Date: Tue, 09 Apr 2024 11:37:09 +0200 From: Jan Beich <jbeich@FreeBSD.org> To: Emmanuel Vadot <manu@bidouilliste.com> Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes Message-ID: <frvu-yj0a-wny@FreeBSD.org> In-Reply-To: <20240409094402.147972b37e03f594f3d7f588@bidouilliste.com> (Emmanuel Vadot's message of "Tue, 9 Apr 2024 09:44:02 %2B0200") References: <202404040955.4349tDrM089062@gitrepo.freebsd.org> <20240404125743.1e52876a69053b726cb456e4@bidouilliste.com> <8r1t-ny0j-wny@FreeBSD.org> <20240404141239.35d54535539b66cd6336ee5b@bidouilliste.com> <7chd-l2ru-wny@FreeBSD.org> <20240404151554.04340786db8562e522f7b1a8@bidouilliste.com> <wmpd-fdbs-wny@FreeBSD.org> <20240405104111.9d9263dfe7ce99a01d620ab3@bidouilliste.com> <o7am-stbh-wny@FreeBSD.org> <20240409094402.147972b37e03f594f3d7f588@bidouilliste.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Emmanuel Vadot <manu@bidouilliste.com> writes: >> > xcsecurity is disabled by default in xorg-server upstream (in meson) >> > and I think that we should do the same (granted that XACE works >> > correctly). >> >> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59 >> # X-ACE extension: provides hooks for building security policy extensions >> # like XC-Security, X-SELinux & XTSol >> >> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left >> with the legacy XC-Security (trusted/untrusted) or nothing. > > No, We build with X-ACE currently and this isn't what the doc is > saying. It just says that X-ACE is somewhat what X-SELinux and XTSol is. > In fact it seems that XCSECURITY imply X-ACE, I haven't looked > at the code but it's possible that the XCSECURITY code is using X-ACE > as the backend. X-ACE is not an extension by itself like pfil(9) is not a firewall by itself. xdpyinfo(1) doesn't list ACE unlike SECURITY, and X-ACE lacks public API. X-ACE is enabled by default because X-SElinux is (in Meson unlike autotools). Out-of-tree vendors were probably meant to use X-ACE via dynamically loaded extensions[1] (thus need X-ACE by default) or as an open source base in proprietary forks. [1] Plugins under /usr/local/lib/xorg/modules/extensions/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?frvu-yj0a-wny>