PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
Data Structures | Functions | Variables
label.c File Reference
#include "postgres.h"
#include <selinux/label.h>
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/table.h"
#include "access/xact.h"
#include "catalog/catalog.h"
#include "catalog/dependency.h"
#include "catalog/pg_attribute.h"
#include "catalog/pg_class.h"
#include "catalog/pg_database.h"
#include "catalog/pg_namespace.h"
#include "catalog/pg_proc.h"
#include "commands/seclabel.h"
#include "libpq/auth.h"
#include "libpq/libpq-be.h"
#include "miscadmin.h"
#include "sepgsql.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/rel.h"
Include dependency graph for label.c:

Go to the source code of this file.

Data Structures

struct  pending_label
 

Functions

char * sepgsql_get_client_label (void)
 
static void sepgsql_set_client_label (const char *new_label)
 
static void sepgsql_xact_callback (XactEvent event, void *arg)
 
static void sepgsql_subxact_callback (SubXactEvent event, SubTransactionId mySubid, SubTransactionId parentSubid, void *arg)
 
static void sepgsql_client_auth (Port *port, int status)
 
static bool sepgsql_needs_fmgr_hook (Oid functionId)
 
static void sepgsql_fmgr_hook (FmgrHookEventType event, FmgrInfo *flinfo, Datum *private)
 
void sepgsql_init_client_label (void)
 
char * sepgsql_get_label (Oid classId, Oid objectId, int32 subId)
 
void sepgsql_object_relabel (const ObjectAddress *object, const char *seclabel)
 
 PG_FUNCTION_INFO_V1 (sepgsql_getcon)
 
Datum sepgsql_getcon (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_setcon)
 
Datum sepgsql_setcon (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_mcstrans_in)
 
Datum sepgsql_mcstrans_in (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_mcstrans_out)
 
Datum sepgsql_mcstrans_out (PG_FUNCTION_ARGS)
 
static char * quote_object_name (const char *src1, const char *src2, const char *src3, const char *src4)
 
static void exec_object_restorecon (struct selabel_handle *sehnd, Oid catalogId)
 
 PG_FUNCTION_INFO_V1 (sepgsql_restorecon)
 
Datum sepgsql_restorecon (PG_FUNCTION_ARGS)
 

Variables

static ClientAuthentication_hook_type next_client_auth_hook = NULL
 
static needs_fmgr_hook_type next_needs_fmgr_hook = NULL
 
static fmgr_hook_type next_fmgr_hook = NULL
 
static char * client_label_peer = NULL
 
static Listclient_label_pending = NIL
 
static char * client_label_committed = NULL
 
static char * client_label_func = NULL
 

Function Documentation

◆ exec_object_restorecon()

static void exec_object_restorecon ( struct selabel_handle *  sehnd,
Oid  catalogId 
)
static

Definition at line 677 of file label.c.

