Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes
- In reply to: Jan Beich : "Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes"
Date: Tue, 09 Apr 2024 09:56:53 UTC
On Tue, 09 Apr 2024 11:37:09 +0200
Jan Beich <jbeich@FreeBSD.org> wrote:

> Emmanuel Vadot <manu@bidouilliste.com> writes:
>
> >> > xcsecurity is disabled by default in xorg-server upstream (in meson)
> >> > and I think that we should do the same (granted that XACE works
> >> > correctly).
> >>
> >> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
> >> # X-ACE extension: provides hooks for building security policy extensions
> >> # like XC-Security, X-SELinux & XTSol
> >>
> >> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
> >> with the legacy XC-Security (trusted/untrusted) or nothing.
> >
> > No, we build with X-ACE currently and this isn't what the doc is
> > saying. It just says that X-ACE is somewhat what X-SELinux and XTSol is.
> > In fact it seems that XCSECURITY implies X-ACE, I haven't looked
> > at the code but it's possible that the XCSECURITY code is using X-ACE
> > as the backend.
>
> X-ACE is not an extension by itself like pfil(9) is not a firewall by itself.
> xdpyinfo(1) doesn't list ACE unlike SECURITY, and X-ACE lacks public API.
>
> X-ACE is enabled by default because X-SElinux is (in Meson unlike autotools).

I think it's more complex than that, x-ace is needed when xcsecurity is
enabled too, see
https://gitlab.freedesktop.org/xorg/xserver/-/blob/master/meson.build?ref_type=heads#L543

> Out-of-tree vendors were probably meant to use X-ACE via dynamically
> loaded extensions[1] (thus need X-ACE by default) or as an open source
> base in proprietary forks.
>
> [1] Plugins under /usr/local/lib/xorg/modules/extensions/

Could be, I honestly don't care much about Xorg :)

Anyway, xcsecurity seems to be required for ssh -X, looks like nothing
else can be used. That doesn't explain why it's not enabled by default
in xorg-server upstream but explains why everyone enables it, so I'll
switch it to enabled for x11-servers/xwayland.

--
Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>