The X protocol specifies four types of messages that can be transferred over
the network.
Requests are sent from the client to the server, and replies, events and errors
are sent from the server to the client.
Replies contain data requested by a client.
Events represent asynchronous activity the client has expressed interest in.
Errors are normally sent in response to malformed requests, but can
occur at any time.
Requests manipulate server side objects,
called resources, referenced by an integer resource ID.
Resources are created by requests, and are freed by requests or when
connections are closed.
Most resources are potentially sharable between applications.
Resources are identified in the X protocol by integers. The
client that creates the resource gives an initial identifier for it.
The X server may change that identifier, usually adding a client id
to the high bits of the integer.
Clients normally get resource identifiers of objects in the X server
by using various query methods.
However, clients can reference unknown resources by guessing the resource
identifier.
Security labels are placed on objects that may be shared, and hence
constitute a communication or control channel through which the system's
security policy might be violated.
Windows are manipulated explicitly by the client application and the
window manager application.
Fonts and cursors are shared automatically across multiple screens, and
colormaps are frequently shared by applications.
Graphic Contexts (GC) are never shared between clients,
and are not labeled and have no control requirements.
Similarly, Fontable object are not labeled.
Any request that takes a Fontable object will check the security information
of the font passed in, or the default font of the graphic context.
The X protocol defines several other primitive types, such as integers of
various sizes, time stamps, enum constants, and atoms.
With the exception of atoms, these types in the X protocol do not represent
objects in the server, and so can not be labeled.
An atom is an integer type that references a string constant.
As such, atoms have no significant role
as objects in the server and are not labeled.
Design
This section describes the design for integrating the Flask security
mechanisms into the X Window system.
It begins with a discussion of the object classes and permissions defined
for the X Window system component.
This is followed by a description of the control requirements for the
X protocol operations used to manage X server objects.
Finally, an extension for security-aware applications is described.
Object Classes
The logical abstractions provided by the X Window system were
studied to determine the set of object classes that need to be labeled and
controlled by the security enhanced X server.
The set of object classes for the X Window system component is shown
in Table 1.
The Drawable object class does not represent a type of
object actually found in the X server, although it is a type recognized
by the X protocol.
X requests that draw to an object currently take either a Pixmap
or a Window as a target, and
the Drawable will represent this object.
For the purposes of defining permissions, the
Drawable object class is defined to be a separate entity.
In the modified X server, whenever a Window or a Pixmap object is created, a Drawable permission class will
be used for permission checks related to draw operations.
Table 1. Object classes for the X Window system component
| Object Class | Description |
|---|
| Drawable | A virtual object for output operations |
| Window | The base input and output object for an application |
| Font | An array of glyphs |
| Colormap | a color index |
| Cursor | cursor graphics |
| Client | An client to the X server |
Server objects other than those listed in Table 1
will be labeled in the secure server. In particular, there will be
labels for a single Server object and the Input object.
Those objects do not have particular permissions, and so are not
listed as object classes here.
Permissions
For each object class, a set of permissions is defined to control access
to objects in that class.
These permissions were identified by studying the services provided by the
X Window system component.
For each service, the objects whose state is observed or modified by the
service were identified, and permissions for the corresponding object
classes were defined.
Client Permissions
While client objects are frequently used as subjects to permission checks,
the Client object class has only one permission, the
permission needed to disconnect a client from the server.
For most other checks, the context of a Window object, or
other resource, will be used for the permission checks.
Table 2. Permissions for the Client object class
| Permission(s) | Description |
|---|
| kill | Close down a client |
Drawable Permissions
Table 3 shows the permissions defined for controlling
access to the Drawable object class.
Window objects and Pixmap objects are the actual
arguments passed to drawing requests.
The context of a Drawable object is derived from the window or
client that created it.
Table 3. Permissions for the Drawable object class
| Permission(s) | Description |
|---|
| create | Create a Drawable object |
| destroy | Destroy a Drawable object |
| draw | Draw into a Drawable object |
| copy | Copy pixels from a Drawable object |
| getattr | Get attributes from a Drawable object |
Window Permissions
Table 4 shows the permissions defined for controlling
access to the Window object class.
