This chapter describes the Trusted Extensions X Window System APIs. This chapter also includes a short Motif application that is used to describe the Trusted X Window System security policy and the Trusted Extensions interfaces.
For examples of how the Trusted Extensions APIs are used in the Oracle Solaris OS, see the Oracle Solaris source code. Go to the OpenSolaris web site and click Source Browser in the left navigation bar. Use the Source Browser to search through the Oracle Solaris source code.
This chapter covers the following topics:
A system that is configured with Trusted Extensions uses Trusted Extensions CDE (Trusted CDE), which is an enhanced version of the Common Desktop Environment (CDE). Trusted CDE uses the Trusted Extensions X Window System. The Trusted Extensions X Window System includes protocol extensions to support mandatory access control (MAC), discretionary access control (DAC), and the use of privileges.
Data transfer sessions are polyinstantiated, meaning that they are instantiated at different sensitivity labels and user IDs. Polyinstantiation ensures that data in an unprivileged client at one sensitivity label or user ID is not transferred to another client at another sensitivity label or user ID. Such a transfer might violate the Trusted X Window System DAC policies and the MAC policies of write-equal and read-down.
The Trusted Extensions X Window System APIs enable you to obtain and set security-related attribute information. These APIs also enable you to translate labels to strings by using a font list and width to apply a style to the text string output. For example, the font might be 14-point, bold Helvetica. These interfaces are usually called by administrative applications that are written with Motif widgets, Xt Intrinsics, Xlib, and CDE interfaces.
Obtaining security-related information – These interfaces operate at the Xlib level where X protocol requests are made. Use Xlib interfaces to obtain data for the input parameter values.
Translating labels to strings – These interfaces operate at the Motif level. The input parameters are the label, a font list that specifies the appearance of the text string output, and the desired width. A compound string of the specified style and width is returned.
For declarations of these routines, see Trusted Extensions X Window System APIs.
The Trusted X Window System interfaces manage security-related attribute information for various X Window System objects. You can choose to create a GUI application with Motif only. The Motif application should use XToolkit routines to retrieve the Xlib object IDs underlying the Motif widgets to handle security attribute information for an Xlib object.
The X Window System objects for which security attribute information can be retrieved by the Trusted X Window System interfaces are window, property, X Window Server, and the connection between the client and the X Window Server. Xlib provides calls to retrieve the window, property, display, and client connection IDs.
A window displays output to the user and accepts input from clients.
A property is an arbitrary collection of data that is accessed by the property name. Property names and property types can be referenced by an atom, which is a unique 32-bit identifier that is associated with a character name string.
The security attributes for windows, properties, and client connections consist of ownership IDs and sensitivity label information. For information about the structures for capturing some of these attributes, see Data Types for X11. For information about the interfaces that obtain and set security attribute information, see Trusted Extensions X Window System APIs.
Window, property, and pixmap objects have a user ID, a client ID, and a sensitivity label. Graphic contexts, fonts, and cursors have a client ID only. The connection between the client and the X Window Server has a user ID, an X Window Server ID, and a sensitivity label.
The user ID is the ID of the client that created the object. The client ID is derived from the connection number over which the client that created the object is connected.
The DAC policy requires a client to own an object to perform any operations on that object. A client owns an object when the client's user ID equals the object's user ID. For a connection request, the user ID of the client must be in the access control list (ACL) of the owner of the X Window Server workstation. Or, the client must assert the Trusted Path attribute.
The MAC policy is write-equal for windows and pixmaps, and read-equal for naming windows. The MAC policy is read-down for properties. The sensitivity label is set to the sensitivity label of the creating client. The following shows the MAC policy for these actions:
Modify, create, or delete – The sensitivity label of the client must equal the object's sensitivity label.
Name, read, or retrieve – The client's sensitivity label must dominate the object's sensitivity label.
Connection request – The sensitivity label of the client must be dominated by the session clearance of the owner of the X Window Server workstation, or the client must assert the Trusted Path attribute.
Windows can have properties that contain information to be shared among clients. Window properties are created at the sensitivity label at which the application is running, so access to the property data is segregated by its sensitivity label. Clients can create properties, store data in a property on a window, and retrieve the data from a property subject to MAC and DAC restrictions. To specify properties that are not polyinstantiated, update the TrustedExtensionsPolicy file.
The TrustedExtensionsPolicy file is supported for the Xsun server and the Xorg server:
SPARC: For Xsun, the file is in /usr/openwin/server/etc.
x86: For Xorg, the file is in /usr/X11/lib/X11/xserver.
These sections describe the security policy for the following:
Root window
Client windows
Override-redirect windows
Keyboard, pointer, and server control
Selection Manager
Default window resources
Moving data between windows
The root window is at the top of the window hierarchy. The root window is a public object that does not belong to any client, but it has data that must be protected. The root window attributes are protected at ADMIN_LOW.
A client usually has at least one top-level client window that descends from the root window and additional windows nested within the top-level window. All windows that descend from the client's top-level window have the same sensitivity label.
Override-redirect windows, such as menus and certain dialog boxes, cannot take the input focus away from another client. This prevents the input focus from accepting input into a file at the wrong sensitivity label. Override-redirect windows are owned by the creating client and cannot be used by other clients to access data at another sensitivity label.
A client needs MAC and DAC access to gain control of the keyboard, pointer, and server. To reset the focus, a client must own the focus or have the win_devices privilege in its effective set.
To warp a pointer, the client needs pointer control and MAC and DAC access to the destination window. X and Y coordinate information can be obtained for events that involve explicit user action.
The Selection Manager application arbitrates user-level interwindow data moves, such as cut and paste or drag and drop, where information is transferred between untrusted windows. When a transfer is attempted, the Selection Manager captures the transfer, verifies the controlling user's authorization, and requests confirmation and labeling information from the user. Any time the user attempts a data move, the Selection Manager automatically appears. You do not need to update your application code to get the Selection Manager to appear.
The administrator can set automatic confirmation for some transfer types, in which case the Selection Manager does not appear. If the transfer meets the MAC and DAC policies, the data transfer completes. The File Manager and the window manager also act as selection agents for their private drop sites. See the /usr/openwin/server/etc/TrustedExtensionsPolicy file to specify selection targets that are polyinstantiated. See the /usr/dt/config/sel_config file to determine which selection targets are automatically confirmed.
Resources that are not created by clients are default resources that are protected at ADMIN_LOW. Only clients that run at ADMIN_LOW or with the appropriate privileges can modify default resources.
The following are window resources:
Root window attributes – All clients have read and create access, but only privileged clients have write or modify access. See Privileged Operations and the Trusted X Window System.
Default cursor – Clients are free to reference the default cursor in protocol requests.
Predefined atoms – The TrustedExtensionsPolicy file contains a read-only list of predefined atoms.
A client needs the win_selection privilege in its effective set to move data between one window and another window without going through the Selection Manager. See Selection Manager.
Library routines that access a window, property, or atom name without user involvement require MAC and DAC. Library routines that access frame buffer graphic contexts, fonts, and cursors require discretionary access and might also require additional privileges for special tasks.
The client might need one or more of the following privileges in its effective set if access to the object is denied: win_dac_read, win_dac_write, win_mac_read, or win_mac_write. See the TrustedExtensionsPolicy file to enable or disable these privileges.
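The DAC ownership rule, the write-equal and read-down MAC rules listed earlier, the connection-request rule, and the win_dac_*/win_mac_* overrides just described, modeled as an added illustration that is not Xtsol library code. The Label type, level numbers, compartment bits and user IDs are constructed here for the example.

```c
/*
 * Added model of the Trusted X Window System access decisions described in
 * this chapter: ownership DAC, write-equal / read-down MAC, the connection
 * rule, and privilege overrides. Labels and IDs are constructed; this is not
 * the Xtsol library.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed label: classification level plus a compartment bit set. */
typedef struct { int level; uint32_t compartments; } Label;

typedef enum { OP_MODIFY, OP_READ } Op;  /* modify/create/delete vs. name/read/retrieve */

/* Privileges named in the chapter, plus the Trusted Path attribute, as a bit set. */
enum {
    WIN_DAC_READ  = 1u << 0, WIN_DAC_WRITE = 1u << 1,
    WIN_MAC_READ  = 1u << 2, WIN_MAC_WRITE = 1u << 3,
    TRUSTED_PATH  = 1u << 4
};

/* a dominates b when its level is at least b's and it holds every compartment of b. */
bool dominates(Label a, Label b) {
    return a.level >= b.level && (a.compartments & b.compartments) == b.compartments;
}

bool label_equal(Label a, Label b) {
    return a.level == b.level && a.compartments == b.compartments;
}

/* DAC: the client must own the object (its user ID equals the object's user ID);
 * otherwise it needs win_dac_write for modifications or win_dac_read for reads. */
bool dac_allows(Op op, unsigned client_uid, unsigned object_uid, unsigned privs) {
    if (client_uid == object_uid) return true;
    return (privs & (op == OP_MODIFY ? WIN_DAC_WRITE : WIN_DAC_READ)) != 0;
}

/* MAC: write-equal for modify/create/delete, read-down for name/read/retrieve,
 * overridable by win_mac_write and win_mac_read respectively. */
bool mac_allows(Op op, Label client, Label object, unsigned privs) {
    if (op == OP_MODIFY)
        return label_equal(client, object) || (privs & WIN_MAC_WRITE) != 0;
    return dominates(client, object) || (privs & WIN_MAC_READ) != 0;
}

/* An operation on a window, pixmap or property must pass both policies. */
bool access_allowed(Op op, Label client, unsigned client_uid,
                    Label object, unsigned object_uid, unsigned privs) {
    return dac_allows(op, client_uid, object_uid, privs) &&
           mac_allows(op, client, object, privs);
}

/* Connection request: the client's user ID must be in the workstation owner's ACL
 * and its label dominated by the session clearance, unless it asserts Trusted Path. */
bool connection_allowed(Label client, Label session_clearance, bool uid_in_acl, unsigned privs) {
    if (privs & TRUSTED_PATH) return true;
    return uid_in_acl && dominates(session_clearance, client);
}

int main(void) {
    Label public_lbl = {0, 0}, conf_a = {1, 0x1};  /* constructed: CONFIDENTIAL with compartment A */
    printf("read-down  : %d\n", access_allowed(OP_READ,   conf_a, 100, public_lbl, 100, 0));
    printf("write-up   : %d\n", access_allowed(OP_MODIFY, conf_a, 100, public_lbl, 100, 0));
    printf("privileged : %d\n", access_allowed(OP_MODIFY, conf_a, 100, public_lbl, 100, WIN_MAC_WRITE));
    printf("connect    : %d\n", connection_allowed(conf_a, (Label){1, 0}, true, 0));
    return 0;
}
```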
This list shows the privileges needed to perform the following tasks:
Configuring and destroying window resources – A client process needs the win_config privilege in its effective set to configure or destroy windows or properties that are permanently retained by the X Window Server. The screen saver timeout is an example of such a resource.
Using window input devices – A client process needs the win_devices privilege in its effective set to obtain and set keyboard and pointer controls, or to modify pointer button mappings and key mappings.
Using direct graphics access – A client process needs the win_dga privilege in its effective set to use the direct graphics access (DGA) X protocol extension.
Downgrading window labels – A client process needs the win_downgrade_sl privilege in its effective set to change the sensitivity label of a window, pixmap, or property to a new label that does not dominate the existing label.
Upgrading window labels – A client process needs the win_upgrade_sl privilege in its effective set to change the sensitivity label of a window, pixmap, or property to a new label that dominates the existing label.
Setting a font path on a window – A client process needs the win_fontpath privilege in its effective set to modify the font path.
To use the Trusted X11 APIs, you need the following header file:
#include <X11/extensions/Xtsol.h>
The Trusted X11 examples compile with the -lXtsol and -ltsol library options.
To use the X11 label-clipping APIs, you need the following header file:
#include <Dt/label_clipping.h>
The label-clipping examples compile with the -lDtTsol and -ltsol library options.
The following sections provide data types and declarations for the Trusted X11 interfaces and the X11 label-clipping interfaces:
Data types for X11
Accessing attributes
Accessing and setting a window label
Accessing and setting a window user ID
Accessing and setting a window property label
Accessing and setting a window property user ID
Accessing and setting a workstation owner ID
Setting the X Window Server clearance and minimum label
Working with the Trusted Path window
Accessing and setting the screen stripe height
Setting window polyinstantiation information
Working with the X11 label-clipping interface
The following data types are defined in X11/extensions/Xtsol.h and are used for the Trusted Extensions X Window System APIs:
Object type for X11 – The ResourceType definition indicates the type of resource to be handled. The value can be IsWindow, IsPixmap, or IsColormap.
Clearance type for X11 – m_label_t is a type definition that represents a clearance. Interfaces accept a structure of type m_label_t as a parameter and return clearances in a structure of the same type.
Object attributes for X11 – The XTsolResAttributes structure contains these resource attributes:
typedef struct _XTsolResAttributes {
    CARD32 ouid;          /* owner uid */
    CARD32 uid;           /* uid of the window */
    m_label_t *sl;        /* sensitivity label */
} XTsolResAttributes;
Property attributes for X11 – The XTsolPropAttributes structure contains these property attributes:
typedef struct _XTsolPropAttributes {
    CARD32 uid;           /* uid of the property */
    m_label_t *sl;        /* sensitivity label */
} XTsolPropAttributes;
Client attributes for X11 – The XTsolClientAttributes structure contains these client attributes:
typedef struct _XTsolClientAttributes {
    int trustflag;        /* true if client masked as trusted */
    uid_t uid;            /* owner uid who started the client */
    gid_t gid;            /* group id */
    pid_t pid;            /* process id */
    u_long sessionid;     /* session id */
    au_id_t auditid;      /* audit id */
    u_long iaddr;         /* internet addr of host where client is running */
} XTsolClientAttributes;
The following routines are used to access resource, property, and client attributes:
This routine returns the resource attributes for a window ID in winattrp. See the XTSOLgetResAttributes(3XTSOL) man page.
This routine returns the property attributes for a property hanging on a window ID in propattrp. See the XTSOLgetPropAttributes(3XTSOL) man page.
This routine returns the client attributes in clientattrp. See the XTSOLgetClientAttributes(3XTSOL) man page.
The XTSOLgetResLabel() and XTSOLsetResLabel() routines are used to obtain and set the sensitivity label of a window.
This routine obtains the sensitivity label of a window. See the XTSOLgetResLabel(3XTSOL) man page.
This routine sets the sensitivity label of a window. See the XTSOLsetResLabel(3XTSOL) man page.
The XTSOLgetResUID() and XTSOLsetResUID() routines are used to obtain and set the user ID of a window.
This routine obtains the user ID of a window. See the XTSOLgetResUID(3XTSOL) man page.
This routine sets the user ID of a window. See the XTSOLsetResUID(3XTSOL) man page.
The XTSOLgetPropLabel() and XTSOLsetPropLabel() routines are used to obtain and set the sensitivity label of a property hanging on a window ID.
This routine obtains the sensitivity label of a property hanging on a window ID. See the XTSOLgetPropLabel(3XTSOL) man page.
This routine sets the sensitivity label of a property hanging on a window ID. See the XTSOLsetPropLabel(3XTSOL) man page.
The XTSOLgetPropUID() and XTSOLsetPropUID() routines are used to obtain and set the user ID of a property hanging on a window ID.
This routine obtains the user ID of a property hanging on a window ID. See the XTSOLgetPropUID(3XTSOL) man page.
This routine sets the user ID of a property hanging on a window ID. See the XTSOLsetPropUID(3XTSOL) man page.
The XTSOLgetWorkstationOwner() and XTSOLsetWorkstationOwner() routines are used to obtain and set the user ID of the owner of the workstation server.
The XTSOLsetWorkstationOwner() routine should only be used by the window manager.
This routine obtains the user ID of the owner of the workstation server. See the XTSOLgetWorkstationOwner(3XTSOL) man page.
This routine sets the user ID of the owner of the workstation server. See the XTSOLsetWorkstationOwner(3XTSOL) man page.
The XTSOLsetSessionHI() and XTSOLsetSessionLO() routines are used to set the session high clearance and the session low minimum label for the X Window Server. Session high can be selected from the Label Builder GUI and must be within the user's range. Session low is the same as the user's minimum label for the multilevel session.
These interfaces should only be used by the window manager.
The session high clearance is set from the workstation owner's clearance at login. The session high clearance must be dominated by the owner's clearance and by the upper bound of the machine monitor's label range. Once changed, connection requests from clients that run at a sensitivity label higher than the window server clearance are rejected unless they have privileges. See the XTSOLsetSessionHI(3XTSOL) man page.
The session low minimum label is set from the workstation owner's minimum label at login. The session low minimum label must be greater than the user's administratively set minimum label and the lower bound of the machine monitor's label range. When this setting is changed, connection requests from clients that run at a sensitivity label lower than the window server sensitivity label are rejected unless they have privileges. See the XTSOLsetSessionLO(3XTSOL) man page.
The XTSOLMakeTPWindow() and XTSOLIsWindowTrusted() routines are used to make the specified window the Trusted Path window and to test whether the specified window is the Trusted Path window.
This routine makes the specified window the Trusted Path window. See the XTSOLMakeTPWindow(3XTSOL) man page.
This routine tests whether the specified window is the Trusted Path window. See the XTSOLIsWindowTrusted(3XTSOL) man page.
The XTSOLgetSSHeight() and XTSOLsetSSHeight() routines are used to obtain and set the screen stripe height.
These interfaces should only be used by the window manager.
This routine obtains the screen stripe height. See the XTSOLgetSSHeight(3XTSOL) man page.
This routine sets the screen stripe height. Be careful that you do not end up without a screen stripe or with a very large screen stripe. See the XTSOLsetSSHeight(3XTSOL) man page.
The XTSOLsetPolyInstInfo() routine enables a client to obtain property information from a property at a different sensitivity label than the client. In the first call, you specify the desired sensitivity label and the user ID, and set the enabled property to True. Then, you call XTSOLgetPropAttributes(), XTSOLgetPropLabel(), or XTSOLgetPropUID(). To finish, you call the XTSOLsetPolyInstInfo() routine again with the enabled property set to False. See the XTSOLsetPolyInstInfo(3XTSOL) man page.
The label_to_str() routine translates a sensitivity label or clearance to a string. See the label_to_str(3TSOL) man page.
The following sections provide example code excerpts that use Trusted Extensions interface calls. These calls handle security attributes and translate a label to a string. The excerpts focus on handling window security attributes, the most commonly managed attributes in application programs. Often, a client retrieves security attributes by using the appropriate privileges for an object that was created by another application. The client then checks the attributes to determine whether an operation on the object is permitted by the system's security policy. The security policy covers DAC policies and the MAC write-equal and read-down policies. If access is denied, the application generates an error or uses privileges, as appropriate. See Privileged Operations and the Trusted X Window System for a discussion about when privileges are needed.
You must create an object before you can retrieve its ID to pass to the Trusted Extensions APIs.
The XTSOLgetResAttributes() routine returns security-related attributes for a window. You supply the following:
Display ID
Window ID
Flag to indicate that the object for which you want security attributes is a window
XTsolResAttributes structure to receive the returned attributes
Because the client is obtaining the security attributes for a window that the client created, no privileges are required.
Note that the example programs in this book focus on the APIs being shown and do not perform error checking. Your applications should perform the appropriate error checking.
Window window;
Display *display;
XTsolResAttributes winattrs;
char *string;
Status retval;

/* Retrieve underlying window and display IDs with Xlib calls */
window = XtWindow(topLevel);
display = XtDisplay(topLevel);

/* Retrieve window security attributes */
retval = XTSOLgetResAttributes(display, window, IsWindow, &winattrs);

/* Translate the label to a string; winattrs.sl is already an m_label_t pointer */
retval = label_to_str(winattrs.sl, &string, M_LABEL, LONG_NAMES);

/* Print security attribute information */
printf("Workstation Owner ID = %u\nUser ID = %u\nLabel = %s\n",
    winattrs.ouid, winattrs.uid, string);
The printf statement prints the following:
Workstation Owner ID = 29378
User ID = 29378
Label = CONFIDENTIAL
This example shows how to obtain the process sensitivity label and translate it to a string by using a font list and the pixel width. A label widget is created with the string for its label. The process sensitivity label equals the window sensitivity label. Therefore, no privileges are required.
When the final string is longer than the width, the string is clipped and the clipped indicator is used. Note that the X Window System label-translation interfaces clip to the specified number of pixels, while the label-clipping interfaces clip to the number of characters.
If your site uses a label_encodings file in a language other than English, the translation might not work on accented characters above code point 128 in the ISO 8859 standard. The following example does not work for the Asian character set.
m_label_t *senslabel = m_label_alloc(MAC_LABEL);  /* m_label_t is opaque, so allocate it */
XFontStruct *italic;
XmFontList fontlist;
XmString xmstr;
Widget label;
Arg args[2];
int i;

/* Obtain the sensitivity label of the calling process */
retval = getplabel(senslabel);

/* Create the font list and translate the label using it */
italic = XLoadQueryFont(XtDisplay(topLevel),
    "-adobe-times-medium-i-*-*-14-*-*-*-*-*-iso8859-1");
fontlist = XmFontListCreate(italic, "italic");
xmstr = Xbsltos(XtDisplay(topLevel), senslabel, width, fontlist, LONG_WORDS);

/* Create a label widget using the font list and label text */
i = 0;
XtSetArg(args[i], XmNfontList, fontlist); i++;
XtSetArg(args[i], XmNlabelString, xmstr); i++;
label = XtCreateManagedWidget("label", xmLabelWidgetClass, form, args, i);
This example shows how to obtain the sensitivity label for a window. The process sensitivity label equals the window sensitivity label. Therefore, no privileges are required.
m_label_t *senslabel = m_label_alloc(MAC_LABEL);  /* m_label_t is opaque, so allocate it */
char *string;

/* Retrieve window label */
retval = XTSOLgetResLabel(display, window, IsWindow, senslabel);

/* Translate the label to a string and print it */
retval = label_to_str(senslabel, &string, M_LABEL, LONG_NAMES);
printf("Label = %s\n", string);
The printf statement, for example, prints the following:
Label = PUBLIC
This example shows how to set the sensitivity label on a window. The new sensitivity label dominates the sensitivity label of the window and the process. The client needs the sys_trans_label privilege in its effective set to translate a label that the client does not dominate. The client also needs the win_upgrade_sl privilege to change the window's sensitivity label.
For more information about using privileges, see Oracle Solaris Security for Developers Guide.
m_label_t *label = NULL;
int error;

/* Translate the text string to a sensitivity label; str_to_label(3TSOL) allocates
 * the label when *label is NULL (label_to_str goes the other direction) */
retval = str_to_label(string4, &label, MAC_LABEL, L_NO_CORRECTION, &error);

/* Set the window's sensitivity label to the new value */
retval = XTSOLsetResLabel(display, window, IsWindow, label);
This example shows how to obtain the window user ID. The process owns the window resource and is running at the same sensitivity label. Therefore, no privileges are required.
uid_t uid;

/* Get the user ID of the window */
retval = XTSOLgetResUID(display, window, IsWindow, &uid);
This example shows how to obtain the ID of the user who is logged in to the X Window Server. The process sensitivity label equals the window sensitivity label. Therefore, no privileges are required.
uid_t uid;

/* Get the user ID of the workstation owner, that is, the user logged in to the X Window Server */
retval = XTSOLgetWorkstationOwner(display, &uid);