Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes

From: Emmanuel Vadot <>
Date: Tue, 09 Apr 2024 09:56:53 UTC
On Tue, 09 Apr 2024 11:37:09 +0200
Jan Beich <> wrote:

> Emmanuel Vadot <> writes:
> >> >  xcsecurity is disabled by default in xorg-server upstream (in meson)
> >> > and I think that we should do the same (granted that XACE works
> >> > correctly).
> >> 
> >> From
> >>   # X-ACE extension: provides hooks for building security policy extensions
> >>   # like XC-Security, X-SELinux & XTSol
> >> 
> >> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
> >> with the legacy XC-Security (trusted/untrusted) or nothing.
> >
> >  No, We build with X-ACE currently and this isn't what the doc is
> > saying. It just says that X-ACE is somewhat what X-SELinux and XTSol is.
> >  In fact it seems that XCSECURITY imply X-ACE, I haven't looked
> > at the code but it's possible that the XCSECURITY code is using X-ACE
> > as the backend.
> X-ACE is not an extension by itself like pfil(9) is not a firewall by itself.
> xdpyinfo(1) doesn't list ACE unlike SECURITY, and X-ACE lacks public API.
> X-ACE is enabled by default because X-SElinux is (in Meson unlike autotools).

 I think it's more complex than than, x-ace is needed when xcsecurity
is enabled too, see

> Out-of-tree vendors were probably meant to use X-ACE via dynamically
> loaded extensions[1] (thus need X-ACE by default) or as an open source
> base in proprietary forks.
> [1] Plugins under /usr/local/lib/xorg/modules/extensions/

 Could be, I honestly don't care much about Xorg :)

 Anyway, xcsecurity seems to be required for ssh -X, looks like nothing
else can be used. That doesn't explain why it's not enabled by default
in xorg-server upstream but explain why everyone enables it, so I'll
switch it to enabled for x11-servers/xwayland.

Emmanuel Vadot <> <>