Skip to content

Commit 4232c4b

Browse files
robertmhaasrobertmhaas
committed
Userspace access vector cache for contrib/sepgsql.
KaiGai Kohei
1 parent 3d14bd2 commit 4232c4b

File tree

12 files changed

+661
-211
lines changed

12 files changed

+661
-211
lines changed

configure

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -9481,9 +9481,9 @@ fi
94819481
# for contrib/sepgsql
94829482
if test "$with_selinux" = yes; then
94839483

9484-
{ $as_echo "$as_me:$LINENO: checking for selinux_sepgsql_context_path in -lselinux" >&5
9485-
$as_echo_n "checking for selinux_sepgsql_context_path in -lselinux... " >&6; }
9486-
if test "${ac_cv_lib_selinux_selinux_sepgsql_context_path+set}" = set; then
9484+
{ $as_echo "$as_me:$LINENO: checking for selinux_status_open in -lselinux" >&5
9485+
$as_echo_n "checking for selinux_status_open in -lselinux... " >&6; }
9486+
if test "${ac_cv_lib_selinux_selinux_status_open+set}" = set; then
94879487
$as_echo_n "(cached) " >&6
94889488
else
94899489
ac_check_lib_save_LIBS=$LIBS
@@ -9501,11 +9501,11 @@ cat >>conftest.$ac_ext <<_ACEOF
95019501
#ifdef __cplusplus
95029502
extern "C"
95039503
#endif
9504-
char selinux_sepgsql_context_path ();
9504+
char selinux_status_open ();
95059505
int
95069506
main ()
95079507
{
9508-
return selinux_sepgsql_context_path ();
9508+
return selinux_status_open ();
95099509
;
95109510
return 0;
95119511
}
@@ -9531,31 +9531,31 @@ $as_echo "$ac_try_echo") >&5
95319531
test "$cross_compiling" = yes ||
95329532
$as_test_x conftest$ac_exeext
95339533
}; then
9534-
ac_cv_lib_selinux_selinux_sepgsql_context_path=yes
9534+
ac_cv_lib_selinux_selinux_status_open=yes
95359535
else
95369536
$as_echo "$as_me: failed program was:" >&5
95379537
sed 's/^/| /' conftest.$ac_ext >&5
95389538

9539-
ac_cv_lib_selinux_selinux_sepgsql_context_path=no
9539+
ac_cv_lib_selinux_selinux_status_open=no
95409540
fi
95419541

95429542
rm -rf conftest.dSYM
95439543
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
95449544
conftest$ac_exeext conftest.$ac_ext
95459545
LIBS=$ac_check_lib_save_LIBS
95469546
fi
9547-
{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_sepgsql_context_path" >&5
9548-
$as_echo "$ac_cv_lib_selinux_selinux_sepgsql_context_path" >&6; }
9549-
if test "x$ac_cv_lib_selinux_selinux_sepgsql_context_path" = x""yes; then
9547+
{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_status_open" >&5
9548+
$as_echo "$ac_cv_lib_selinux_selinux_status_open" >&6; }
9549+
if test "x$ac_cv_lib_selinux_selinux_status_open" = x""yes; then
95509550
cat >>confdefs.h <<_ACEOF
95519551
#define HAVE_LIBSELINUX 1
95529552
_ACEOF
95539553

95549554
LIBS="-lselinux $LIBS"
95559555

95569556
else
9557-
{ { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.93 or newer, is required for SELinux support" >&5
9558-
$as_echo "$as_me: error: library 'libselinux', version 2.0.93 or newer, is required for SELinux support" >&2;}
9557+
{ { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&5
9558+
$as_echo "$as_me: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&2;}
95599559
{ (exit 1); exit 1; }; }
95609560
fi
95619561

configure.in

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -964,8 +964,8 @@ fi
964964

965965
# for contrib/sepgsql
966966
if test "$with_selinux" = yes; then
967-
AC_CHECK_LIB(selinux, selinux_sepgsql_context_path, [],
968-
[AC_MSG_ERROR([library 'libselinux', version 2.0.93 or newer, is required for SELinux support])])
967+
AC_CHECK_LIB(selinux, selinux_status_open, [],
968+
[AC_MSG_ERROR([library 'libselinux', version 2.0.99 or newer, is required for SELinux support])])
969969
fi
970970

971971
# for contrib/uuid-ossp

contrib/sepgsql/Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# contrib/sepgsql/Makefile
22