A window is a rectangular area on the screen into which a client can draw.
Windows are frequently nested and overlap. For example, a top-level window
for Mozilla could have 20 or 30 windows inside of it.
When a top-level window is created, it is assigned a context derived from the
client that created it.
When a child window is created, it is assigned a context derived from its
parent.
Since windows are considered Drawable objects,
and passed into drawing functions, the create
permission of the Drawable is checked when a Window is created if the window is defined as an input/output
window.
The context of a new Drawable is derived from the
context of the associated window, and thus from the context of the
client.
The context of the Drawable will be used for the checks for drawing functions.
A window also has a collection of properties.
Properties are named bits of data, usually in the form of text strings.
Example properties include window manager hints and cut-and-paste messages.
Since the name is arbitrary, both the name of the property and the value
of the property could be used to transmit information between clients.
Certain common property names are used by convention and are frequently
set and queried. It would be useful for a policy to be able to differentiate
between properties by name, but, without any initial labeling step, it may
not be possible.
It is possible to avoid labeling property objects, instead relying on
a less fine-grained permission to change any window property.
While there is sufficient state contained in a property object to justify
labeling it, there does not appear to be any way to meaningfully distinguish
between properties.
Table 4. Permissions for the Window object class
| Permission(s) | Description |
|---|
| addchild | Create a new window |
| create | Create a new window |
| destroy | Destroy a window |
| map | Map a window |
| unmap | Unmap a window |
| chstack | Change stacking order |
| chproplist | Change properly lists |
| chprop | Change a properly |
| listprop | Query properties |
| getattr | Get window attributes |
| setattr | Set window attributes |
| move | Move window |
| chselection | Change selection |
| chparent | Change parent |
| ctrllife | Control lifetime |
| enumerate | List child windows |
| clientcomevent | | inputevent | | drawevent | | windowchangeevent | | windowchangerequest | | serverchangeevent |
| Send an Event |
Font Permissions
Table 5 shows the permissions defined for controlling
access to the Font object class.
See Table 15 in the Section called Control Requirements for Fonts and Text for the control requirements.
Increasingly, fewer applications use X server provided fonts objects.
The anti-aliased font support from the Xft library actually loads the font
metrics on the client, then uses the RENDER extension to draw them with
transparency support.
Mediation on font objects may not be needed except for legacy applications.
Table 5. Permissions for the Font object class
| Permission(s) | Description |
|---|
| load | Load a font |
| free | Free (dereference) a font |
| getattr | Obtain font names, path, etc. |
| use | Use a font for drawing |
Color and Colormap Permissions
Table 6 shows the permissions defined for controlling
access to the Color object class.
As with colormaps (below), it may be possible to assume static, high color
displays, eliminating the need to track Color objects.
Table 6. Permissions for the Color object class
| Permission(s) | Description |
|---|
| create | Create a new Color |
| free | Free a Color |
| lookup | Look up string name of color |
Table 7 shows the permissions defined for controlling
access to the Colormap object class.
A colormap is a color lookup table.
It is simply an array of colors in any order.
The color of a given pixel
is obtained by combining the pixel values with the colormap.
Colormaps are associated with windows. Before the colors of a given colormap
are reflected on the screen, the colormap must be
installed.
Colormaps only have meaning in relation to Visuals.
Visuals can be grey-scale or color, static or dynamic.
The most frequently used Visuals under Linux are
PseudoColor and TrueColor.
On a PseudoColor screen, pixel values index into a
changeable colormap of red, green, and blue values.
PseudoColor is usually used for 8-bit-per-plane color
displays.
On a TrueColor screen, pixel values are decomposed into
separate red, green, and blue fields.
Each component is then used as an index into a pre-defined fixed color lookup
table.
TrueColor is usually used for 24-bit-per-plane color displays.
Applications can share colormaps.
Windows inherit the colormap of their parent, and most applications inherit
the colormap of the root window.
The standard dynamic colormap starts with just black and white defined, with
other colors being defined as applications need them.
An application that wants more control over the colormap can create its own
colormap and then alter it.
A security policy needs to control colormaps both to prevent unwanted
communication between client applications and to protect
client applications from modifying the display of other applications.
