From ab1324774d2bcdca0042c3fd5ed682a7ec4fd5fa Mon Sep 17 00:00:00 2001
From: Adam Jackson
Date: Tue, 3 Mar 2009 19:34:21 +0000
Subject: [PATCH] * Tue Mar 03 2009 Adam Jackson 1.6.0-4
- xserver-1.6.0-selinux-raw.patch: Deal in raw contexts, to avoid paying the price for setrans on every object.
- xserver-1.6.0-primary.patch: Try harder to figure out what the primary video device is on machines with multiple GPUs.
- xserver-1.6.0-selinux-destroy.patch: Don't bother relabeling objects that are on the way to destruction.
---
 xserver-1.6.0-primary.patch | 95 ++++++++++++
 xserver-1.6.0-selinux-destroy.patch | 25 ++++
 xserver-1.6.0-selinux-raw.patch | 225 ++++++++++++++++++++++++++++
 3 files changed, 345 insertions(+)
 create mode 100644 xserver-1.6.0-primary.patch
 create mode 100644 xserver-1.6.0-selinux-destroy.patch
 create mode 100644 xserver-1.6.0-selinux-raw.patch
diff --git a/xserver-1.6.0-primary.patch b/xserver-1.6.0-primary.patch
new file mode 100644
index 0000000..c407534
--- /dev/null
+++ b/xserver-1.6.0-primary.patch
@@ -0,0 +1,95 @@ +From 9ee22b4f743a2850fed35f179c56f94ce4bb5242 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Tue, 3 Mar 2009 10:58:33 -0500 +Subject: [PATCH] Primary video device hack + +--- + hw/xfree86/common/xf86pciBus.c | 54 ++++++++++++++++++++++++++++++++++----- + 1 files changed, 47 insertions(+), 7 deletions(-) + +diff --git a/hw/xfree86/common/xf86pciBus.c b/hw/xfree86/common/xf86pciBus.c +index 467a0c3..f9999d8 100644 +--- a/hw/xfree86/common/xf86pciBus.c ++++ b/hw/xfree86/common/xf86pciBus.c +@@ -341,6 +341,39 @@ restorePciBusState(BusAccPtr ptr) + } + #undef MASKBITS + ++/* oh god what have i done */ ++static Bool ++looks_like_bios_primary(struct pci_device *info) ++{ ++ unsigned char *bios; ++ unsigned short vendor, device; ++ int offset; ++ Bool ret = FALSE; ++ ++ bios = xf86MapVidMem(-1, VIDMEM_MMIO, 0xc0000, 0x10000); ++ if (!bios) ++ return FALSE; ++ ++ if (bios[0] != 0x55 || bios[1] != 0xAA) ++ goto out; ++ ++ offset = (bios[0x19] << 8) + bios[0x18]; ++ ++ if (bios[offset] != 'P' || ++ bios[offset+1] != 'C' || ++ bios[offset+2] != 'I' || ++ bios[offset+3] != 'R') ++ goto out; ++ ++ vendor = (bios[offset+5] << 8) + bios[offset+4]; ++ device = (bios[offset+7] << 8) + bios[offset+6]; ++ ++ ret = (info->vendor_id == vendor) && (info->device_id == device); ++ ++out: ++ xf86UnMapVidMem(-1, bios, 0x10000); ++ return ret; ++} + + /* + * xf86Bus.c interface +@@ -375,24 +408,31 @@ xf86PciProbe(void) + } + } + +- + /* If we haven't found a primary device try a different heuristic */ + if (primaryBus.type == BUS_NONE && num) { + for (i = 0; i < num; i++) { + uint16_t command; + + info = xf86PciVideoInfo[i]; ++ if (!IS_VGA(info->device_class)) ++ continue; ++ + pci_device_cfg_read_u16(info, & command, 4); + +- if ((command & PCI_CMD_MEM_ENABLE) +- && ((num == 1) || IS_VGA(info->device_class))) { +- if (primaryBus.type == BUS_NONE) { ++ if ((command & PCI_CMD_MEM_ENABLE)) { ++ if (num == 1) { + primaryBus.type = BUS_PCI; + primaryBus.id.pci = info; +- } 
else { +- xf86Msg(X_NOTICE, ++ break; ++ } else if (looks_like_bios_primary(info)) { ++ if (primaryBus.type == BUS_NONE) { ++ primaryBus.type = BUS_PCI; ++ primaryBus.id.pci = info; ++ } else { ++ xf86Msg(X_NOTICE, + "More than one possible primary device found\n"); +- primaryBus.type ^= (BusType)(-1); ++ primaryBus.type ^= (BusType)(-1); ++ } + } + } + } +-- +1.6.1.3 + diff --git a/xserver-1.6.0-selinux-destroy.patch b/xserver-1.6.0-selinux-destroy.patch new file mode 100644 index 0000000..448793c --- /dev/null +++ b/xserver-1.6.0-selinux-destroy.patch @@ -0,0 +1,25 @@ +From 00fb367cffcc6dd36e5c023757414ed63e13e643 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Tue, 3 Mar 2009 14:32:52 -0500 +Subject: [PATCH] Don't bother relabeling resources that are being destroyed + +--- + Xext/xselinux.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/Xext/xselinux.c b/Xext/xselinux.c +index 6085983..f8495ea 100644 +--- a/Xext/xselinux.c ++++ b/Xext/xselinux.c +@@ -1150,6 +1150,8 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata) + + if (rec->type != RT_WINDOW) + return; ++ if (rec->state != ResourceStateAdding) ++ return; + + pWin = (WindowPtr)rec->value; + subj = dixLookupPrivate(&wClient(pWin)->devPrivates, subjectKey); +-- +1.6.1.3 + diff --git a/xserver-1.6.0-selinux-raw.patch b/xserver-1.6.0-selinux-raw.patch new file mode 100644 index 0000000..13758fb --- /dev/null +++ b/xserver-1.6.0-selinux-raw.patch 
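Review bot: looks_like_bios_primary (new in the inner hunk at 341) reads bios[offset] through bios[offset+7] without checking offset against the 0x10000 bytes it mapped, and since offset is assembled from two ROM bytes it can be anything up to 0xFFFF, so a ROM image with a stray pointer makes the compare read past the end of the mapping. Add `if (offset + 8 > 0x10000) goto out;` before the 'PCIR' signature check; the repeated 0xc0000/0x10000 pair in the map and unmap calls would also be clearer as named constants. The helper is called from inside the per-device loop in xf86PciProbe (inner hunk at 375), so the legacy ROM region is mapped and unmapped once per VGA device rather than once per probe. xf86PciProbe starts before and ends after that hunk, and the `/* oh god what have i done */` comment would serve readers better as `/* true if the PCI data structure of the ROM shadowed at 0xc0000 names this device's vendor and device id */`.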
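Review bot: The added early return in SELinuxResourceState (inner hunk at 1150) rejects every state other than ResourceStateAdding without saying why, and the two lines do not make the reason obvious; suggest `/* Only label on creation: a window in ResourceStateFreeing is being torn down and must not get its context properties rewritten */`. The selinux-raw patch's context for the same function (its hunk at 1156) shows the code that follows calling avc_sid_to_context_raw and dixChangeWindowProperty on the window, so the check also avoids a property write on a dying window, which is presumably the motivation and belongs in the patch header. SELinuxResourceState continues past the hunk.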
@@ -0,0 +1,225 @@ +From 252522d2caa87dbfb510436a56332bd6e86b1a96 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 2 Mar 2009 18:31:18 -0500 +Subject: [PATCH] selinux raw patch + +--- + Xext/xselinux.c | 64 +++++++++++++++++++++++++++--------------------------- + 1 files changed, 32 insertions(+), 32 deletions(-) + +diff --git a/Xext/xselinux.c b/Xext/xselinux.c +index 8e026be..6085983 100644 +--- a/Xext/xselinux.c ++++ b/Xext/xselinux.c +@@ -186,19 +186,19 @@ SELinuxAtomToSIDLookup(Atom atom, SELinuxObjectRec *obj, int map, int polymap) + obj->poly = 1; + + /* Look in the mappings of names to contexts */ +- if (selabel_lookup(label_hnd, &ctx, name, map) == 0) { ++ if (selabel_lookup_raw(label_hnd, &ctx, name, map) == 0) { + obj->poly = 0; + } else if (errno != ENOENT) { + ErrorF("SELinux: a property label lookup failed!\n"); + return BadValue; +- } else if (selabel_lookup(label_hnd, &ctx, name, polymap) < 0) { ++ } else if (selabel_lookup_raw(label_hnd, &ctx, name, polymap) < 0) { + ErrorF("SELinux: a property label lookup failed!\n"); + return BadValue; + } + + /* Get a SID for context */ +- if (avc_context_to_sid(ctx, &obj->sid) < 0) { +- ErrorF("SELinux: a context_to_SID call failed!\n"); ++ if (avc_context_to_sid_raw(ctx, &obj->sid) < 0) { ++ ErrorF("SELinux: a context_to_SID_raw call failed!\n"); + rc = BadAlloc; + } + +@@ -343,7 +343,7 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window, + SELinuxObjectRec *sid_return) + { + const char *name = LookupEventName(type); +- security_context_t con; ++ security_context_t ctx; + type &= 127; + + if (type >= numKnownEvents) { +@@ -359,16 +359,16 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window, + + if (!knownEvents[type]) { + /* Look in the mappings of event names to contexts */ +- if (selabel_lookup(label_hnd, &con, name, SELABEL_X_EVENT) < 0) { ++ if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EVENT) < 0) { + ErrorF("SELinux: an event label lookup failed!\n"); + return 
BadValue; + } + /* Get a SID for context */ +- if (avc_context_to_sid(con, knownEvents + type) < 0) { +- ErrorF("SELinux: a context_to_SID call failed!\n"); ++ if (avc_context_to_sid_raw(ctx, knownEvents + type) < 0) { ++ ErrorF("SELinux: a context_to_SID_raw call failed!\n"); + return BadAlloc; + } +- freecon(con); ++ freecon(ctx); + } + + /* Perform a transition to obtain the final SID */ +@@ -474,7 +474,7 @@ SELinuxLabelClient(ClientPtr client) + /* Try to get a context from the socket */ + if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) { + /* Otherwise, fall back to a default context */ +- if (selabel_lookup(label_hnd, &ctx, "remote", SELABEL_X_CLIENT) < 0) ++ if (selabel_lookup_raw(label_hnd, &ctx, "remote", SELABEL_X_CLIENT) < 0) + FatalError("SELinux: failed to look up remote-client context\n"); + } + +@@ -509,8 +509,8 @@ SELinuxLabelClient(ClientPtr client) + + finish: + /* Get a SID from the context */ +- if (avc_context_to_sid(ctx, &subj->sid) < 0) +- FatalError("SELinux: client %d: context_to_sid(%s) failed\n", ++ if (avc_context_to_sid_raw(ctx, &subj->sid) < 0) ++ FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n", + client->index, ctx); + + sidget(obj->sid = subj->sid); +@@ -541,7 +541,7 @@ SELinuxLabelInitial(void) + FatalError("SELinux: couldn't get context of X server process\n"); + + /* Get a SID from the context */ +- if (avc_context_to_sid(ctx, &subj->sid) < 0) ++ if (avc_context_to_sid_raw(ctx, &subj->sid) < 0) + FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx); + + sidget(obj->sid = subj->sid); +@@ -827,20 +827,20 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata) + /* XXX there should be a separate callback for this */ + if (obj->sid == unlabeled_sid) { + const char *name = rec->ext->name; +- security_context_t con; ++ security_context_t ctx; + security_id_t sid; + + serv = dixLookupPrivate(&serverClient->devPrivates, subjectKey); + + /* Look in the mappings of extension names to 
contexts */ +- if (selabel_lookup(label_hnd, &con, name, SELABEL_X_EXT) < 0) { ++ if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EXT) < 0) { + ErrorF("SELinux: a property label lookup failed!\n"); + rec->status = BadValue; + return; + } + /* Get a SID for context */ +- if (avc_context_to_sid(con, &sid) < 0) { +- ErrorF("SELinux: a context_to_SID call failed!\n"); ++ if (avc_context_to_sid_raw(ctx, &sid) < 0) { ++ ErrorF("SELinux: a context_to_SID_raw call failed!\n"); + rec->status = BadAlloc; + return; + } +@@ -851,11 +851,11 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata) + if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION, + &obj->sid) < 0) { + ErrorF("SELinux: a SID transition call failed!\n"); +- freecon(con); ++ freecon(ctx); + rec->status = BadValue; + return; + } +- freecon(con); ++ freecon(ctx); + } + + /* Perform the security check */ +@@ -1156,7 +1156,7 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata) + + if (subj->sid) { + security_context_t ctx; +- int rc = avc_sid_to_context(subj->sid, &ctx); ++ int rc = avc_sid_to_context_raw(subj->sid, &ctx); + if (rc < 0) + FatalError("SELinux: Failed to get security context!\n"); + rc = dixChangeWindowProperty(serverClient, +@@ -1172,7 +1172,7 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata) + + if (obj->sid) { + security_context_t ctx; +- int rc = avc_sid_to_context(obj->sid, &ctx); ++ int rc = avc_sid_to_context_raw(obj->sid, &ctx); + if (rc < 0) + FatalError("SELinux: Failed to get security context!\n"); + rc = dixChangeWindowProperty(serverClient, +@@ -1288,7 +1288,7 @@ SELinuxSendContextReply(ClientPtr client, security_id_t sid) + int len = 0; + + if (sid) { +- if (avc_sid_to_context(sid, &ctx) < 0) ++ if (avc_sid_to_context_raw(sid, &ctx) < 0) + return BadValue; + len = strlen(ctx) + 1; + } +@@ -1347,9 +1347,9 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset) + *pSid = NULL; + + if 
(stuff->context_len > 0) { +- if (security_check_context(ctx) < 0) ++ if (security_check_context_raw(ctx) < 0) + return BadValue; +- if (avc_context_to_sid(ctx, pSid) < 0) ++ if (avc_context_to_sid_raw(ctx, pSid) < 0) + return BadValue; + } + return Success; +@@ -1393,9 +1393,9 @@ ProcSELinuxSetDeviceContext(ClientPtr client) + if (rc != Success) + return rc; + +- if (security_check_context(ctx) < 0) ++ if (security_check_context_raw(ctx) < 0) + return BadValue; +- if (avc_context_to_sid(ctx, &sid) < 0) ++ if (avc_context_to_sid_raw(ctx, &sid) < 0) + return BadValue; + + subj = dixLookupPrivate(&dev->devPrivates, subjectKey); +@@ -1511,9 +1511,9 @@ SELinuxPopulateItem(SELinuxListItemRec *i, PrivateRec **privPtr, CARD32 id, + SELinuxObjectRec *obj = dixLookupPrivate(privPtr, objectKey); + SELinuxObjectRec *data = dixLookupPrivate(privPtr, dataKey); + +- if (avc_sid_to_context(obj->sid, &i->octx) < 0) ++ if (avc_sid_to_context_raw(obj->sid, &i->octx) < 0) + return BadValue; +- if (avc_sid_to_context(data->sid, &i->dctx) < 0) ++ if (avc_sid_to_context_raw(data->sid, &i->dctx) < 0) + return BadValue; + + i->id = id; +@@ -1941,7 +1941,7 @@ SELinuxExtensionInit(INITARGS) + ExtensionEntry *extEntry; + struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 }; + struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 }; +- security_context_t con; ++ security_context_t ctx; + int ret = TRUE; + + /* Check SELinux mode on system */ +@@ -1988,11 +1988,11 @@ SELinuxExtensionInit(INITARGS) + if (!label_hnd) + FatalError("SELinux: Failed to open x_contexts mapping in policy\n"); + +- if (security_get_initial_context("unlabeled", &con) < 0) ++ if (security_get_initial_context_raw("unlabeled", &ctx) < 0) + FatalError("SELinux: Failed to look up unlabeled context\n"); +- if (avc_context_to_sid(con, &unlabeled_sid) < 0) ++ if (avc_context_to_sid_raw(ctx, &unlabeled_sid) < 0) + FatalError("SELinux: a context_to_SID call failed!\n"); +- freecon(con); ++ 
freecon(ctx); + + /* Prepare for auditing */ + audit_fd = audit_open(); +-- +1.6.1.3 +
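Review bot: The switch to the _raw API in SELinuxSendContextReply (inner hunk at 1288) and in ProcSELinuxSetCreateContext and ProcSELinuxSetDeviceContext (1347, 1393) changes what SELinux-extension clients receive and must supply, untranslated contexts instead of the setrans-translated form, and the window properties written in SELinuxResourceState (1156, 1172) change the same way, yet the patch header only mentions the setrans cost. If that protocol-visible change is intended, say so in the description and note that security_check_context_raw is the matching validator for raw client input; if not, keep the _raw calls to the internal label lookups and leave the client-facing request and reply paths on the translated API. Two messages were left inconsistent with the rest of the patch: at 541 `FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);` and at 1988 `FatalError("SELinux: a context_to_SID call failed!\n");` still name the non-raw call while the others were updated. The con-to-ctx renames in SELinuxEventToSID, SELinuxExtension and SELinuxExtensionInit are unrelated to the functional change and would be easier to review as a separate patch.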