database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-04-21 12:05:57 +03:00
Code

Allow sepgsql labels to depend on object name.

Browse Source 
The main change here is to call security_compute_create_name_raw()
rather than security_compute_create_raw().  This ups the minimum
requirement for libselinux from 2.0.99 to 2.1.10, but it looks
like most distributions will have picked that up before 9.3 is out.

KaiGai Kohei
This commit is contained in:
Robert Haas 2013-03-28 15:38:35 -04:00
parent ae7f1c3ef2
commit 0f05840bf4
13 changed files with 104 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
configure vendored
View File

@ -9710,9 +9710,9 @@ fi
# for contrib/sepgsql # for contrib/sepgsql
if test "$with_selinux" = yes; then if test "$with_selinux" = yes; then
{ $as_echo "$as_me:$LINENO: checking for selinux_status_open in -lselinux" >&5 { $as_echo "$as_me:$LINENO: checking for security_compute_create_name in -lselinux" >&5
$as_echo_n "checking for selinux_status_open in -lselinux... " >&6; } $as_echo_n "checking for security_compute_create_name in -lselinux... " >&6; }
if test "${ac_cv_lib_selinux_selinux_status_open+set}" = set; then if test "${ac_cv_lib_selinux_security_compute_create_name+set}" = set; then
$as_echo_n "(cached) " >&6 $as_echo_n "(cached) " >&6
else else
ac_check_lib_save_LIBS=$LIBS ac_check_lib_save_LIBS=$LIBS
@ -9730,11 +9730,11 @@ cat >>conftest.$ac_ext <<_ACEOF
#ifdef __cplusplus #ifdef __cplusplus
extern "C" extern "C"
#endif #endif
char selinux_status_open (); char security_compute_create_name ();
int int
main () main ()
{ {
return selinux_status_open (); return security_compute_create_name ();
; ;
return 0; return 0;
} }
@ -9760,12 +9760,12 @@ $as_echo "$ac_try_echo") >&5
test "$cross_compiling" = yes || test "$cross_compiling" = yes ||
$as_test_x conftest$ac_exeext $as_test_x conftest$ac_exeext
}; then }; then
ac_cv_lib_selinux_selinux_status_open=yes ac_cv_lib_selinux_security_compute_create_name=yes
else else
$as_echo "$as_me: failed program was:" >&5 $as_echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5 sed 's/^/| /' conftest.$ac_ext >&5
ac_cv_lib_selinux_selinux_status_open=no ac_cv_lib_selinux_security_compute_create_name=no
fi fi
rm -rf conftest.dSYM rm -rf conftest.dSYM
@ -9773,9 +9773,9 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS LIBS=$ac_check_lib_save_LIBS
fi fi
{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_status_open" >&5 { $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_security_compute_create_name" >&5
$as_echo "$ac_cv_lib_selinux_selinux_status_open" >&6; } $as_echo "$ac_cv_lib_selinux_security_compute_create_name" >&6; }
if test "x$ac_cv_lib_selinux_selinux_status_open" = x""yes; then if test "x$ac_cv_lib_selinux_security_compute_create_name" = x""yes; then
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF
#define HAVE_LIBSELINUX 1 #define HAVE_LIBSELINUX 1
_ACEOF _ACEOF
@ -9783,8 +9783,8 @@ _ACEOF
LIBS="-lselinux $LIBS" LIBS="-lselinux $LIBS"
else else
{ { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&5 { { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&5
$as_echo "$as_me: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&2;} $as_echo "$as_me: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&2;}
{ (exit 1); exit 1; }; } { (exit 1); exit 1; }; }
fi fi

4
configure.in
View File

@ -952,8 +952,8 @@ fi
# for contrib/sepgsql # for contrib/sepgsql
if test "$with_selinux" = yes; then if test "$with_selinux" = yes; then
AC_CHECK_LIB(selinux, selinux_status_open, [], AC_CHECK_LIB(selinux, security_compute_create_name, [],
[AC_MSG_ERROR([library 'libselinux', version 2.0.99 or newer, is required for SELinux support])]) [AC_MSG_ERROR([library 'libselinux', version 2.1.10 or newer, is required for SELinux support])])
fi fi
# for contrib/uuid-ossp # for contrib/uuid-ossp