For example, a malicious application can blank out a terminal emulator window
by setting the
foreground and background colors in that window's colormap to be the same.
In recent years, the trend has been toward 24-bit-per-plane and higher
displays, usually running the TrueColor visual.
On displays with only static colormaps, the Color objects in the
Colormap can not be changed by client applications, thereby
reducing mischief.
Control requirements for the full set of colormap definitions are provided
in the Section called Control Requirements for Colors and Colormaps.
Table 7. Permissions for the Colormap object class
| Permission(s) | Description |
|---|
| create | Create a new Colormap |
| free | Free a Colormap |
| install | Copy a virtual colormap into the display hardware |
| uninstall | Remove a virtual colormap from the display hardware |
| list | List installed colormaps |
| read | Read color cells of colormap |
| store | Change color cells in colormap |
| getattr | Get the color gamut of a screen |
| setattr | Set aspects of color conversion |
Cursor Permissions
Table 8 shows the permissions defined for controlling
access to the Cursor object class.
Cursor objects are constructed with the CreateCursor request from a bitmap object, or more commonly created
with CreateGlyphCursor from a font glyph.
Normally the cursor is created from a standard cursor font.
Cursor objects, particularly ones created from the standard cursor
font, are logically local to a single client, but in practice are shared
for the whole server.
Cursor objects are associated with windows, and set via the
CreateWindow request.
Table 8. Permissions for the Cursor object class
| Permission(s) | Description |
|---|
| create | Create an arbitrary cursor object |
| createglyph | Create a cursor object from a font |
| assign | Associate a cursor object with a window |
| setattr | Set attributes of the cursor |
Input and Server Permissions
Table 9 shows the permissions defined for controlling
access to the Input object class.
The mousemotion permission is listed here for
detailed mouse motion events.
However, there are no explicit permissions for normal mouse and keyboard input,
as nearly all applications receive these events.
If an application should not receive any input events, the policy can
restrict the applications access to input events by controlling the
inputevent permission in the Window
Object class.
The permission to relabel the input device will be used by a trusted
window manager to help properly direct input.
See Table 19 in the Section called Extensions for the relevant control requirements.
Table 9. Permissions for the Input object classes
| Permission(s) | Description |
|---|
| getattr | Get input device attributes, such as keyboard mapping, pointer controls, etc. |
| setattr | Set input device attributes |
| grab | Grab server input, mouse or keyboard |
| passivegrab | Arrange to Grab server input, mouse or keyboard |
| bell | Ring the bell |
| mousemotion | Get Mouse Motion Events |
| relabelinput | Relabel the Input Stream |
Table 10 shows the permissions defined for controlling
access to the Server object class.
Few applications need these permissions, generally only system configuration
tools.
Usually the objects protected by these permissions will receive their initial
values during the X server startup process, and not be modified again.
Table 10. Permissions for the Server object classes
| Permission(s) | Description |
|---|
| screensaver | Manage the screen saver |
| hostcontrol | Control host access |
| setfontpath | Set the font search path |
| getext | Query or list extensions |
| getattr | Get attributes of the server |
Control Requirements
In this section control requirements are now defined for each X protocol
request that manipulates the objects managed by the X server.
The control requirements specify the permissions that must be granted for
the request to successfully execute.
In the following tables, the control requirements for each request are
specified, where each control requirement is described by the class,
permissions, source SID (SSID), and target SID (TSID) used in a permission
check.
Since multiple requests may have the same requirements, more than one request
may be listed in the leftmost column of a single table entry.
In this case, all of the requirements in that table entry apply to all of
the requests.
Control Requirements for Drawables
The requests that reference objects of the Drawable object class
are mostly draw functions.
The only permission that they need to checked is the
permission to draw to that object.
The CopyArea, CopyPlane, and
GetImage requests can also copy the contents of
a Drawable, so these methods will also check for this permission.
The GetGeometry request returns the geometry of the
Drawable, which could have been either a Window
or a Pixmap.
The X server will only check the permissions relevant to the
actual object type.
The PolyText8, PolyText16,
ImageText8, and ImageText16, requests
are listed in Table 15 in the Section called Control Requirements for Fonts and Text with other font requests.