678{
679 Relation rel;
680 SysScanDesc sscan;
681 HeapTuple tuple;
682 char *database_name = get_database_name(MyDatabaseId);
683 char *namespace_name;
684 Oid namespace_id;
685 char *relation_name;
686
687 /*
688 * Open the target catalog. We don't want to allow writable accesses by
689 * other session during initial labeling.
690 */
691 rel = table_open(catalogId, AccessShareLock);
692
693 sscan = systable_beginscan(rel, InvalidOid, false,
694 NULL, 0, NULL);
695 while (HeapTupleIsValid(tuple = systable_getnext(sscan)))
696 {
697 Form_pg_database datForm;
698 Form_pg_namespace nspForm;
699 Form_pg_class relForm;
700 Form_pg_attribute attForm;
701 Form_pg_proc proForm;
702 char *objname;
703 int objtype = 1234;
704 ObjectAddress object;
705 char *context;
706
707 /*
708 * The way to determine object name depends on object classes. So, any
709 * branches set up `objtype', `objname' and `object' here.
710 */
711 switch (catalogId)
712 {
713 case DatabaseRelationId:
714 datForm = (Form_pg_database) GETSTRUCT(tuple);
715
716 objtype = SELABEL_DB_DATABASE;
717
718 objname = quote_object_name(NameStr(datForm->datname),
719 NULL, NULL, NULL);
720
721 object.classId = DatabaseRelationId;
722 object.objectId = datForm->oid;
723 object.objectSubId = 0;
724 break;
725
726 case NamespaceRelationId:
727 nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
728
729 objtype = SELABEL_DB_SCHEMA;
730
731 objname = quote_object_name(database_name,
732 NameStr(nspForm->nspname),
733 NULL, NULL);
734
735 object.classId = NamespaceRelationId;
736 object.objectId = nspForm->oid;
737 object.objectSubId = 0;
738 break;
739
740 case RelationRelationId:
741 relForm = (Form_pg_class) GETSTRUCT(tuple);
742
743 if (relForm->relkind == RELKIND_RELATION ||
744 relForm->relkind == RELKIND_PARTITIONED_TABLE)
745 objtype = SELABEL_DB_TABLE;
746 else if (relForm->relkind == RELKIND_SEQUENCE)
747 objtype = SELABEL_DB_SEQUENCE;
748 else if (relForm->relkind == RELKIND_VIEW)
749 objtype = SELABEL_DB_VIEW;
750 else
751 continue; /* no need to assign security label */
752
753 namespace_name = get_namespace_name(relForm->relnamespace);
754 objname = quote_object_name(database_name,
755 namespace_name,
756 NameStr(relForm->relname),
757 NULL);
758 pfree(namespace_name);
759
760 object.classId = RelationRelationId;
761 object.objectId = relForm->oid;
762 object.objectSubId = 0;
763 break;
764
765 case AttributeRelationId:
766 attForm = (Form_pg_attribute) GETSTRUCT(tuple);
767
768 if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION &&
769 get_rel_relkind(attForm->attrelid) != RELKIND_PARTITIONED_TABLE)
770 continue; /* no need to assign security label */
771
772 objtype = SELABEL_DB_COLUMN;
773
774 namespace_id = get_rel_namespace(attForm->attrelid);
775 namespace_name = get_namespace_name(namespace_id);
776 relation_name = get_rel_name(attForm->attrelid);
777 objname = quote_object_name(database_name,
778 namespace_name,
779 relation_name,
780 NameStr(attForm->attname));
781 pfree(namespace_name);
782 pfree(relation_name);
783
784 object.classId = RelationRelationId;
785 object.objectId = attForm->attrelid;
786 object.objectSubId = attForm->attnum;
787 break;
788
789 case ProcedureRelationId:
790 proForm = (Form_pg_proc) GETSTRUCT(tuple);
791
792 objtype = SELABEL_DB_PROCEDURE;
793
794 namespace_name = get_namespace_name(proForm->pronamespace);
795 objname = quote_object_name(database_name,
796 namespace_name,
797 NameStr(proForm->proname),
798 NULL);
799 pfree(namespace_name);
800
801 object.classId = ProcedureRelationId;
802 object.objectId = proForm->oid;
803 object.objectSubId = 0;
804 break;
805
806 default:
807 elog(ERROR, "unexpected catalog id: %u", catalogId);
808 objname = NULL; /* for compiler quiet */
809 break;
810 }
811
812 if (selabel_lookup_raw(sehnd, &context, objname, objtype) == 0)
813 {
814 PG_TRY();
815 {
816 /*
817 * Check SELinux permission to relabel the fetched object,
818 * then do the actual relabeling.
819 */
820 sepgsql_object_relabel(&object, context);
821
822 SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, context);
823 }
824 PG_FINALLY();
825 {
826 freecon(context);
827 }
828 PG_END_TRY();
829 }
830 else if (errno == ENOENT)
831 ereport(WARNING,
832 (errmsg("SELinux: no initial label assigned for %s (type=%d), skipping",
833 objname, objtype)));
834 else
835 ereport(ERROR,
836 (errcode(ERRCODE_INTERNAL_ERROR),
837 errmsg("SELinux: could not determine initial security label for %s (type=%d): %m", objname, objtype)));
838
839 pfree(objname);
840 }
841 systable_endscan(sscan);
842
843 table_close(rel, NoLock);
844}
NameStr
#define NameStr(name)
Definition: c.h:755
errcode
int errcode(int sqlerrcode)
Definition: elog.c:863
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1080
PG_TRY
#define PG_TRY(...)
Definition: elog.h:372
WARNING
#define WARNING
Definition: elog.h:36
PG_END_TRY
#define PG_END_TRY(...)
Definition: elog.h:397
ERROR
#define ERROR
Definition: elog.h:39
elog
#define elog(elevel,...)
Definition: elog.h:226
PG_FINALLY
#define PG_FINALLY(...)
Definition: elog.h:389
ereport
#define ereport(elevel,...)
Definition: elog.h:150
systable_endscan
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:603
systable_getnext
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:514
systable_beginscan
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:388
MyDatabaseId
Oid MyDatabaseId
Definition: globals.c:94
HeapTupleIsValid
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
GETSTRUCT
static void * GETSTRUCT(const HeapTupleData *tuple)
Definition: htup_details.h:728
quote_object_name
static char * quote_object_name(const char *src1, const char *src2, const char *src3, const char *src4)
Definition: label.c:652
sepgsql_object_relabel
void sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
Definition: label.c:481
NoLock
#define NoLock
Definition: lockdefs.h:34
AccessShareLock
#define AccessShareLock
Definition: lockdefs.h:36
get_rel_name
char * get_rel_name(Oid relid)
Definition: lsyscache.c:2095
get_database_name
char * get_database_name(Oid dbid)
Definition: lsyscache.c:1259
get_rel_relkind
char get_rel_relkind(Oid relid)
Definition: lsyscache.c:2170
get_rel_namespace
Oid get_rel_namespace(Oid relid)
Definition: lsyscache.c:2119
get_namespace_name
char * get_namespace_name(Oid nspid)
Definition: lsyscache.c:3533
pfree
void pfree(void *pointer)
Definition: mcxt.c:1594
Form_pg_attribute
FormData_pg_attribute * Form_pg_attribute
Definition: pg_attribute.h:202
Form_pg_class
FormData_pg_class * Form_pg_class
Definition: pg_class.h:156
Form_pg_database
FormData_pg_database * Form_pg_database
Definition: pg_database.h:96
Form_pg_namespace
FormData_pg_namespace * Form_pg_namespace
Definition: pg_namespace.h:52
Form_pg_proc
FormData_pg_proc * Form_pg_proc
Definition: pg_proc.h:136
InvalidOid
#define InvalidOid
Definition: postgres_ext.h:37
Oid
unsigned int Oid
Definition: postgres_ext.h:32
SetSecurityLabel
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:404
SEPGSQL_LABEL_TAG
#define SEPGSQL_LABEL_TAG
Definition: sepgsql.h:23
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References AccessShareLock, elog, ereport, errcode(), errmsg(), ERROR, get_database_name(), get_namespace_name(), get_rel_name(), get_rel_namespace(), get_rel_relkind(), GETSTRUCT(), HeapTupleIsValid, InvalidOid, MyDatabaseId, NameStr, NoLock, pfree(), PG_END_TRY, PG_FINALLY, PG_TRY, quote_object_name(), SEPGSQL_LABEL_TAG, sepgsql_object_relabel(), SetSecurityLabel(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and WARNING.

Referenced by sepgsql_restorecon().

◆ PG_FUNCTION_INFO_V1() [1/5]

PG_FUNCTION_INFO_V1 ( sepgsql_getcon  )

◆ PG_FUNCTION_INFO_V1() [2/5]

PG_FUNCTION_INFO_V1 ( sepgsql_mcstrans_in  )

◆ PG_FUNCTION_INFO_V1() [3/5]

PG_FUNCTION_INFO_V1 ( sepgsql_mcstrans_out  )

◆ PG_FUNCTION_INFO_V1() [4/5]

PG_FUNCTION_INFO_V1 ( sepgsql_restorecon  )

◆ PG_FUNCTION_INFO_V1() [5/5]

PG_FUNCTION_INFO_V1 ( sepgsql_setcon  )

◆ quote_object_name()

static char * quote_object_name ( const char *  src1,
const char *  src2,
const char *  src3,
const char *  src4 
)
static

Definition at line 652 of file label.c.

654{
655 StringInfoData result;
656
657 initStringInfo(&result);
658 if (src1)
659 appendStringInfoString(&result, quote_identifier(src1));
660 if (src2)
661 appendStringInfo(&result, ".%s", quote_identifier(src2));
662 if (src3)
663 appendStringInfo(&result, ".%s", quote_identifier(src3));
664 if (src4)
665 appendStringInfo(&result, ".%s", quote_identifier(src4));
666 return result.data;
667}
quote_identifier
const char * quote_identifier(const char *ident)
Definition: ruleutils.c:13062
appendStringInfo
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:145
appendStringInfoString
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:230
initStringInfo
void initStringInfo(StringInfo str)
Definition: stringinfo.c:97

References appendStringInfo(), appendStringInfoString(), StringInfoData::data, initStringInfo(), and quote_identifier().

Referenced by exec_object_restorecon().

◆ sepgsql_client_auth()

static void sepgsql_client_auth ( Port port,
int  status 
)
static

Definition at line 229 of file label.c.

230{
231 if (next_client_auth_hook)
232 (*next_client_auth_hook) (port, status);
233
234 /*
235 * In the case when authentication failed, the supplied socket shall be
236 * closed soon, so we don't need to do anything here.
237 */
238 if (status != STATUS_OK)
239 return;
240
241 /*
242 * Getting security label of the peer process using API of libselinux.
243 */
244 if (getpeercon_raw(port->sock, &client_label_peer) < 0)
245 ereport(FATAL,
246 (errcode(ERRCODE_INTERNAL_ERROR),
247 errmsg("SELinux: unable to get peer label: %m")));
248
249 /*
250 * Switch the current performing mode from INTERNAL to either DEFAULT or
251 * PERMISSIVE.
252 */
253 if (sepgsql_get_permissive())
254 sepgsql_set_mode(SEPGSQL_MODE_PERMISSIVE);
255 else
256 sepgsql_set_mode(SEPGSQL_MODE_DEFAULT);
257}
STATUS_OK
#define STATUS_OK
Definition: c.h:1172
FATAL
#define FATAL
Definition: elog.h:41
sepgsql_get_permissive
bool sepgsql_get_permissive(void)
Definition: hooks.c:66
client_label_peer
static char * client_label_peer
Definition: label.c:58
next_client_auth_hook
static ClientAuthentication_hook_type next_client_auth_hook
Definition: label.c:41
port
static int port
Definition: pg_regress.c:115
sepgsql_set_mode
int sepgsql_set_mode(int new_mode)
Definition: selinux.c:634
SEPGSQL_MODE_DEFAULT
#define SEPGSQL_MODE_DEFAULT
Definition: sepgsql.h:28
SEPGSQL_MODE_PERMISSIVE
#define SEPGSQL_MODE_PERMISSIVE
Definition: sepgsql.h:29

References client_label_peer, ereport, errcode(), errmsg(), FATAL, next_client_auth_hook, port, sepgsql_get_permissive(), SEPGSQL_MODE_DEFAULT, SEPGSQL_MODE_PERMISSIVE, sepgsql_set_mode(), and STATUS_OK.

Referenced by sepgsql_init_client_label().

◆ sepgsql_fmgr_hook()

static void sepgsql_fmgr_hook ( FmgrHookEventType  event,
FmgrInfo flinfo,
Datum private 
)
static

Definition at line 310 of file label.c.

