From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 0/3] Updated X object manager policy -v2: Intro
Date: Fri, 30 Oct 2009 09:17:08 -0400
Message-ID: <1256908631.6392.79.camel@gorn>
In-Reply-To: <4AEA1DE2.9000400@tycho.nsa.gov>

On Thu, 2009-10-29 at 18:57 -0400, Eamon Walsh wrote:
> On 10/28/2009 09:57 AM, Christopher J. PeBenito wrote:
> > On Tue, 2009-10-27 at 22:05 -0400, Eamon Walsh wrote:
> >> This patch series is an updated policy for the X server object manager.  
> >> This is the policy that I was running in Portland for my various demos. 
> >> It includes new x_pointer/x_keyboard classes, unconfined-by-default 
> >> user types, and other changes.  The only thing missing here is updated 
> >> mls constraints; I am still working on those.
> >>
> >> The 3 patches here are NOT independent and breakage will probably 
> >> result if only some of them are applied.  I only broke them up in an 
> >> attempt to make it easier to review the changes.
> >>
> >> This is also available in a git tree at 
> >> git://anongit.freedesktop.org/~ewalsh/refpolicy (branch "master"), for 
> >> ease of pulling.
> >>     
> > This looks ok.  I have this in a branch in my local repo for now, as I
> > have a couple minor questions/issues:
> >
> > 1) +xserver_object_types_template(root)
> >
> > Is this for the root window?
> 
> It defines the root_input_xevent_t type that is used for input events
> sent to the root window (if no other window has focus).  This is new;
> before this patchset they were just labeled generic "input_xevent_t."
> 
> If other derived event types are reintroduced they will go in that
> template as well so calling it will define root_* variants that can be used.
>  
> 
> > 2) The aliases that were removed need to be restored, and updated for
> > the removals in this patchset.
> >   
> 
> Are you referring to the type aliases here?  What needs to be updated?

The ones like these that were removed:

-typealias user_property_xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t };
-typealias user_property_xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };

They shouldn't be removed, but they should be revised to make them
aliases of the new types.  So the above looks like it turns into:

typealias xevent_t alias { staff_property_xevent_t sysadm_property_xevent_t user_property_xevent_t };
typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t };

or should it be aliased to client_xevent_t (I'm not sure)?

> > 3) I'd like to try to find a better name for "xserver_unprotected", if
> > possible.
> >   
> 
> Let's just drop this interface (attached patch).  I'm not seeing the
> AVC's that motivated this anymore, probably because the default user
> types are X unconfined.  If they show up again I can resubmit this.

Merged.

> commit 509cc124f67abc46e9088c05dbe75e0f4d4c94a9
> Author: Eamon Walsh <ewalsh@tycho.nsa.gov>
> Date:   Thu Oct 29 18:47:32 2009 -0400
> 
>     Drop the xserver_unprotected interface.
>     
>     The motivation for this was xdm_t objects not getting cleaned up,
>     so the user session tried to interact with them.  But since the
>     default user type is unconfined this problem has gone away for now.
>     
>     Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
> 
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index cffc058..e34a892 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1200,26 +1200,6 @@ interface(`xserver_manage_core_devices',`
>  
>  ########################################
>  ## <summary>
> -##     Interface to remove protections on an X client domain.
> -##     Gives other X client domains full permissions over the target
> -##     domain's X objects.
> -## </summary>
> -## <param name="domain">
> -##     <summary>
> -##     Domain to be unprotected.
> -##     </summary>
> -## </param>
> -#
> -interface(`xserver_unprotected',`
> -       gen_require(`
> -               attribute xserver_unprotected_type;
> -       ')
> -
> -       typeattribute $1 xserver_unprotected_type;
> -')
> -
> -########################################
> -## <summary>
>  ##     Interface to provide X object permissions on a given X server to
>  ##     an X client domain.  Gives the domain complete control over the
>  ##     display.
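
Review bot: Deleting `xserver_unprotected` from xserver.if outright means any other module or local policy that still calls it will stop compiling, and the only caller this commit shows being removed is `xserver_unprotected(xdm_t)` in xserver.te. A search of the policy tree for the interface name before this lands would confirm there are no other callers; if there are, they need to be dropped in the same commit.
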
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index d6c4b95..f7e7637 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -82,7 +82,6 @@ type root_xdrawable_t, xdrawable_type;
>  type root_xcolormap_t, xcolormap_type;
>  
>  attribute xserver_unconfined_type;
> -attribute xserver_unprotected_type;
>  
>  xserver_object_types_template(root)
>  xserver_object_types_template(user)
> @@ -157,7 +156,6 @@ init_daemon_domain(xdm_t, xdm_exec_t)
>  xserver_object_types_template(xdm)
>  xserver_common_x_domain_template(xdm, xdm_t)
>  xserver_unconfined(xdm_t)
> -xserver_unprotected(xdm_t)
>  
>  type xdm_lock_t;
>  files_lock_file(xdm_lock_t)
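
Review bot: Dropping `xserver_unprotected(xdm_t)` here rests on the default user types being X unconfined, per the commit message, so a confined X client domain could still run into leftover xdm_t objects after login. A short comment next to `xserver_unconfined(xdm_t)` recording that dependency would keep the reasoning from getting lost, and a test login with a confined user type would show whether the denials come back.
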
> @@ -950,20 +948,6 @@ allow x_domain xserver_t:x_screen { getattr saver_getattr };
>  
>  ########################################
>  #
> -# Rules for unprotected access to a domain
> -#
> -
> -allow x_domain xserver_unprotected_type:x_drawable *;
> -allow x_domain xserver_unprotected_type:x_gc *;
> -allow x_domain xserver_unprotected_type:x_colormap *;
> -allow x_domain xserver_unprotected_type:x_property *;
> -allow x_domain xserver_unprotected_type:x_cursor *;
> -allow x_domain xserver_unprotected_type:x_client *;
> -allow x_domain xserver_unprotected_type:x_device *;
> -allow x_domain xserver_unprotected_type:x_resource *;
> -
> -########################################
> -#
>  # Rules for unconfined access to this module
>  #
>  
> 
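
Review bot: The commit message says the problem has gone away "for now", so if this block at -950 is ever resubmitted it should not bring back `*` on all eight classes for every x_domain; listing the specific permissions seen in the denials, per class, would keep the exception narrow. Also worth checking that nothing else in xserver.te still names `xserver_unprotected_type`, since its declaration is removed at -82 in the same file.
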
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
