xselinux: switch from x_device to separate x_pointer and x_keyboard classes.

This will allow separate controls over pointer and keyboard without having
to relabel the devices to separate types.

[Backport to 1.6]

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Keith Packard <keithp@keithp.com>

Xext/xselinux.c

@@ -147,7 +147,8 @@ static struct security_class_mapping map[] = {
     { "x_selection", { "read", "", "", "setattr", "getattr", "setattr", NULL }},
     { "x_cursor", { "read", "write", "destroy", "create", "getattr", "setattr", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "use", NULL }},
     { "x_client", { "", "", "destroy", "", "getattr", "setattr", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "manage", NULL }},
-    { "x_device", { "read", "write", "", "", "getattr", "setattr", "", "", "", "getfocus", "setfocus", "", "", "", "", "", "", "grab", "freeze", "force_cursor", "", "", "", "", "use", "manage", "", "bell", NULL }},
+    { "x_pointer", { "read", "write", "", "", "getattr", "setattr", "", "", "", "getfocus", "setfocus", "", "", "", "", "", "", "grab", "freeze", "force_cursor", "", "", "", "", "use", "manage", "", "bell", NULL }},
+    { "x_keyboard", { "read", "write", "", "", "getattr", "setattr", "", "", "", "getfocus", "setfocus", "", "", "", "", "", "", "grab", "freeze", "force_cursor", "", "", "", "", "use", "manage", "", "bell", NULL }},
     { "x_server", { "record", "", "", "", "getattr", "setattr", "", "", "", "", "", "", "", "", "", "", "", "grab", "", "", "", "", "", "", "", "manage", "debug", NULL }},
     { "x_extension", { "", "", "", "", "query", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "use", NULL }},
     { "x_event", { "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "send", "receive", NULL }},
@@ -690,6 +691,7 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     SELinuxSubjectRec *subj;
     SELinuxObjectRec *obj;
     SELinuxAuditRec auditdata = { .client = rec->client, .dev = rec->dev };
+    security_class_t cls;
     int rc;
 
     subj = dixLookupPrivate(&rec->client->devPrivates, subjectKey);
@@ -714,8 +716,8 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	}
     }
 
-    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_DEVICE, rec->access_mode,
-			&auditdata);
+    cls = IsPointerDevice(rec->dev) ? SECCLASS_X_POINTER : SECCLASS_X_KEYBOARD;
+    rc = SELinuxDoCheck(subj, obj, cls, rec->access_mode, &auditdata);
     if (rc != Success)
 	rec->status = rc;
 }

Xext/xselinux.h

@@ -149,11 +149,12 @@ typedef struct {
 #define SECCLASS_X_SELECTION		7
 #define SECCLASS_X_CURSOR		8
 #define SECCLASS_X_CLIENT		9
-#define SECCLASS_X_DEVICE		10
-#define SECCLASS_X_SERVER		11
-#define SECCLASS_X_EXTENSION		12
-#define SECCLASS_X_EVENT		13
-#define SECCLASS_X_FAKEEVENT		14
-#define SECCLASS_X_RESOURCE		15
+#define SECCLASS_X_POINTER		10
+#define SECCLASS_X_KEYBOARD		11
+#define SECCLASS_X_SERVER		12
+#define SECCLASS_X_EXTENSION		13
+#define SECCLASS_X_EVENT		14
+#define SECCLASS_X_FAKEEVENT		15
+#define SECCLASS_X_RESOURCE		16
 
 #endif /* _XSELINUX_H */

include/dix.h

@@ -602,8 +602,8 @@ typedef struct {
 
 extern int XItoCoreType(int xi_type);
 extern Bool DevHasCursor(DeviceIntPtr pDev);
-extern Bool IsPointerDevice( DeviceIntPtr dev);
-extern Bool IsKeyboardDevice(DeviceIntPtr dev);
+extern _X_EXPORT Bool IsPointerDevice( DeviceIntPtr dev);
+extern _X_EXPORT Bool IsKeyboardDevice(DeviceIntPtr dev);
 extern Bool IsPointerEvent(xEvent* xE);
 
 /*