security.c

unix vnc 协议源码. VNC是一款远程控制工具软件.

	else
	    return SecurityAuditResourceIDAccess(client, id);
    }
    else /* server-owned resource - probably a default colormap or root window */
    {
	if (RT_WINDOW == rtype || RC_DRAWABLE == rtype)
	{
	    switch (reqtype)
	    {   /* the following operations are allowed on root windows */
	        case X_CreatePixmap:
	        case X_CreateGC:
	        case X_CreateWindow:
	        case X_CreateColormap:
		case X_ListProperties:
		case X_GrabPointer:
	        case X_UngrabButton:
		case X_QueryBestSize:
		case X_GetWindowAttributes:
		    break;
		case X_SendEvent:
		{ /* see if it is an event specified by the ICCCM */
		    xSendEventReq *req = (xSendEventReq *)
						(client->requestBuffer);
		    if (req->propagate == xTrue
			||
			  (req->eventMask != ColormapChangeMask &&
			   req->eventMask != StructureNotifyMask &&
			   req->eventMask !=
			      (SubstructureRedirectMask|SubstructureNotifyMask)
			  )
			||
			  (req->event.u.u.type != UnmapNotify &&
			   req->event.u.u.type != ConfigureRequest &&
			   req->event.u.u.type != ClientMessage
			  )
		       )
		    { /* not an ICCCM event */
			return SecurityAuditResourceIDAccess(client, id);
		    }
		    break;
		} /* case X_SendEvent on root */

		case X_ChangeWindowAttributes:
		{ /* Allow selection of PropertyNotify and StructureNotify
		   * events on the root.
		   */
		    xChangeWindowAttributesReq *req =
			(xChangeWindowAttributesReq *)(client->requestBuffer);
		    if (req->valueMask == CWEventMask)
		    {
			CARD32 value = *((CARD32 *)(req + 1));
			if ( (value &
			      ~(PropertyChangeMask|StructureNotifyMask)) == 0)
			    break;
		    }
		    return SecurityAuditResourceIDAccess(client, id);
		} /* case X_ChangeWindowAttributes on root */

		default:
		{
#ifdef LBX
		    /* XXX really need per extension dispatching */
		    if (reqtype == LbxReqCode) {
			switch (((xReq *)client->requestBuffer)->data) {
			case X_LbxGetProperty:
			case X_LbxChangeProperty:
			    return rval;
			default:
			    break;
			}
		    }
#endif
		    /* others not allowed */
		    return SecurityAuditResourceIDAccess(client, id);
		}
	    }
	} /* end server-owned window or drawable */
	else if (SecurityAuthorizationResType == rtype)
	{
	    SecurityAuthorizationPtr pAuth = (SecurityAuthorizationPtr)rval;
	    if (pAuth->trustLevel != client->trustLevel)
		return SecurityAuditResourceIDAccess(client, id);
	}
	else if (RT_COLORMAP != rtype)
	{ /* don't allow anything else besides colormaps */
	    return SecurityAuditResourceIDAccess(client, id);
	}
    }
    return rval;
} /* SecurityCheckResourceIDAccess */


/* SecurityClientStateCallback
 *
 * Arguments:
 *	pcbl is &ClientStateCallback.
 *	nullata is NULL.
 *	calldata is a pointer to a NewClientInfoRec (include/dixstruct.h)
 *	which contains information about client state changes.
 *
 * Returns: nothing.
 *
 * Side Effects:
 * 
 * If a new client is connecting, its authorization ID is copied to
 * client->authID.  If this is a generated authorization, its reference
 * count is bumped, its timer is cancelled if it was running, and its
 * trustlevel is copied to client->trustLevel.
 * 
 * If a client is disconnecting and the client was using a generated
 * authorization, the authorization's reference count is decremented, and
 * if it is now zero, the timer for this authorization is started.
 */

static void
SecurityClientStateCallback(pcbl, nulldata, calldata)
    CallbackListPtr *pcbl;
    pointer nulldata;
    pointer calldata;
{
    NewClientInfoRec *pci = (NewClientInfoRec *)calldata;
    ClientPtr client = pci->client;

    switch (client->clientState)
    {
	case ClientStateRunning:
	{ 
	    XID authId = AuthorizationIDOfClient(client);
	    SecurityAuthorizationPtr pAuth;

	    client->authId = authId;
	    pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId,
						SecurityAuthorizationResType);
	    if (pAuth)
	    { /* it is a generated authorization */
		pAuth->refcnt++;
		if (pAuth->refcnt == 1)
		{
		    if (pAuth->timer) TimerCancel(pAuth->timer);
		}
		client->trustLevel = pAuth->trustLevel;
		if (client->trustLevel != XSecurityClientTrusted)
		{
		    client->CheckAccess = SecurityCheckResourceIDAccess;
		    client->requestVector = client->swapped ?
			SwappedUntrustedProcVector : UntrustedProcVector;
		}
	    }
	    break;
	}
	case ClientStateGone:
	case ClientStateRetained: /* client disconnected */
	{
	    XID authId = client->authId;
	    SecurityAuthorizationPtr pAuth;

	    pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId,
						SecurityAuthorizationResType);
	    if (pAuth)
	    { /* it is a generated authorization */
		pAuth->refcnt--;
		if (pAuth->refcnt == 0)
		{
		    SecurityStartAuthorizationTimer(pAuth);
		}
	    }	    
	    break;
	}
	default: break; 
    }
} /* SecurityClientStateCallback */

