From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from [144.51.25.7] (moss-huskies [144.51.25.7]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id l0PNAc8Y014936 for ; Thu, 25 Jan 2007 18:10:38 -0500 Message-ID: <45B938EE.8010303@tycho.nsa.gov> Date: Thu, 25 Jan 2007 18:10:38 -0500 From: Eamon Walsh Reply-To: ewalsh@tycho.nsa.gov MIME-Version: 1.0 To: selinux@tycho.nsa.gov Subject: [PATCH] refpolicy: experimental X policy Content-Type: text/plain; charset=ISO-8859-1; format=flowed Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov This is an experimental policy for use with the X userspace object manager. It includes both unconfined and strict policy and is controlled by a tunable, xwindows_object_manager. The labeling conf file in the X.org xserver git (XACE-SELINUX branch) assumes that this policy is loaded, i.e. the types listed in that file are defined in this policy. The target audience for this is people experimenting with the X object manager. Signed-off-by: Eamon Walsh --- policy/global_tunables | 7 policy/modules/services/xserver.if | 14 policy/modules/services/xwindows.fc | 13 policy/modules/services/xwindows.if | 522 ++++++++++++++++++++++++++++++++++++ policy/modules/services/xwindows.te | 65 ++++ policy/modules/system/unconfined.if | 24 + 6 files changed, 645 insertions(+) --- Index: policy/modules/services/xwindows.te =================================================================== --- policy/modules/services/xwindows.te (revision 0) +++ policy/modules/services/xwindows.te (revision 0) 
@@ -0,0 +1,65 @@
+
+policy_module(xwindows,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# X Window System userspace-managed objects
+attribute xclient_type;
+attribute xwindow_type;
+attribute xproperty_type;
+attribute xextension_type;
+
+# Default type for remotely connected clients
+type remote_xclient_t, xclient_type;
+
+# X Property types and attributes
+attribute client_xproperty_type;
+attribute info_xproperty_type;
+attribute seclabel_xproperty_type;
+attribute rm_xproperty_type;
+attribute wm_xproperty_type;
+attribute clipboard_xproperty_type;
+attribute unknown_xproperty_type;
+
+type client_xproperty_t, client_xproperty_type, xproperty_type;
+type info_xproperty_t, info_xproperty_type, xproperty_type;
+type seclabel_xproperty_t, seclabel_xproperty_type, xproperty_type;
+type rm_xproperty_t, rm_xproperty_type, xproperty_type;
+type wm_xproperty_t, wm_xproperty_type, xproperty_type;
+type clipboard_xproperty_t, clipboard_xproperty_type, xproperty_type;
+type unknown_xproperty_t, unknown_xproperty_type, xproperty_type;
+
+# X Extension types
+type accelgraphics_xext_t, xextension_type;
+type debug_xext_t, xextension_type;
+type font_xext_t, xextension_type;
+type input_xext_t, xextension_type;
+type output_xext_t, xextension_type;
+type screensaver_xext_t, xextension_type;
+type security_xext_t, xextension_type;
+type shmem_xext_t, xextension_type;
+type std_xext_t, xextension_type;
+type video_xext_t, xextension_type;
+type unknown_xext_t, xextension_type;
+type windowmgr_xext_t, xextension_type;
+
+
+# X client domains
+
+# Display Manager
+# defined in services/xserver.te
+
+# Window Manager
+type xwm_exec_t;
+corecmd_executable_file(xwm_exec_t)
+
+# Resource Manager
+type xrdb_exec_t;
+corecmd_executable_file(xrdb_exec_t)
+
+# Protected test client
+type xprotected_exec_t;
+corecmd_executable_file(xprotected_exec_t)
Index: policy/modules/services/xwindows.fc
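Review bot: `type remote_xclient_t, xclient_type;` is introduced as the default type for remotely connected clients, but no rule in this patch names it, and the `xclient_type` attribute it carries is never used as a source or target either, so as posted a remote client receives no X object permissions at all once the tunable is on. If that deny-by-default is deliberate it deserves a comment, e.g. `# remote_xclient_t: intentionally has no rules; remote clients get no X object access until policy is written for them`. The per-extension types (`security_xext_t`, `debug_xext_t`, ...) are only meaningful through the labeling conf in the X server tree that the description mentions; a one-line comment above the list saying that the name-to-extension mapping lives there would help readers of the .te file.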
===================================================================
--- policy/modules/services/xwindows.fc (revision 0)
+++ policy/modules/services/xwindows.fc (revision 0)
@@ -0,0 +1,13 @@
+#
+# /usr
+#
+
+/usr/bin/(t|m|fv)wm -- gen_context(system_u:object_r:xwm_exec_t,s0)
+/usr/bin/metacity -- gen_context(system_u:object_r:xwm_exec_t,s0)
+/usr/bin/xrdb -- gen_context(system_u:object_r:xrdb_exec_t,s0)
+/usr/bin/xeyes -- gen_context(system_u:object_r:xprotected_exec_t,s0)
+
+/usr/X11R6/bin/(t|m|fv)wm -- gen_context(system_u:object_r:xwm_exec_t,s0)
+/usr/X11R6/bin/metacity -- gen_context(system_u:object_r:xwm_exec_t,s0)
+/usr/X11R6/bin/xrdb -- gen_context(system_u:object_r:xrdb_exec_t,s0)
+/usr/X11R6/bin/xeyes -- gen_context(system_u:object_r:xprotected_exec_t,s0)
Index: policy/modules/services/xwindows.if
===================================================================
--- policy/modules/services/xwindows.if (revision 0)
+++ policy/modules/services/xwindows.if (revision 0)
@@ -0,0 +1,522 @@
+## X Window System Userspace Object Manager
+
+#######################################
+##
+## Declares a single X property type using a user prefix
+## and base type, along with appropriate transition rules.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Base X property type
+##
+##
+#
+template(`xwindows_property',`
+ gen_require(`
+ type $1_t;
+ type $2;
+ attribute xproperty_type;
+ attribute $1_xproperty_type;
+ attribute $2ype;
+ class property all_property_perms;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ type $1_$2, $1_xproperty_type, $2ype, xproperty_type;
+ type_transition $1_t $2:property $1_$2;
+')
+
+#######################################
+##
+## Declares a set of X property types for use with an X
+## client domain.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+#
+template(`xwindows_property_set',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ attribute $1_xproperty_type;
+ xwindows_property($1,client_xproperty_t)
+ xwindows_property($1,info_xproperty_t)
+ xwindows_property($1,seclabel_xproperty_t)
+ xwindows_property($1,rm_xproperty_t)
+ xwindows_property($1,wm_xproperty_t)
+ xwindows_property($1,clipboard_xproperty_t)
+ xwindows_property($1,unknown_xproperty_t)
+')
+
+#######################################
+##
+## Template to provide X object permissions on a given X server to
+## an X client domain. Provides the minimal set required by a basic
+## X client application.
+##
+##
+##
+## The prefix of the server domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The prefix of the client domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Client domain allowed access.
+##
+##
+##
+##
+## The role associated with the client domain.
+##
+##
+#
+template(`xwindows_basic_client',`
+ gen_require(`
+ type $1_xserver_t;
+ type $1_root_window_t;
+ type $1_xserver_rm_xproperty_t;
+ type $2_info_xproperty_t;
+ type $1_xserver_info_xproperty_t;
+ type $1_xserver_clipboard_xproperty_t;
+ type $2_client_xproperty_t;
+ attribute $2_xproperty_type;
+ class drawable all_drawable_perms;
+ class window all_window_perms;
+ class gc all_gc_perms;
+ class font all_font_perms;
+ class colormap all_colormap_perms;
+ class property all_property_perms;
+ class cursor all_cursor_perms;
+ class xclient all_xclient_perms;
+ class xserver all_xserver_perms;
+ class xinput all_xinput_perms;
+ class xextension all_xextension_perms;
+ ')
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ tunable_policy(`xwindows_object_manager',`
+ # X Protocol Extensions
+ allow $3 xextension_type:xextension query;
+ allow $3 std_xext_t:xextension use;
+ allow $3 input_xext_t:xextension use;
+ allow $3 font_xext_t:xextension use;
+ allow $3 shmem_xext_t:xextension use;
+
+ # X Properties
+ # can read resource manager settings on the root window
+ allow $3 $1_xserver_rm_xproperty_t:property read;
+ # can read info properties
+ allow $3 $2_info_xproperty_t:property read;
+ allow $3 $1_xserver_info_xproperty_t:property read;
+ # can read and write client properties
+ allow $3 $2_client_xproperty_t:property { read write free };
+ # can read and write cut buffers on the root window
+ allow $3 $1_xserver_clipboard_xproperty_t:property { read write free };
+
+ # X Windows
+ # can get attributes of root window
+ allow $3 $1_root_window_t:window getattr;
+ # can add children to root window
+ allow $3 $1_root_window_t:window { addchild chstack };
+ # can change properties of root window
+ allow $3 $1_root_window_t:window { listprop chprop chproplist };
+
+ # can query window manager windows (GTK2 thing?)
+ # allow $3 $1_xwm_t:window { enumerate getattr };
+ # allow $3 $1_xwm_t:drawable getattr;
+
+ # X Fonts
+ allow $3 self:font { use free };
+
+ # X Input
+ # can set focus on own windows
+ allow $3 self:window setfocus;
+ allow $3 $1_xserver_t:xinput { setfocus getattr };
+ # can track mouse motions on own windows
+ allow $3 self:window mousemotion;
+ # can create and use cursors
+ allow $3 self:cursor { createglyph setattr free };
+ # can set selections on own windows
+ allow $3 self:window chselection;
+
+ # X Drawing
+ # can query root window attributes
+ allow $3 $1_root_window_t:drawable getattr;
+ allow $3 $1_xserver_t:colormap { read store };
+ allow $3 $1_xserver_t:font { load use free };
+ allow $3 self:drawable { create getattr draw copy destroy };
+ allow $3 self:gc { create setattr free };
+ allow $3 self:window { addchild chprop chproplist chstack create destroy enumerate getattr listprop map move setattr unmap };
+ ')
+')
+
+#######################################
+##
+## Template to provide X object permissions to an X window manager.
+##
+##
+##
+## The prefix of the server domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The prefix of the client domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Client domain allowed access.
+##
+##
+##
+##
+## The role associated with the client domain.
+##
+##
+#
+template(`xwindows_windowmgr_client',`
+ gen_require(`
+ class xextension use;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ xwindows_basic_client($1,$2,$3,$4)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ tunable_policy(`xwindows_object_manager',`
+ # X Protocol Extensions
+ allow $3 windowmgr_xext_t:xextension use;
+
+ # X Properties
+ # can read all security labels
+ allow $3 seclabel_xproperty_type:property read;
+ # can read and write all wm-specific properties
+ allow $3 wm_xproperty_type:property { read write };
+ # can set properties on all windows
+ allow $3 domain:window { chprop chproplist };
+
+ # can install colormaps
+ allow $3 $1_xserver_t:colormap install;
+
+ # X Windows - extensive control over all windows
+ # can query windows for visual information
+ allow $3 domain:drawable getattr;
+ # can enumerate and change attributes of root window
+ allow $3 $1_root_window_t:window { enumerate setattr };
+ # can enumerate, set, and change attributes of all non-root windows
+ allow $3 domain:window { enumerate getattr setattr };
+ # can map and unmap all non-root windows
+ allow $3 domain:window { map unmap move ctrllife };
+ # can send various events to all non-root windows
+ allow $3 domain:window { windowchangeevent clientcomevent };
+ # can reparent all non-root windows
+ allow $3 domain:window { chparent chstack };
+ # can list properties of all non-root windows
+ allow $3 domain:window listprop;
+
+ # X Input
+ # can change input focus on all windows
+ allow $3 domain:window setfocus;
+ allow $3 $1_root_window_t:window setfocus;
+ allow $3 $1_xserver_t:xinput setfocus;
+ # can move the mouse cursor
+ allow $3 $1_xserver_t:xinput warppointer;
+ # can grab server
+ allow $3 $1_xserver_t:xserver { grab ungrab };
+ allow $3 $1_xserver_t:xinput { activegrab passivegrab ungrab };
+
+ # X Drawing
+ # can draw on the root window
+ allow $3 $1_root_window_t:drawable draw;
+ ')
+')
+
+#######################################
+##
+## Template to provide X object permissions to an X display manager.
+##
+##
+##
+## The prefix of the server domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The prefix of the client domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Client domain allowed access.
+##
+##
+##
+##
+## The role associated with the client domain.
+##
+##
+#
+template(`xwindows_displaymgr_client',`
+ gen_require(`
+ class xextension use;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ xwindows_basic_client($1,$2,$3,$4)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ tunable_policy(`xwindows_object_manager',`
+ # X Protocol Extensions
+ allow $3 output_xext_t:xextension use;
+
+ # allow server grabs
+ allow $3 $1_xserver_t:xserver { grab ungrab };
+ allow $3 $1_xserver_t:xinput { getattr activegrab };
+
+ # can move the mouse cursor
+ allow $3 $1_xserver_t:xinput warppointer;
+
+ # can set resource manager properties
+ allow $3 $2_rm_xproperty_t:property { write free };
+
+ # can enumerate windows
+ allow $3 $1_root_window_t:window enumerate;
+ ')
+')
+
+#######################################
+##
+## Template to provide X object permissions to an X resource manager.
+##
+##
+##
+## The prefix of the server domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The prefix of the client domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Client domain allowed access.
+##
+##
+##
+##
+## The role associated with the client domain.
+##
+##
+#
+template(`xwindows_resourcemgr_client',`
+ gen_require(`
+ class property all_property_perms;
+ ')
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ tunable_policy(`xwindows_object_manager',`
+ # X Properties
+ # can read and write resource manager settings
+ allow $3 $2_rm_xproperty_t:property { read write };
+ ')
+')
+
+#######################################
+##
+## Template to provide X object permissions to an X server domain.
+##
+##
+##
+## The prefix of the domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role associated with the domain.
+##
+##
+#
+template(`xwindows_server',`
+ gen_require(`
+ attribute xwindow_type;
+ class window map;
+ class drawable draw;
+ ')
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Type for the root window
+ type $1_root_window_t, xwindow_type;
+ role $3 types $1_root_window_t;
+
+ # Types for properties
+ xwindows_property_set($1_xserver)
+ role $3 types $1_xserver_xproperty_type;
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ tunable_policy(`xwindows_object_manager',`
+ # Labeling rules for root windows
+ type_transition $2 $2:window $1_root_window_t;
+ type_transition $2 $2:drawable $1_root_window_t;
+
+ # Allow server to map the root window
+ allow $2 $1_root_window_t:window map;
+ ')
+')
+
+#######################################
+##
+## The per role template for the xwindows module.
+##
+##
+##

+## This template creates a derived domains which are used
+## for X userspace object manager related programs.
+##

+##

+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+##

+##
+##
+##
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+##
+##
+##
+##
+## The type of the user domain.
+##
+##
+##
+##
+## The role associated with the user domain.
+##
+##
+#
+template(`xwindows_per_role_template',`
+
+ ##############################
+ #
+ # Declarations
+ #
+
+ # Types for window managers
+ type $1_xwm_t;
+ domain_type($1_xwm_t)
+ domain_entry_file($1_xwm_t,xwm_exec_t)
+ role $3 types $1_xwm_t;
+
+ # Types for resource managers
+ type $1_xrdb_t;
+ domain_type($1_xrdb_t)
+ domain_entry_file($1_xrdb_t,xrdb_exec_t)
+ role $3 types $1_xrdb_t;
+
+ # Protected test type
+ type $1_xprotected_t;
+ domain_type($1_xprotected_t)
+ domain_entry_file($1_xprotected_t,xprotected_exec_t)
+ role $3 types $1_xprotected_t;
+
+ # Types for properties
+ xwindows_property_set($1)
+ role $3 types $1_xproperty_type;
+ xwindows_property_set($1_xwm)
+ role $3 types $1_xwm_xproperty_type;
+ xwindows_property_set($1_xrdb)
+ role $3 types $1_xrdb_xproperty_type;
+ xwindows_property_set($1_xprotected)
+ role $3 types $1_xprotected_xproperty_type;
+
+ # Basic default client
+ xwindows_basic_client($1,$1,$1_t,$3)
+
+ # Other clients
+ xwindows_basic_client($1,$1_xprotected,$1_xprotected_t,$3)
+ xwindows_windowmgr_client($1,$1_xwm,$1_xwm_t,$3)
+ xwindows_resourcemgr_client($1,$1_xrdb,$1_xrdb_t,$3)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ tunable_policy(`xwindows_object_manager',`
+ domain_auto_trans($2,xwm_exec_t,$1_xwm_t)
+ domain_auto_trans($2, xrdb_exec_t, $1_xrdb_t)
+ domain_auto_trans($2, xprotected_exec_t, $1_xprotected_t)
+ ')
+')
+')
Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if (revision 2178)
+++ policy/modules/services/xserver.if (working copy)
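Review bot: The end of `xwindows_per_role_template` appears to carry one `')` too many — the first closes the `tunable_policy` block and the second closes the template, so the third is an unbalanced m4 close-quote that will break interface processing; please re-check the count at that point. Several templates also reference types and attributes declared in xwindows.te without a `gen_require` (`xextension_type`, `std_xext_t`, `input_xext_t`, `font_xext_t`, `shmem_xext_t` in `xwindows_basic_client`; `windowmgr_xext_t`, `seclabel_xproperty_type`, `wm_xproperty_type` and `domain` in `xwindows_windowmgr_client`; `output_xext_t` in `xwindows_displaymgr_client`), which matters as soon as these templates are expanded in another module, as xserver.if and unconfined.if do. On the least-privilege side, the window-manager rules target the `domain` attribute, so a window manager on one user's server is granted `setfocus`, `chparent` and `ctrllife` over windows of every process domain on the system rather than only clients of that server; the `xclient_type` attribute declared in xwindows.te and otherwise unused looks like the narrower target that was intended. `xwindows_per_role_template` is not invoked anywhere in this six-file patch, so as posted the per-user client domains it declares are never created. A short comment on `attribute $2ype;` in `xwindows_property` noting that it relies on every base type name ending in `_t`, so that `$2ype` spells the matching `_type` attribute, would spare the next reader a double-take.
```m4
template(`xwindows_windowmgr_client',`
	gen_require(`
		type windowmgr_xext_t;
		attribute domain;
		attribute seclabel_xproperty_type;
		attribute wm_xproperty_type;
		class xextension use;
	')
	# … unchanged: declarations and local policy …
```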
@@ -90,6 +90,13 @@
 kernel_read_kernel_sysctls($1_xserver_t)
 kernel_write_proc_files($1_xserver_t)
+ # X server userspace object manager
+ tunable_policy(`xwindows_object_manager',`
+ allow $1_xserver_t self:netlink_audit_socket create;
+ allow $1_xserver_t self:netlink_selinux_socket { bind create read };
+ allow $1_xserver_t security_t:security { check_context compute_av compute_create };
+ ')
+
 # Run helper programs in $1_xserver_t.
 corecmd_search_sbin($1_xserver_t)
 corecmd_exec_bin($1_xserver_t)
@@ -267,6 +274,13 @@
 ##############################
 #
+ # $1_xserver_t X Userspace Object Manager
+ #
+
+ xwindows_server($1,$1_xserver_t,$3)
+
+ ##############################
+ #
 # $1_xserver_t Local policy
 #
Index: policy/modules/system/unconfined.if
===================================================================
--- policy/modules/system/unconfined.if (revision 2178)
+++ policy/modules/system/unconfined.if (working copy)
@@ -15,6 +15,17 @@
 class dbus all_dbus_perms;
 class nscd all_nscd_perms;
 class passwd all_passwd_perms;
+ class drawable all_drawable_perms;
+ class window all_window_perms;
+ class gc all_gc_perms;
+ class font all_font_perms;
+ class colormap all_colormap_perms;
+ class property all_property_perms;
+ class cursor all_cursor_perms;
+ class xclient all_xclient_perms;
+ class xserver all_xserver_perms;
+ class xinput all_xinput_perms;
+ class xextension all_xextension_perms;
 ')
 # Use any Linux capability.
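Review bot: The raw rules in the first xserver.if hunk are unlikely to be enough for a userspace AVC: the `security_t:security` permissions cover the kernel-side checks, but libselinux's compute_av/compute_create/check_context calls also read and write the selinuxfs files, and `self:netlink_audit_socket create` alone does not let the server deliver AVC audit messages, which needs `nlmsg_relay` on that socket and the `audit_write` capability as well. Refpolicy already packages exactly these sets — `selinux_compute_access_vector($1_xserver_t)`, `selinux_compute_create_context($1_xserver_t)`, `selinux_validate_context($1_xserver_t)` and `logging_send_audit_msgs($1_xserver_t)` — and using them also keeps the bare `security_t` reference out of this template's `gen_require`, which lies outside the hunk. The `netlink_selinux_socket { bind create read }` rule (policy-reload and enforcing-mode notifications) is fine as a direct rule. The enclosing per-role template starts and ends outside the hunk.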
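Review bot: `xwindows_server($1,$1_xserver_t,$3)` in the second xserver.if hunk is an unconditional call into the new xwindows module, so every policy that instantiates the xserver per-role template now hard-requires the experimental module to be present and loaded; wrapping it as ``optional_policy(`xwindows_server($1,$1_xserver_t,$3)')`` keeps xserver buildable without it, which fits the description's stated audience of people experimenting with the object manager. The comment block above the call could also say that the root-window type and the server's property types are declared by that template, since nothing in xserver.if shows where `$1_root_window_t` comes from. The enclosing template starts and ends outside the hunk.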
@@ -31,6 +42,19 @@
 allow $1 self:nscd *;
 allow $1 self:dbus *;
 allow $1 self:passwd *;
+ tunable_policy(`xwindows_object_manager',`
+ allow $1 self:drawable *;
+ allow $1 self:window *;
+ allow $1 self:gc *;
+ allow $1 self:font *;
+ allow $1 self:colormap *;
+ allow $1 self:property *;
+ allow $1 self:cursor *;
+ allow $1 self:xclient *;
+ allow $1 self:xserver *;
+ allow $1 self:xinput *;
+ allow $1 self:xextension *;
+ ')
 kernel_unconfined($1)
 corenet_unconfined($1)
Index: policy/global_tunables
===================================================================
--- policy/global_tunables (revision 2178)
+++ policy/global_tunables (working copy)
@@ -348,6 +348,13 @@
 ##
 gen_tunable(use_samba_home_dirs,false)
+##
+##
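Review bot: The added `allow $1 self:<class> *;` rules only reach X objects labeled with the unconfined domain's own type, so as far as this patch shows an unconfined client is still denied `getattr`/`addchild` on the server's `$1_root_window_t`, reads of the server-owned `rm`/`info`/`clipboard` property types, and `use` on the `*_xext_t` extension types — the objects any client touches first — once the tunable is on. If unconfined is meant to be unrestricted under the object manager, the rules should target the attributes xwindows.te declares (`xwindow_type`, `xproperty_type`, `xextension_type`) and the `domain` attribute for other clients' windows, or the domain should be passed through `xwindows_basic_client`; if the intent is only to cover self-owned objects, a comment saying so would stop the next reader from assuming "unconfined" here means unrestricted. The `unconfined_domain` template starts and ends outside the hunk.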

+## Support X userspace object manager
+##

+##
+gen_tunable(xwindows_object_manager,false)
+
 ########################################
 #
 # Strict policy specific
-- Eamon Walsh National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.