xace.c 9.23 KB
Newer Older
Eamon Walsh's avatar
Eamon Walsh committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
/************************************************************

Author: Eamon Walsh <ewalsh@epoch.ncsc.mil>

Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
this permission notice appear in supporting documentation.  This permission
notice shall be included in all copies or substantial portions of the
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

********************************************************/

Eamon Walsh's avatar
Eamon Walsh committed
20 21 22 23
#ifdef HAVE_DIX_CONFIG_H
#include <dix-config.h>
#endif

Eamon Walsh's avatar
Eamon Walsh committed
24 25
#include <stdarg.h>
#include "scrnintstr.h"
26 27 28 29
#include "extnsionst.h"
#include "pixmapstr.h"
#include "regionstr.h"
#include "gcstruct.h"
Eamon Walsh's avatar
Eamon Walsh committed
30 31
#include "xacestr.h"

32 33 34 35 36
#define XSERV_t
#define TRANS_SERVER
#include <X11/Xtrans/Xtrans.h>
#include "../os/osdep.h"

37
_X_EXPORT CallbackListPtr XaceHooks[XACE_NUM_HOOKS] = {0};
Eamon Walsh's avatar
Eamon Walsh committed
38

39 40
/* Special-cased hook functions.  Called by Xserver.
 */
41
int XaceHookDispatch(ClientPtr client, int major)
42
{
43 44
    /* Call the audit begin callback, there is no return value. */
    XaceAuditRec rec = { client, 0 };
45
    CallCallbacks(&XaceHooks[XACE_AUDIT_BEGIN], &rec);
46 47 48 49 50 51 52 53 54 55 56 57 58 59 60

    if (major < 128) {
	/* Call the core dispatch hook */
	XaceCoreDispatchRec rec = { client, Success /* default allow */ };
	CallCallbacks(&XaceHooks[XACE_CORE_DISPATCH], &rec);
	return rec.status;
    } else {
	/* Call the extension dispatch hook */
	ExtensionEntry *ext = GetExtensionEntry(major);
	XaceExtAccessRec rec = { client, ext, DixUseAccess, Success };
	if (ext)
	    CallCallbacks(&XaceHooks[XACE_EXT_DISPATCH], &rec);
	/* On error, pretend extension doesn't exist */
	return (rec.status == Success) ? Success : BadRequest;
    }
61 62
}

63
int XaceHookPropertyAccess(ClientPtr client, WindowPtr pWin,
64
			   PropertyPtr *ppProp, Mask access_mode)
65
{
66
    XacePropertyAccessRec rec = { client, pWin, ppProp, access_mode, Success };
67 68 69 70
    CallCallbacks(&XaceHooks[XACE_PROPERTY_ACCESS], &rec);
    return rec.status;
}

71 72
int XaceHookSelectionAccess(ClientPtr client,
			    Selection **ppSel, Mask access_mode)
73
{
74
    XaceSelectionAccessRec rec = { client, ppSel, access_mode, Success };
75 76 77 78
    CallCallbacks(&XaceHooks[XACE_SELECTION_ACCESS], &rec);
    return rec.status;
}

79 80 81 82 83 84 85
void XaceHookAuditEnd(ClientPtr ptr, int result)
{
    XaceAuditRec rec = { ptr, result };
    /* call callbacks, there is no return value. */
    CallCallbacks(&XaceHooks[XACE_AUDIT_END], &rec);
}

Eamon Walsh's avatar
Eamon Walsh committed
86 87
/* Entry point for hook functions.  Called by Xserver.
 */
88
int XaceHook(int hook, ...)
Eamon Walsh's avatar
Eamon Walsh committed
89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107
{
    pointer calldata;	/* data passed to callback */
    int *prv = NULL;	/* points to return value from callback */
    va_list ap;		/* argument list */
    va_start(ap, hook);

