotected_type:x_gc *; > -allow x_domain xserver_unprotected_type:x_colormap *; > -allow x_domain xserver_unprotected_type:x_property *; > -allow x_domain xserver_unprotected_type:x_cursor *; > -allow x_domain xserver_unprotected_type:x_client *; > -allow x_domain xserver_unprotected_type:x_device *; > -allow x_domain xserver_unprotected_type:x_resource *; > - > -######################################## > -# > # Rules for unconfined access to this module > # > > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
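Review bot: In the xserver.if hunk, the `xserver_unprotected` interface is deleted outright, and the only caller this patch removes is `xserver_unprotected(xdm_t)` in xserver.te. Any other module or local policy that still calls the interface will fail to build, so either confirm that no callers remain in the tree or keep the interface for a release as an empty stub marked deprecated.

Review bot: In the last xserver.te hunk, the removed rules gave every `x_domain` all permissions (`*`) on eight object classes of `xserver_unprotected_type`, and the commit message justifies dropping them only on the grounds that the default user type is unconfined. A confined user type logging in through xdm would meet the leftover xdm_t objects again, so this should be tested with a confined login, or the dependency noted in a comment next to `xserver_unconfined(xdm_t)`, so the denials are recognised if they reappear.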