Table 11. X Server Drawable Object Control Requirements
| Operation | Class | Permission | Source SID | Target SID |
|---|
| ClearArea | | FillPoly | | PolyArc | | PolyFillArc | | PolyFillRectangle | | PolyLine | | PolyPoint | | PolyRectangle | | PolySegment | | PutImage |
| Drawable | draw | client | window.drawable |
| Drawable | | client | |
| GetImage | Drawable | copy | client | drawable |
| GetGeometry | | | client | drawable |
Control Requirements for Windows
As windows are the base input and output object for most X applications,
the control requirements for the Window object class are
extensive.
The entry in the control table for CreateWindow
is abbreviated.
The CreateWindow request takes an array of attributes
which it uses to set the initial values for the window.
This array is the same array that is passed to
ConfigureWindow, and so the same permission checks
will need to be performed.
Table 12 covers many of the situations in which event
permissions will be checked, but not all of them.
The event permissions will be checked whenever an event of the appropriate
type is sent to the client.
This may be as direct result of a client request, in which case
the permissions are listed with the request, or it may be more indirect.
If the event was spawned directly from a client request, as in the case
of the SendEvent and the
SelectionClear requests, the SSID will be the SID of
the client.
Otherwise, the SSID will be the SID of the X server.
For input events, the SID will be the SID of the Input object, a
second virtual singleton object.
The label of the Input object will initially
be the same as the server's SID, but may be changed by a trusted
window manager.
The target SID checked is the SID of the window which is nominally
the target of the event.
Table 12. X Server Window object Control Requirements
| Operation | Class | Permission | Source SID | Target SID |
|---|
| ChangeProperty | Window | | | |
| ChangeSaveSet | Window | | | |
| ChangeWindowAttributes | Window | | client | window |
| CirculateWindow | Window | chstack | client | window |
| | Window | | Window | | Window | | Window | | Window | | Window | | Cursor |
| | setattr | | move | | chstack | | windowchangeevent | | windowchangeevent | | windowchangerequest | | assign |
| | client | | client | | client | | client | | client | | client | | client |
| | window | | window | | window | | window | | window.parent | | window.parent | | cursor |
|
| ConvertSelection | Window | | | |
| CreateWindow | | Window | | Window | | Window | | Window | | Window | | Window | | Drawable |
| | create | | setattr | | chstack | | move | | addchild | | windowchangeevent | | create |
| | client | | client | | client | | client | | client | | client | | client |
| | window | | window | | parent | | window | | parent | | parent | | window |
|
| DeleteProperty | Window | | | |
| DestroyWindow | | DestroySubwindows |
| | Window | | Window | | Window | | Drawable | | Window |
| | enumerate | | unmap | | destroy | | destroy | | windowchangeevent |
| | client | | client | | client | | client | | client |
| | window | | twindow | | twindow | | twindow.drawable | | twindow |
|
| GetMotionEvents | Input | mousemotion | client | window |
| GetProperty | Window | listprop | client | window |
| GetWindowAttributes | Window | getattr | client | window |
| KillClient | Client | kill | client | resource.owner |
| ListProperties | Window | listprop | client | window |
| MapWindow | | Window | | Window | | Window | | Window | | Drawable |
| | getattr | | windowchangeevent | | windowchangeevent | | drawevent | | copy |
| | client | | client | | client | | client | | client |
| | window | | window | | window.parent | | window | | coveredwindow |
|
| MapSubwindows | | Window | | Window | | Window | | Window | | Window | | Drawable |
| | enumerate | | getattr | | windowchangeevent | | windowchangeevent | | drawevent | | copy |
| | client | | client | | client | | client | | client |
| | window | | window.child | | window.child | | window | | window | | window.child | | coveredwindow |
|
| QueryTree | Window | | | |
| RotateProperties | Window | | chproplist | | windowchangeevent |
| | |
| ReparentWindow | Window | | addchild | | chparent | | move | | windowchangeevent | | windowchangeevent | | windowchangeevent |
| | client | | client | | client | | client | | client | | client |
| | parent | | window | | window | | window | | parent | | event |
|
| SendEvent | Window | | clientcomevent | | inputevent | | drawevent | | windowchangeevent | | windowchangerequest | | serverchangeevent |
| client | window |
| SetInputFocus | | | | |
| SetSelectionOwner | Window | | chselection | | chselection | | clientcomevent |
| | | selection.window | | window | | selection.window |
|
| TranslateCoordinates | Window | | | |
| UnmapWindow | | UnmapSubwindows |
| Window | | enumerate | | getattr | | windowchangeevent | | windowchangeevent |
| | | window | | window | | window | | window.parent |
|
| WarpPointer | | | grab | | inputevent | | inputevent | | getattr |
| | | input | | srcwindow | | destwindow | | srcwindow |
|
Control Requirements for Input
Sometimes an X client wishes to prevent other clients from receiving
input from the keyboard or the mouse.