    /* Marshal arguments for passing to callback.
     * Each callback has its own case, which sets up a structure to hold
     * the arguments and integer return parameter, or in some cases just
     * sets calldata directly to a single argument (with no return result)
     */
    switch (hook)
    {
	case XACE_RESOURCE_ACCESS: {
	    XaceResourceAccessRec rec = {
		va_arg(ap, ClientPtr),
		va_arg(ap, XID),
		va_arg(ap, RESTYPE),
		va_arg(ap, pointer),
108 109 110
		va_arg(ap, RESTYPE),
		va_arg(ap, pointer),
		va_arg(ap, Mask),
111
		Success /* default allow */
Eamon Walsh's avatar
Eamon Walsh committed
112 113
	    };
	    calldata = &rec;
114
	    prv = &rec.status;
Eamon Walsh's avatar
Eamon Walsh committed
115 116 117 118 119 120
	    break;
	}
	case XACE_DEVICE_ACCESS: {
	    XaceDeviceAccessRec rec = {
		va_arg(ap, ClientPtr),
		va_arg(ap, DeviceIntPtr),
121
		va_arg(ap, Mask),
122
		Success /* default allow */
Eamon Walsh's avatar
Eamon Walsh committed
123 124
	    };
	    calldata = &rec;
125
	    prv = &rec.status;
Eamon Walsh's avatar
Eamon Walsh committed
126 127
	    break;
	}
128 129 130 131 132 133 134 135 136 137 138 139 140 141 142
	case XACE_SEND_ACCESS: {
	    XaceSendAccessRec rec = {
		va_arg(ap, ClientPtr),
		va_arg(ap, DeviceIntPtr),
		va_arg(ap, WindowPtr),
		va_arg(ap, xEventPtr),
		va_arg(ap, int),
		Success /* default allow */
	    };
	    calldata = &rec;
	    prv = &rec.status;
	    break;
	}
	case XACE_RECEIVE_ACCESS: {
	    XaceReceiveAccessRec rec = {
Eamon Walsh's avatar
Eamon Walsh committed
143 144
		va_arg(ap, ClientPtr),
		va_arg(ap, WindowPtr),
145 146
		va_arg(ap, xEventPtr),
		va_arg(ap, int),
147
		Success /* default allow */
Eamon Walsh's avatar
Eamon Walsh committed
148 149
	    };
	    calldata = &rec;
150
	    prv = &rec.status;
Eamon Walsh's avatar
Eamon Walsh committed
151 152
	    break;
	}
153 154 155 156 157 158 159 160 161 162 163
	case XACE_CLIENT_ACCESS: {
	    XaceClientAccessRec rec = {
		va_arg(ap, ClientPtr),
		va_arg(ap, ClientPtr),
		va_arg(ap, Mask),
		Success /* default allow */
	    };
	    calldata = &rec;
	    prv = &rec.status;
	    break;
	}
Eamon Walsh's avatar
Eamon Walsh committed
164 165 166 167
	case XACE_EXT_ACCESS: {
	    XaceExtAccessRec rec = {
		va_arg(ap, ClientPtr),
		va_arg(ap, ExtensionEntry*),
168
		DixGetAttrAccess,
169
		Success /* default allow */
Eamon Walsh's avatar
Eamon Walsh committed
170 171
	    };
	    calldata = &rec;
172
	    prv = &rec.status;
Eamon Walsh's avatar
Eamon Walsh committed
173 174
	    break;
	}
175 176
	case XACE_SERVER_ACCESS: {
	    XaceServerAccessRec rec = {
Eamon Walsh's avatar
Eamon Walsh committed
177 178
		va_arg(ap, ClientPtr),
		va_arg(ap, Mask),
179
		Success /* default allow */
Eamon Walsh's avatar
Eamon Walsh committed
180 181
	    };
	    calldata = &rec;
182
	    prv = &rec.status;
183 184
	    break;
	}
185 186 187 188 189 190 191
	case XACE_SCREEN_ACCESS:
	case XACE_SCREENSAVER_ACCESS: {
	    XaceScreenAccessRec rec = {
		va_arg(ap, ClientPtr),
		va_arg(ap, ScreenPtr),
		va_arg(ap, Mask),
		Success /* default allow */
Eamon Walsh's avatar
Eamon Walsh committed
192 193
	    };
	    calldata = &rec;
194
	    prv = &rec.status;
Eamon Walsh's avatar
Eamon Walsh committed
195 196 197 198 199 200 201 202 203 204
	    break;
	}
	case XACE_AUTH_AVAIL: {
	    XaceAuthAvailRec rec = {
		va_arg(ap, ClientPtr),
		va_arg(ap, XID)
	    };
	    calldata = &rec;
	    break;
	}
205 206 207 208 209 210 211 212 213
	case XACE_KEY_AVAIL: {
	    XaceKeyAvailRec rec = {
		va_arg(ap, xEventPtr),
		va_arg(ap, DeviceIntPtr),
		va_arg(ap, int)
	    };
	    calldata = &rec;
	    break;
	}
Eamon Walsh's avatar
Eamon Walsh committed
214 215 216 217 218 219 220 221 222
	default: {
	    va_end(ap);
	    return 0;	/* unimplemented hook number */
	}
    }
    va_end(ap);
 
    /* call callbacks and return result, if any. */
    CallCallbacks(&XaceHooks[hook], calldata);
223
    return prv ? *prv : Success;
Eamon Walsh's avatar
Eamon Walsh committed
224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246
}

