Last update: 24 Oct 2002 by
zunrob
The X Supervisor Extension provides a security model for the X Window System. In the model, the server and a special client (the supervisor) contribute to the definition of the security policy. The server checks every about-to-be-processed request against its internal server policy (usually hardcoded in the server or configurable to some extent by the administrator of the server). Whenever the internal server policy is violated, the server asks the supervisor to check the request against its policy (fully defined by the user, who can write his/her own supervisor client). If the supervisor policy is also violated, the request is rejected.
In this document, the term trusted client refers to a client that successfully authenticated with the server using a trusted cookie, as specified by the X Security extension. Similarly, the term untrusted client is used for a client that successfully authenticated using an untrusted cookie.
The term internal server policy denotes a security policy
implemented by the server. The internal server policy is used
to compute whether a request from a client is allowed or rejected. In
the latter case the internal server policy specifies which
action must be taken instead of the normal request processing
(e.g. whether to ignore the request, or to generate an X core error,
etc.): this will be referred as the rejection handling. The
internal server policy can be defined in terms of any
information stored in the server: in particular, it is highly
recommended that the internal server policy be based on
whether the request comes from a trusted client or an
untrusted one. Requests from trusted clients should
always be allowed.
This document does not define the internal server
policy. A server which implements the X Supervisor Extension can
use any internal server policy. For instance, the
internal server policy could be defined as the policy
specified by the X Security extension.
This extension is hidden from untrusted clients.
The server, at any time, is either supervised or non-supervised. Whenever the server is supervised, a special client (the supervisor) contributes to the server security policy as specified in this document, thus refining the internal server policy. When the server is non-supervised, no supervisor exists. At any time, there is at most one supervisor client. At startup, the server is initially non-supervised.
The transition from the non-supervised state to the
supervised one occurs when a SupervisorCandidate request is
received from a trusted client. The transition from the
supervised state to the non-supervised one occurs
when a SupervisorResign request is
received from the supervisor or the supervisor
connection is closed.
Each client, at any time, is either running or suspended. After the connection to the server, a client is running. Trusted clients are always running.
When a client is suspended, the processing of requests and of
close-down on its connection is disabled. A suspended client can
be still forced to close down by another client (e.g. with a
KillClient core request).
Except as explicitly noted below, when the server is supervised and it is about to process a request from an untrusted client, the request is checked against the internal server policy and if the request is allowed, it is processed. Otherwise, if the untrusted client is holding the server grab, the request is rejected and rejection handling is performed. Otherwise, the following actions are performed:
SupervisorNotify event is sent to the
supervisor.
A suspended client returns in the running state when
a SupervisorPronounceVerdict
request (related to that client) is received from the
supervisor. The request whose rejection caused the client to
become suspended is then processed in a special way as
specified in the description of
SupervisorPronounceVerdict.
On a transition to the non-supervised state, the server
behaves as if the supervisor sent a
SupervisorPronounceVerdict
request for each suspended client with the
verdict field set to False, except that the
supervisor request sequence number is not
affected. Therefore, when the server is non-supervised, there
may be no suspended clients.
Clients that wish to use the Supervisor extension must ensure that the
extension is supported by the server by sending a
QueryExtension core request, using
"Supervisor" as the name of the extension. In
this document, we write MajorOp, EvBase and
ErBase for the major opcode, first event number and first
error number, respectively, as reported in the
QueryExtension reply.
Clients should also check the version of the extension
supported by the server by sending a SupervisorQueryVersion request,
thus obtaining the major and minor version number.
4 CARD32 client resource id base 4 CARD32 client resource id mask
A CLIENTID is a unique identifier for X clients. It is
composed by the resource-id-base and
resource-id-mask fields that the client was sent during
the initial connection setup with the server.
In order to check whether a resource has been created by a client with
a known CLIENTID, it is sufficient to test if
(resource-id AND NOT mask) == base.
The extension uses only the errors specified in the X core protocol.
1 EvBase code
1 BYTE client request opcode
2 CARD16 sequence number
8 CLIENTID client
4 CARD32 client request length
4 CARD32 resource
1 resource type
0 Other
1 Window
2 Pixmap
3 GC
4 Font
5 Cursor
6 Colormap
7 ColormapEntry
1 access mode
0 Other
1 ReadAccess
2 WriteAccess
3 DestroyAccess
1 BOOL client coaligned
5 unused
The SupervisorNotify event is sent to the
supervisor whenever a request (with major opcode client
request opcode and length client request length,
in 4-bytes units) from an untrusted client (identified by
client) is rejected by the internal server
policy. If the request is rejected because the access to some
resource is denied, the resource, resource
type and access mode fields are filled accordingly
(the actual resource id and access mode are policy-defined, the
resource type is infered from the resource id); if this is not the
case, the above fields are set respectively to 0xe0000000
(invalid resource id), Other and Other.