312{
313 struct
314 {
315 char *old_label;
316 char *new_label;
317 Datum next_private;
318 } *stack;
319
320 switch (event)
321 {
322 case FHET_START:
323 stack = (void *) DatumGetPointer(*private);
324 if (!stack)
325 {
326 MemoryContext oldcxt;
327
328 oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
329 stack = palloc(sizeof(*stack));
330 stack->old_label = NULL;
331 stack->new_label = sepgsql_avc_trusted_proc(flinfo->fn_oid);
332 stack->next_private = 0;
333
334 MemoryContextSwitchTo(oldcxt);
335
336 /*
337 * process:transition permission between old and new label,
338 * when user tries to switch security label of the client on
339 * execution of trusted procedure.
340 *
341 * Also, db_procedure:entrypoint permission should be checked
342 * whether this procedure can perform as an entrypoint of the
343 * trusted procedure, or not. Note that db_procedure:execute
344 * permission shall be checked individually.
345 */
346 if (stack->new_label)
347 {
348 ObjectAddress object;
349
350 object.classId = ProcedureRelationId;
351 object.objectId = flinfo->fn_oid;
352 object.objectSubId = 0;
353 sepgsql_avc_check_perms(&object,
354 SEPG_CLASS_DB_PROCEDURE,
355 SEPG_DB_PROCEDURE__ENTRYPOINT,
356 getObjectDescription(&object, false),
357 true);
358
359 sepgsql_avc_check_perms_label(stack->new_label,
360 SEPG_CLASS_PROCESS,
361 SEPG_PROCESS__TRANSITION,
362 NULL, true);
363 }
364 *private = PointerGetDatum(stack);
365 }
366 Assert(!stack->old_label);
367 if (stack->new_label)
368 {
369 stack->old_label = client_label_func;
370 client_label_func = stack->new_label;
371 }
372 if (next_fmgr_hook)
373 (*next_fmgr_hook) (event, flinfo, &stack->next_private);
374 break;
375
376 case FHET_END:
377 case FHET_ABORT:
378 stack = (void *) DatumGetPointer(*private);
379
380 if (next_fmgr_hook)
381 (*next_fmgr_hook) (event, flinfo, &stack->next_private);
382
383 if (stack->new_label)
384 {
385 client_label_func = stack->old_label;
386 stack->old_label = NULL;
387 }
388 break;
389
390 default:
391 elog(ERROR, "unexpected event type: %d", (int) event);
392 break;
393 }
394}
FHET_END
@ FHET_END
Definition: fmgr.h:836
FHET_ABORT
@ FHET_ABORT
Definition: fmgr.h:837
FHET_START
@ FHET_START
Definition: fmgr.h:835
Assert
Assert(PointerIsAligned(start, uint64))
next_fmgr_hook
static fmgr_hook_type next_fmgr_hook
Definition: label.c:43
client_label_func
static char * client_label_func
Definition: label.c:63
palloc
void * palloc(Size size)
Definition: mcxt.c:1365
getObjectDescription
char * getObjectDescription(const ObjectAddress *object, bool missing_ok)
Definition: objectaddress.c:2911
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:124
PointerGetDatum
static Datum PointerGetDatum(const void *X)
Definition: postgres.h:332
Datum
uint64_t Datum
Definition: postgres.h:70
DatumGetPointer
static Pointer DatumGetPointer(Datum X)
Definition: postgres.h:322
sepgsql_avc_trusted_proc
char * sepgsql_avc_trusted_proc(Oid functionId)
Definition: uavc.c:445
sepgsql_avc_check_perms_label
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:337
SEPG_PROCESS__TRANSITION
#define SEPG_PROCESS__TRANSITION
Definition: sepgsql.h:59
SEPG_DB_PROCEDURE__ENTRYPOINT
#define SEPG_DB_PROCEDURE__ENTRYPOINT
Definition: sepgsql.h:167
SEPG_CLASS_DB_PROCEDURE
#define SEPG_CLASS_DB_PROCEDURE
Definition: sepgsql.h:48
SEPG_CLASS_PROCESS
#define SEPG_CLASS_PROCESS
Definition: sepgsql.h:36
sepgsql_avc_check_perms
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:420
FmgrInfo::fn_mcxt
MemoryContext fn_mcxt
Definition: fmgr.h:65
FmgrInfo::fn_oid
Oid fn_oid
Definition: fmgr.h:59

References Assert(), ObjectAddress::classId, client_label_func, DatumGetPointer(), elog, ERROR, FHET_ABORT, FHET_END, FHET_START, FmgrInfo::fn_mcxt, FmgrInfo::fn_oid, getObjectDescription(), MemoryContextSwitchTo(), next_fmgr_hook, palloc(), PointerGetDatum(), SEPG_CLASS_DB_PROCEDURE, SEPG_CLASS_PROCESS, SEPG_DB_PROCEDURE__ENTRYPOINT, SEPG_PROCESS__TRANSITION, sepgsql_avc_check_perms(), sepgsql_avc_check_perms_label(), and sepgsql_avc_trusted_proc().

Referenced by sepgsql_init_client_label().

◆ sepgsql_get_client_label()

char * sepgsql_get_client_label ( void  )

Definition at line 79 of file label.c.

80{
81 /* trusted procedure client label override */
82 if (client_label_func)
83 return client_label_func;
84
85 /* uncommitted sepgsql_setcon() value */
86 if (client_label_pending)
87 {
88 pending_label *plabel = llast(client_label_pending);
89
90 if (plabel->label)
91 return plabel->label;
92 }
93 else if (client_label_committed)
94 return client_label_committed; /* set by sepgsql_setcon() committed */
95
96 /* default label */
97 Assert(client_label_peer != NULL);
98 return client_label_peer;
99}
client_label_committed
static char * client_label_committed
Definition: label.c:61
client_label_pending
static List * client_label_pending
Definition: label.c:59
llast
#define llast(l)
Definition: pg_list.h:198
pending_label
Definition: label.c:66
pending_label::label
char * label
Definition: label.c:68

References Assert(), client_label_committed, client_label_func, client_label_peer, client_label_pending, pending_label::label, and llast.

Referenced by sepgsql_attribute_post_create(), sepgsql_avc_check_perms_label(), sepgsql_avc_trusted_proc(), sepgsql_database_post_create(), sepgsql_getcon(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), sepgsql_schema_post_create(), and sepgsql_set_client_label().

◆ sepgsql_get_label()

char * sepgsql_get_label ( Oid  classId,
Oid  objectId,
int32  subId 
)

Definition at line 444 of file label.c.

445{
446 ObjectAddress object;
447 char *label;
448
449 object.classId = classId;
450 object.objectId = objectId;
451 object.objectSubId = subId;
452
453 label = GetSecurityLabel(&object, SEPGSQL_LABEL_TAG);
454 if (!label || security_check_context_raw(label))
455 {
456 char *unlabeled;
457
458 if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
459 ereport(ERROR,
460 (errcode(ERRCODE_INTERNAL_ERROR),
461 errmsg("SELinux: failed to get initial security label: %m")));
462 PG_TRY();
463 {
464 label = pstrdup(unlabeled);
465 }
466 PG_FINALLY();
467 {
468 freecon(unlabeled);
469 }
470 PG_END_TRY();
471 }
472 return label;
473}
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1759
label
static char * label
Definition: pg_basebackup.c:135
GetSecurityLabel
char * GetSecurityLabel(const ObjectAddress *object, const char *provider)
Definition: seclabel.c:272

References ereport, errcode(), errmsg(), ERROR, GetSecurityLabel(), label, PG_END_TRY, PG_FINALLY, PG_TRY, pstrdup(), and SEPGSQL_LABEL_TAG.

