Trusted Extensions Developer's Guide     Oracle Solaris 11 Information Library

Trusted X Window System Security Policy

Window, property, and pixmap objects have a user ID, a client ID, and a sensitivity label. Graphic contexts, fonts, and cursors have a client ID only. The connection between the client and the X Window Server has a user ID, an X Window Server ID, and a sensitivity label.

The user ID is the ID of the client that created the object. The client ID is derived from the connection number of the connection over which the creating client is attached to the X Window Server.

The DAC policy requires a client to own an object to perform any operations on that object. A client owns an object when the client's user ID equals the object's user ID. For a connection request, the user ID of the client must be in the access control list (ACL) of the owner of the X Window Server workstation, or the client must assert the Trusted Path attribute.

The MAC policy is write-equal for windows and pixmaps, and read-equal for naming windows. The MAC policy is read-down for properties. The sensitivity label is set to the sensitivity label of the creating client. The following shows the MAC policy for these actions:

Windows can have properties that contain information to be shared among clients. Window properties are created at the sensitivity label at which the application is running, so access to the property data is segregated by its sensitivity label. Clients can create properties, store data in a property on a window, and retrieve the data from a property subject to MAC and DAC restrictions. To specify properties that are not polyinstantiated, update the /usr/lib/xorg/TrustedExtensionsPolicy file.
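The following is an added illustration of the access-control rules stated above, not code from the Trusted Extensions guide or the X Window Server. It models the DAC ownership test, the connection ACL / Trusted Path rule, and the MAC rules the text gives (write-equal for windows and pixmaps, read-equal for naming windows, read-down for properties) over a constructed label encoding. The `Label` struct (classification plus compartment bitmask), the function names, and the decision to deny any operation/object combination the text does not state are all assumptions; real Trusted Extensions labels are opaque and are compared through the label APIs, not by hand.

```c
/* Toy model of the Trusted X Window System MAC/DAC rules described in the text.
 * Added illustration, not Oracle code: the label encoding, ACL shape and all
 * identifiers here are assumptions made for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A sensitivity label: a hierarchical classification plus a set of
 * non-hierarchical compartments (assumed encoding; real labels are opaque). */
typedef struct {
    int classification;
    unsigned int compartments;   /* bitmask of compartments */
} Label;

/* True when a dominates b: classification at least as high and a superset of compartments. */
static bool dominates(Label a, Label b) {
    return a.classification >= b.classification &&
           (a.compartments & b.compartments) == b.compartments;
}

/* Labels are equal when each dominates the other. */
static bool labels_equal(Label a, Label b) {
    return dominates(a, b) && dominates(b, a);
}

typedef enum { OBJ_WINDOW, OBJ_PIXMAP, OBJ_PROPERTY } ObjectKind;
typedef enum { OP_READ, OP_WRITE, OP_NAME } Operation;   /* OP_NAME: window naming/hierarchy queries */

/* MAC decision for exactly the rules the text states:
 *  - windows and pixmaps: write-equal
 *  - naming windows: read-equal
 *  - properties: read-down (the client's label must dominate the property's label)
 * Any combination the text does not state is denied here (an assumption of this model). */
static bool mac_allows(Operation op, ObjectKind kind, Label client, Label object) {
    switch (kind) {
    case OBJ_WINDOW:
        if (op == OP_WRITE || op == OP_NAME) return labels_equal(client, object);
        return false;
    case OBJ_PIXMAP:
        if (op == OP_WRITE) return labels_equal(client, object);
        return false;
    case OBJ_PROPERTY:
        if (op == OP_READ) return dominates(client, object);
        return false;
    }
    return false;
}

/* DAC: a client owns an object when its user ID equals the object's user ID. */
static bool dac_owns(unsigned int client_uid, unsigned int object_uid) {
    return client_uid == object_uid;
}

/* Connection DAC: the client's user ID must appear in the workstation owner's ACL,
 * or the client must assert the Trusted Path attribute. */
static bool connection_allowed(unsigned int client_uid, const unsigned int *acl,
                               size_t acl_len, bool trusted_path) {
    if (trusted_path) return true;
    for (size_t i = 0; i < acl_len; i++)
        if (acl[i] == client_uid) return true;
    return false;
}

/* Object operation: the text requires ownership (DAC) for any operation, and MAC on top. */
static bool operation_allowed(Operation op, ObjectKind kind,
                              unsigned int client_uid, Label client_label,
                              unsigned int object_uid, Label object_label) {
    return dac_owns(client_uid, object_uid) &&
           mac_allows(op, kind, client_label, object_label);
}

int main(void) {
    Label confidential = {2, 0x1};   /* constructed sample labels */
    Label secret_ab    = {3, 0x3};
    /* A client at the higher label may read a lower-labeled property (read-down) ... */
    printf("read-down property: %d\n",
           operation_allowed(OP_READ, OBJ_PROPERTY, 100, secret_ab, 100, confidential));
    /* ... but may not write into a lower-labeled window (write-equal). */
    printf("write to lower window: %d\n",
           operation_allowed(OP_WRITE, OBJ_WINDOW, 100, secret_ab, 100, confidential));
    /* An object owned by another user ID fails DAC regardless of label. */
    printf("other owner: %d\n",
           operation_allowed(OP_WRITE, OBJ_WINDOW, 100, secret_ab, 101, secret_ab));
    return 0;
}
```

The three cases in `main` are the ones worth remembering from the text: read-down on properties lets a higher-labeled client see lower-labeled shared data, write-equal on windows and pixmaps stops it from pushing data into a window at another label, and DAC ownership is checked before MAC ever matters.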

These sections describe the security policy for the following:

Root Window

The root window is at the top of the window hierarchy. The root window is a public object that does not belong to any client, but it has data that must be protected. The root window attributes are protected at ADMIN_LOW.

Client Windows

A client usually has at least one top-level client window that descends from the root window and additional windows nested within the top-level window. All windows that descend from the client's top-level window have the same sensitivity label.

Override-Redirect Windows

Override-redirect windows, such as menus and certain dialog boxes, cannot take the input focus away from another client. This prevents the input focus from accepting input into a file at the wrong sensitivity label. Override-redirect windows are owned by the creating client and cannot be used by other clients to access data at another sensitivity label.

Keyboard, Pointer, and Server Control

A client needs MAC and DAC to gain control of the keyboard, pointer, and server. To reset the focus, a client must own the focus or have the win_devices privilege in its effective set.

To warp a pointer, the client needs pointer control and MAC and DAC to the destination window. X and Y coordinate information can be obtained for events that involve explicit user action.

Selection Manager

The Selection Manager application arbitrates user-level interwindow data moves, such as cut and paste or drag and drop, where information is transferred between untrusted windows. When a transfer is attempted, the Selection Manager captures the transfer, verifies the controlling user's authorization, and requests confirmation and labeling information from the user. Any time the user attempts a data move, the Selection Manager automatically appears. You do not need to update your application code to get the Selection Manager to appear.

The administrator can set automatic confirmation for some transfer types, in which case the Selection Manager does not appear. If the transfer meets the MAC and DAC policies, the data transfer completes. The File Browser and the window manager also act as selection agents for their private drop sites. See the /usr/lib/xorg/TrustedExtensionsPolicy file to specify selection targets that are polyinstantiated. See the /usr/share/gnome/sel_config file to determine which selection targets are automatically confirmed.

Default Window Resources

Resources that are not created by clients are default resources that are protected at ADMIN_LOW. Only clients that run at ADMIN_LOW or with the appropriate privileges can modify default resources.

The following are window resources:

Moving Data Between Windows

A client needs the win_selection privilege in its effective set to move data from one window to another without going through the Selection Manager. See Selection Manager.