From nobody Tue Apr 9 09:56:53 2024 X-Original-To: dev-commits-ports-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VDLw86Hp0z5Gd1h; Tue, 9 Apr 2024 09:56:56 +0000 (UTC) (envelope-from manu@bidouilliste.com) Received: from mx.blih.net (mx.blih.net [212.83.155.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4VDLw818zTz4fGg; Tue, 9 Apr 2024 09:56:55 +0000 (UTC) (envelope-from manu@bidouilliste.com) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bidouilliste.com; s=mx; t=1712656614; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ls1AsXmdnLmzFu2MrMpscH3vfsYZDi66qmrn9hylpvo=; b=I8zhVCejJ6/C4IQzkZppXjCxxgvmhd8oU9NQvDvDVfi13mnx8CCKluTpDSzujKynH9sY6y NmkT4069HNFpyzOttfOwBjVRyDDKyNCvChHHM5br8NfOkTIqfwOyC+sPKBorvFHtQAUHmg SqEzsu5QyNMZgLu8aYnNIfhXTA1s6aw= Received: from skull.home.blih.net (lfbn-lyo-1-2174-135.w90-66.abo.wanadoo.fr [90.66.97.135]) by mx.blih.net (OpenSMTPD) with ESMTPSA id 6a8ccd31 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Tue, 9 Apr 2024 09:56:54 +0000 (UTC) Date: Tue, 9 Apr 2024 11:56:53 +0200 From: Emmanuel Vadot To: Jan Beich Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes Message-Id: <20240409115653.c0377095e67f14f8c1d0c718@bidouilliste.com> In-Reply-To: References: <202404040955.4349tDrM089062@gitrepo.freebsd.org> <20240404125743.1e52876a69053b726cb456e4@bidouilliste.com> <8r1t-ny0j-wny@FreeBSD.org> <20240404141239.35d54535539b66cd6336ee5b@bidouilliste.com> <7chd-l2ru-wny@FreeBSD.org> <20240404151554.04340786db8562e522f7b1a8@bidouilliste.com> <20240405104111.9d9263dfe7ce99a01d620ab3@bidouilliste.com> <20240409094402.147972b37e03f594f3d7f588@bidouilliste.com> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; amd64-portbld-freebsd15.0) List-Id: Commits to the quarterly branches of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: dev-commits-ports-branches+owner@freebsd.org X-BeenThere: dev-commits-ports-branches@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:12876, ipnet:212.83.128.0/19, country:FR] X-Rspamd-Queue-Id: 4VDLw818zTz4fGg On Tue, 09 Apr 2024 11:37:09 +0200 Jan Beich wrote: > Emmanuel Vadot writes: > > >> > xcsecurity is disabled by default in xorg-server upstream (in meson) > >> > and I think that we should do the same (granted that XACE works > >> > correctly). > >> > >> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59 > >> # X-ACE extension: provides hooks for building security policy extensions > >> # like XC-Security, X-SELinux & XTSol > >> > >> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left > >> with the legacy XC-Security (trusted/untrusted) or nothing. > > > > No, We build with X-ACE currently and this isn't what the doc is > > saying. It just says that X-ACE is somewhat what X-SELinux and XTSol is. > > In fact it seems that XCSECURITY imply X-ACE, I haven't looked > > at the code but it's possible that the XCSECURITY code is using X-ACE > > as the backend. > > X-ACE is not an extension by itself like pfil(9) is not a firewall by itself. > xdpyinfo(1) doesn't list ACE unlike SECURITY, and X-ACE lacks public API. > > X-ACE is enabled by default because X-SElinux is (in Meson unlike autotools). I think it's more complex than than, x-ace is needed when xcsecurity is enabled too, see https://gitlab.freedesktop.org/xorg/xserver/-/blob/master/meson.build?ref_type=heads#L543 > Out-of-tree vendors were probably meant to use X-ACE via dynamically > loaded extensions[1] (thus need X-ACE by default) or as an open source > base in proprietary forks. > > [1] Plugins under /usr/local/lib/xorg/modules/extensions/ Could be, I honestly don't care much about Xorg :) Anyway, xcsecurity seems to be required for ssh -X, looks like nothing else can be used. That doesn't explain why it's not enabled by default in xorg-server upstream but explain why everyone enables it, so I'll switch it to enabled for x11-servers/xwayland. -- Emmanuel Vadot