Referenced by sepgsql_attribute_post_create(), sepgsql_database_post_create(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), and sepgsql_schema_post_create().

◆ sepgsql_getcon()

Datum sepgsql_getcon ( PG_FUNCTION_ARGS  )

Definition at line 536 of file label.c.

537{
538 char *client_label;
539
540 if (!sepgsql_is_enabled())
541 PG_RETURN_NULL();
542
543 client_label = sepgsql_get_client_label();
544
545 PG_RETURN_TEXT_P(cstring_to_text(client_label));
546}
PG_RETURN_NULL
#define PG_RETURN_NULL()
Definition: fmgr.h:345
PG_RETURN_TEXT_P
#define PG_RETURN_TEXT_P(x)
Definition: fmgr.h:372
sepgsql_get_client_label
char * sepgsql_get_client_label(void)
Definition: label.c:79
sepgsql_is_enabled
bool sepgsql_is_enabled(void)
Definition: selinux.c:616
cstring_to_text
text * cstring_to_text(const char *s)
Definition: varlena.c:181

References cstring_to_text(), PG_RETURN_NULL, PG_RETURN_TEXT_P, sepgsql_get_client_label(), and sepgsql_is_enabled().

◆ sepgsql_init_client_label()

void sepgsql_init_client_label ( void  )

Definition at line 403 of file label.c.

404{
405 /*
406 * Set up dummy client label.
407 *
408 * XXX - note that PostgreSQL launches background worker process like
409 * autovacuum without authentication steps. So, we initialize sepgsql_mode
410 * with SEPGSQL_MODE_INTERNAL, and client_label with the security context
411 * of server process. Later, it also launches background of user session.
412 * In this case, the process is always hooked on post-authentication, and
413 * we can initialize the sepgsql_mode and client_label correctly.
414 */
415 if (getcon_raw(&client_label_peer) < 0)
416 ereport(ERROR,
417 (errcode(ERRCODE_INTERNAL_ERROR),
418 errmsg("SELinux: failed to get server security label: %m")));
419
420 /* Client authentication hook */
421 next_client_auth_hook = ClientAuthentication_hook;
422 ClientAuthentication_hook = sepgsql_client_auth;
423
424 /* Trusted procedure hooks */
425 next_needs_fmgr_hook = needs_fmgr_hook;
426 needs_fmgr_hook = sepgsql_needs_fmgr_hook;
427
428 next_fmgr_hook = fmgr_hook;
429 fmgr_hook = sepgsql_fmgr_hook;
430
431 /* Transaction/Sub-transaction callbacks */
432 RegisterXactCallback(sepgsql_xact_callback, NULL);
433 RegisterSubXactCallback(sepgsql_subxact_callback, NULL);
434}
ClientAuthentication_hook
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:223
needs_fmgr_hook
PGDLLIMPORT needs_fmgr_hook_type needs_fmgr_hook
Definition: fmgr.c:40
fmgr_hook
PGDLLIMPORT fmgr_hook_type fmgr_hook
Definition: fmgr.c:41
sepgsql_fmgr_hook
static void sepgsql_fmgr_hook(FmgrHookEventType event, FmgrInfo *flinfo, Datum *private)
Definition: label.c:310
next_needs_fmgr_hook
static needs_fmgr_hook_type next_needs_fmgr_hook
Definition: label.c:42
sepgsql_subxact_callback
static void sepgsql_subxact_callback(SubXactEvent event, SubTransactionId mySubid, SubTransactionId parentSubid, void *arg)
Definition: label.c:203
sepgsql_client_auth
static void sepgsql_client_auth(Port *port, int status)
Definition: label.c:229
sepgsql_xact_callback
static void sepgsql_xact_callback(XactEvent event, void *arg)
Definition: label.c:164
sepgsql_needs_fmgr_hook
static bool sepgsql_needs_fmgr_hook(Oid functionId)
Definition: label.c:267
RegisterXactCallback
void RegisterXactCallback(XactCallback callback, void *arg)
Definition: xact.c:3822
RegisterSubXactCallback
void RegisterSubXactCallback(SubXactCallback callback, void *arg)
Definition: xact.c:3882

References client_label_peer, ClientAuthentication_hook, ereport, errcode(), errmsg(), ERROR, fmgr_hook, needs_fmgr_hook, next_client_auth_hook, next_fmgr_hook, next_needs_fmgr_hook, RegisterSubXactCallback(), RegisterXactCallback(), sepgsql_client_auth(), sepgsql_fmgr_hook(), sepgsql_needs_fmgr_hook(), sepgsql_subxact_callback(), and sepgsql_xact_callback().

Referenced by _PG_init().

◆ sepgsql_mcstrans_in()

Datum sepgsql_mcstrans_in ( PG_FUNCTION_ARGS  )

Definition at line 577 of file label.c.

578{
579 text *label = PG_GETARG_TEXT_PP(0);
580 char *raw_label;
581 char *result;
582
583 if (!sepgsql_is_enabled())
584 ereport(ERROR,
585 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
586 errmsg("sepgsql is not enabled")));
587
588 if (selinux_trans_to_raw_context(text_to_cstring(label),
589 &raw_label) < 0)
590 ereport(ERROR,
591 (errcode(ERRCODE_INTERNAL_ERROR),
592 errmsg("SELinux: could not translate security label: %m")));
593
594 PG_TRY();
595 {
596 result = pstrdup(raw_label);
597 }
598 PG_FINALLY();
599 {
600 freecon(raw_label);
601 }
602 PG_END_TRY();
603
604 PG_RETURN_TEXT_P(cstring_to_text(result));
605}
PG_GETARG_TEXT_PP
#define PG_GETARG_TEXT_PP(n)
Definition: fmgr.h:309
varlena
Definition: c.h:696
text_to_cstring
char * text_to_cstring(const text *t)
Definition: varlena.c:214

References cstring_to_text(), ereport, errcode(), errmsg(), ERROR, label, PG_END_TRY, PG_FINALLY, PG_GETARG_TEXT_PP, PG_RETURN_TEXT_P, PG_TRY, pstrdup(), sepgsql_is_enabled(), and text_to_cstring().

