diff --git a/contrib/sepgsql/expected/label.out b/contrib/sepgsql/expected/label.out index daf8d08eb2..bac169f37b 100644 --- a/contrib/sepgsql/expected/label.out +++ b/contrib/sepgsql/expected/label.out @@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text END;' LANGUAGE plpgsql; SECURITY LABEL ON FUNCTION f3() IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'; +CREATE FUNCTION f4 () RETURNS text + AS 'SELECT sepgsql_getcon()' + LANGUAGE sql; +SECURITY LABEL ON FUNCTION f4() + IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0'; -- -- Tests for default labeling behavior -- @@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure SELECT f3(); -- trusted procedure that raises an error ERROR: an exception from f3() +SELECT f4(); -- failed on domain transition +ERROR: SELinux: security policy violation SELECT sepgsql_getcon(); -- client's label must be restored sepgsql_getcon ----------------------------------------------------- @@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE; +DROP FUNCTION IF EXISTS f4() CASCADE; diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c index 83a505ec18..27e85d25b1 100644 --- a/contrib/sepgsql/hooks.c +++ b/contrib/sepgsql/hooks.c @@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event, if (!stack) { MemoryContext oldcxt; + const char *cur_label = sepgsql_get_client_label(); oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt); stack = palloc(sizeof(*stack)); 
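Review bot: `cur_label` is read only inside the `if (!stack)` branch of sepgsql_fmgr_hook, so the transition check that uses it in the following hunk is evaluated once per FmgrInfo and then reused through `*private`. Later calls through the same flinfo presumably switch to `stack->new_label` without re-checking `process:transition` against the client label in effect at that time. If once-per-lookup is intended, say so above the declaration, e.g. `/* checked once per FmgrInfo; client label assumed stable for its lifetime */`. The function starts and ends outside this hunk.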
@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event, MemoryContextSwitchTo(oldcxt); + if (strcmp(cur_label, stack->new_label) != 0) + { + /* + * process:transition permission between old and new + * label, when user tries to switch security label of + * the client on execution of trusted procedure. + */ + sepgsql_check_perms(cur_label, stack->new_label, + SEPG_CLASS_PROCESS, + SEPG_PROCESS__TRANSITION, + NULL, true); + } + *private = PointerGetDatum(stack); } Assert(!stack->old_label); diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te index 66666d0c38..3b1def75a5 100644 --- a/contrib/sepgsql/sepgsql-regtest.te +++ b/contrib/sepgsql/sepgsql-regtest.te @@ -1,4 +1,8 @@ -policy_module(sepgsql-regtest, 1.01) +policy_module(sepgsql-regtest, 1.02) + +gen_require(` + all_userspace_class_perms +') ## ##
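Review bot: `strcmp(cur_label, stack->new_label)` dereferences `stack->new_label` unconditionally, but that field is assigned in the lines between this hunk and the previous one, which are not visible here. If that lookup can return NULL for a function that is not a trusted procedure, the hook would crash the backend instead of skipping the check. Guarding the test as `if (stack->new_label && strcmp(cur_label, stack->new_label) != 0)` keeps the `process:transition` check for real label switches and makes the no-transition case explicit. The ordering is otherwise sound: `*private` is set only after `sepgsql_check_perms`, so a denied call is not cached. sepgsql_fmgr_hook continues outside the hunk.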

@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01) ## gen_tunable(sepgsql_regression_test_mode, false) +# +# Type definitions for regression test +# +type sepgsql_regtest_trusted_proc_exec_t; +postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t) + # # Test domains for database administrators # @@ -57,3 +67,19 @@ optional_policy(` role unconfined_r types sepgsql_regtest_user_t; role unconfined_r types sepgsql_trusted_proc_t; ') + +# +# Rule to check +# +optional_policy(` + # These rules intends sepgsql_regtest_user_t domain to translate + # sepgsql_regtest_dba_t on execution of procedures labeled as + # sepgsql_regtest_trusted_proc_exec_t, but does not allow transition + # permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t. + # + gen_require(` + attribute sepgsql_client_type; + ') + allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install }; + type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; +') diff --git a/contrib/sepgsql/sql/label.sql b/contrib/sepgsql/sql/label.sql index 1100fcb35a..2b1841281c 100644 --- a/contrib/sepgsql/sql/label.sql +++ b/contrib/sepgsql/sql/label.sql @@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text SECURITY LABEL ON FUNCTION f3() IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'; +CREATE FUNCTION f4 () RETURNS text + AS 'SELECT sepgsql_getcon()' + LANGUAGE sql; +SECURITY LABEL ON FUNCTION f4() + IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0'; + -- -- Tests for default labeling behavior -- @@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b SELECT f1(); -- normal procedure SELECT f2(); -- trusted procedure SELECT f3(); -- trusted procedure that raises an error +SELECT f4(); -- failed on domain transition SELECT sepgsql_getcon(); -- client's label must be restored -- 
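Review bot: In the last sepgsql-regtest.te hunk, the new `allow` rule takes the whole `sepgsql_client_type` attribute as its source, so every client domain gets `getattr execute install` on `sepgsql_regtest_trusted_proc_exec_t`. The comment and the `type_transition` rule concern only `sepgsql_regtest_user_t`. If no other domain needs to call f4, `allow sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute };` would keep the test policy least-privilege; whether `install` is needed is not evident from the test. The block is also not placed under the `sepgsql_regression_test_mode` tunable declared at the top of the file, so these rules appear to be active whenever the module is loaded. The comment would read better as `# sepgsql_regtest_user_t is set up to transition to sepgsql_regtest_dba_t when it executes a procedure labeled sepgsql_regtest_trusted_proc_exec_t, but process:transition between the two domains is deliberately not allowed.`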
@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE; +DROP FUNCTION IF EXISTS f4() CASCADE;