From b7ed2575925a6a94274496ccdf2486bf1ccb637ff2cfbe07a85460a83bd9764f Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.com>
Date: Wed, 30 Sep 2020 01:44:07 +0000
Subject: [PATCH] Accepting request 838619 from home:sndirsch:branches:X11:XOrg

- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
  * replaced by improved version written by Matthias Gerstner of
    our security team
    + simplified the option parsing code a bit
    + changed the "ignore forbidden argument" logic into an "abort
      on forbidden argument" logic. This is safer and avoids
      surprises on the user's end that could occur if the desired
      command line arguments aren't effective but the Xorg server is
      still started.
    + tried to adjust to the coding style present in the file
      (mostly the function name)
    + added some logic to apply the option filtering only to
      non-root users when Xorg is actually started as root. This
      should allow for full flexibility if root calls the wrapper or
      if the Xorg server only runs with user privileges.

- n_xorg-wrapper-rename-Xorg.patch
  * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867)
- change default for needs_root_rights to auto in Xwrapper.config
  (boo#1175867)

- reenabled SUID wrapper for TW (boo#1175867)
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
  * Xserver option whitelist filter (boo#1175867)

OBS-URL: https://build.opensuse.org/request/show/838619
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=779
---
 n_xorg-wrapper-rename-Xorg.patch              | 20 ++++
 ...per-Xserver-Options-Whitelist-Filter.patch | 96 +++++++++++++++++++
 xorg-x11-server.changes                       | 34 +++++++
 xorg-x11-server.spec                          | 49 +++++++---
 4 files changed, 184 insertions(+), 15 deletions(-)
 create mode 100644 n_xorg-wrapper-rename-Xorg.patch
 create mode 100644 u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch

