From: Jan Beich
To: Emmanuel Vadot
Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject: Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes
Date: Tue, 09 Apr 2024 11:37:09 +0200
List-Id: Commits to the quarterly branches of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches

Emmanuel Vadot writes:

>> > xcsecurity is disabled by default in xorg-server upstream (in meson)
>> > and I think that we should do the same (granted that XACE works
>> > correctly).
>>
>> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
>> # X-ACE extension: provides hooks for building security policy extensions
>> # like XC-Security, X-SELinux & XTSol
>>
>> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
>> with the legacy XC-Security (trusted/untrusted) or nothing.
>
> No, we build with X-ACE currently and this isn't what the doc is
> saying. It just says that X-ACE is somewhat what X-SELinux and XTSol is.
> In fact it seems that XCSECURITY implies X-ACE, I haven't looked
> at the code but it's possible that the XCSECURITY code is using X-ACE
> as the backend.

X-ACE is not an extension by itself like pfil(9) is not a firewall by
itself. xdpyinfo(1) doesn't list ACE unlike SECURITY, and X-ACE lacks
public API.

X-ACE is enabled by default because X-SELinux is (in Meson unlike
autotools). Out-of-tree vendors were probably meant to use X-ACE via
dynamically loaded extensions[1] (thus need X-ACE by default) or as an
open source base in proprietary forks.

[1] Plugins under /usr/local/lib/xorg/modules/extensions/