XACE/SELinux Extensions
Abstract
The XACE (X Access Control Extension) is a set of generic "hooks" that can be used by other X extensions to perform access checks. The goal of XACE is to prevent clutter in the core dix/os code by providing a common mechanism for doing these sorts of checks. The concept is identical to the Linux Security Module (LSM) in the Linux Kernel.
The SELinux extension uses XACE to provide a "userspace object manager" in the X server. Essentially, the extension is a part of the SELinux enforcement system, with the job of protecting access to window contents, input events, etc. in the same way that the kernel protects access to files, processes, etc.
News
- [2006-09-09] The SELinux extension is up and running again.
- [2006-09-13] The XACE hooks have been proposed for merge in 7.2.
- [2006-09-18] Information concerning the merge of XACE to the xserver trunk
- [2006-10-30] XACE documentation is now available (version 1.0): [XML] [PDF].
- [2006-10-31] DocBook output comparison
- [2007-02-07] I delivered a talk at the 2007 X Developer's Conference. A brief agenda can be viewed here.
- [2007-02-22] devPrivates proposal has been posted to the xorg list for review and comment. Text of proposal Diagram 1 Diagram 2.
(Note: this is not the way it works anymore, updated documentation coming soon.)
- [2007-11-20] The second version of XACE, along with the devPrivates rework and an SELinux extension is ready for merge! View the complete patch.
X Security Goals
- Access control: prevent clients from accessing each other's resources, drawing into each other's drawables, capturing screen contents, etc. where inappropriate.
- Information flow: prevent clients from using the X server as a channel for communicating, e.g. through the keyboard map, resources, cut buffers, etc. where inappropriate.
- Labeling: securely label each window so that its originating program is known.
- Trusted Path: prevent spoofing and interception of input events.
Links