diff --git a/n_xorg-wrapper-rename-Xorg.patch b/n_xorg-wrapper-rename-Xorg.patch
new file mode 100644
index 0000000..4563665
--- /dev/null
+++ b/n_xorg-wrapper-rename-Xorg.patch
@@ -0,0 +1,20 @@
+--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c.old	2020-09-24 03:16:27.270885000 +0200
++++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c	2020-09-24 03:18:42.047597000 +0200
+@@ -375,7 +375,7 @@ int main(int argc, char *argv[])
+         }
+     }
+ 
+-    snprintf(buf, sizeof(buf), "%s/Xorg", SUID_WRAPPER_DIR);
++    snprintf(buf, sizeof(buf), "%s/Xorg.bin", SUID_WRAPPER_DIR);
+ 
+     /* Check if the server is executable by our real uid */
+     if (access(buf, X_OK) != 0) {
+--- xserver-1.20.9/hw/xfree86/Xorg.sh.in.orig	2020-09-24 03:36:20.690412000 +0200
++++ xserver-1.20.9/hw/xfree86/Xorg.sh.in	2020-09-24 03:36:37.594497000 +0200
+@@ -7,5 +7,5 @@
+ if [ -x "$basedir"/Xorg.wrap ]; then
+ 	exec "$basedir"/Xorg.wrap "$@"
+ else
+-	exec "$basedir"/Xorg "$@"
++	exec "$basedir"/Xorg.bin "$@"
+ fi
diff --git a/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch b/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
new file mode 100644
index 0000000..6fb7b47
--- /dev/null
+++ b/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
@@ -0,0 +1,96 @@
+--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c	
++++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c	2020-09-29 12:52:59.256970275 +0200
+@@ -191,6 +191,60 @@ 
+     return 0;
+ }
+ 
++static int check_vt_range(long int vt)
++{
++    if (vt >= 2 && vt <= 7 ) {
++        return 1;
++    }
++
++    return 0;
++}
++
++/* Xserver option whitelist filter (boo#1175867) */
++static int option_filter(int argc, char* argv[]){
++
++    for(int pos=1; pos<argc; pos++) {
++        const char *arg = argv[pos];
++
++        if (strlen(arg) == 3 && !strncmp(arg,"vt", 2) && check_vt_range(strtol(arg+2, NULL, 10)) == 1) {
++            /* vtX (vt2-vt7) */
++            continue;
++        } else if(!strcmp(arg,"-displayfd") ||
++                  !strcmp(arg,"-auth") ||
++                  !strcmp(arg,"-background") ||
++                  !strcmp(arg,"-verbose") ||
++                  !strcmp(arg,"-listen")) {
++            /* -displayfd x
++               -auth xxxx
++               -backgound none
++               -verbose 7 (7 or 3)
++               -listen tcp
++            */
++            if ((pos+1) < argc) {
++                pos++;
++            } else {
++                fprintf(stderr, "%s: Missing argument for Xserver option \"%s\". Aborting.\n",
++                        progname, arg);
++                return 0;
++            }
++        } else if (!strcmp(arg,"-noreset") ||
++                   !strcmp(arg,"-keeptty") ||
++                   !strcmp(arg,"-core")) {
++            /* -noreset
++               -keeptty
++               -core
++            */
++            continue;
++        } else {
++            fprintf(stderr, "%s: Xserver option \"%s\" invalid or not in whitelist. Aborting.\n",
++                    progname, arg);
++            return 0;
++        }
++    }
++
++    return 1;
++}
++
+ int main(int argc, char *argv[])
+ {
+ #ifdef WITH_LIBDRM
+@@ -250,11 +304,14 @@ 
+ 
+             close(fd);
+         }
++        /* If we've found cards, and all cards support kms, drop root rights */
++        if (total_cards && kms_cards == total_cards) {
++            needs_root_rights = 0;
++        }
+     }
+ #endif
+ 
+-    /* If we've found cards, and all cards support kms, drop root rights */
+-    if (needs_root_rights == 0 || (total_cards && kms_cards == total_cards)) {
++    if (needs_root_rights == 0) {
+         gid_t realgid = getgid();
+         uid_t realuid = getuid();
+         int ngroups = 0;
+@@ -326,6 +383,15 @@ 
+     }
+ 
+     argv[0] = buf;
++
++    if (needs_root_rights == 1 && getuid() != 0)
++    {
++        /* Xserver option whitelist filter (boo#1175867) */
++        if (option_filter(argc, argv) == 0) {
++            exit(1);
++        }
++    }
++
+     if (getuid() == geteuid())
+         (void) execv(argv[0], argv);
+     else
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 3d8f086..0ef5cee 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Tue Sep 29 14:47:48 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
+
+- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
+  * replaced by improved version written by Matthias Gerstner of
+    our security team
+    + simplified the option parsing code a bit
+    + changed the "ignore forbidden argument" logic into an "abort
+      on forbidden argument" logic. This is safer and avoids 
+      surprises on the user's end that could occur if the desired
+      command line arguments aren't effective but the Xorg server is
+      still started.
+    + tried to adjust to the coding style present in the file 
+      (mostly the function name)
+    + added some logic to apply the option filtering only to 
+      non-root users when Xorg is actually started as root. This
+      should allow for full flexibility if root calls the wrapper or
+      if the Xorg server only runs with user privileges.
+
 -------------------------------------------------------------------
 Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
 
@@ -7,6 +26,21 @@ Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
   U_Revert-linux-Make-platform-device-probe-less-fragile.patch
   * fix Xserver startup on Raspberry Pi 3 (boo#1176203) 
 
+-------------------------------------------------------------------
+Thu Sep 24 01:40:17 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
+
+- n_xorg-wrapper-rename-Xorg.patch
+  * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867)
+- change default for needs_root_rights to auto in Xwrapper.config
+  (boo#1175867)
+
+-------------------------------------------------------------------
+Wed Sep 16 10:54:32 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
+
+- reenabled SUID wrapper for TW (boo#1175867)
+- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
+  * Xserver option whitelist filter (boo#1175867) 
+
 -------------------------------------------------------------------
 Wed Sep  9 18:50:37 UTC 2020 - Michael Gorse <mgorse@suse.com>
 
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index d94788e..04a6743 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -26,19 +26,18 @@
 %define have_wayland 1
 %endif
 
