Commit 595a441a authored by Robert Haas's avatar Robert Haas

Add missing check on invocation of trusted procedures.

KaiGai Kohei
parent a0e50e69
...@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text ...@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
END;' LANGUAGE plpgsql; END;' LANGUAGE plpgsql;
SECURITY LABEL ON FUNCTION f3() SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'; IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
CREATE FUNCTION f4 () RETURNS text
AS 'SELECT sepgsql_getcon()'
LANGUAGE sql;
SECURITY LABEL ON FUNCTION f4()
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
-- --
-- Tests for default labeling behavior -- Tests for default labeling behavior
-- --
...@@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure ...@@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error SELECT f3(); -- trusted procedure that raises an error
ERROR: an exception from f3() ERROR: an exception from f3()
SELECT f4(); -- failed on domain transition
ERROR: SELinux: security policy violation
SELECT sepgsql_getcon(); -- client's label must be restored SELECT sepgsql_getcon(); -- client's label must be restored
sepgsql_getcon sepgsql_getcon
----------------------------------------------------- -----------------------------------------------------
...@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE; ...@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE;
DROP FUNCTION IF EXISTS f4() CASCADE;
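Review bot: `SECURITY LABEL ON FUNCTION f4() IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0'` only succeeds when the loaded sepgsql-regtest policy module is the 1.02 version that defines that type (added elsewhere in this commit); with an older module installed, the label assignment itself fails and the test diverges before `SELECT f4()` is reached, which is hard to diagnose from an expected-output diff. The same hunk appears in the sql source file later on this page, and that is where a one-line comment would make the dependency greppable: `-- requires sepgsql-regtest policy module >= 1.02 (defines sepgsql_regtest_trusted_proc_exec_t)`. The `-- failed on domain transition` comment on `SELECT f4();` could also name the expected cause, which the policy hunk describes as a deliberately missing process:transition permission: `-- denied: type_transition target reachable only with process:transition, which the test policy withholds`.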
...@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event, ...@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
if (!stack) if (!stack)
{ {
MemoryContext oldcxt; MemoryContext oldcxt;
const char *cur_label = sepgsql_get_client_label();
oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt); oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
stack = palloc(sizeof(*stack)); stack = palloc(sizeof(*stack));
...@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event, ...@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
MemoryContextSwitchTo(oldcxt); MemoryContextSwitchTo(oldcxt);
if (strcmp(cur_label, stack->new_label) != 0)
{
/*
* process:transition permission between old and new
* label, when user tries to switch security label of
* the client on execution of trusted procedure.
*/
sepgsql_check_perms(cur_label, stack->new_label,
SEPG_CLASS_PROCESS,
SEPG_PROCESS__TRANSITION,
NULL, true);
}
*private = PointerGetDatum(stack); *private = PointerGetDatum(stack);
} }
Assert(!stack->old_label); Assert(!stack->old_label);
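Review bot: The new process:transition check sits inside the `if (!stack)` branch that allocates the per-FmgrInfo cache, so it is evaluated once per flinfo against `sepgsql_get_client_label()` as it is at that first call; on later invocations through the same cached `stack` the hunk reuses `stack->new_label` without re-checking, which is only safe if the client label cannot differ between two uses of the same FmgrInfo — that lifetime question is outside the hunk, so it is an assumption worth recording, e.g. `/* Checked once per FmgrInfo: assumes the client label is stable for the lifetime of fn_mcxt. */`. Ordering the check before `*private = PointerGetDatum(stack)` is a good property: a denied call never caches the stack, so the next attempt is checked again rather than silently passing, at the cost of the `palloc`'d stack being left in `fn_mcxt` on the error path (negligible, but a short comment would say it is intentional). The `strcmp` presumes both labels are non-NULL; whether `sepgsql_proc_get_domtrans` can return NULL is not visible here and should be confirmed. `sepgsql_fmgr_hook` starts and ends outside the hunk.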
......
policy_module(sepgsql-regtest, 1.01) policy_module(sepgsql-regtest, 1.02)
gen_require(`
all_userspace_class_perms
')
## <desc> ## <desc>
## <p> ## <p>
...@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01) ...@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
## </desc> ## </desc>
gen_tunable(sepgsql_regression_test_mode, false) gen_tunable(sepgsql_regression_test_mode, false)
#
# Type definitions for regression test
#
type sepgsql_regtest_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
# #
# Test domains for database administrators # Test domains for database administrators
# #
...@@ -57,3 +67,19 @@ optional_policy(` ...@@ -57,3 +67,19 @@ optional_policy(`
role unconfined_r types sepgsql_regtest_user_t; role unconfined_r types sepgsql_regtest_user_t;
role unconfined_r types sepgsql_trusted_proc_t; role unconfined_r types sepgsql_trusted_proc_t;
') ')
#
# Rule to check
#
optional_policy(`
# These rules intends sepgsql_regtest_user_t domain to translate
# sepgsql_regtest_dba_t on execution of procedures labeled as
# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
#
gen_require(`
attribute sepgsql_client_type;
')
allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
')
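Review bot: The `type_transition` on the last line is keyed to `sepgsql_regtest_user_t` only, while the `allow` above grants db_procedure `{ getattr execute install }` on the new exec type to the whole `sepgsql_client_type` attribute; for any other client domain the computed process label would, under default SELinux semantics, stay equal to the caller's own domain, so the hook's label comparison treats f4 as an ordinary procedure and the `security policy violation` the regression test expects does not occur. The test therefore exercises the new check only when the client runs as `sepgsql_regtest_user_t`; that precondition is inferred rather than stated in this hunk and belongs in the block comment, e.g. `# Only effective when the test client runs in sepgsql_regtest_user_t; other client domains compute no transition and f4 behaves as a normal procedure.`. The version bump to 1.02 at the top of the file is what the sql test's new SECURITY LABEL depends on, so a note there linking the two (`# 1.02: adds sepgsql_regtest_trusted_proc_exec_t for the trusted-procedure transition test`) would help whoever installs the module.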
...@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text ...@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
SECURITY LABEL ON FUNCTION f3() SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'; IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
CREATE FUNCTION f4 () RETURNS text
AS 'SELECT sepgsql_getcon()'
LANGUAGE sql;
SECURITY LABEL ON FUNCTION f4()
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
-- --
-- Tests for default labeling behavior -- Tests for default labeling behavior
-- --
...@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b ...@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
SELECT f1(); -- normal procedure SELECT f1(); -- normal procedure
SELECT f2(); -- trusted procedure SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error SELECT f3(); -- trusted procedure that raises an error
SELECT f4(); -- failed on domain transition
SELECT sepgsql_getcon(); -- client's label must be restored SELECT sepgsql_getcon(); -- client's label must be restored
-- --
...@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE; ...@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE;
DROP FUNCTION IF EXISTS f4() CASCADE;