Application of the Flask Architecture to the X Window System Server
Eamon Walsh (National Security Agency)
This paper will outline the progress that has been made on extending the coverage of Security-Enhanced Linux access controls to the X Window System server, a major component of the Linux desktop. This has been accomplished by applying the Flask architecture to the X server and extending the reach of SELinux policy to cover X server objects. Modifications have been made to both SELinux library and the X.Org X server implementation in support of this goal. In the SELinux library, improved capabilities for obtaining policy decisions from the kernel were added. In the X server, a set of general security hooks was added, followed by a Flask module which makes use of them. This module extends the enforcement of kernel-based security policy to the X server in userspace, providing fine-grained access and information flow control to this vital desktop component using the existing SELinux policy store and toolchain.
The paper appears in the Proceedings of the 2007 SELinux Symposium and is also available here in PDF format.
The 2007 SELinux Symposium presentation slides are available here in PDF format.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.