Add missing check on invocation of trusted procedures.

KaiGai Kohei

Add missing check on invocation of trusted procedures.
KaiGai Kohei
595a441a · Robert Haas · a0e50e69 · 595a441a · 595a441a · 595a441a
Commit 595a441a authored Apr 04, 2011 by Robert Haas
4 changed files
--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
        END;' LANGUAGE plpgsql;
 SECURITY LABEL ON FUNCTION f3()
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f4 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+    IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
 --
 -- Tests for default labeling behavior
 --
@@ -86,6 +91,8 @@ SELECT f2();			-- trusted procedure

 SELECT f3();			-- trusted procedure that raises an error
 ERROR:  an exception from f3()
+SELECT f4();			-- failed on domain transition
+ERROR:  SELinux: security policy violation
 SELECT sepgsql_getcon();	-- client's label must be restored
                   sepgsql_getcon                    
 -----------------------------------------------------
@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;
--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 			if (!stack)
 			{
 				MemoryContext	oldcxt;
+				const char	   *cur_label = sepgsql_get_client_label();

 				oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
 				stack = palloc(sizeof(*stack));
@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,

 				MemoryContextSwitchTo(oldcxt);

+				if (strcmp(cur_label, stack->new_label) != 0)
+				{
+					/*
+					 * process:transition permission between old and new
+					 * label, when user tries to switch security label of
+					 * the client on execution of trusted procedure.
+					 */
+					sepgsql_check_perms(cur_label, stack->new_label,
+										SEPG_CLASS_PROCESS,
+										SEPG_PROCESS__TRANSITION,
+										NULL, true);
+				}
+
 				*private = PointerGetDatum(stack);
 			}
 			Assert(!stack->old_label);

--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
-policy_module(sepgsql-regtest, 1.01)
+policy_module(sepgsql-regtest, 1.02)
+
+gen_require(`
+	all_userspace_class_perms
+')

 ## <desc>
 ## <p>
@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
 ## </desc>
 gen_tunable(sepgsql_regression_test_mode, false)

+#
+# Type definitions for regression test
+#
+type sepgsql_regtest_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
+
 #
 # Test domains for database administrators
 #
@@ -57,3 +67,19 @@ optional_policy(`
 	role unconfined_r types sepgsql_regtest_user_t;
 	role unconfined_r types sepgsql_trusted_proc_t;
 ')
+
+#
+# Rule to check 
+#
+optional_policy(`
+	# These rules intends sepgsql_regtest_user_t domain to translate
+	# sepgsql_regtest_dba_t on execution of procedures labeled as
+	# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
+	# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
+	#
+	gen_require(`
+		attribute sepgsql_client_type;
+	')
+	allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
+	type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
+')
--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
 SECURITY LABEL ON FUNCTION f3()
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';

+CREATE FUNCTION f4 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+    IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
+
 --
 -- Tests for default labeling behavior
 --
@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
 SELECT f1();			-- normal procedure
 SELECT f2();			-- trusted procedure
 SELECT f3();			-- trusted procedure that raises an error
+SELECT f4();			-- failed on domain transition
 SELECT sepgsql_getcon();	-- client's label must be restored

 --
@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;