pgsql-v9.2-prep-creation-hook-part-1.v2.database.patch
application/octet-stream
Filename: pgsql-v9.2-prep-creation-hook-part-1.v2.database.patch
Type: application/octet-stream
Part: 0
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: unified
Series: patch v9
| File | + | − |
|---|---|---|
| contrib/sepgsql/database.c | 94 | 6 |
| contrib/sepgsql/expected/create.out | 19 | 0 |
| contrib/sepgsql/hooks.c | 69 | 35 |
| contrib/sepgsql/sepgsql.h | 10 | 0 |
| contrib/sepgsql/sql/create.sql | 15 | 0 |
| contrib/sepgsql/test_sepgsql | 1 | 1 |
contrib/sepgsql/database.c | 100 +++++++++++++++++++++++++++++++--
contrib/sepgsql/expected/create.out | 19 ++++++
contrib/sepgsql/hooks.c | 104 +++++++++++++++++++++++------------
contrib/sepgsql/sepgsql.h | 10 +++
contrib/sepgsql/sql/create.sql | 15 +++++
contrib/sepgsql/test_sepgsql | 2 +-
6 files changed, 208 insertions(+), 42 deletions(-)
diff --git a/contrib/sepgsql/database.c b/contrib/sepgsql/database.c
index 7f15d9c..ce5a095 100644
--- a/contrib/sepgsql/database.c
+++ b/contrib/sepgsql/database.c
@@ -10,35 +10,122 @@
*/
#include "postgres.h"
+#include "access/genam.h"
+#include "access/heapam.h"
+#include "access/sysattr.h"
#include "catalog/dependency.h"
#include "catalog/pg_database.h"
+#include "catalog/indexing.h"
+#include "commands/dbcommands.h"
#include "commands/seclabel.h"
+#include "utils/fmgroids.h"
+#include "utils/tqual.h"
#include "sepgsql.h"
+/*
+ * sepgsql_database_get_catalog
+ *
+ * This routine tries to reference pg_database catalog with supplied OID and
+ * SnapshotSelf visibility, then returns a copy of the HeapTuple.
+ */
+static HeapTuple
+sepgsql_database_get_catalog(Oid databaseId)
+{
+ Relation catalog;
+ ScanKeyData skey;
+ SysScanDesc sscan;
+ HeapTuple tuple;
+
+ catalog = heap_open(DatabaseRelationId, AccessShareLock);
+
+ ScanKeyInit(&skey,
+ ObjectIdAttributeNumber,
+ BTEqualStrategyNumber, F_OIDEQ,
+ ObjectIdGetDatum(databaseId));
+
+ sscan = systable_beginscan(catalog, DatabaseOidIndexId, true,
+ SnapshotSelf, 1, &skey);
+
+ tuple = systable_getnext(sscan);
+ if (!HeapTupleIsValid(tuple))
+ elog(ERROR, "catalog lookup failed for database %u", databaseId);
+
+ tuple = heap_copytuple(tuple);
+
+ systable_endscan(sscan);
+ heap_close(catalog, AccessShareLock);
+
+ return tuple;
+}
+
+/*
+ * sepgsql_database_post_create
+ *
+ * This routine assigns a default security label on a newly defined
+ * database, and check permission needed for its creation.
+ */
void
sepgsql_database_post_create(Oid databaseId)
{
char *scontext = sepgsql_get_client_label();
char *tcontext;
char *ncontext;
+ char *dtemplate;
+ char audit_name[NAMEDATALEN + 20];
ObjectAddress object;
+ HeapTuple dattup;
+
+ Assert(sepgsql_context_info.cmdtype == T_CreatedbStmt);
+
+ /*
+ * Because OID of source database is not saved within pg_database
+ * catalog entry, we pick up it from the contextual information
+ * saved on entrypoint of ProcessUtility
+ */
+ dtemplate = sepgsql_context_info.createdb_template;
+ if (!dtemplate)
+ dtemplate = "template0";
+
+ object.classId = DatabaseRelationId;
+ object.objectId = get_database_oid(dtemplate, false);
+ object.objectSubId = 0;
+
+ tcontext = sepgsql_get_label(object.classId,
+ object.objectId,
+ object.objectSubId);
+ /*
+ * check db_database:{getattr} permission
+ */
+ snprintf(audit_name, sizeof(audit_name), "database %s", dtemplate);
+ sepgsql_avc_check_perms_label(tcontext,
+ SEPG_CLASS_DB_DATABASE,
+ SEPG_DB_DATABASE__GETATTR,
+ audit_name,
+ true);
/*
* Compute a default security label of the newly created database
* based on a pair of security label of client and source database.
