Trusted X Window System Security Policy
Window, property, and pixmap objects have a user ID, a client ID,
and a sensitivity label. Graphic contexts, fonts, and cursors have a client
ID only. The connection between the client and the X Window Server
has a user ID, an X Window Server ID, and a sensitivity
The user ID is the ID of the client that created the object.
The client ID is related to the connection number to which the client
that creates the object is connected.
The DAC policy requires a client to own an object to perform
any operations on that object. A client owns an object when the
client's user ID equals the object's ID. For a connection request, the
user ID of the client must be in the access control list
(ACL) of the owner of the X Window Server workstation. Or, the
client must assert the Trusted Path attribute.
The MAC policy is write-equal for windows and pixmaps, and read-equal for
naming windows. The MAC policy is read-down for properties. The sensitivity label
is set to the sensitivity label of the creating client. The following
shows the MAC policy for these actions:
Modify, create, or delete – The sensitivity label of the client must equal the object's sensitivity label.
Name, read, or retrieve – The client's sensitivity label must dominate the object's sensitivity label.
Connection request – The sensitivity label of the client must be dominated by the session clearance of the owner of the X Window Server workstation, or the client must assert the Trusted Path attribute.
Windows can have properties that contain information to be shared among clients.
Window properties are created at the sensitivity label at which the application
is running, so access to the property data is segregated by its
sensitivity label. Clients can create properties, store data in a property on
a window, and retrieve the data from a property subject to MAC
and DAC restrictions. To specify properties that are not polyinstantiated, update the
The TrustedExtensionsPolicy file is supported for the Xsun server and the Xorg
SPARC: For Xsun, the file is in /usr/openwin/server/etc.
x86: For Xorg, the file is in /usr/X11/lib/X11/xserver.
These sections describe the security policy for the following:
Keyboard, pointer, and server control
Default window resources
Moving data between windows
The root window is at the top of the window hierarchy. The
root window is a public object that does not belong to any
client, but it has data that must be protected. The root window
attributes are protected at ADMIN_LOW.
A client usually has at least one top-level client window that descends
from the root window and additional windows nested within the top-level window.
All windows that descend from the client's top-level window have the same
Override-redirect windows, such as menus and certain dialog boxes, cannot take the
input focus away from another client. This prevents the input focus from
accepting input into a file at the wrong sensitivity label. Override-redirect windows
are owned by the creating client and cannot be used by other
clients to access data at another sensitivity label.
Keyboard, Pointer, and Server Control
A client needs MAC and DAC to gain control of the keyboard,
pointer, and server. To reset the focus, a client must own the
focus or have the win_devices privilege in its effective set.
To warp a pointer, the client needs pointer control and MAC and
DAC to the destination window. X and Y coordinate information can be
obtained for events that involve explicit user action.
The Selection Manager application arbitrates user-level interwindow data moves, such as cut
and paste or drag and drop, where information is transferred between untrusted
windows. When a transfer is attempted, the Selection Manager captures the transfer,
verifies the controlling user's authorization, and requests confirmation and labeling information from
the user. Any time the user attempts a data move, the Selection
Manager automatically appears. You do not need to update your application code
to get the Selection Manager to appear.
The administrator can set automatic confirmation for some transfer types, in which
case the Selection Manager does not appear. If the transfer meets the
MAC and DAC policies, the data transfer completes. The File Manager and
Window Manager also act as selection agents for their private drop sites.
See the /usr/openwin/server/etc/TrustedExtensionsPolicy file to specify selection targets that are polyinstantiated. See
the /usr/dt/config/sel_config file to determine which selection targets are automatically confirmed.
Default Window Resources
Resources that are not created by clients are default resources that are
protected at ADMIN_LOW. Only clients that run at ADMIN_LOW or with the
appropriate privileges can modify default resources.
The following are window resources:
Root window attributes – All clients have read and create access, but only privileged clients have write or modify access. See Privileged Operations and the Trusted X Window System.
Default cursor – Clients are free to reference the default cursor in protocol requests.
Predefined atoms – The TrustedExtensionsPolicy file contains a read-only list of predefined atoms.
Moving Data Between Windows
A client needs the win_selection privilege in its effective set to move
data between one window and another window without going through the Selection
Manager. See Selection Manager.