By setting the client coaligned field to
True, the server informs the supervisor about
its ability to handle a SupervisorGetRequest for the
request that caused the event without endianness issues, as described
below. Usually, this is because the server
shares the same endianness with both the suspended client and
the supervisor or it performs the necessary byte-swaps.
In the requests definition, we write MajorOp for the
extension major opcode, as it appears in the reply of a
QueryExtension core request.
1 MajorOp opcode 1 0 SupervisorQueryVersion 2 1 request length -> 1 1 Reply 1 unused 2 CARD16 sequence number 4 0 reply length 2 CARD16 major version 2 CARD16 minor version 20 unused
The SupervisorQueryVersion request asks the server for
the major and minor version number it supports.
A reply is generated with the major version and
minor version set to the maximum version number of the
extension the server supports. The version number of the protocol
described by this document is reported at the beginning of this document.
1 MajorOp opcode 1 1 SupervisorCandidate 2 1 request length -> 1 1 Reply 1 BOOL success 2 CARD16 sequence number 4 0 reply lenght 24 unused
The SupervisorCandidate request candidates the client to
be the supervisor.
If the server is non-supervised, the client becomes the
supervisor, a reply is generated with the success
field set to True and the server becomes
supervised. Otherwise, no action is performed and a reply is
generated with the success field set to False.
1 MajorOp opcode 1 2 SupervisorResign 2 1 request length
The SupervisorResign request makes the client lose the
supervisor status.
If the client is the supervisor, the server becomes non-supervised. Otherwise, no action is performed.
1 MajorOp opcode 1 3 SupervisorPronounceVerdict 2 4 request length 8 CLIENTID client 1 BOOL verdict 3 unused
The SupervisorPronounceVerdict request resumes a
suspended client, specifying whether special permissions are
granted for the processing of the request that was rejected by the
internal server policy.
If the client (the requestor) is not the supervisor, a
BadAccess error occurs. If the client field
does not match an actual client a BadValue error occurs
reporting the client base as the invalid value. If the matching client
is not suspended, a BadMatch occurs.
Otherwise, the following actions are performed (in an asynchronous way
with respect to the processing of the
SupervisorPronounceVerdict request):
verdict field is True, the result of the
internal server policy is computed as if the client were
trusted.1 MajorOp opcode 1 4 SupervisorGetRequest 2 5 request length 8 CLIENTID client 4 CARD32 client request offset 4 CARD32 client request length -> 1 1 Reply 1 unused 2 CARD16 sequence number 4 n reply length 24 unused 4n LISTofCARD32 client request extract
The SupervisorGetRequest request "peeks" a
request of a suspended client.
If the client (the requestor) is not the supervisor, a
BadAccess error occurs. If the client field
does not match an actual client a BadValue error occurs
reporting the client base as the invalid value. If the matching client
is not suspended, a BadMatch occurs.
Otherwise, an extract from the first pending request of the matching
client is sent along with the reply. The client request
offset and client request length fields specify,
in 4-byte units, the offset and length of the extract.
If the specified offset is greater than the atcual length of the
request, the returned extract is empty. Otherwise the extract is
formed from byte 4*offset till byte
4*(offset+length) (excluded) or the end of the request,
whichever comes first.
Each 16-bit or 32-bit value in the request extract is not guaranteed
to be encoded in the supervisor endianness, unless in the
related SupervisorNotify event the
client coaligned field was set to True.
1 MajorOp opcode 1 5 SupervisorGetClient 2 2 request length 4 CARD32 resource -> 1 1 Reply 1 unused 2 CARD16 sequence number 4 0 reply length 8 CLIENTID client 16 unused
The SupervisorGetClient request obtains a
CLIENTID from a resource id.
If the
resource field does not specify an actual server
resource, a BadValue error occurs. Otherwise, a reply is
sent to the client with the CLIENTID for the resource
creator. As a special case, if the resource has been created by the
server (e.g. a root window) the base and
mask in the client field are set to zero.
1 MajorOp opcode 1 6 SupervisorKillClient 2 3 request length 8 CLIENTID client
The SupervisorKillClient request forces a close-down of a client.
If the client does not specify a valid client, a
BadValue error occurs. Otherwise, the client is killed
as by the KillClient core request.
Last update: 24 Oct 2002 by
zunrob