33
MODULE_big = sepgsql
4-
OBJS = hooks.o selinux.o label.o dml.o \
4+
OBJS = hooks.o selinux.o uavc.o label.o dml.o \
55
schema.o relation.o proc.o
66
DATA_built = sepgsql.sql
77

contrib/sepgsql/dml.c

Lines changed: 26 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -150,12 +150,11 @@ check_relation_privileges(Oid relOid,
150150
uint32 required,
151151
bool abort)
152152
{
153-
char relkind = get_rel_relkind(relOid);
154-
char *scontext = sepgsql_get_client_label();
155-
char *tcontext;
153+
ObjectAddress object;
156154
char *audit_name;
157155
Bitmapset *columns;
158156
int index;
157+
char relkind = get_rel_relkind(relOid);
159158
bool result = true;
160159

161160
/*
@@ -184,45 +183,43 @@ check_relation_privileges(Oid relOid,
184183
/*
185184
* Check permissions on the relation
186185
*/
187-
tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
188-
audit_name = getObjectDescriptionOids(RelationRelationId, relOid);
186+
object.classId = RelationRelationId;
187+
object.objectId = relOid;
188+
object.objectSubId = 0;
189+
audit_name = getObjectDescription(&object);
189190
switch (relkind)
190191
{
191192
case RELKIND_RELATION:
192-
result = sepgsql_check_perms(scontext,
193-
tcontext,
194-
SEPG_CLASS_DB_TABLE,
195-
required,
196-
audit_name,
197-
abort);
193+
result = sepgsql_avc_check_perms(&object,
194+
SEPG_CLASS_DB_TABLE,
195+
required,
196+
audit_name,
197+
abort);
198198
break;
199199

200200
case RELKIND_SEQUENCE:
201201
Assert((required & ~SEPG_DB_TABLE__SELECT) == 0);
202202

203203
if (required & SEPG_DB_TABLE__SELECT)
204-
result = sepgsql_check_perms(scontext,
205-
tcontext,
206-
SEPG_CLASS_DB_SEQUENCE,
207-
SEPG_DB_SEQUENCE__GET_VALUE,
208-
audit_name,
209-
abort);
204+
result = sepgsql_avc_check_perms(&object,
205+
SEPG_CLASS_DB_SEQUENCE,
206+
SEPG_DB_SEQUENCE__GET_VALUE,
207+
audit_name,
208+
abort);
210209
break;
211210

212211
case RELKIND_VIEW:
213-
result = sepgsql_check_perms(scontext,
214-
tcontext,
215-
SEPG_CLASS_DB_VIEW,
216-
SEPG_DB_VIEW__EXPAND,
217-
audit_name,
218-
abort);
212+
result = sepgsql_avc_check_perms(&object,
213+
SEPG_CLASS_DB_VIEW,
214+
SEPG_DB_VIEW__EXPAND,
215+
audit_name,
216+
abort);
219217
break;
220218

221219
default:
222220
/* nothing to be checked */
223221
break;
224222
}
225-
pfree(tcontext);
226223
pfree(audit_name);
227224

228225
/*
@@ -242,7 +239,6 @@ check_relation_privileges(Oid relOid,
242239
{
243240
AttrNumber attnum;
244241
uint32 column_perms = 0;
245-
ObjectAddress object;
246242

247243
if (bms_is_member(index, selected))
248244
column_perms |= SEPG_DB_COLUMN__SELECT;
@@ -258,20 +254,17 @@ check_relation_privileges(Oid relOid,
258254

259255
/* obtain column's permission */
260256
attnum = index + FirstLowInvalidHeapAttributeNumber;
261-
tcontext = sepgsql_get_label(RelationRelationId, relOid, attnum);
262257

263258
object.classId = RelationRelationId;
264259
object.objectId = relOid;
265260
object.objectSubId = attnum;
266261
audit_name = getObjectDescription(&object);
267262

268-
result = sepgsql_check_perms(scontext,
269-
tcontext,
270-
SEPG_CLASS_DB_COLUMN,
271-
column_perms,
272-
audit_name,
273-
abort);
274-
pfree(tcontext);
263+
result = sepgsql_avc_check_perms(&object,
264+
SEPG_CLASS_DB_COLUMN,
265+
column_perms,
266+
audit_name,
267+
abort);
275268
pfree(audit_name);
276269

277270
if (!result)

contrib/sepgsql/hooks.c

Lines changed: 28 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -184,9 +184,7 @@ sepgsql_exec_check_perms(List *rangeTabls, bool abort)
184184
static bool
185185
sepgsql_needs_fmgr_hook(Oid functionId)
186186
{
187-
char *old_label;
188-
char *new_label;
189-
char *function_label;
187+
ObjectAddress object;
190188