For example, an application wishing to see if a click is a click or
a drag will need to compare button press and release events.
This is much easier if it can prevent other applications from receiving
pointer events until drag is finished.
The X server implements ``grab'' functionality to support these applications.
By calling GrabKeyboard or
GrabPointer, the application immediately grabs the input
from the keyboard or the pointer, redirecting all future input to the client
until the grab is released.
The GrabKey and GrabButton calls
specify conditions when a grab will occur.
Pointer grabs are used to generate system modal dialogs, a practice of
declining popularity.
Keyboard grabs are rarely used, but the ssh-ask graphical application for
grabbing the pass-phrase for ssh uses it to prevent keyboard snooping.
A malicious application can currently change the keyboard mappings in order
to disrupt the user.
Changes to the input settings are closely related to user preferences,
so prudent policies will limited these changes to direct action from the user.
As the keyboard keymap is shared by all applications, the context of
the single server object will be used on permission checks.
Like other server parameters, these settings may be changed during
the server initialization, but generally won't be during normal use.
This may not be the case with international users, however.
Both KDE and GNOME come with mini applications to change the
keyboard mappings, primarily targeted at users of international
keyboards.
Applications need to query the state of they keyboard to translate
the keycode in a ButtonDownEvent with the character
that keycode represents.
Very few policies will want to restrict the ability of a client to
query the keyboard state.
Table 13. Input Control Requirements
| Operation | Class | Permission | Source SID | Target SID |
|---|
| Input | passivegrab | client | server |
| Input | grab | client | screen |
| AllowEvents | | UngrabButton | | UngrabKey | | UngrabKeyboard | | UngrabPointer |
| Input | ungrab | client | server |
| GetKeyboardControl | | GetPointerControl | | GetPointerMapping | | GetModifierMapping | | QueryKeymap | | QueryPointer |
| Input | getattr | client | Server |
| ChangeKeyboardControl | | ChangePointerControl | | SetModifierMapping | | SetPointerMapping |
| Input | setattr | client | Server |
Control Requirements for Colors and Colormaps
The control requirements for X protocol operations that manage
Color and Colormaps objects are described in this
section.
Table 14. Color and Colormap Control Requirements
| Operation | Class | Permission | Source SID | Target SID |
|---|
| AllocColor | | | | |
| AllocColorCells | | | | |
| AllocColorPlanes | | | | |
| AllocNamedColor | | | | |
| CopyColormapAndFree | | | | | new colormap | | source colormap | | source colormap |
|
| CreateColormap | | | | |
| FreeColormap | | | | |
| FreeColors | | | | |
| InstallColormap | Colormap | | | |
| ListInstalledColormaps | Colormap | | | |
| LookupColor | Color | | | |
| QueryColors | Colormap | | | |
| StoreColors | Colormap | | | |
| StoreNamedColor | Colormap | | | |
| UninstallColormap | Colormap | | | |
Control Requirements for Fonts and Text
The control requirements for X protocol operations that manage Font objects and text manipulation are described in this section.
The Font objects are centralized in the server for performance
reasons. An application lists the fonts, loads the fonts it wants to use, and
then uses the font to draw into a Drawable.
The SID for a Font object will be derived from the label of the
font source file, allowing the policy to make font-specific decisions.
