SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: In FC8 I would like to start playing with trusted X. This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Eamon Walsh <ewalsh_at_tycho.nsa.gov> Date: Wed, 16 May 2007 14:14:14 -0400 Daniel J Walsh wrote: > Eamon Walsh wrote: >> Daniel J Walsh wrote: >>> Ok now I was hoping the NSA guys would hop in and say. Hey here is >>> how you would do it. :^) >>> Because I have no idea. Any help would be appreciated. >> I've been slowly reviewing all of the 35 X protocol extensions of >> which I'm aware, trying to revise the set of object classes and >> permissions. I have about 8 more extensions to go. I'm hoping to do a >> major release of the security framework and Flask module before FC8. >> >> I think the two goals you have set forth are a reasonable target. The >> input goal I don't think is possible with the current implementation, >> because the input extensions (XKB, XInput) are not covered by the >> security hooks. The screenshot goal should be possible. There are >> many screenshot apps but they all should call XCopyImage or similar, >> which are controllable. The problem is that the screenshot app gets a >> BadAccess error from the denial and Xlib calls abort; it's not very >> graceful. >> > That is what I figured. And in order to get upstream of Xorg to fix > these problems, we have to start showing usefulness of the access control. I have some ideas for demos to show the usefulness of the controls. Basically bring up a graffiti program that draws on other windows and show how it can be selectively stopped. Same thing with a program that monitors keyboard input. This doesn't have to be SELinux-based, it could be a simple DAC module with permission buttons on the window title bar. Just as soon as I finish my Big Spreadsheet of X Protocol and implement the support for the extensions... Upstream Xorg is not really the problem though. The new XCB libraries have support for proper error handling. The problem is getting the toolkits and applications, GTK+ etc. to switch over from Xlib and/or actually check for errors on every request. -- Eamon Walsh <ewalsh@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Wed 16 May 2007 - 14:14:17 EDT This message: [ Message body ] Next message: Ted X Toth: "Re: In FC8 I would like to start playing with trusted X." Previous message: Norman Elton: "Re: Console login problems" In reply to: Daniel J Walsh: "Re: In FC8 I would like to start playing with trusted X." Next in thread: Ted X Toth: "Re: In FC8 I would like to start playing with trusted X." Reply: Ted X Toth: "Re: In FC8 I would like to start playing with trusted X." Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom