rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add missing check on invocation of trusted procedures. 

KaiGai Kohei
This commit is contained in:
Robert Haas 2011-04-04 13:25:42 -04:00
parent a0e50e698b
commit 595a441ae9
4 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
contrib/sepgsql/expected/label.out
View File

@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
END;' LANGUAGE plpgsql;
SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
CREATE FUNCTION f4 () RETURNS text
AS 'SELECT sepgsql_getcon()'
LANGUAGE sql;
SECURITY LABEL ON FUNCTION f4()
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
--
-- Tests for default labeling behavior
--
@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error
ERROR: an exception from f3()
SELECT f4(); -- failed on domain transition
ERROR: SELinux: security policy violation
SELECT sepgsql_getcon(); -- client's label must be restored
sepgsql_getcon
-----------------------------------------------------
@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE;
DROP FUNCTION IF EXISTS f4() CASCADE;

14
contrib/sepgsql/hooks.c
View File

@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
if (!stack)
{
MemoryContext oldcxt;
const char *cur_label = sepgsql_get_client_label();
oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
stack = palloc(sizeof(*stack));
@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
MemoryContextSwitchTo(oldcxt);
if (strcmp(cur_label, stack->new_label) != 0)
{
/*
* process:transition permission between old and new
* label, when user tries to switch security label of
* the client on execution of trusted procedure.
*/
sepgsql_check_perms(cur_label, stack->new_label,
SEPG_CLASS_PROCESS,
SEPG_PROCESS__TRANSITION,
NULL, true);
}
*private = PointerGetDatum(stack);
}
Assert(!stack->old_label);

28
contrib/sepgsql/sepgsql-regtest.te
View File

@ -1,4 +1,8 @@
policy_module(sepgsql-regtest, 1.01)
policy_module(sepgsql-regtest, 1.02)
gen_require(`
all_userspace_class_perms
')
## <desc>
## <p>
@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
## </desc>
gen_tunable(sepgsql_regression_test_mode, false)
#
# Type definitions for regression test
#
type sepgsql_regtest_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
#
# Test domains for database administrators
#
@ -57,3 +67,19 @@ optional_policy(`
role unconfined_r types sepgsql_regtest_user_t;
role unconfined_r types sepgsql_trusted_proc_t;
')
#
# Rule to check
#
optional_policy(`
# These rules intends sepgsql_regtest_user_t domain to translate
# sepgsql_regtest_dba_t on execution of procedures labeled as
# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
#
gen_require(`
attribute sepgsql_client_type;
')
allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
')

8
contrib/sepgsql/sql/label.sql
View File

@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
CREATE FUNCTION f4 () RETURNS text
AS 'SELECT sepgsql_getcon()'
LANGUAGE sql;
SECURITY LABEL ON FUNCTION f4()
IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
--
-- Tests for default labeling behavior
--
@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
SELECT f1(); -- normal procedure
SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error
SELECT f4(); -- failed on domain transition
SELECT sepgsql_getcon(); -- client's label must be restored
--
@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE;
DROP FUNCTION IF EXISTS f4() CASCADE;