Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Solaris Trusted Extensions Developer's Guide
Previous Next

Trusted X Window System Security Policy

Window, property, and pixmap objects have a user ID, a client ID, and a sensitivity label. Graphic contexts, fonts, and cursors have a client ID only. The connection between the client and the X Window Server has a user ID, an X Window Server ID, and a sensitivity label.

The user ID is the ID of the client that created the object. The client ID is related to the connection number to which the client that creates the object is connected.

The DAC policy requires a client to own an object to perform any operations on that object. A client owns an object when the client's user ID equals the object's ID. For a connection request, the user ID of the client must be in the access control list (ACL) of the owner of the X Window Server workstation. Or, the client must assert the Trusted Path attribute.

The MAC policy is write-equal for windows and pixmaps, and read-equal for naming windows. The MAC policy is read-down for properties. The sensitivity label is set to the sensitivity label of the creating client. The following shows the MAC policy for these actions:

  • Modify, create, or delete – The sensitivity label of the client must equal the object's sensitivity label.

  • Name, read, or retrieve – The client's sensitivity label must dominate the object's sensitivity label.

  • Connection request – The sensitivity label of the client must be dominated by the session clearance of the owner of the X Window Server workstation, or the client must assert the Trusted Path attribute.

Windows can have properties that contain information to be shared among clients. Window properties are created at the sensitivity label at which the application is running, so access to the property data is segregated by its sensitivity label. Clients can create properties, store data in a property on a window, and retrieve the data from a property subject to MAC and DAC restrictions. To specify properties that are not polyinstantiated, update the TrustedExtensionsPolicy file.

The TrustedExtensionsPolicy file is supported for the Xsun server and the Xorg server:

  • SPARC: For Xsun, the file is in /usr/openwin/server/etc.

  • x86: For Xorg, the file is in /usr/X11/lib/X11/xserver.

These sections describe the security policy for the following:

  • Root window

  • Client windows

  • Override-redirect windows

  • Keyboard, pointer, and server control

  • Selection Manager

  • Default window resources

  • Moving data between windows

Root Window

The root window is at the top of the window hierarchy. The root window is a public object that does not belong to any client, but it has data that must be protected. The root window attributes are protected at ADMIN_LOW.

Client Windows

A client usually has at least one top-level client window that descends from the root window and additional windows nested within the top-level window. All windows that descend from the client's top-level window have the same sensitivity label.

Override-Redirect Windows

Override-redirect windows, such as menus and certain dialog boxes, cannot take the input focus away from another client. This prevents the input focus from accepting input into a file at the wrong sensitivity label. Override-redirect windows are owned by the creating client and cannot be used by other clients to access data at another sensitivity label.

Keyboard, Pointer, and Server Control

A client needs MAC and DAC to gain control of the keyboard, pointer, and server. To reset the focus, a client must own the focus or have the win_devices privilege in its effective set.

To warp a pointer, the client needs pointer control and MAC and DAC to the destination window. X and Y coordinate information can be obtained for events that involve explicit user action.

Selection Manager

The Selection Manager application arbitrates user-level interwindow data moves, such as cut and paste or drag and drop, where information is transferred between untrusted windows. When a transfer is attempted, the Selection Manager captures the transfer, verifies the controlling user's authorization, and requests confirmation and labeling information from the user. Any time the user attempts a data move, the Selection Manager automatically appears. You do not need to update your application code to get the Selection Manager to appear.

The administrator can set automatic confirmation for some transfer types, in which case the Selection Manager does not appear. If the transfer meets the MAC and DAC policies, the data transfer completes. The File Manager and Window Manager also act as selection agents for their private drop sites. See the /usr/openwin/server/etc/TrustedExtensionsPolicy file to specify selection targets that are polyinstantiated. See the /usr/dt/config/sel_config file to determine which selection targets are automatically confirmed.

Default Window Resources

Resources that are not created by clients are default resources that are protected at ADMIN_LOW. Only clients that run at ADMIN_LOW or with the appropriate privileges can modify default resources.

The following are window resources:

  • Root window attributes – All clients have read and create access, but only privileged clients have write or modify access. See Privileged Operations and the Trusted X Window System.

  • Default cursor – Clients are free to reference the default cursor in protocol requests.

  • Predefined atoms – The TrustedExtensionsPolicy file contains a read-only list of predefined atoms.

Moving Data Between Windows

A client needs the win_selection privilege in its effective set to move data between one window and another window without going through the Selection Manager. See Selection Manager.

Previous Next

 
 
  Published under the terms fo the Public Documentation License Version 1.01. Design by Interspire