Trusted Solaris Developer's Guide

Security Policy

Window, property, and pixmap objects have a user ID, client ID, and a CMW label. Graphic contexts, fonts, and cursors have a client ID only. The connection between the client and the X Window Server has a user ID, X Window Server ID, and a CMW label.

The user ID is the ID of the client that created the object. The client ID is derived from the connection number of the connection over which the creating client is attached to the X Window Server.

The discretionary access policy requires a client to own an object to perform any operations on the object. A client owns an object when the client's user ID equals the object's user ID. For a connection request, the user ID of the client must be in the Access Control List (ACL) of the owner of the X Window Server workstation, or the client must assert the Trusted Path attribute as described in "Get and Set Process Security Attribute Flags".

The mandatory access policy is write-equal, read-equal for naming windows, and read-down for properties. The sensitivity label portion of the CMW label is set to the sensitivity label of the creating client. The information label portion of the CMW label is always ADMIN_LOW.

Windows can have properties that contain information to be shared among clients. Window properties are created at the sensitivity label at which the application is running, so access to the property data is segregated by its sensitivity label. Clients can create properties, store data in a property on a window, and retrieve the data from a property, subject to mandatory and discretionary access restrictions. See /usr/openwin/server/tsol/property.atoms to specify properties that are not polyinstantiated.
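The following is an added illustration, not Trusted Solaris or X Window Server code, of how the discretionary and mandatory checks described above combine for a request. The label structure (a classification plus a compartment bitmask), the resource and client structs, and all function names are constructed for this example; real CMW labels are opaque values handled by the server. It reads the policy sentence as: writes are write-equal for both windows and properties, reads are read-equal for windows and read-down (the client's label dominates the property's) for properties.

```c
/* Constructed model of the Trusted Solaris X server access policy.
 * Not server code: the label encoding and every name here are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy sensitivity label: a hierarchical classification and a set of
 * non-hierarchical compartments. Only the sensitivity-label half of the
 * CMW label is modelled; the information label is always ADMIN_LOW. */
typedef struct {
    unsigned classification;
    uint32_t compartments;
} sl_t;

/* The lowest label: default resources and the root window sit here. */
static const sl_t ADMIN_LOW = {0, 0};

/* Windows and properties carry a user ID, a client ID and a label. */
typedef enum { RES_WINDOW, RES_PROPERTY } res_kind_t;

typedef struct {
    res_kind_t kind;
    unsigned user_id;
    unsigned client_id;
    sl_t sl;
} resource_t;

typedef struct {
    unsigned user_id;
    unsigned client_id;
    sl_t sl;
} client_t;

typedef enum { OP_READ, OP_WRITE } op_t;

/* a dominates b when a's classification is at least b's and a's
 * compartment set is a superset of b's. */
static bool sl_dominates(sl_t a, sl_t b) {
    return a.classification >= b.classification &&
           (a.compartments & b.compartments) == b.compartments;
}

static bool sl_equal(sl_t a, sl_t b) {
    return a.classification == b.classification &&
           a.compartments == b.compartments;
}

/* Discretionary policy: the client must own the object, i.e. the
 * client's user ID equals the object's user ID. */
bool dac_allows(const client_t *c, const resource_t *r) {
    return c->user_id == r->user_id;
}

/* Mandatory policy: write-equal everywhere; read-equal for windows,
 * read-down for properties. */
bool mac_allows(const client_t *c, const resource_t *r, op_t op) {
    if (op == OP_WRITE)
        return sl_equal(c->sl, r->sl);
    switch (r->kind) {
    case RES_WINDOW:   return sl_equal(c->sl, r->sl);
    case RES_PROPERTY: return sl_dominates(c->sl, r->sl);
    }
    return false;
}

/* A request succeeds only when both policies allow it. */
bool access_allowed(const client_t *c, const resource_t *r, op_t op) {
    return dac_allows(c, r) && mac_allows(c, r, op);
}

int main(void) {
    /* Constructed scenario: one client, one window at its own label,
     * one property created by a lower-labelled run of the same user. */
    client_t   c    = {100, 1, {2, 0x3}};
    resource_t win  = {RES_WINDOW,   100, 1, {2, 0x3}};
    resource_t prop = {RES_PROPERTY, 100, 1, {1, 0x1}};
    resource_t root = {RES_WINDOW,   0,   0, ADMIN_LOW};

    printf("read own window:      %d\n", access_allowed(&c, &win,  OP_READ));
    printf("read lower property:  %d\n", access_allowed(&c, &prop, OP_READ));
    printf("write lower property: %d\n", access_allowed(&c, &prop, OP_WRITE));
    /* Root window attributes are ADMIN_LOW; a client above that label
     * fails the mandatory write check. */
    printf("write root attrs:     %d\n", mac_allows(&c, &root, OP_WRITE));
    return 0;
}
```

The model makes the practical consequence of the policy visible: a client can read a property that an earlier, lower-labelled session left on a window, but cannot modify it or read a window at any label other than its own, and only a client running at ADMIN_LOW passes the mandatory check for default resources.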

Root Window

The root window is at the top of the window hierarchy. The root window is a public object that does not belong to any client, but has data that must be protected. The root window attributes are protected at ADMIN_LOW.

Client Windows

A client usually has at least one top-level client window that descends from the root window, and additional windows nested within the top-level window. All windows that descend from the client's top-level window have the same sensitivity label.

Override-Redirect Windows

Override-redirect windows, such as menus and certain dialog boxes, cannot take the input focus away from another client; this prevents input from being accepted into a file at the wrong sensitivity label. Override-redirect windows are owned by the creating client and cannot be used by other clients to access data at another sensitivity label.

Keyboard, Pointer, and Server Control

A client needs mandatory and discretionary access to gain keyboard, pointer, or server control. To reset the focus, a client must own the focus or have the win_devices privilege.

To warp a pointer, the client needs pointer control and mandatory and discretionary access to the destination window. X and Y coordinate information can be obtained for events that involve explicit user action.

Selection Manager

The Selection Manager arbitrates user-level inter-window data moves, such as cut-and-paste or drag-and-drop, where information is transferred between untrusted windows. When a transfer is attempted, the Selection Manager captures the transfer, verifies the controlling user's authorization, and requests confirmation and labeling information from the user. The Selection Manager appears whenever the end user attempts a data move; no application code is required to invoke it.

The administrator can set autoconfirm for some transfer types, in which case the Selection Manager does not appear. If the transfer meets mandatory and discretionary access policies, the data transfer completes. The File Manager and Window Manager also act as selection agents for their private drop sites. See /usr/openwin/server/tsol/selection.atoms to specify selection targets that are polyinstantiated. See /usr/dt/config/sel_config to determine which selection targets are automatically confirmed.

Default Resources

Resources not created by clients are default resources labeled ADMIN_LOW. Only clients running at ADMIN_LOW or with the appropriate privileges can modify default resources.

Moving Data Between Windows

A client needs the win_selection privilege to move data between one window and another without going through the "Selection Manager".

Getting and setting process attribute flags is covered in Chapter 2, Getting Started.