191189
if (next_needs_fmgr_hook &&
192190
(*next_needs_fmgr_hook) (functionId))
@@ -198,32 +196,24 @@ sepgsql_needs_fmgr_hook(Oid functionId)
198196
* functions as trusted-procedure, if the security policy has a rule that
199197
* switches security label of the client on execution.
200198
*/
201-
old_label = sepgsql_get_client_label();
202-
new_label = sepgsql_proc_get_domtrans(functionId);
203-
if (strcmp(old_label, new_label) != 0)
204-
{
205-
pfree(new_label);
199+
if (sepgsql_avc_trusted_proc(functionId) != NULL)
206200
return true;
207-
}
208-
pfree(new_label);
209201

210202
/*
211203
* Even if not a trusted-procedure, this function should not be inlined
212204
* unless the client has db_procedure:{execute} permission. Please note
213205
* that it shall be actually failed later because of same reason with
214206
* ACL_EXECUTE.
215207
*/
216-
function_label = sepgsql_get_label(ProcedureRelationId, functionId, 0);
217-
if (sepgsql_check_perms(sepgsql_get_client_label(),
218-
function_label,
219-
SEPG_CLASS_DB_PROCEDURE,
220-
SEPG_DB_PROCEDURE__EXECUTE,
221-
NULL, false) != true)
222-
{
223-
pfree(function_label);
208+
object.classId = ProcedureRelationId;
209+
object.objectId = functionId;
210+
object.objectSubId = 0;
211+
if (!sepgsql_avc_check_perms(&object,
212+
SEPG_CLASS_DB_PROCEDURE,
213+
SEPG_DB_PROCEDURE__EXECUTE,
214+
SEPGSQL_AVC_NOAUDIT, false))
224215
return true;
225-
}
226-
pfree(function_label);
216+
227217
return false;
228218
}
229219

@@ -251,33 +241,31 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
251241
if (!stack)
252242
{
253243
MemoryContext oldcxt;
254-
const char *cur_label = sepgsql_get_client_label();
255244

256245
oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
257246
stack = palloc(sizeof(*stack));
258247
stack->old_label = NULL;
259-
stack->new_label = sepgsql_proc_get_domtrans(flinfo->fn_oid);
248+
stack->new_label = sepgsql_avc_trusted_proc(flinfo->fn_oid);
260249
stack->next_private = 0;
261250

262251
MemoryContextSwitchTo(oldcxt);
263252

264-
if (strcmp(cur_label, stack->new_label) != 0)
265-
{
266-
/*
267-
* process:transition permission between old and new
268-
* label, when user tries to switch security label of the
269-
* client on execution of trusted procedure.
270-
*/
271-
sepgsql_check_perms(cur_label, stack->new_label,
272-
SEPG_CLASS_PROCESS,
273-
SEPG_PROCESS__TRANSITION,
274-
NULL, true);
275-
}
253+
/*
254+
* process:transition permission between old and new label,
255+
* when user tries to switch security label of the client
256+
* on execution of trusted procedure.
257+
*/
258+
if (stack->new_label)
259+
sepgsql_avc_check_perms_label(stack->new_label,
260+
SEPG_CLASS_PROCESS,
261+
SEPG_PROCESS__TRANSITION,
262+
NULL, true);
276263

277264
*private = PointerGetDatum(stack);
278265
}
279266
Assert(!stack->old_label);
280-
stack->old_label = sepgsql_set_client_label(stack->new_label);
267+
if (stack->new_label)
268+
stack->old_label = sepgsql_set_client_label(stack->new_label);
281269

282270
if (next_fmgr_hook)
283271
(*next_fmgr_hook) (event, flinfo, &stack->next_private);
@@ -290,7 +278,8 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
290278
if (next_fmgr_hook)
291279
(*next_fmgr_hook) (event, flinfo, &stack->next_private);
292280

293-
sepgsql_set_client_label(stack->old_label);
281+
if (stack->old_label)
282+
sepgsql_set_client_label(stack->old_label);
294283
stack->old_label = NULL;
295284
break;
296285

@@ -433,6 +422,9 @@ _PG_init(void)
433422
errmsg("SELinux: failed to get server security label: %m")));
434423
sepgsql_set_client_label(context);
435424

425+
/* Initialize userspace access vector cache */
426+
sepgsql_avc_init();
427+
436428
/* Security label provider hook */
437429
register_label_provider(SEPGSQL_LABEL_TAG,
438430
sepgsql_object_relabel);

0 commit comments

Comments
 (0)