open-dsi
/
postgres
mirror of https://github.com/postgres/postgres
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add missing check on invocation of trusted procedures.

Browse Source 
KaiGai Kohei
pull/1/head
Robert Haas 15 years ago
parent a0e50e698b
commit 595a441ae9
4 changed files with 57 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 8
      contrib/sepgsql/expected/label.out
  2. 14
      contrib/sepgsql/hooks.c
  3. 28
      contrib/sepgsql/sepgsql-regtest.te
  4. 8
      contrib/sepgsql/sql/label.sql

8
contrib/sepgsql/expected/label.out
Unescape View File

@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
END;' LANGUAGE plpgsql; END;' LANGUAGE plpgsql;
SECURITY LABEL ON FUNCTION f3() SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'; IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
CREATE FUNCTION f4 () RETURNS text
AS 'SELECT sepgsql_getcon()'
LANGUAGE sql;
SECURITY LABEL ON FUNCTION f4()
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
-- --
-- Tests for default labeling behavior -- Tests for default labeling behavior
-- --
@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error SELECT f3(); -- trusted procedure that raises an error
ERROR: an exception from f3() ERROR: an exception from f3()
SELECT f4(); -- failed on domain transition
ERROR: SELinux: security policy violation
SELECT sepgsql_getcon(); -- client's label must be restored SELECT sepgsql_getcon(); -- client's label must be restored
sepgsql_getcon sepgsql_getcon
----------------------------------------------------- -----------------------------------------------------
@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE;
DROP FUNCTION IF EXISTS f4() CASCADE;

14
contrib/sepgsql/hooks.c
Unescape View File

@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
if (!stack) if (!stack)
{ {
MemoryContext oldcxt; MemoryContext oldcxt;
const char *cur_label = sepgsql_get_client_label();
oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt); oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
stack = palloc(sizeof(*stack)); stack = palloc(sizeof(*stack));
@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
MemoryContextSwitchTo(oldcxt); MemoryContextSwitchTo(oldcxt);
if (strcmp(cur_label, stack->new_label) != 0)
{
/*
* process:transition permission between old and new
* label, when user tries to switch security label of
* the client on execution of trusted procedure.
*/
sepgsql_check_perms(cur_label, stack->new_label,
SEPG_CLASS_PROCESS,
SEPG_PROCESS__TRANSITION,
NULL, true);
}
*private = PointerGetDatum(stack); *private = PointerGetDatum(stack);
} }
Assert(!stack->old_label); Assert(!stack->old_label);

28
contrib/sepgsql/sepgsql-regtest.te
Unescape View File

@ -1,4 +1,8 @@
policy_module(sepgsql-regtest, 1.01) policy_module(sepgsql-regtest, 1.02)
gen_require(`
all_userspace_class_perms
')
## <desc> ## <desc>
## <p> ## <p>
@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
## </desc> ## </desc>
gen_tunable(sepgsql_regression_test_mode, false) gen_tunable(sepgsql_regression_test_mode, false)
#
# Type definitions for regression test
#
type sepgsql_regtest_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
# #
# Test domains for database administrators # Test domains for database administrators
# #
@ -57,3 +67,19 @@ optional_policy(`
role unconfined_r types sepgsql_regtest_user_t; role unconfined_r types sepgsql_regtest_user_t;
role unconfined_r types sepgsql_trusted_proc_t; role unconfined_r types sepgsql_trusted_proc_t;
') ')
#
# Rule to check
#
optional_policy(`
# These rules intends sepgsql_regtest_user_t domain to translate
# sepgsql_regtest_dba_t on execution of procedures labeled as
# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
#
gen_require(`
attribute sepgsql_client_type;
')
allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
')

8
contrib/sepgsql/sql/label.sql
Unescape View File

@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
SECURITY LABEL ON FUNCTION f3() SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'; IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
CREATE FUNCTION f4 () RETURNS text
AS 'SELECT sepgsql_getcon()'
LANGUAGE sql;
SECURITY LABEL ON FUNCTION f4()
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
-- --
-- Tests for default labeling behavior -- Tests for default labeling behavior
-- --
@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
SELECT f1(); -- normal procedure SELECT f1(); -- normal procedure
SELECT f2(); -- trusted procedure SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error SELECT f3(); -- trusted procedure that raises an error
SELECT f4(); -- failed on domain transition
SELECT sepgsql_getcon(); -- client's label must be restored SELECT sepgsql_getcon(); -- client's label must be restored
-- --
@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE;
DROP FUNCTION IF EXISTS f4() CASCADE;

Write Preview
Loading…
Cancel
Save