*
- * XXX - Right now, this logic uses "template1" as its source, because
- * here is no way to know the Oid of source database.
+ * XXX - uncoming version of libselinux supports to take object
+ * name to handle special treatment on default security label.
*/
- object.classId = DatabaseRelationId;
- object.objectId = TemplateDbOid;
- object.objectSubId = 0;
- tcontext = GetSecurityLabel(&object, SEPGSQL_LABEL_TAG);
+ dattup = sepgsql_database_get_catalog(databaseId);
ncontext = sepgsql_compute_create(scontext, tcontext,
SEPG_CLASS_DB_DATABASE);
/*
+ * check db_database:{create} permission
+ */
+ snprintf(audit_name, sizeof(audit_name), "database %s",
+ NameStr(((Form_pg_database) GETSTRUCT(dattup))->datname));
+ sepgsql_avc_check_perms_label(ncontext,
+ SEPG_CLASS_DB_DATABASE,
+ SEPG_DB_DATABASE__CREATE,
+ audit_name,
+ true);
+ /*
* Assign the default security label on the new database
*/
object.classId = DatabaseRelationId;
@@ -47,6 +134,7 @@ sepgsql_database_post_create(Oid databaseId)
SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
+ heap_freetuple(dattup);
pfree(ncontext);
pfree(tcontext);
}
diff --git a/contrib/sepgsql/expected/create.out b/contrib/sepgsql/expected/create.out
new file mode 100644
index 0000000..cc60118
--- /dev/null
+++ b/contrib/sepgsql/expected/create.out
@@ -0,0 +1,19 @@
+--
+-- Regression Test for Creation of Object Permission Checks
+--
+-- confirm required permissions using audit messages
+SELECT sepgsql_getcon(); -- confirm client privilege
+ sepgsql_getcon
+-------------------------------------------
+ unconfined_u:unconfined_r:unconfined_t:s0
+(1 row)
+
+SET sepgsql.debug_audit = true;
+SET client_min_messages = LOG;
+CREATE DATABASE regtest_sepgsql_test_database;
+LOG: SELinux: allowed { getattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name="database template0"
+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_db_t:s0 tclass=db_database name="database regtest_sepgsql_test_database"
+--
+-- clean-up
+--
+DROP DATABASE IF EXISTS regtest_sepgsql_test_database;
diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c
index 331bbd7..bbc9a82 100644
--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -31,6 +31,7 @@ PG_MODULE_MAGIC;
* Declarations
*/
void _PG_init(void);
+sepgsql_context_info_t sepgsql_context_info;
/*
* Saved hook entries (if stacked)
@@ -308,44 +309,74 @@ sepgsql_utility_command(Node *parsetree,
DestReceiver *dest,
char *completionTag)
{
- if (next_ProcessUtility_hook)
- (*next_ProcessUtility_hook) (parsetree, queryString, params,
- isTopLevel, dest, completionTag);
+ sepgsql_context_info_t saved_context_info = sepgsql_context_info;
+ ListCell *cell;
- /*
- * Check command tag to avoid nefarious operations
- */
- switch (nodeTag(parsetree))
+ PG_TRY();
{
- case T_LoadStmt:
-
- /*
- * We reject LOAD command across the board on enforcing mode,
- * because a binary module can arbitrarily override hooks.
- */
- if (sepgsql_getenforce())
- {
- ereport(ERROR,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("SELinux: LOAD is not permitted")));
- }
- break;
- default:
-
- /*
- * Right now we don't check any other utility commands, because it
- * needs more detailed information to make access control decision
- * here, but we don't want to have two parse and analyze routines
- * individually.