Table 15. Font and Text Control Requirements
| Operation | Class | Permission | Source SID | Target SID |
|---|
| CloseFont | | | | |
| GetFontPath | | | | |
| | | | |
| ListFonts | | ListFontsWithInfo |
| | | | |
| OpenFont | | | | |
| | | | |
| QueryFont | | | | |
| QueryTextExtents | | | | |
Control Requirements for Pixmaps
A Pixmap object is normally used by applications to cache
the results of drawing operations.
The client will initially draw some complex entity to a pixmap,
then copy that pixmap to the target window.
Reading a client's pixmap is therefore equivalent to reading the data
from the client's window, and writing to the pixmap may be equivalent
to writing to the client's window.
While a Window object is more than just a Drawable
object, the same can not be said for a Pixmap;
thus Pixmap object in the server is represented in the
policy only by Drawable objects.
Creating a Pixmap creates a Drawable.
The Drawable's context is derived from the context of the
client that creates it.
Table 16. Pixmap Control Requirements
| Operation | Class | Permission | Source SID | Target SID |
|---|
| CreatePixmap | | | | |
| FreePixmap | Drawable | free | client | pixmap |
| CreateCursor | Drawable | draw | client | pixmap |
Control Requirements for the Cursor object
Cursor objects are associated with windows. When the pointer is
over a window, the Cursor object associated with that window will
be shown as the pointer image.
Most applications create their cursors from a standard cursor font loaded
by the server.
To limit an application to the standard cursors, the policy should deny
the create permission and limit the use of fonts.
Table 17. Control requirements for the cursor
| Operation | Class | Permission | Source SID | Target SID |
|---|
| Cursor | create | client | cursor |
| | | | |
| Cursor | setattr | client | cursor |
Control Requirements for the Server object
The Server object does not represent any object actually managed
by the X server.
Instead, it is a virtual object used to provide a label for properties
of which are global to the X server, and not specific to any one client.
The screen saver requests also need to be enforced on the requests
in the MIT-SCREEN-SAVER extension. Those control
requirements are not listed here, as this paper has not addressed
the control requirements of any extensions.
The host-based access controls secured by the hostcontrol permission have generally been deprecated.
The replacement, MIT magic cookies, are not managed through the
X server, and therefore can not be controlled by X server permissions.
Table 18. Control requirements for the server
| Operation | Class | Permission | Source SID | Target SID |
|---|
| ForceScreenSaver | | GetScreenSaver | | SetScreenSaver |
| Server | screensaver | client | server |
| ChangeHosts | | SetAccessControl |
| Server | hostcontrol | client | server |
| Server | setfontpath | client | server |
| ListExtensions | | QueryExtension |
| Server | getext | client | server |
| Server | getattr | client | server |
Extensions
To permit applications to create objects with a specified label rather than
the default label, an extended form of each of the object creation
requests must be added that accepts an additional context parameter.
To permit clients to obtain the context of an object, an extended form of each
of the object status requests must be added that returns an additional
context parameter.
To permit clients to change the context of an object,
new requests must be added for these security-aware applications
and are shown in Table 19.
For the new requests that are extended forms of existing requests,
the existing set of control requirements apply.
Table 19. Control requirements for relabeling
| Operation | Class | Permission | Source SID | Target SID |
|---|
| RelabelWindow | Window | relabelfrom | client | window |
| RelabelInput | Input | relabelinput | client | input |
Events
Events are sent asynchronously to clients, sometimes as the result
of a request but usually as the result of user actions.
Events include notification that the mouse moved, notification that
a portion of the window needs to be redrawn, or messages passed
between clients. There are 36 different events in the base
X protocol, which are grouped into 6 permissions in the Window object class.
These groups are shown in Table 20.
To avoid duplication, only the permission to send an event is shown in
the table.
The source SID will be the source of the event. For example,
for real input events the source context will be input object.
The target SID will be the owner of the window being targeted
by the event.
While these permissions are listed under SendEvent and
other requests, in fact there are many ways events can be sent to windows.
The control requirements tables list event permissions when a request could
generate an event, but events generated by the server are not listed.
The server will need to be modified to always check for permission to send an
event.
The permission to register for events is not covered by this framework.
Instead the policy is expected to enforce the event permissions.
The type of event is important to any policy.
