sepgsql: Enforce db_procedure:{execute} permission.

To do this, we add an additional object access hook type, OAT_FUNCTION_EXECUTE. KaiGai Kohei
2025-07-27 12:41:57 +03:00 · 2013-04-12 08:55:56 -04:00
parent d017bf41a3
commit f8a54e936b
16 changed files with 220 additions and 21 deletions
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@ -303,7 +303,8 @@ sepgsql_needs_fmgr_hook(Oid functionId)
 	object.objectSubId = 0;
 	if (!sepgsql_avc_check_perms(&object,
 								 SEPG_CLASS_DB_PROCEDURE,
-								 SEPG_DB_PROCEDURE__EXECUTE,
+								 SEPG_DB_PROCEDURE__EXECUTE |
+								 SEPG_DB_PROCEDURE__ENTRYPOINT,
 								 SEPGSQL_AVC_NOAUDIT, false))
 		return true;

@ -347,13 +348,31 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 				 * process:transition permission between old and new label,
 				 * when user tries to switch security label of the client on
 				 * execution of trusted procedure.
+				 *
+				 * Also, db_procedure:entrypoint permission should be checked
+				 * whether this procedure can perform as an entrypoint of the
+				 * trusted procedure, or not.
+				 * Note that db_procedure:execute permission shall be checked
+				 * individually.
 				 */
 				if (stack->new_label)
+				{
+					ObjectAddress object;
+
+					object.classId = ProcedureRelationId;
+					object.objectId = flinfo->fn_oid;
+					object.objectSubId = 0;
+					sepgsql_avc_check_perms(&object,
+											SEPG_CLASS_DB_PROCEDURE,
+											SEPG_DB_PROCEDURE__ENTRYPOINT,
+											getObjectDescription(&object),
+											true);
+
 					sepgsql_avc_check_perms_label(stack->new_label,
 												  SEPG_CLASS_PROCESS,
 												  SEPG_PROCESS__TRANSITION,
 												  NULL, true);
-
+				}
 				*private = PointerGetDatum(stack);
 			}
 			Assert(!stack->old_label);