3
contrib/sepgsql/database.c
View File

@ -92,7 +92,8 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
ncontext = sepgsql_compute_create(sepgsql_get_client_label(), ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext, tcontext,
SEPG_CLASS_DB_DATABASE); SEPG_CLASS_DB_DATABASE,
NameStr(datForm->datname));
/* /*
* check db_database:{create} permission * check db_database:{create} permission

35
contrib/sepgsql/expected/label.out
View File

@ -64,10 +64,16 @@ SELECT sepgsql_getcon(); -- confirm client privilege
CREATE TABLE t3 (s int, t text); CREATE TABLE t3 (s int, t text);
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu'); INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
SELECT sepgsql_getcon(); -- confirm client privilege
sepgsql_getcon
----------------------------------------------------
unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
(1 row)
CREATE TABLE t4 (m int, n text);
INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo');
SELECT objtype, objname, label FROM pg_seclabels SELECT objtype, objname, label FROM pg_seclabels
WHERE provider = 'selinux' WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3');
AND objtype in ('table', 'column')
AND objname in ('t1', 't2', 't3');
objtype | objname | label objtype | objname | label
---------+---------+----------------------------------------------- ---------+---------+-----------------------------------------------
table | t1 | unconfined_u:object_r:sepgsql_table_t:s0 table | t1 | unconfined_u:object_r:sepgsql_table_t:s0
@ -75,6 +81,28 @@ SELECT objtype, objname, label FROM pg_seclabels
table | t3 | unconfined_u:object_r:user_sepgsql_table_t:s0 table | t3 | unconfined_u:object_r:user_sepgsql_table_t:s0
(3 rows) (3 rows)
SELECT objtype, objname, label FROM pg_seclabels
WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');
objtype | objname | label
---------+-------------+-----------------------------------------------
column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0
column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0
column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0
column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0
column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0
(16 rows)
-- --
-- Tests for SECURITY LABEL -- Tests for SECURITY LABEL
-- --
@ -456,6 +484,7 @@ SELECT sepgsql_getcon(); -- confirm client privilege
DROP TABLE IF EXISTS t1 CASCADE; DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE; DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE; DROP TABLE IF EXISTS t3 CASCADE;
DROP TABLE IF EXISTS t4 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE;

3
contrib/sepgsql/proc.c
View File

@ -95,7 +95,8 @@ sepgsql_proc_post_create(Oid functionId)
tcontext = sepgsql_get_label(NamespaceRelationId, tcontext = sepgsql_get_label(NamespaceRelationId,
proForm->pronamespace, 0); proForm->pronamespace, 0);
ncontext = sepgsql_compute_create(scontext, tcontext, ncontext = sepgsql_compute_create(scontext, tcontext,
SEPG_CLASS_DB_PROCEDURE); SEPG_CLASS_DB_PROCEDURE,
NameStr(proForm->proname));
/* /*
* check db_procedure:{create (install)} permission * check db_procedure:{create (install)} permission

9
contrib/sepgsql/relation.c
View File

@ -88,7 +88,8 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
scontext = sepgsql_get_client_label(); scontext = sepgsql_get_client_label();
tcontext = sepgsql_get_label(RelationRelationId, relOid, 0); tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
ncontext = sepgsql_compute_create(scontext, tcontext, ncontext = sepgsql_compute_create(scontext, tcontext,
SEPG_CLASS_DB_COLUMN); SEPG_CLASS_DB_COLUMN,
NameStr(attForm->attname));
/* /*
* check db_column:{create} permission * check db_column:{create} permission
@ -309,7 +310,8 @@ sepgsql_relation_post_create(Oid relOid)
scontext = sepgsql_get_client_label(); scontext = sepgsql_get_client_label();
tcontext = sepgsql_get_label(NamespaceRelationId, tcontext = sepgsql_get_label(NamespaceRelationId,
classForm->relnamespace, 0); classForm->relnamespace, 0);
rcontext = sepgsql_compute_create(scontext, tcontext, tclass); rcontext = sepgsql_compute_create(scontext, tcontext, tclass,
NameStr(classForm->relname));
/* /*
* check db_xxx:{create} permission * check db_xxx:{create} permission
@ -363,7 +365,8 @@ sepgsql_relation_post_create(Oid relOid)
ccontext = sepgsql_compute_create(scontext, ccontext = sepgsql_compute_create(scontext,
rcontext, rcontext,
SEPG_CLASS_DB_COLUMN); SEPG_CLASS_DB_COLUMN,
NameStr(attForm->attname));
/* /*
* check db_column:{create} permission * check db_column:{create} permission