A well-behaved client that claims the clipboard will need to be able to send
a SelectionClear event, to let the client that currently
owns the clipboard know about the change.
However, no well-behaved client will send a KeyPress event.
Policies that seek to enforce good behavior should limit the types
of events that clients can generate.
Table 20. Event Permissions
| Events | Event Permission | Description |
|---|
| SelectionClear | | SelectionNotify | | SelectionRequest | | ClientMessage | | PropertyNotify |
| clientcomevent | Events for inter-client communication |
| ButtonPress | | ButtonRelease | | KeyPress | | KeyRelease | | KeymapNotify | | MotionNotify | | EnterNotify | | LeaveNotify | | FocusIn | | FocusOut |
| inputevent | User Input Events |
| Expose | | GraphicsExpose | | NoExpose | | VisibilityNotify |
| drawevent | Events telling the client to redraw |
| CirculateNotify | | ConfigureNotify | | CreateNotify | | DestroyNotify | | MapNotify | | UnmapNotify | | GravityNotify | | ReparentNotify |
| windowchangeevent | Events informing the client of changes to a window |
| CirculateRequest | | ConfigureRequest | | CreateRequest | | DestroyRequest | | MapRequest | | ResizeRequest | | SubStructureNotify |
| windowchangerequest | Events to the Window Manager requesting changes to a window |
| ColormapNotify | | MappingNotify |
| serverchangeevent | Events telling the client about global server changes |
Client Communication Events
Client communication events exist to enable client communication, and
will be sent by clients to other clients.
While any event can be sent via SendEvent the
expectation is that all other event types are only generated by the server.
The SelectionClear, SelectionNotify, and
SelectionRequest events are used to notify clients of changes
to selection buffers used for cut-and-paste functionality.
When a client wishes to export a selection buffer, it will use the
SetSelectionOwner request, which will generate
the SelectionClear event to the previous owner of the
selection.
When a client wants to get the selection in a different format, it calls
the ConvertSelection request, which causes the server
to send a SelectionRequest event to the owner of the selection.
The owner of the selection is expected to convert the selection to the
requested type, and send a SelectionNotify event to the
requesting client by the SendEvent request.
The ClientMessage event is an arbitrary event. Two clients
who have agreed on the interpretation of data can exchange ClientMessage events. The X server will never generate this
type of event.
The PropertyNotify event is sent to a client when properties
on a window change. Since the server never changes a windows properties,
this event results from client communication.
A policy should only allow clients to send these events to each other,
or cause these events to be sent to each other, if it would otherwise
allow direct communication between the clients.
Input Events
Input events should only be sent by the server.
Input events are generated by the user's interactions with the
input hardware.
They tell the client about input, and alert the client when input will be
directed to the client.
The ButtonPress and ButtonRelease events inform the
client when any buttons on the pointing device have been pressed or released.
The client can also find out the state of the modifier keys on the keyboard
as part of these events.
The MotionNotify event gives the client information
about the motions of the mouse pointer. A MotionNotify event is
guaranteed to be generated only if the motion begins or ends inside the
window.
The KeyPress and KeyRelease events inform the
client when any keys on the keyboard have been pressed or released.
There is no way for a client to select event notification on a subset of the
keyboard.
If the client receives key events it will receive them when
any key on the keyboard is pressed, even the modifier keys.
The KeymapNotify event is reported to clients when a
window acquires keyboard input focus. The event allows the client
to determine which keys were pressed when the input focus was
transfered to the window.
The EnterNotify and LeaveNotify events inform the
client when the mouse pointer has entered or left a window.
The FocusIn and FocusOut events inform the
client when the window has keyboard input focus.
Draw Events
These events alert the client that some portion of its window needs to
be redrawn.
The Expose event gives the client a list of rectangular areas
that need to be redrawn in the given window.
In normal operation this event, like most, will only be generated by the
server.
The VisibilityNotify event can be used to alert
clients that a section of their window is no longer visible. A client
could use this information to avoid updating that portion of their window
when it changes, for example. The event will also be issued when the
window regains visibility.
