From e4928c5f7954ea062815c8a37c9d37e3e3fa40df Mon Sep 17 00:00:00 2001 From: Eamon Walsh Date: Tue, 13 Oct 2009 19:17:13 -0400 Subject: [PATCH] Add separate x_pointer and x_keyboard classes inheriting from x_device. This is needed to allow more fine-grained control over X devices without using different types. Using different types is problematic because devices act as subjects in the X Flask implementation, and subjects cannot be labeled through a type transition (since the output role is hardcoded to object_r). Signed-off-by: Eamon Walsh --- policy/flask/access_vectors | 55 ++++++++++++++++++++++------------- policy/flask/security_classes | 4 +++ 2 files changed, 38 insertions(+), 21 deletions(-) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 3998b774..6620e4cc 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -93,6 +93,33 @@ common database relabelto } +# +# Define a common prefix for pointer and keyboard access vectors. +# + +common x_device +{ + getattr + setattr + use + read + write + getfocus + setfocus + bell + force_cursor + freeze + grab + manage + list_property + get_property + set_property + add + remove + create + destroy +} + # # Define the access vectors. # @@ -525,27 +552,7 @@ class x_client } class x_device -{ - getattr - setattr - use - read - write - getfocus - setfocus - bell - force_cursor - freeze - grab - manage - list_property - get_property - set_property - add - remove - create - destroy -} +inherits x_device class x_server { @@ -802,3 +809,9 @@ class kernel_service class tun_socket inherits socket + +class x_pointer +inherits x_device + +class x_keyboard +inherits x_device diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 2bd1bf6d..fa65db2c 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -121,4 +121,8 @@ class kernel_service class tun_socket +# Still More SE-X Windows stuff +class x_pointer # userspace +class x_keyboard # userspace + # FLASK