#ifdef LBX
Bool
SecuritySameLevel(client, authId)
    ClientPtr client;
    XID authId;
{
    SecurityAuthorizationPtr pAuth;

    pAuth = (SecurityAuthorizationPtr)LookupIDByType(authId,
						SecurityAuthorizationResType);
    if (pAuth)
	return client->trustLevel == pAuth->trustLevel;
    return client->trustLevel == XSecurityClientTrusted;
}
#endif

/* SecurityCensorImage
 *
 * Called after pScreen->GetImage to prevent pieces or trusted windows from
 * being returned in image data from an untrusted window.
 *
 * Arguments:
 *	client is the client doing the GetImage.
 *      pVisibleRegion is the visible region of the window.
 *	widthBytesLine is the width in bytes of one horizontal line in pBuf.
 *	pDraw is the source window.
 *	x, y, w, h is the rectangle of image data from pDraw in pBuf.
 *	format is the format of the image data in pBuf: ZPixmap or XYPixmap.
 *	pBuf is the image data.
 *
 * Returns: nothing.
 *
 * Side Effects:
 *	Any part of the rectangle (x, y, w, h) that is outside the visible
 *	region of the window will be destroyed (overwritten) in pBuf.
 */
void
SecurityCensorImage(client, pVisibleRegion, widthBytesLine, pDraw, x, y, w, h,
		    format, pBuf)
    ClientPtr client;
    RegionPtr pVisibleRegion;
    long widthBytesLine;
    DrawablePtr pDraw;
    int x, y, w, h;
    unsigned int format;
    char * pBuf;
{
    RegionRec imageRegion;  /* region representing x,y,w,h */
    RegionRec censorRegion; /* region to obliterate */
    BoxRec imageBox;
    int nRects;

    imageBox.x1 = x;
    imageBox.y1 = y;
    imageBox.x2 = x + w;
    imageBox.y2 = y + h;
    REGION_INIT(pScreen, &imageRegion, &imageBox, 1);
    REGION_INIT(pScreen, &censorRegion, NullBox, 0);

    /* censorRegion = imageRegion - visibleRegion */
    REGION_SUBTRACT(pScreen, &censorRegion, &imageRegion, pVisibleRegion);
    nRects = REGION_NUM_RECTS(&censorRegion);
    if (nRects > 0)
    { /* we have something to censor */
	GCPtr pScratchGC = NULL;
	PixmapPtr pPix = NULL;
	xRectangle *pRects = NULL;
	Bool failed = FALSE;
	int depth = 1;
	int bitsPerPixel = 1;
	int i;
	BoxPtr pBox;

	/* convert region to list-of-rectangles for PolyFillRect */

	pRects = (xRectangle *)ALLOCATE_LOCAL(nRects * sizeof(xRectangle *));
	if (!pRects)
	{
	    failed = TRUE;
	    goto failSafe;
	}
	for (pBox = REGION_RECTS(&censorRegion), i = 0;
	     i < nRects;
	     i++, pBox++)
	{
	    pRects[i].x = pBox->x1;
	    pRects[i].y = pBox->y1 - imageBox.y1;
	    pRects[i].width  = pBox->x2 - pBox->x1;
	    pRects[i].height = pBox->y2 - pBox->y1;
	}

	/* use pBuf as a fake pixmap */

	if (format == ZPixmap)
	{
	    depth = pDraw->depth;
	    bitsPerPixel = pDraw->bitsPerPixel;
	}

	pPix = GetScratchPixmapHeader(pDraw->pScreen, w, h,
		    depth, bitsPerPixel,
		    widthBytesLine, (pointer)pBuf);
	if (!pPix)
	{
	    failed = TRUE;
	    goto failSafe;
	}

	pScratchGC = GetScratchGC(depth, pPix->drawable.pScreen);
	if (!pScratchGC)
	{
	    failed = TRUE;
	    goto failSafe;
	}

	ValidateGC(&pPix->drawable, pScratchGC);
	(* pScratchGC->ops->PolyFillRect)(&pPix->drawable,
			    pScratchGC, nRects, pRects);

    failSafe:
	if (failed)
	{
	    /* Censoring was not completed above.  To be safe, wipe out
	     * all the image data so that nothing trusted gets out.
	     */
	    bzero(pBuf, (int)(widthBytesLine * h));
	}
	if (pRects)     DEALLOCATE_LOCAL(pRects);
	if (pScratchGC) FreeScratchGC(pScratchGC);
	if (pPix)       FreeScratchPixmapHeader(pPix);
    }
    REGION_UNINIT(pScreen, &imageRegion);
    REGION_UNINIT(pScreen, &censorRegion);
} /* SecurityCensorImage */