13
contrib/sepgsql/schema.c
View File

@ -42,6 +42,7 @@ sepgsql_schema_post_create(Oid namespaceId)
char *tcontext; char *tcontext;
char *ncontext; char *ncontext;
char audit_name[NAMEDATALEN + 20]; char audit_name[NAMEDATALEN + 20];
const char *nsp_name;
ObjectAddress object; ObjectAddress object;
Form_pg_namespace nspForm; Form_pg_namespace nspForm;
@ -67,17 +68,21 @@ sepgsql_schema_post_create(Oid namespaceId)
elog(ERROR, "catalog lookup failed for namespace %u", namespaceId); elog(ERROR, "catalog lookup failed for namespace %u", namespaceId);
nspForm = (Form_pg_namespace) GETSTRUCT(tuple); nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
nsp_name = NameStr(nspForm->nspname);
if (strncmp(nsp_name, "pg_temp_", 8) == 0)
nsp_name = "pg_temp";
else if (strncmp(nsp_name, "pg_toast_temp_", 14) == 0)
nsp_name = "pg_toast_temp";
tcontext = sepgsql_get_label(DatabaseRelationId, MyDatabaseId, 0); tcontext = sepgsql_get_label(DatabaseRelationId, MyDatabaseId, 0);
ncontext = sepgsql_compute_create(sepgsql_get_client_label(), ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext, tcontext,
SEPG_CLASS_DB_SCHEMA); SEPG_CLASS_DB_SCHEMA,
nsp_name);
/* /*
* check db_schema:{create} * check db_schema:{create}
*/ */
snprintf(audit_name, sizeof(audit_name), snprintf(audit_name, sizeof(audit_name), "schema %s", nsp_name);
"schema %s", NameStr(nspForm->nspname));
sepgsql_avc_check_perms_label(ncontext, sepgsql_avc_check_perms_label(ncontext,
SEPG_CLASS_DB_SCHEMA, SEPG_CLASS_DB_SCHEMA,
SEPG_DB_SCHEMA__CREATE, SEPG_DB_SCHEMA__CREATE,

11
contrib/sepgsql/selinux.c
View File

@ -836,7 +836,8 @@ sepgsql_compute_avd(const char *scontext,
char * char *
sepgsql_compute_create(const char *scontext, sepgsql_compute_create(const char *scontext,
const char *tcontext, const char *tcontext,
uint16 tclass) uint16 tclass,
const char *objname)
{ {
security_context_t ncontext; security_context_t ncontext;
security_class_t tclass_ex; security_class_t tclass_ex;
@ -853,9 +854,11 @@ sepgsql_compute_create(const char *scontext,
* Ask SELinux what is the default context for the given object class on a * Ask SELinux what is the default context for the given object class on a
* pair of security contexts * pair of security contexts
*/ */
if (security_compute_create_raw((security_context_t) scontext, if (security_compute_create_name_raw((security_context_t) scontext,
(security_context_t) tcontext, (security_context_t) tcontext,
tclass_ex, &ncontext) < 0) tclass_ex,
objname,
&ncontext) < 0)
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INTERNAL_ERROR), (errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux could not compute a new context: " errmsg("SELinux could not compute a new context: "

