Commit 595a441

Add missing check on invocation of trusted procedures.
KaiGai Kohei
1 parent a0e50e6 commit 595a441

4 files changed

+57
-1
lines changed


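--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
 END;' LANGUAGE plpgsql;
 SECURITY LABEL ON FUNCTION f3()
 IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f4 () RETURNS text
+AS 'SELECT sepgsql_getcon()'
+LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
 --
 -- Tests for default labeling behavior
 --
@@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure
 
 SELECT f3(); -- trusted procedure that raises an error
 ERROR: an exception from f3()
+SELECT f4(); -- failed on domain transition
+ERROR: SELinux: security policy violation
 SELECT sepgsql_getcon(); -- client's label must be restored
 sepgsql_getcon
 -----------------------------------------------------
@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;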

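--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 if (!stack)
 {
 MemoryContext oldcxt;
+const char *cur_label = sepgsql_get_client_label();
 
 oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
 stack = palloc(sizeof(*stack));
@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 
 MemoryContextSwitchTo(oldcxt);
 
+if (strcmp(cur_label, stack->new_label) != 0)
+{
+/*
+* process:transition permission between old and new
+* label, when user tries to switch security label of
+* the client on execution of trusted procedure.
+*/
+sepgsql_check_perms(cur_label, stack->new_label,
+SEPG_CLASS_PROCESS,
+SEPG_PROCESS__TRANSITION,
+NULL, true);
+}
+
 *private = PointerGetDatum(stack);
 }
 Assert(!stack->old_label);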
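Review bot: The new process:transition check is evaluated only inside the `if (!stack)` branch, i.e. once per FmgrInfo when the per-call stack is first allocated, and it compares against the client label read by `sepgsql_get_client_label()` at that moment. If the same cached FmgrInfo is invoked again after the client's label has changed, the stored stack is reused and the transition from the new caller label to `stack->new_label` is never re-checked; whether that situation can arise depends on code outside this hunk, so this may be an accepted assumption rather than a defect. If it is intended, state it where the check lives, e.g. `/* Checked once per FmgrInfo: assumes the client label does not change for the lifetime of flinfo. */`; otherwise move the strcmp and sepgsql_check_perms call onto the per-invocation path. Note also that the denial path raises before `*private` is assigned, so a rejected call leaves the palloc'd stack unreferenced in fn_mcxt and redoes the allocation on the next attempt, which is harmless but worth a word in the comment. The enclosing sepgsql_fmgr_hook starts and ends outside the hunk.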

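--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -1,4 +1,8 @@
-policy_module(sepgsql-regtest, 1.01)
+policy_module(sepgsql-regtest, 1.02)
+
+gen_require(`
+all_userspace_class_perms
+')
 
 ## <desc>
 ## <p>
@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
 ## </desc>
 gen_tunable(sepgsql_regression_test_mode, false)
 
+#
+# Type definitions for regression test
+#
+type sepgsql_regtest_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
+
 #
 # Test domains for database administrators
 #
@@ -57,3 +67,19 @@ optional_policy(`
 role unconfined_r types sepgsql_regtest_user_t;
 role unconfined_r types sepgsql_trusted_proc_t;
 ')
+
+#
+# Rule to check
+#
+optional_policy(`
+# These rules intends sepgsql_regtest_user_t domain to translate
+# sepgsql_regtest_dba_t on execution of procedures labeled as
+# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
+# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
+#
+gen_require(`
+attribute sepgsql_client_type;
+')
+allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
+type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
+')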
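Review bot: The header `# Rule to check` above the last new optional_policy block does not say what is being checked or which test relies on it; that only becomes clear from the comment inside the block. The block's security-relevant point is that it pairs a `type_transition` into sepgsql_regtest_dba_t with an `allow ... db_procedure` rule while deliberately granting no `process transition` permission, which is exactly what the new check in hooks.c must deny for f4 in the label regression test. Suggest replacing the header with `# Negative test: f4() is labeled sepgsql_regtest_trusted_proc_exec_t and would transition to sepgsql_regtest_dba_t, but process:transition is intentionally NOT allowed, so the call must fail.` so a later policy edit does not "fix" the missing allow rule and silently turn the test into a pass.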

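--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
 SECURITY LABEL ON FUNCTION f3()
 IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
 
+CREATE FUNCTION f4 () RETURNS text
+AS 'SELECT sepgsql_getcon()'
+LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
+
 --
 -- Tests for default labeling behavior
 --
@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
 SELECT f1(); -- normal procedure
 SELECT f2(); -- trusted procedure
 SELECT f3(); -- trusted procedure that raises an error
+SELECT f4(); -- failed on domain transition
 SELECT sepgsql_getcon(); -- client's label must be restored
 
 --
@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;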