-%define build_suid_wrapper 0
-
-%if 0%{!?build_suid_wrapper:1}
-%ifarch s390 s390x
-%define build_suid_wrapper 0
-%else
-%if 0%{?suse_version} >= 1330
 %define build_suid_wrapper 1
-%define suid_wrapper_dir %{_libexecdir}
-%else
-%define build_suid_wrapper 0
-%endif
-%endif
+
+%if 0%{?build_suid_wrapper:1}
+  %ifarch s390 s390x
+    %define build_suid_wrapper 0
+  %else
+    %if 0%{?suse_version} >= 1550
+      %define suid_wrapper_dir %{_bindir}
+    %else
+      %define build_suid_wrapper 0
+    %endif
+  %endif
 %endif
 
 Name:           xorg-x11-server
@@ -213,6 +212,8 @@ Patch6:         N_fix-dpi-values.diff
 Patch7:         N_Install-Avoid-failure-on-wrapper-installation.patch
 Patch8:         u_xorg-wrapper-Drop-supplemental-group-IDs.patch
 Patch9:         u_xorg-wrapper-build-Build-position-independent-code.patch
+Patch10:        u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
+Patch11:        n_xorg-wrapper-rename-Xorg.patch
 Patch100:       u_01-Improved-ConfineToShape.patch
 Patch101:       u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
 # PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
@@ -305,8 +306,6 @@ Summary:        Xserver SUID Wrapper
 Group:          System/X11/Servers/XF86_4
 PreReq:         permissions
 Requires:       xorg-x11-server == %{version}
-Provides:       xorg-x11-server-wayland = 7.6_%{version}
-Obsoletes:      xorg-x11-server-wayland < 7.6_%{version}
 
 %description wrapper
 This package contains an SUID wrapper for the Xserver.
@@ -377,6 +376,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 #
 %patch100 -p1
 #%patch101 -p1
@@ -493,6 +494,12 @@ chmod u-s %{buildroot}%{_bindir}/Xorg
 %__mkdir_p %{buildroot}%{pci_ids_dir}
 install -m 644 %{S:6} %{buildroot}%{pci_ids_dir}
 %endif
+%if 0%{?build_suid_wrapper} == 1
+mv %{buildroot}%{_bindir}/Xorg \
+   %{buildroot}%{_bindir}/Xorg.bin
+mv %{buildroot}%{_bindir}/Xorg.sh \
+   %{buildroot}%{_bindir}/Xorg
+%endif
 ln -snf Xorg %{buildroot}%{_bindir}/X
 %if 0%{?suse_version} > 1120
 %{__install} -m 644 %{S:5} %{buildroot}%{_datadir}/X11/xorg.conf.d
@@ -536,6 +543,16 @@ ln -snf %{_sysconfdir}/alternatives/libglx.so %{buildroot}%{_libdir}/xorg/module
 mkdir -p %{buildroot}/usr/src/xserver
 xargs cp --parents --target-directory=%{buildroot}/usr/src/xserver < source-file-list
 
+%if 0%{?build_suid_wrapper} == 1
+mkdir -p %{buildroot}%{_sysconfdir}/X11
+cat > %{buildroot}%{_sysconfdir}/X11/Xwrapper.config << EOF
+# rootonly, console, anybody
+allowed_users=anybody
+# yes, no, auto
+needs_root_rights=auto
+EOF
+%endif
+
 %post
 %tmpfiles_create xbb.conf
 %ifnarch s390 s390x
@@ -616,7 +633,7 @@ fi
 %ifnarch s390 s390x
 %{_bindir}/Xorg
 %if 0%{?build_suid_wrapper} == 1
-%{suid_wrapper_dir}/Xorg
+%{_bindir}/Xorg.bin
 %endif
 %{_bindir}/X
 
@@ -641,6 +658,8 @@ fi
 %files wrapper
 %defattr(-,root,root)
 %attr(4755,root,root) %{suid_wrapper_dir}/Xorg.wrap
+%dir %{_sysconfdir}/X11
+%attr(0644,root,root) %config %{_sysconfdir}/X11/Xwrapper.config
 %endif
 
 %files extra