◆ sepgsql_mcstrans_out()

Datum sepgsql_mcstrans_out ( PG_FUNCTION_ARGS  )

Definition at line 615 of file label.c.

616{
617 text *label = PG_GETARG_TEXT_PP(0);
618 char *qual_label;
619 char *result;
620
621 if (!sepgsql_is_enabled())
622 ereport(ERROR,
623 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
624 errmsg("sepgsql is not currently enabled")));
625
626 if (selinux_raw_to_trans_context(text_to_cstring(label),
627 &qual_label) < 0)
628 ereport(ERROR,
629 (errcode(ERRCODE_INTERNAL_ERROR),
630 errmsg("SELinux: could not translate security label: %m")));
631
632 PG_TRY();
633 {
634 result = pstrdup(qual_label);
635 }
636 PG_FINALLY();
637 {
638 freecon(qual_label);
639 }
640 PG_END_TRY();
641
642 PG_RETURN_TEXT_P(cstring_to_text(result));
643}

References cstring_to_text(), ereport, errcode(), errmsg(), ERROR, label, PG_END_TRY, PG_FINALLY, PG_GETARG_TEXT_PP, PG_RETURN_TEXT_P, PG_TRY, pstrdup(), sepgsql_is_enabled(), and text_to_cstring().

◆ sepgsql_needs_fmgr_hook()

static bool sepgsql_needs_fmgr_hook ( Oid  functionId)
static

Definition at line 267 of file label.c.

268{
269 ObjectAddress object;
270
271 if (next_needs_fmgr_hook &&
272 (*next_needs_fmgr_hook) (functionId))
273 return true;
274
275 /*
276 * SELinux needs the function to be called via security_definer wrapper,
277 * if this invocation will take a domain-transition. We call these
278 * functions as trusted-procedure, if the security policy has a rule that
279 * switches security label of the client on execution.
280 */
281 if (sepgsql_avc_trusted_proc(functionId) != NULL)
282 return true;
283
284 /*
285 * Even if not a trusted-procedure, this function should not be inlined
286 * unless the client has db_procedure:{execute} permission. Please note
287 * that it shall be actually failed later because of same reason with
288 * ACL_EXECUTE.
289 */
290 object.classId = ProcedureRelationId;
291 object.objectId = functionId;
292 object.objectSubId = 0;
293 if (!sepgsql_avc_check_perms(&object,
294 SEPG_CLASS_DB_PROCEDURE,
295 SEPG_DB_PROCEDURE__EXECUTE |
296 SEPG_DB_PROCEDURE__ENTRYPOINT,
297 SEPGSQL_AVC_NOAUDIT, false))
298 return true;
299
300 return false;
301}
SEPG_DB_PROCEDURE__EXECUTE
#define SEPG_DB_PROCEDURE__EXECUTE
Definition: sepgsql.h:166
SEPGSQL_AVC_NOAUDIT
#define SEPGSQL_AVC_NOAUDIT
Definition: sepgsql.h:250

References ObjectAddress::classId, next_needs_fmgr_hook, SEPG_CLASS_DB_PROCEDURE, SEPG_DB_PROCEDURE__ENTRYPOINT, SEPG_DB_PROCEDURE__EXECUTE, sepgsql_avc_check_perms(), SEPGSQL_AVC_NOAUDIT, and sepgsql_avc_trusted_proc().

Referenced by sepgsql_init_client_label().

◆ sepgsql_object_relabel()

void sepgsql_object_relabel ( const ObjectAddress object,
const char *  seclabel 
)

Definition at line 481 of file label.c.

482{
483 /*
484 * validate format of the supplied security label, if it is security
485 * context of selinux.
486 */
487 if (seclabel &&
488 security_check_context_raw(seclabel) < 0)
489 ereport(ERROR,
490 (errcode(ERRCODE_INVALID_NAME),
491 errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
492
493 /*
494 * Do actual permission checks for each object classes
495 */
496 switch (object->classId)
497 {
498 case DatabaseRelationId:
499 sepgsql_database_relabel(object->objectId, seclabel);
500 break;
501
502 case NamespaceRelationId:
503 sepgsql_schema_relabel(object->objectId, seclabel);
504 break;
505
506 case RelationRelationId:
507 if (object->objectSubId == 0)
508 sepgsql_relation_relabel(object->objectId,
509 seclabel);
510 else
511 sepgsql_attribute_relabel(object->objectId,
512 object->objectSubId,
513 seclabel);
514 break;
515
516 case ProcedureRelationId:
517 sepgsql_proc_relabel(object->objectId, seclabel);
518 break;
519
520 default:
521 ereport(ERROR,
522 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
523 errmsg("sepgsql provider does not support labels on %s",
524 getObjectTypeDescription(object, false))));
525 break;
526 }
527}
sepgsql_proc_relabel
void sepgsql_proc_relabel(Oid functionId, const char *seclabel)
Definition: proc.c:198
sepgsql_attribute_relabel
void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum, const char *seclabel)
Definition: relation.c:165
sepgsql_relation_relabel
void sepgsql_relation_relabel(Oid relOid, const char *seclabel)
Definition: relation.c:564
sepgsql_database_relabel
void sepgsql_database_relabel(Oid databaseId, const char *seclabel)
Definition: database.c:186
getObjectTypeDescription
char * getObjectTypeDescription(const ObjectAddress *object, bool missing_ok)
Definition: objectaddress.c:4496
sepgsql_schema_relabel
void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
Definition: schema.c:142

References ObjectAddress::classId, ereport, errcode(), errmsg(), ERROR, getObjectTypeDescription(), ObjectAddress::objectId, ObjectAddress::objectSubId, sepgsql_attribute_relabel(), sepgsql_database_relabel(), sepgsql_proc_relabel(), sepgsql_relation_relabel(), and sepgsql_schema_relabel().

