From patchwork Tue Aug 4 01:33:42 2020
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 11699375
Subject: [RFC,selinux-notebook PATCH 04/18] x_windows: fully convert to markdown
From: Paul Moore
To: selinux@vger.kernel.org
Date: Mon, 03 Aug 2020 21:33:42 -0400
Message-ID: <159650482221.8961.7779250010228783136.stgit@sifl>
In-Reply-To: <159650470076.8961.12721446818345626943.stgit@sifl>
References: <159650470076.8961.12721446818345626943.stgit@sifl>
User-Agent: StGit/0.23
X-Mailing-List: selinux@vger.kernel.org

Signed-off-by: Paul Moore
---
 src/x_windows.md | 330 +++++++++++++++++++++++++++---------------------------
 1 file changed, 163 insertions(+), 167 deletions(-)
diff --git a/src/x_windows.md b/src/x_windows.md index e2625f7..86f966e 100644 --- a/src/x_windows.md +++ b/src/x_windows.md @@ -68,7 +68,8 @@ time, then the X-function will only succeed if allowed by all the security extensions in the chain. This interface is defined in the -"[**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf)". The specification also defines the hooks available to OMs and +"[**X Access Control Extension Specification**](http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.pdf)". +The specification also defines the hooks available to OMs and how they should be used. The provision of polyinstantiation services for properties and selections is also discussed. The XACE interface is a similar service to the LSM that supports the kernel OMs. @@ -85,8 +86,6 @@ managers such as Gnome, twm or KDE. [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux) section. -
- ## Polyinstantiation The OM / XACE services support polyinstantiation of properties and @@ -104,8 +103,6 @@ polyinstantiation, instead the MLS policy uses [**`mlsconstrain`**](constraint_statements.md#mlsconstrain) to limit the scope of properties and selections. -
- ## Configuration Information This section covers: @@ -234,167 +231,169 @@ client * system_u:object_r:remote_t:s0 A full description of the *x_contexts* file format is given in the [***x_contexts***](policy_config_files.md#contextsx_contexts) section. -
- ## SELinux Extension Functions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function NameMinor ParametersOpcodeComments
XSELinuxQueryVersion0NoneReturns the XSELinux version. Fedora returns 1.1
XSELinuxSetDeviceCreateContext1Context+LenSets the context for creating a device object (x_device).
XSELinuxGetDeviceCreateContext2NoneRetrieves the context set by XSELinuxSetDeviceCreateContext.
XSELinuxSetDeviceContext3DeviceID + Context+LenSets the context for creating the specified DeviceID object.
XSELinuxGetDeviceContext4DeviceIDRetrieves the context set by XSELinuxSetDeviceContext.
XSELinuxSetWindowCreateContext5Context+LenSet the context for creating a window object (x_window).
XSELinuxGetWindowCreateContext6NoneRetrieves the context set by XSELinuxSetWindowCreateContext.
XSELinuxGetWindowContext7WindowIDRetrieves the specified WindowID context.
XSELinuxSetPropertyCreateContext8Context + LenSets the context for creating a property object (x_property).
XSELinuxGetPropertyCreateContext9NoneRetrieves the context set by XSELinuxSetPropertyCreateContext.
XSELinuxSetPropertyUseContext10Context + LenSets the context of the property object to be retrieved when polyinstantiation is being used.
XSELinuxGetPropertyUseContext11NoneRetrieves the property object context set by SELinuxSetPropertyUseContext.
XSELinuxGetPropertyContext12WindowID + AtomIDRetrieves the context of the property atom object.
XSELinuxGetPropertyDataContext13WindowID + AtomIDRetrieves the context of the property atom data.
XSELinuxListProperties14WindowIDLists the object and data contexts of properties associated with the selected WindowID.
XSELinuxSetSelectionCreateContext15Context+LenSets the context to be used for creating a selection object.
XSELinuxGetSelectionCreateContext16NoneRetrieves the context set by SELinuxSetSelectionCreateContext.
XSELinuxSetSelectionUseContext17Context+LenSets the context of the selection object to be retrieved when polyinstantiation is being used. See the XSELinuxListSelections function for an example.
XSELinuxGetSelectionUseContext18NoneRetrieves the selection object context set by SELinuxSetSelectionUseContext.
XSELinuxGetSelectionContext19AtomIDRetrieves the context of the specified selection atom object.
XSELinuxGetSelectionDataContext20AtomIDRetrieves the context of the selection data from the current selection owner (x_application_data object).
XSELinuxListSelections21None

Lists the selection atom object and data contexts associated with this display. The main difference in the listings is that when (for example) the PRIMARY selection atom is polyinstantiated, multiple entries can returned. One has the context of the atom itself, and one entry for each process (or x-client) that has an active polyinstantiated entry, for example:

-

Atom: PRIMARY - label defined in the x_contexts file (this is also for non-poly listing):

-

Object Context: system_u:object_r:primary_xselection_t

-

Data Context: system_u:object_r:primary_xselection_t

-

Atom: PRIMARY - Labels for client 1:

-

Object Context: system_u:object_r:x_select_paste1_t

-

Data Context: system_u:object_r:x_select_paste1_t

-

Atom: PRIMARY - Labels for client 2:

-

Object Context: system_u:object_r:x_select_paste2_t

-

Data Context: system_u:object_r:x_select_paste2_t

XSELinuxGetClientContext22ResourceIDRetrieves the client context of the specified ResourceID.
+| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxQueryVersion | 0 | None | + +Returns the XSELinux version. Fedora returns 1.1. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetDeviceCreateContext | 1 | Context + Len | + +Sets the context for creating a device object (*x_device*). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetDeviceCreateContext | 2 | None | + +Retrieves the context set by *XSELinuxSetDeviceCreateContext*. + +| Function Name | Minor Parameter | Opcode | +| ------------------------------- | --------------- | ------------------------ | +| XSELinuxSetDeviceContext | 3 | DeviceID + Context + Len | + +Sets the context for creating the specified DeviceID object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetDeviceContext | 4 | DeviceID | + +Retrieves the context set by *XSELinuxSetDeviceContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetWindowCreateContext | 5 | Context + Len | + +Set the context for creating a window object (*x_window*). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetWindowCreateContext | 6 | None | + +Retrieves the context set by *XSELinuxSetWindowCreateContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetWindowContext | 7 | WindowID | + +Retrieves the specified WindowID context. 
+ +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetPropertyCreateContext | 8 | Context | + +Sets the context for creating a property object (*x_property*). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyCreateContext | 9 | None | + +Retrieves the context set by *XSELinuxSetPropertyCreateContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetPropertyUseContext | 10 | Context + Len | + +Sets the context of the property object to be retrieved when polyinstantiation +is being used. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyUseContext | 11 | None | + +Retrieves the property object context set by *SELinuxSetPropertyUseContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyContext | 12 | WindowID + AtomID | + +Retrieves the context of the property atom object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetPropertyDataContext | 13 | WindowID + AtomID | + +Retrieves the context of the property atom data. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxListProperties | 14 | WindowID | + +Lists the object and data contexts of properties associated with the selected +WindowID. 
+ +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetSelectionCreateContext | 15 | Context + Len | + +Sets the context to be used for creating a selection object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionCreateContext | 16 | None | + +Retrieves the context set by *SELinuxSetSelectionCreateContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxSetSelectionUseContext | 17 | Context + Len | + +Sets the context of the selection object to be retrieved when polyinstantiation +is being used. See the *XSELinuxListSelections* function for an example. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionUseContext | 18 | None | + +Retrieves the selection object context set by *SELinuxSetSelectionUseContext*. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionContext | 19 | AtomID | + +Retrieves the context of the specified selection atom object. + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetSelectionDataContext | 20 | AtomID | + +Retrieves the context of the selection data from the current selection owner +(*x_application_data* object). + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxListSelections | 21 | None | + +Lists the selection atom object and data contexts associated with this display. 
+The main difference in the listings is that when (for example) the *PRIMARY* +selection atom is polyinstantiated, multiple entries can returned. One has the +context of the atom itself, and one entry for each process (or x-client) that +has an active polyinstantiated entry, for example: + +Atom: PRIMARY - label defined in the *x_contexts* file (this is also for +non-poly listing): + +- Object Context: *system_u:object_r:primary_xselection_t* +- Data Context: *system_u:object_r:primary_xselection_t* + +Atom: PRIMARY - Labels for client 1: + +- Object Context: *system_u:object_r:x_select_paste1_t* +- Data Context: *system_u:object_r:x_select_paste1_t* + +Atom: PRIMARY - Labels for client 2: + +- Object Context: *system_u:object_r:x_select_paste2_t* +- Data Context: *system_u:object_r:x_select_paste2_t* + +| Function Name | Minor Parameters | Opcode | +| --------------------------------- | ---------------- | --------------------- | +| XSELinuxGetClientContext | 22 | ResourceID | + +Retrieves the client context of the specified ResourceID. **Table 12: The XSELinux Extension Functions** - *Supported by the object manager as X-protocol extensions. Note that some functions will return @@ -402,9 +401,6 @@ the default contexts, while others (2, 6, 9, 11, 16, 18) will not return a value unless one has been set the the appropriate function (1, 5, 8, 10, 15, 17) by an SELinux-aware application.* - -
- ---
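Review bot: in the @@ -234,167 +231,169 @@ hunk the two value columns of every new table are labelled the wrong way round. The header reads `| Function Name | Minor Parameters | Opcode |`, but each row puts the numeric minor opcode under "Minor Parameters" and the argument list under "Opcode" (e.g. `| XSELinuxSetDeviceContext | 3 | DeviceID + Context + Len |`). The removed HTML header ("Function Name / Minor Parameters / Opcode / Comments") carried the same transposition, so this conversion is the place to fix it; suggest `| Function Name | Minor Opcode | Parameters |` for all of the new tables. Three smaller points in the same hunk: `| XSELinuxSetPropertyCreateContext | 8 | Context |` drops the "+ Len" that the removed row and every other Set*CreateContext / Set*UseContext row carry, so it should read `| XSELinuxSetPropertyCreateContext | 8 | Context + Len |`; the XSELinuxListSelections description keeps the original's "multiple entries can returned" (missing "be"); and the descriptions for minor opcodes 11, 16 and 18 refer to *SELinuxSetPropertyUseContext*, *SELinuxSetSelectionCreateContext* and *SELinuxSetSelectionUseContext* without the "X" prefix used in the tables themselves. Finally, "**Table 12: The XSELinux Extension Functions**" now captions a run of twenty-three separate two-row tables rather than one table; either word the caption as applying to the group or note in the text that the table has been split per function.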
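Review bot: the unchanged context at the top of the @@ -402,9 +401,6 @@ hunk still reads "unless one has been set the the appropriate function (1, 5, 8, 10, 15, 17)"; since this paragraph is already being touched to drop the trailing blank lines, fix the doubled "the" to "set by the appropriate function" in the same patch.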