
Commit 595a441

committed
Add missing check on invocation of trusted procedures.
KaiGai Kohei
1 parent a0e50e6 commit 595a441

4 files changed

+57
-1
lines changed


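--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
 END;' LANGUAGE plpgsql;
 SECURITY LABEL ON FUNCTION f3()
 IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f4 () RETURNS text
+AS 'SELECT sepgsql_getcon()'
+LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
 --
 -- Tests for default labeling behavior
 --
@@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure
 
 SELECT f3(); -- trusted procedure that raises an error
 ERROR: an exception from f3()
+SELECT f4(); -- failed on domain transition
+ERROR: SELinux: security policy violation
 SELECT sepgsql_getcon(); -- client's label must be restored
 sepgsql_getcon
 -----------------------------------------------------
@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;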

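--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 if (!stack)
 {
 MemoryContext oldcxt;
+const char *cur_label = sepgsql_get_client_label();
 
 oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
 stack = palloc(sizeof(*stack));
@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 
 MemoryContextSwitchTo(oldcxt);
 
+if (strcmp(cur_label, stack->new_label) != 0)
+{
+/*
+* process:transition permission between old and new
+* label, when user tries to switch security label of
+* the client on execution of trusted procedure.
+*/
+sepgsql_check_perms(cur_label, stack->new_label,
+SEPG_CLASS_PROCESS,
+SEPG_PROCESS__TRANSITION,
+NULL, true);
+}
+
 *private = PointerGetDatum(stack);
 }
 Assert(!stack->old_label);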

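--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -1,4 +1,8 @@
-policy_module(sepgsql-regtest, 1.01)
+policy_module(sepgsql-regtest, 1.02)
+
+gen_require(`
+all_userspace_class_perms
+')
 
 ## <desc>
 ## <p>
@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
 ## </desc>
 gen_tunable(sepgsql_regression_test_mode, false)
 
+#
+# Type definitions for regression test
+#
+type sepgsql_regtest_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
+
 #
 # Test domains for database administrators
 #
@@ -57,3 +67,19 @@ optional_policy(`
 role unconfined_r types sepgsql_regtest_user_t;
 role unconfined_r types sepgsql_trusted_proc_t;
 ')
+
+#
+# Rule to check
+#
+optional_policy(`
+# These rules intends sepgsql_regtest_user_t domain to translate
+# sepgsql_regtest_dba_t on execution of procedures labeled as
+# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
+# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
+#
+gen_require(`
+attribute sepgsql_client_type;
+')
+allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
+type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
+')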
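Review bot: The heading `# Rule to check` above the new optional_policy block in the third hunk does not say what is being checked or by whom, and the comment below it reads awkwardly ("These rules intends ... to translate"). I would replace the heading with `# Rules exercised by the regression test: f4() in label.sql must fail on domain transition` and rephrase the first comment line as `# These rules intend the sepgsql_regtest_user_t domain to transition to`, so the deliberately missing process:transition allow rule reads as the intent rather than an omission.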

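--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
 SECURITY LABEL ON FUNCTION f3()
 IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
 
+CREATE FUNCTION f4 () RETURNS text
+AS 'SELECT sepgsql_getcon()'
+LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
+
 --
 -- Tests for default labeling behavior
 --
@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
 SELECT f1(); -- normal procedure
 SELECT f2(); -- trusted procedure
 SELECT f3(); -- trusted procedure that raises an error
+SELECT f4(); -- failed on domain transition
 SELECT sepgsql_getcon(); -- client's label must be restored
 
 --
@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;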
