Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes

From: Jan Beich <jbeich_at_FreeBSD.org>
Date: Tue, 09 Apr 2024 09:37:09 UTC

Emmanuel Vadot <manu@bidouilliste.com> writes:

>> >  xcsecurity is disabled by default in xorg-server upstream (in meson)
>> > and I think that we should do the same (granted that XACE works
>> > correctly).
>> 
>> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
>>   # X-ACE extension: provides hooks for building security policy extensions
>>   # like XC-Security, X-SELinux & XTSol
>> 
>> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
>> with the legacy XC-Security (trusted/untrusted) or nothing.
>
>  No, we build with X-ACE currently and this isn't what the doc is
> saying. It just says that X-ACE is somewhat what X-SELinux and XTSol are.
>  In fact it seems that XCSECURITY implies X-ACE, I haven't looked
> at the code but it's possible that the XCSECURITY code is using X-ACE
> as the backend.

X-ACE is not an extension by itself like pfil(9) is not a firewall by itself.
xdpyinfo(1) doesn't list ACE unlike SECURITY, and X-ACE lacks public API.

X-ACE is enabled by default because X-SELinux is (in Meson unlike autotools).
Out-of-tree vendors were probably meant to use X-ACE via dynamically
loaded extensions[1] (thus need X-ACE by default) or as an open source
base in proprietary forks.

[1] Plugins under /usr/local/lib/xorg/modules/extensions/