- */
- break;
+ /*
+ * Check command tag to avoid nefarious operations, and save the
+ * current contextual information to determine whether we should
+ * apply permission checks here, or not.
+ */
+ sepgsql_context_info.cmdtype = nodeTag(parsetree);
+
+ switch (nodeTag(parsetree))
+ {
+ case T_CreatedbStmt:
+ /*
+ * We hope to reference name of the source database, but it
+ * does not appear in system catalog. So, we save it here.
+ */
+ foreach (cell, ((CreatedbStmt *) parsetree)->options)
+ {
+ DefElem *defel = (DefElem *) lfirst(cell);
+
+ if (strcmp(defel->defname, "template") == 0)
+ {
+ sepgsql_context_info.createdb_template
+ = strVal(defel->arg);
+ break;
+ }
+ }
+ break;
+
+ case T_LoadStmt:
+ /*
+ * We reject LOAD command across the board on enforcing mode,
+ * because a binary module can arbitrarily override hooks.
+ */
+ if (sepgsql_getenforce())
+ {
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("SELinux: LOAD is not permitted")));
+ }
+ break;
+ default:
+ /*
+ * Right now we don't check any other utility commands,
+ * because it needs more detailed information to make access
+ * control decision here, but we don't want to have two parse
+ * and analyze routines individually.
+ */
+ break;
+ }
+
+ if (next_ProcessUtility_hook)
+ (*next_ProcessUtility_hook) (parsetree, queryString, params,
+ isTopLevel, dest, completionTag);
+ else
+ standard_ProcessUtility(parsetree, queryString, params,
+ isTopLevel, dest, completionTag);
}
-
- /*
- * Original implementation
- */
- standard_ProcessUtility(parsetree, queryString, params,
- isTopLevel, dest, completionTag);
+ PG_CATCH();
+ {
+ sepgsql_context_info = saved_context_info;
+ PG_RE_THROW();
+ }
+ PG_END_TRY();
+ sepgsql_context_info = saved_context_info;
}
/*
@@ -456,4 +487,7 @@ _PG_init(void)
/* ProcessUtility hook */
next_ProcessUtility_hook = ProcessUtility_hook;
ProcessUtility_hook = sepgsql_utility_command;
+
+ /* init contextual info */
+ memset(&sepgsql_context_info, 0, sizeof(sepgsql_context_info));
}
diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h
index b4c1dfd..f192fd4 100644
--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
@@ -213,6 +213,16 @@
/*
* hooks.c
*/
+typedef struct
+{
+ NodeTag cmdtype;
+
+ /* User given template database on CREATE DATABASE, elsewhere NULL */
+ char *createdb_template;
+} sepgsql_context_info_t;
+
+extern sepgsql_context_info_t sepgsql_context_info;
+
extern bool sepgsql_get_permissive(void);
extern bool sepgsql_get_debug_audit(void);
diff --git a/contrib/sepgsql/sql/create.sql b/contrib/sepgsql/sql/create.sql
new file mode 100644
index 0000000..6cd5656
--- /dev/null
+++ b/contrib/sepgsql/sql/create.sql
@@ -0,0 +1,15 @@
+--
+-- Regression Test for Creation of Object Permission Checks
+--
+
+-- confirm required permissions using audit messages
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0
+SET sepgsql.debug_audit = true;
+SET client_min_messages = LOG;
+
+CREATE DATABASE regtest_sepgsql_test_database;
+
+--
+-- clean-up
+--
+DROP DATABASE IF EXISTS regtest_sepgsql_test_database;
diff --git a/contrib/sepgsql/test_sepgsql b/contrib/sepgsql/test_sepgsql
index 9b7262a..52237e6 100755
--- a/contrib/sepgsql/test_sepgsql
+++ b/contrib/sepgsql/test_sepgsql
@@ -259,6 +259,6 @@ echo "found ${NUM}"
echo
echo "============== running sepgsql regression tests =============="
-make REGRESS="label dml misc" REGRESS_OPTS="--launcher ./launcher" installcheck
+make REGRESS="label dml create misc" REGRESS_OPTS="--launcher ./launcher" installcheck
# exit with the exit code provided by "make"