Date:      Tue, 9 Apr 2024 11:56:53 +0200
From:      Emmanuel Vadot <manu@bidouilliste.com>
To:        Jan Beich <jbeich@FreeBSD.org>
Cc:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes
Message-ID:  <20240409115653.c0377095e67f14f8c1d0c718@bidouilliste.com>
In-Reply-To: <frvu-yj0a-wny@FreeBSD.org>
References:  <202404040955.4349tDrM089062@gitrepo.freebsd.org> <20240404125743.1e52876a69053b726cb456e4@bidouilliste.com> <8r1t-ny0j-wny@FreeBSD.org> <20240404141239.35d54535539b66cd6336ee5b@bidouilliste.com> <7chd-l2ru-wny@FreeBSD.org> <20240404151554.04340786db8562e522f7b1a8@bidouilliste.com> <wmpd-fdbs-wny@FreeBSD.org> <20240405104111.9d9263dfe7ce99a01d620ab3@bidouilliste.com> <o7am-stbh-wny@FreeBSD.org> <20240409094402.147972b37e03f594f3d7f588@bidouilliste.com> <frvu-yj0a-wny@FreeBSD.org>

On Tue, 09 Apr 2024 11:37:09 +0200
Jan Beich <jbeich@FreeBSD.org> wrote:

> Emmanuel Vadot <manu@bidouilliste.com> writes:
> 
> >> >  xcsecurity is disabled by default in xorg-server upstream (in meson)
> >> > and I think that we should do the same (granted that XACE works
> >> > correctly).
> >> 
> >> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
> >>   # X-ACE extension: provides hooks for building security policy extensions
> >>   # like XC-Security, X-SELinux & XTSol
> >> 
> >> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
> >> with the legacy XC-Security (trusted/untrusted) or nothing.
> >
> >  No, we build with X-ACE currently and this isn't what the doc is
> > saying. It just says that X-ACE is somewhat what X-SELinux and XTSol are.
> >  In fact it seems that XCSECURITY implies X-ACE, I haven't looked
> > at the code but it's possible that the XCSECURITY code is using X-ACE
> > as the backend.
> 
> X-ACE is not an extension by itself like pfil(9) is not a firewall by itself.
> xdpyinfo(1) doesn't list ACE unlike SECURITY, and X-ACE lacks public API.
> 
> X-ACE is enabled by default because X-SELinux is (in Meson unlike autotools).

 I think it's more complex than that, x-ace is needed when xcsecurity
is enabled too, see
https://gitlab.freedesktop.org/xorg/xserver/-/blob/master/meson.build?ref_type=heads#L543

> Out-of-tree vendors were probably meant to use X-ACE via dynamically
> loaded extensions[1] (thus need X-ACE by default) or as an open source
> base in proprietary forks.
> 
> [1] Plugins under /usr/local/lib/xorg/modules/extensions/

 Could be, I honestly don't care much about Xorg :)

 Anyway, xcsecurity seems to be required for ssh -X, looks like nothing
else can be used. That doesn't explain why it's not enabled by default
in xorg-server upstream but explains why everyone enables it, so I'll
switch it to enabled for x11-servers/xwayland.

-- 
Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>


