XACE/XSEL XEXT: DRI3 clients need to read all x drawables
Submitted by dac.override
Assigned to Xorg Project Team
Link to original bug (#108501)
Description
X clients that use DRI3 need to have access to all xdrawables. This is not feasible because that would allow these clients to capture drawables of other X clients (do screenscraping).
XACE can be used to enforce fine-grained mandatory access control. If you disable any DRI3 user access to the root xdrawables, it will freeze the root xdrawable:
avc: denied { read } for request=DRI3:Open comm=/app/extra/vscode/code --type=gpu-process --disable-features=Co resid=155 restype=WINDOW scontext=wheel.id:wheel.role:flatpak.container.wheel.subj:s0 tcontext=wheel.id:object_r:xserver.root_xdrawable.xdrawable:s0 tclass=x_drawable permissive=0
In the example above a process "/app/extra/vscode/code" was requesting "DRI3:Open", and this caused it to "read" the xserver root x_drawable. Without this access, this event would cause this x_drawable to freeze (and since that is the root xdrawable, basically your screen is frozen).
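As an added illustration (not part of the bug report or of the DSSP2 policy), the following Python script parses AVC denial lines of the shape quoted above and flags the pattern the report describes: a DRI3 request refused "read" on an x_drawable whose target type is the root xdrawable. The first sample line is the denial from the report; the second sample line, the field-parsing regex and the function names are my own construction, and the type name "root_xdrawable" is assumed to be the one this policy uses, as seen in the quoted tcontext.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: line 1 is the denial quoted in the report, line 2 is a
# made-up x_extension denial that must NOT be flagged by the root-drawable check.
SAMPLE_LOG = """\
avc: denied { read } for request=DRI3:Open comm=/app/extra/vscode/code --type=gpu-process --disable-features=Co resid=155 restype=WINDOW scontext=wheel.id:wheel.role:flatpak.container.wheel.subj:s0 tcontext=wheel.id:object_r:xserver.root_xdrawable.xdrawable:s0 tclass=x_drawable permissive=0
avc: denied { use } for request=DRI3:QueryVersion comm=xterm resid=0 restype=NONE scontext=wheel.id:wheel.role:wheel.subj:s0 tcontext=wheel.id:object_r:xserver.dri3_xextension.xextension:s0 tclass=x_extension permissive=0
"""

# "avc: denied { perm ... } for key=value key=value ..."
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# Values such as comm= may contain spaces and '=' (chromium-style argv), so a value
# runs until the next whitespace-separated "word=" token or end of line. Caveat: a
# comm value containing " word=" would be split at that point.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def _context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


@dataclass
class AvcDenial:
    perms: Tuple[str, ...]      # permissions inside the braces, e.g. ("read",)
    fields: Dict[str, str]      # key=value pairs after "for"

    @property
    def tclass(self) -> str:
        return self.fields.get("tclass", "")

    @property
    def source_type(self) -> str:
        return _context_type(self.fields.get("scontext", ""))

    @property
    def target_type(self) -> str:
        return _context_type(self.fields.get("tcontext", ""))


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one XACE/SELinux AVC denial line; return None for other lines."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group(1).split())
    fields = dict(_FIELD_RE.findall(m.group(2)))
    return AvcDenial(perms, fields)


def find_dri3_root_drawable_denials(log_text: str) -> List[AvcDenial]:
    """Select denials where a DRI3 request was refused 'read' on the root x_drawable.

    The "root_xdrawable" type-name fragment is an assumption taken from the
    tcontext quoted in the report; adapt it to the policy actually in use.
    """
    hits: List[AvcDenial] = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if (
            d.tclass == "x_drawable"
            and "read" in d.perms
            and d.fields.get("request", "").startswith("DRI3:")
            and "root_xdrawable" in d.target_type
        ):
            hits.append(d)
    return hits


if __name__ == "__main__":
    # Typical use: feed the output of "journalctl -rb --grep denied" via stdin.
    for hit in find_dri3_root_drawable_denials(SAMPLE_LOG):
        print(f"{hit.fields.get('comm')!r} ({hit.source_type}) was denied "
              f"{'/'.join(hit.perms)} on {hit.target_type} via {hit.fields.get('request')}")
```

Running the script on the constructed sample prints only the first line's denial; the x_extension denial is parsed but not reported, which is what you want when separating "client may use DRI3" (harmless) from "client needs to read the root drawable" (the problem this report is about).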
To reproduce this event just block access to the root x_drawable for any DRI3 process.
To make this easier to reproduce I have a Fedora Rawhide liveCD available that has a policy (almost ready to test). Be aware that this issue cannot be reproduced on QEMU/QXL as that does not support DRI3 (supposedly).
URL to livecd to test:
https://tfirg.undo.it/~kcinimod/stuff/Fedora-Rawhide-DSSP2.iso
Instructions:
1. Boot the liveCD (make sure you have enough memory allocated).
2. Log in with: liveuser (no password).
3. sudo setsebool xserver_object_manager on (enable XACE)
4. sudo setsebool xserver.xace.enable_dri3_xextension off (turn off the boolean with the bad access control rule that allows a DRI3 user to read arbitrary xdrawables)
5. sudo semodule -DB (make SELinux verbose)
6. Create and install a module that allows the subject to query and use the dri3 xextension:
   sudo cat > mytest.cil <<EOF
   (in xserver
     (call dri3_xextension.query_xextension (xace.client_subj_type_attribute))
     (call dri3_xextension.use_xextension (xace.client_subj_type_attribute)))
   EOF
   sudo semodule -i mytest.cil
7. startx /usr/bin/awesome (start awesomewm)
8. SUPER+ENTER to open xterm
9. sudo dnf install rpm-plugin-selinux (this needs to be installed first; was a bug in Rawhide at the time of liveCD image compilation)
10. sudo dnf install flatpak (install flatpak because that is what is contained using XACE)
11. flatpak --user remote-add flathub --from https://flathub.org/repo/flathub.flatpakrepo (install the flathub repository)
12. flatpak --user install flathub com.visualstudio.code (this app is known to use DRI3)
13. flatpak --user run com.visualstudio.code (note how this freezes your root xdrawable)
14. CTRL+ALT+F2 (switch to a TTY)
15. journalctl -rb --grep denied | grep -i DRI3 (notice the AVC denial mentioned above)
To see the rules associated with the xserver.xace.allow_dri3_xextension: sesearch -A -b xserver.xace.allow_dri3_xextension
To confirm that it does work if it has access to xdrawables, simply toggle the boolean to on and try again.
Video demo on YouTube using QEMU/QXL (so I was unable to reproduce the issue there, but it might give some pointers as to how to try this out):
https://www.youtube.com/watch?v=GIOebHvfeFU
Policy used:
https://github.com/DefenSec/dssp2-standard
There's also a few other issues with XACE that are visible in this procedure:
Rootless Xserver tries to log to privileged audit but is not allowed due to missing CAP_AUDIT_WRITE