17
contrib/sepgsql/sepgsql-regtest.te
View File

@ -1,4 +1,4 @@
policy_module(sepgsql-regtest, 1.04) policy_module(sepgsql-regtest, 1.05)
gen_require(` gen_require(`
all_userspace_class_perms all_userspace_class_perms
@ -43,6 +43,21 @@ allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition }; allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition }; allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };
# special rule for system columns
optional_policy(`
gen_require(`
attribute sepgsql_table_type;
type sepgsql_sysobj_t;
')
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid";
')
# #
# Dummy domain for unpriv users # Dummy domain for unpriv users
# #

3
contrib/sepgsql/sepgsql.h
View File

@ -239,7 +239,8 @@ extern void sepgsql_compute_avd(const char *scontext,
extern char *sepgsql_compute_create(const char *scontext, extern char *sepgsql_compute_create(const char *scontext,
const char *tcontext, const char *tcontext,
uint16 tclass); uint16 tclass,
const char *objname);
extern bool sepgsql_check_perms(const char *scontext, extern bool sepgsql_check_perms(const char *scontext,
const char *tcontext, const char *tcontext,

11
contrib/sepgsql/sql/label.sql
View File

@ -71,10 +71,14 @@ SECURITY LABEL ON TABLE var_tbl
CREATE TABLE t3 (s int, t text); CREATE TABLE t3 (s int, t text);
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu'); INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
CREATE TABLE t4 (m int, n text);
INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo');
SELECT objtype, objname, label FROM pg_seclabels SELECT objtype, objname, label FROM pg_seclabels
WHERE provider = 'selinux' WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3');
AND objtype in ('table', 'column') SELECT objtype, objname, label FROM pg_seclabels
AND objname in ('t1', 't2', 't3'); WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');
-- --
-- Tests for SECURITY LABEL -- Tests for SECURITY LABEL
@ -229,6 +233,7 @@ SELECT sepgsql_getcon();
DROP TABLE IF EXISTS t1 CASCADE; DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE; DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE; DROP TABLE IF EXISTS t3 CASCADE;
DROP TABLE IF EXISTS t4 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE;

4
contrib/sepgsql/uavc.c
View File

@ -250,10 +250,10 @@ sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
{ {
if (!ucontext) if (!ucontext)
ncontext = sepgsql_compute_create(scontext, tcontext, ncontext = sepgsql_compute_create(scontext, tcontext,
SEPG_CLASS_PROCESS); SEPG_CLASS_PROCESS, NULL);
else else
ncontext = sepgsql_compute_create(scontext, ucontext, ncontext = sepgsql_compute_create(scontext, ucontext,
SEPG_CLASS_PROCESS); SEPG_CLASS_PROCESS, NULL);
if (strcmp(scontext, ncontext) == 0) if (strcmp(scontext, ncontext) == 0)
{ {
pfree(ncontext); pfree(ncontext);

7
doc/src/sgml/sepgsql.sgml
View File

@ -63,7 +63,7 @@
<filename>sepgsql</> can only be used on <productname>Linux</productname> <filename>sepgsql</> can only be used on <productname>Linux</productname>
2.6.28 or higher with <productname>SELinux</productname> enabled. 2.6.28 or higher with <productname>SELinux</productname> enabled.
It is not available on any other platform. You will also need It is not available on any other platform. You will also need
<productname>libselinux</> 2.0.99 or higher and <productname>libselinux</> 2.1.10 or higher and
<productname>selinux-policy</> 3.9.13 or higher (although some <productname>selinux-policy</> 3.9.13 or higher (although some
distributions may backport the necessary rules into older policy distributions may backport the necessary rules into older policy
versions). versions).
@ -326,8 +326,9 @@ $ sudo semodule -r sepgsql-regtest
When <filename>sepgsql</filename> is in use, security labels are When <filename>sepgsql</filename> is in use, security labels are
automatically assigned to supported database objects at creation time. automatically assigned to supported database objects at creation time.
This label is called a default security label, and is decided according This label is called a default security label, and is decided according
to the system security policy, which takes as input the creator's label to the system security policy, which takes as input the creator's label,
and the label assigned to the new object's parent object. the label assigned to the new object's parent object and optionally name
of the constructed object.
</para> </para>
<para> <para>