The NoExpose and GraphicsExpose events are
generated by CopyArea and CopyPlane
requests. If the copy failed because the source region is obscured, unmapped,
or otherwise unavailable, a GraphicsExpose event will be
generated. Otherwise, a NoExpose event will be generated.
Window Change Events
These events alert a client when the window manager performs various
window operations. They originate only from the X server.
There will rarely be any need to prevent a client from receiving any
of these events, as they only inform the client of operations that
have already occurred.
The majority of these events can be sent to both the window that
was modified, and the parent of that window.
The CirculateNotify event informs a client when the stacking
order has changed. This is normally related to focus changes.
The ConfigureNotify event is sent to the client when a
window has had its configuration changed by ConfigureWindow.
The CreateNotify and DestroyNotify events
are sent to a client when a sub window is created or destroyed.
The MapNotify and UnmapNotify events are sent
to the window being mapped and unmapped.
The GravityNotify event is sent to a window
when it has moved because of a change in size of its parent.
The ReparentNotify event is sent to a window that has
been re-parented.
Window Change Request Events
These events are used by the Window Manager to control certain
window manager functionality. If a client requests an operation that
the Window Manager controls, the X server will send an appropriate event
to the window manager instead of performing the operation.
The Window manager can then determine if the operation should be
performed, and if so, tell the X server to perform the operation.
Only the window manager should be allowed to to select the
StructureRedirectMask events on the root window,
and clients should not be allowed to set the
override_redirect attribute on their top-level windows.
Some older applications may set the attribute for transient windows,
but more recent applications will generally use window hints instead.
Applications which set the attribute will generally work with the
attribute unset.
The different events covered by the windowchangerequest
permission contain the same information, and have the same meaning as the
equivalent event listed under the windowchangeevent
permission. Those permissions are discussed in the Section called Window Change Events.
Server State Change Events
These events are sent to clients when global server state changes.
These events should only be sent from the server, although they will
frequently result directly from client requests.
These events should generally not be quelled by the policy.
The ColormapNotify events is reported to clients when
the colormap attribute of a window is changed, or the currently installed
colormap changes. Clients that wish to correct their colors based on
the currently installed colormap need to receive this event.
The MappingNotify event is reported to all clients when the
mappings for the input devices change. Clients need to receive this event
to keep their model of the keyboard and pointer mappings consistent with
the X server's model.
Event Control Requirements
The control requirements for events generated as the result of client
requests are shown in the client request tables.
Events can also be dispatched directly from the server, particularly in
the case of input events.
Any client can forge any event through the SendEvent.
Events sent through SendEvent will always have the
source SID of the sending client, and the target SID of the target window.
The control requirements for events covered by the clientcomevent are included in Table 12 in the Section called Control Requirements for Windows.
The source SID and target SID used are listed there. The target will always
be the window receiving the event, and the source will be the client
sending the event, or the client that invoked the request that directly
caused the event to be sent.
By itself, applying a policy to the inputevent
permission will not enforce Trusted Path functionality, as there is not
sufficient information to determine the window which has focus.
As previously mentioned, a trusted Window Manager could apply a label
to the input.
The source SID for events covered by the inputevent permission will be that of the input
object.
Applications will also need to carefully grab input when required, and
policies will need to prevent malicious applications from grabbing the
input.
For events covered by the serverchangeevent,
the source SID will be that of the server object, even though these events
happen in response to actions of the client.
Clients need to receive these events to properly understand the state
of the server, yet these events are indirectly generated by clients.
These events allow a high-bandwidth covert channel, and so the permissions
to install colormaps or change keyboard mappings should be tightly regulated.
The events covered by the drawevent permission
are considered to be asynchronous events. The source SID will be that of
the server object. Like the serverchangeevent events,
Expose and VisibilityNotify events can result from
client requests, and so could be used for covert channels.
When the expose event is the result of client
actions the server should modify the information in the event to reduce the
information passed. The server should enlarge the exposed rectangle to
include the entire window.
The events covered by the windowchangerequest permission
should only be sent to the window manager. The events are generated as
the result of client requests, so the source SID will be that of the client, and
the target SID will be that of the window manager. The events covered by
the windowchangeevent permission will use the source SID
of the client performing the operation, which should be that of the
window manager.