Referenced by _PG_init(), and exec_object_restorecon().

◆ sepgsql_restorecon()

Datum sepgsql_restorecon ( PG_FUNCTION_ARGS  )

Definition at line 859 of file label.c.

860{
861 struct selabel_handle *sehnd;
862 struct selinux_opt seopts;
863
864 /*
865 * SELinux has to be enabled on the running platform.
866 */
867 if (!sepgsql_is_enabled())
868 ereport(ERROR,
869 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
870 errmsg("sepgsql is not currently enabled")));
871
872 /*
873 * Check DAC permission. Only superuser can set up initial security
874 * labels, like root-user in filesystems
875 */
876 if (!superuser())
877 ereport(ERROR,
878 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
879 errmsg("SELinux: must be superuser to restore initial contexts")));
880
881 /*
882 * Open selabel_lookup(3) stuff. It provides a set of mapping between an
883 * initial security label and object class/name due to the system setting.
884 */
885 if (PG_ARGISNULL(0))
886 {
887 seopts.type = SELABEL_OPT_UNUSED;
888 seopts.value = NULL;
889 }
890 else
891 {
892 seopts.type = SELABEL_OPT_PATH;
893 seopts.value = TextDatumGetCString(PG_GETARG_DATUM(0));
894 }
895 sehnd = selabel_open(SELABEL_CTX_DB, &seopts, 1);
896 if (!sehnd)
897 ereport(ERROR,
898 (errcode(ERRCODE_INTERNAL_ERROR),
899 errmsg("SELinux: failed to initialize labeling handle: %m")));
900 PG_TRY();
901 {
902 exec_object_restorecon(sehnd, DatabaseRelationId);
903 exec_object_restorecon(sehnd, NamespaceRelationId);
904 exec_object_restorecon(sehnd, RelationRelationId);
905 exec_object_restorecon(sehnd, AttributeRelationId);
906 exec_object_restorecon(sehnd, ProcedureRelationId);
907 }
908 PG_FINALLY();
909 {
910 selabel_close(sehnd);
911 }
912 PG_END_TRY();
913
914 PG_RETURN_BOOL(true);
915}
TextDatumGetCString
#define TextDatumGetCString(d)
Definition: builtins.h:98
PG_ARGISNULL
#define PG_ARGISNULL(n)
Definition: fmgr.h:209
PG_GETARG_DATUM
#define PG_GETARG_DATUM(n)
Definition: fmgr.h:268
PG_RETURN_BOOL
#define PG_RETURN_BOOL(x)
Definition: fmgr.h:359
exec_object_restorecon
static void exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
Definition: label.c:677
superuser
bool superuser(void)
Definition: superuser.c:46

References ereport, errcode(), errmsg(), ERROR, exec_object_restorecon(), PG_ARGISNULL, PG_END_TRY, PG_FINALLY, PG_GETARG_DATUM, PG_RETURN_BOOL, PG_TRY, sepgsql_is_enabled(), superuser(), and TextDatumGetCString.

◆ sepgsql_set_client_label()

static void sepgsql_set_client_label ( const char *  new_label)
static

Definition at line 110 of file label.c.

111{
112 const char *tcontext;
113 MemoryContext oldcxt;
114 pending_label *plabel;
115
116 /* Reset to the initial client label, if NULL */
117 if (!new_label)
118 tcontext = client_label_peer;
119 else
120 {
121 if (security_check_context_raw(new_label) < 0)
122 ereport(ERROR,
123 (errcode(ERRCODE_INVALID_NAME),
124 errmsg("SELinux: invalid security label: \"%s\"",
125 new_label)));
126 tcontext = new_label;
127 }
128
129 /* Check process:{setcurrent} permission. */
130 sepgsql_avc_check_perms_label(sepgsql_get_client_label(),
131 SEPG_CLASS_PROCESS,
132 SEPG_PROCESS__SETCURRENT,
133 NULL,
134 true);
135 /* Check process:{dyntransition} permission. */
136 sepgsql_avc_check_perms_label(tcontext,
137 SEPG_CLASS_PROCESS,
138 SEPG_PROCESS__DYNTRANSITION,
139 NULL,
140 true);
141
142 /*
143 * Append the supplied new_label on the pending list until the current
144 * transaction is committed.
145 */
146 oldcxt = MemoryContextSwitchTo(CurTransactionContext);
147
148 plabel = palloc0(sizeof(pending_label));
149 plabel->subid = GetCurrentSubTransactionId();
150 if (new_label)
151 plabel->label = pstrdup(new_label);
152 client_label_pending = lappend(client_label_pending, plabel);
153
154 MemoryContextSwitchTo(oldcxt);
155}
lappend
List * lappend(List *list, void *datum)
Definition: list.c:339
palloc0
void * palloc0(Size size)
Definition: mcxt.c:1395
CurTransactionContext
MemoryContext CurTransactionContext
Definition: mcxt.c:172
SEPG_PROCESS__SETCURRENT
#define SEPG_PROCESS__SETCURRENT
Definition: sepgsql.h:61
SEPG_PROCESS__DYNTRANSITION
#define SEPG_PROCESS__DYNTRANSITION
Definition: sepgsql.h:60
pending_label::subid
SubTransactionId subid
Definition: label.c:67
GetCurrentSubTransactionId
SubTransactionId GetCurrentSubTransactionId(void)
Definition: xact.c:792

References client_label_peer, client_label_pending, CurTransactionContext, ereport, errcode(), errmsg(), ERROR, GetCurrentSubTransactionId(), pending_label::label, lappend(), MemoryContextSwitchTo(), palloc0(), pstrdup(), SEPG_CLASS_PROCESS, SEPG_PROCESS__DYNTRANSITION, SEPG_PROCESS__SETCURRENT, sepgsql_avc_check_perms_label(), sepgsql_get_client_label(), and pending_label::subid.