/* XaceCensorImage
 *
 * Called after pScreen->GetImage to prevent pieces or trusted windows from
 * being returned in image data from an untrusted window.
 *
 * Arguments:
 *	client is the client doing the GetImage.
 *      pVisibleRegion is the visible region of the window.
 *	widthBytesLine is the width in bytes of one horizontal line in pBuf.
 *	pDraw is the source window.
 *	x, y, w, h is the rectangle of image data from pDraw in pBuf.
 *	format is the format of the image data in pBuf: ZPixmap or XYPixmap.
 *	pBuf is the image data.
 *
 * Returns: nothing.
 *
 * Side Effects:
 *	Any part of the rectangle (x, y, w, h) that is outside the visible
 *	region of the window will be destroyed (overwritten) in pBuf.
 */
void
Julien Cristau's avatar
Julien Cristau committed
247 248 249 250 251 252 253 254
XaceCensorImage(
	ClientPtr client,
	RegionPtr pVisibleRegion,
	long widthBytesLine,
	DrawablePtr pDraw,
	int x, int y, int w, int h,
	unsigned int format,
	char *pBuf)
Eamon Walsh's avatar
Eamon Walsh committed
255
{
256
    ScreenPtr pScreen;
Eamon Walsh's avatar
Eamon Walsh committed
257 258 259 260 261
    RegionRec imageRegion;  /* region representing x,y,w,h */
    RegionRec censorRegion; /* region to obliterate */
    BoxRec imageBox;
    int nRects;

262 263
    pScreen = pDraw->pScreen;

Eamon Walsh's avatar
Eamon Walsh committed
264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286
    imageBox.x1 = x;
    imageBox.y1 = y;
    imageBox.x2 = x + w;
    imageBox.y2 = y + h;
    REGION_INIT(pScreen, &imageRegion, &imageBox, 1);
    REGION_NULL(pScreen, &censorRegion);

    /* censorRegion = imageRegion - visibleRegion */
    REGION_SUBTRACT(pScreen, &censorRegion, &imageRegion, pVisibleRegion);
    nRects = REGION_NUM_RECTS(&censorRegion);
    if (nRects > 0)
    { /* we have something to censor */
	GCPtr pScratchGC = NULL;
	PixmapPtr pPix = NULL;
	xRectangle *pRects = NULL;
	Bool failed = FALSE;
	int depth = 1;
	int bitsPerPixel = 1;
	int i;
	BoxPtr pBox;

	/* convert region to list-of-rectangles for PolyFillRect */

287
	pRects = xalloc(nRects * sizeof(xRectangle));
Eamon Walsh's avatar
Eamon Walsh committed
288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338
	if (!pRects)
	{
	    failed = TRUE;
	    goto failSafe;
	}
	for (pBox = REGION_RECTS(&censorRegion), i = 0;
	     i < nRects;
	     i++, pBox++)
	{
	    pRects[i].x = pBox->x1;
	    pRects[i].y = pBox->y1 - imageBox.y1;
	    pRects[i].width  = pBox->x2 - pBox->x1;
	    pRects[i].height = pBox->y2 - pBox->y1;
	}

	/* use pBuf as a fake pixmap */

	if (format == ZPixmap)
	{
	    depth = pDraw->depth;
	    bitsPerPixel = pDraw->bitsPerPixel;
	}

	pPix = GetScratchPixmapHeader(pDraw->pScreen, w, h,
		    depth, bitsPerPixel,
		    widthBytesLine, (pointer)pBuf);
	if (!pPix)
	{
	    failed = TRUE;
	    goto failSafe;
	}

	pScratchGC = GetScratchGC(depth, pPix->drawable.pScreen);
	if (!pScratchGC)
	{
	    failed = TRUE;
	    goto failSafe;
	}

	ValidateGC(&pPix->drawable, pScratchGC);
	(* pScratchGC->ops->PolyFillRect)(&pPix->drawable,
			    pScratchGC, nRects, pRects);

    failSafe:
	if (failed)
	{
	    /* Censoring was not completed above.  To be safe, wipe out
	     * all the image data so that nothing trusted gets out.
	     */
	    bzero(pBuf, (int)(widthBytesLine * h));
	}
Daniel Stone's avatar
Daniel Stone committed
339
	if (pRects)     xfree(pRects);
Eamon Walsh's avatar
Eamon Walsh committed
340 341 342 343 344 345
	if (pScratchGC) FreeScratchGC(pScratchGC);
	if (pPix)       FreeScratchPixmapHeader(pPix);
    }
    REGION_UNINIT(pScreen, &imageRegion);
    REGION_UNINIT(pScreen, &censorRegion);
} /* XaceCensorImage */
346 347 348 349 350 351 352 353 354 355 356 357 358 359 360

/*
 * Xtrans wrappers for use by modules
 */
int XaceGetConnectionNumber(ClientPtr client)
{
    XtransConnInfo ci = ((OsCommPtr)client->osPrivate)->trans_conn;
    return _XSERVTransGetConnectionNumber(ci);
}

int XaceIsLocal(ClientPtr client)
{
    XtransConnInfo ci = ((OsCommPtr)client->osPrivate)->trans_conn;
    return _XSERVTransIsLocal(ci);
}