/**********************************************************************/

typedef struct _PropertyAccessRec {
    ATOM name;
    ATOM mustHaveProperty;
    char *mustHaveValue;
    char windowRestriction;
#define SecurityAnyWindow          0
#define SecurityRootWindow         1
#define SecurityWindowWithProperty 2
    char readAction;
    char writeAction;
    char destroyAction;
    struct _PropertyAccessRec *next;
} PropertyAccessRec, *PropertyAccessPtr;

static PropertyAccessPtr PropertyAccessList = NULL;
static char SecurityDefaultAction = SecurityErrorOperation;
static char *SecurityPolicyFile = DEFAULTPOLICYFILE;
static ATOM SecurityMaxPropertyName = 0;

static char *SecurityKeywords[] = {
#define SecurityKeywordComment 0
    "#",
#define SecurityKeywordProperty 1
    "property",
#define SecurityKeywordSitePolicy 2
    "sitepolicy",
#define SecurityKeywordRoot 3
    "root",
#define SecurityKeywordAny 4
    "any"
};

#define NUMKEYWORDS (sizeof(SecurityKeywords) / sizeof(char *))

#undef PROPDEBUG
/*#define PROPDEBUG  1*/

static void
SecurityFreePropertyAccessList()
{
    while (PropertyAccessList)
    {
	PropertyAccessPtr freeit = PropertyAccessList;
	PropertyAccessList = PropertyAccessList->next;
	xfree(freeit);
    }
} /* SecurityFreePropertyAccessList */

#ifndef __EMX__
#define SecurityIsWhitespace(c) ( (c == ' ') || (c == '\t') || (c == '\n') )
#else
#define SecurityIsWhitespace(c) ( (c == ' ') || (c == '\t') || (c == '\n') || (c == '\r') )
#endif

static char *
SecuritySkipWhitespace(p)
    char *p;
{
    while (SecurityIsWhitespace(*p))
	p++;
    return p;
} /* SecuritySkipWhitespace */


static char *
SecurityParseString(rest)
    char **rest;
{
    char *startOfString;
    char *s = *rest;
    char endChar = 0;

    s = SecuritySkipWhitespace(s);

    if (*s == '"' || *s == '\'')
    {
	endChar = *s++;
	startOfString = s;
	while (*s && (*s != endChar))
	    s++;
    }
    else
    {
	startOfString = s;
	while (*s && !SecurityIsWhitespace(*s))
	    s++;
    }
    if (*s)
    {
	*s = '\0';
	*rest = s + 1;
	return startOfString;
    }
    else
    {
	*rest = s;
	return (endChar) ? NULL : startOfString;
    }
} /* SecurityParseString */


static int
SecurityParseKeyword(p)
    char **p;
{
    int i;
    char *s = *p;
    s = SecuritySkipWhitespace(s);
    for (i = 0; i < NUMKEYWORDS; i++)
    {
	int len = strlen(SecurityKeywords[i]);
	if (strncmp(s, SecurityKeywords[i], len) == 0)
	{
	    *p = s + len;
	    return (i);
	}
    }
    *p = s;
    return -1;
} /* SecurityParseKeyword */


static Bool
SecurityParsePropertyAccessRule(p)
    char *p;
{
    char *propname;
    char c;
    char action = SecurityDefaultAction;
    char readAction, writeAction, destroyAction;
    PropertyAccessPtr pacl, prev, cur;
    ATOM atom;
    char *mustHaveProperty = NULL;
    char *mustHaveValue = NULL;
    Bool invalid;
    char windowRestriction;
    int size;
    int keyword;

    /* get property name */
    propname = SecurityParseString(&p);
    if (!propname || (strlen(propname) == 0))
	return FALSE;

    /* get window on which property must reside for rule to apply */

    keyword = SecurityParseKeyword(&p);
    if (keyword == SecurityKeywordRoot)
	windowRestriction = SecurityRootWindow;
    else if (keyword == SecurityKeywordAny) 
	windowRestriction = SecurityAnyWindow;
    else /* not root or any, must be a property name */
    {
	mustHaveProperty = SecurityParseString(&p);
	if (!mustHaveProperty || (strlen(mustHaveProperty) == 0))
	    return FALSE;
	windowRestriction = SecurityWindowWithProperty;
	p = SecuritySkipWhitespace(p);
	if (*p == '=')
	{ /* property value is specified too */
	    p++; /* skip over '=' */
	    mustHaveValue = SecurityParseString(&p);
	    if (!mustHaveValue)
		return FALSE;
	}
    }

    /* get operations and actions */

    invalid = FALSE;
    readAction = writeAction = destroyAction = SecurityDefaultAction;
    while ( (c = *p++) && !invalid)
    {
	switch (c)
	{
	    case 'i': action = SecurityIgnoreOperation; break;
	    case 'a': action = SecurityAllowOperation;  break;
	    case 'e': action = SecurityErrorOperation;  break;

	    case 'r': readAction    = action; break;
	    case 'w': writeAction   = action; break;
	    case 'd': destroyAction = action; break;

	    default :
		if (!SecurityIsWhitespace(c))
		    invalid = TRUE;
	    break;
	}
    }
    if (invalid)