Referenced by sepgsql_setcon().

◆ sepgsql_setcon()

Datum sepgsql_setcon ( PG_FUNCTION_ARGS  )

Definition at line 555 of file label.c.

556{
557 const char *new_label;
558
559 if (PG_ARGISNULL(0))
560 new_label = NULL;
561 else
562 new_label = TextDatumGetCString(PG_GETARG_DATUM(0));
563
564 sepgsql_set_client_label(new_label);
565
566 PG_RETURN_BOOL(true);
567}
sepgsql_set_client_label
static void sepgsql_set_client_label(const char *new_label)
Definition: label.c:110

References PG_ARGISNULL, PG_GETARG_DATUM, PG_RETURN_BOOL, sepgsql_set_client_label(), and TextDatumGetCString.

◆ sepgsql_subxact_callback()

static void sepgsql_subxact_callback ( SubXactEvent  event,
SubTransactionId  mySubid,
SubTransactionId  parentSubid,
void *  arg 
)
static

Definition at line 203 of file label.c.

205{
206 ListCell *cell;
207
208 if (event == SUBXACT_EVENT_ABORT_SUB)
209 {
210 foreach(cell, client_label_pending)
211 {
212 pending_label *plabel = lfirst(cell);
213
214 if (plabel->subid == mySubid)
215 client_label_pending
216 = foreach_delete_current(client_label_pending, cell);
217 }
218 }
219}
lfirst
#define lfirst(lc)
Definition: pg_list.h:172
foreach_delete_current
#define foreach_delete_current(lst, var_or_cell)
Definition: pg_list.h:391
SUBXACT_EVENT_ABORT_SUB
@ SUBXACT_EVENT_ABORT_SUB
Definition: xact.h:145

References client_label_pending, foreach_delete_current, lfirst, pending_label::subid, and SUBXACT_EVENT_ABORT_SUB.

Referenced by sepgsql_init_client_label().

◆ sepgsql_xact_callback()

static void sepgsql_xact_callback ( XactEvent  event,
void *  arg 
)
static

Definition at line 164 of file label.c.

165{
166 if (event == XACT_EVENT_COMMIT)
167 {
168 if (client_label_pending != NIL)
169 {
170 pending_label *plabel = llast(client_label_pending);
171 char *new_label;
172
173 if (plabel->label)
174 new_label = MemoryContextStrdup(TopMemoryContext,
175 plabel->label);
176 else
177 new_label = NULL;
178
179 if (client_label_committed)
180 pfree(client_label_committed);
181
182 client_label_committed = new_label;
183
184 /*
185 * XXX - Note that items of client_label_pending are allocated on
186 * CurTransactionContext, thus, all acquired memory region shall
187 * be released implicitly.
188 */
189 client_label_pending = NIL;
190 }
191 }
192 else if (event == XACT_EVENT_ABORT)
193 client_label_pending = NIL;
194}
MemoryContextStrdup
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition: mcxt.c:1746
TopMemoryContext
MemoryContext TopMemoryContext
Definition: mcxt.c:166
NIL
#define NIL
Definition: pg_list.h:68
XACT_EVENT_COMMIT
@ XACT_EVENT_COMMIT
Definition: xact.h:129
XACT_EVENT_ABORT
@ XACT_EVENT_ABORT
Definition: xact.h:131

References client_label_committed, client_label_pending, pending_label::label, llast, MemoryContextStrdup(), NIL, pfree(), TopMemoryContext, XACT_EVENT_ABORT, and XACT_EVENT_COMMIT.

Referenced by sepgsql_init_client_label().

Variable Documentation

◆ client_label_committed

char* client_label_committed = NULL
static

Definition at line 61 of file label.c.

Referenced by sepgsql_get_client_label(), and sepgsql_xact_callback().

◆ client_label_func

char* client_label_func = NULL
static

Definition at line 63 of file label.c.

Referenced by sepgsql_fmgr_hook(), and sepgsql_get_client_label().

◆ client_label_peer

char* client_label_peer = NULL
static

Definition at line 58 of file label.c.

Referenced by sepgsql_client_auth(), sepgsql_get_client_label(), sepgsql_init_client_label(), and sepgsql_set_client_label().

◆ client_label_pending

List* client_label_pending = NIL
static

Definition at line 59 of file label.c.

Referenced by sepgsql_get_client_label(), sepgsql_set_client_label(), sepgsql_subxact_callback(), and sepgsql_xact_callback().

◆ next_client_auth_hook

ClientAuthentication_hook_type next_client_auth_hook = NULL
static

Definition at line 41 of file label.c.

Referenced by sepgsql_client_auth(), and sepgsql_init_client_label().

◆ next_fmgr_hook

fmgr_hook_type next_fmgr_hook = NULL
static

Definition at line 43 of file label.c.

Referenced by sepgsql_fmgr_hook(), and sepgsql_init_client_label().

◆ next_needs_fmgr_hook

needs_fmgr_hook_type next_needs_fmgr_hook = NULL
static

Definition at line 42 of file label.c.

Referenced by sepgsql_init_client_label(), and sepgsql_needs_fmgr_hook().