PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
label.c File Reference
#include "postgres.h"
#include <selinux/label.h>
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/table.h"
#include "access/xact.h"
#include "catalog/catalog.h"
#include "catalog/dependency.h"
#include "catalog/pg_attribute.h"
#include "catalog/pg_class.h"
#include "catalog/pg_database.h"
#include "catalog/pg_namespace.h"
#include "catalog/pg_proc.h"
#include "commands/dbcommands.h"
#include "commands/seclabel.h"
#include "libpq/auth.h"
#include "libpq/libpq-be.h"
#include "miscadmin.h"
#include "sepgsql.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/rel.h"
Include dependency graph for label.c:

Go to the source code of this file.

Data Structures

struct  pending_label
 

Functions

char * sepgsql_get_client_label (void)
 
static void sepgsql_set_client_label (const char *new_label)
 
static void sepgsql_xact_callback (XactEvent event, void *arg)
 
static void sepgsql_subxact_callback (SubXactEvent event, SubTransactionId mySubid, SubTransactionId parentSubid, void *arg)
 
static void sepgsql_client_auth (Port *port, int status)
 
static bool sepgsql_needs_fmgr_hook (Oid functionId)
 
static void sepgsql_fmgr_hook (FmgrHookEventType event, FmgrInfo *flinfo, Datum *private)
 
void sepgsql_init_client_label (void)
 
char * sepgsql_get_label (Oid classId, Oid objectId, int32 subId)
 
void sepgsql_object_relabel (const ObjectAddress *object, const char *seclabel)
 
 PG_FUNCTION_INFO_V1 (sepgsql_getcon)
 
Datum sepgsql_getcon (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_setcon)
 
Datum sepgsql_setcon (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_mcstrans_in)
 
Datum sepgsql_mcstrans_in (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_mcstrans_out)
 
Datum sepgsql_mcstrans_out (PG_FUNCTION_ARGS)
 
static char * quote_object_name (const char *src1, const char *src2, const char *src3, const char *src4)
 
static void exec_object_restorecon (struct selabel_handle *sehnd, Oid catalogId)
 
 PG_FUNCTION_INFO_V1 (sepgsql_restorecon)
 
Datum sepgsql_restorecon (PG_FUNCTION_ARGS)
 

Variables

static ClientAuthentication_hook_type next_client_auth_hook = NULL
 
static needs_fmgr_hook_type next_needs_fmgr_hook = NULL
 
static fmgr_hook_type next_fmgr_hook = NULL
 
static char * client_label_peer = NULL
 
static Listclient_label_pending = NIL
 
static char * client_label_committed = NULL
 
static char * client_label_func = NULL
 

Function Documentation

◆ exec_object_restorecon()

static void exec_object_restorecon ( struct selabel_handle *  sehnd,
Oid  catalogId 
)
static

Definition at line 678 of file label.c.

679{
680 Relation rel;
681 SysScanDesc sscan;
682 HeapTuple tuple;
683 char *database_name = get_database_name(MyDatabaseId);
684 char *namespace_name;
685 Oid namespace_id;
686 char *relation_name;
687
688 /*
689 * Open the target catalog. We don't want to allow writable accesses by
690 * other session during initial labeling.
691 */
692 rel = table_open(catalogId, AccessShareLock);
693
694 sscan = systable_beginscan(rel, InvalidOid, false,
695 NULL, 0, NULL);
696 while (HeapTupleIsValid(tuple = systable_getnext(sscan)))
697 {
698 Form_pg_database datForm;
699 Form_pg_namespace nspForm;
700 Form_pg_class relForm;
701 Form_pg_attribute attForm;
702 Form_pg_proc proForm;
703 char *objname;
704 int objtype = 1234;
705 ObjectAddress object;
706 char *context;
707
708 /*
709 * The way to determine object name depends on object classes. So, any
710 * branches set up `objtype', `objname' and `object' here.
711 */
712 switch (catalogId)
713 {
714 case DatabaseRelationId:
715 datForm = (Form_pg_database) GETSTRUCT(tuple);
716
717 objtype = SELABEL_DB_DATABASE;
718
719 objname = quote_object_name(NameStr(datForm->datname),
720 NULL, NULL, NULL);
721
722 object.classId = DatabaseRelationId;
723 object.objectId = datForm->oid;
724 object.objectSubId = 0;
725 break;
726
727 case NamespaceRelationId:
728 nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
729
730 objtype = SELABEL_DB_SCHEMA;
731
732 objname = quote_object_name(database_name,
733 NameStr(nspForm->nspname),
734 NULL, NULL);
735
736 object.classId = NamespaceRelationId;
737 object.objectId = nspForm->oid;
738 object.objectSubId = 0;
739 break;
740
741 case RelationRelationId:
742 relForm = (Form_pg_class) GETSTRUCT(tuple);
743
744 if (relForm->relkind == RELKIND_RELATION ||
745 relForm->relkind == RELKIND_PARTITIONED_TABLE)
746 objtype = SELABEL_DB_TABLE;
747 else if (relForm->relkind == RELKIND_SEQUENCE)
748 objtype = SELABEL_DB_SEQUENCE;
749 else if (relForm->relkind == RELKIND_VIEW)
750 objtype = SELABEL_DB_VIEW;
751 else
752 continue; /* no need to assign security label */
753
754 namespace_name = get_namespace_name(relForm->relnamespace);
755 objname = quote_object_name(database_name,
756 namespace_name,
757 NameStr(relForm->relname),
758 NULL);
759 pfree(namespace_name);
760
761 object.classId = RelationRelationId;
762 object.objectId = relForm->oid;
763 object.objectSubId = 0;
764 break;
765
766 case AttributeRelationId:
767 attForm = (Form_pg_attribute) GETSTRUCT(tuple);
768
769 if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION &&
770 get_rel_relkind(attForm->attrelid) != RELKIND_PARTITIONED_TABLE)
771 continue; /* no need to assign security label */
772
773 objtype = SELABEL_DB_COLUMN;
774
775 namespace_id = get_rel_namespace(attForm->attrelid);
776 namespace_name = get_namespace_name(namespace_id);
777 relation_name = get_rel_name(attForm->attrelid);
778 objname = quote_object_name(database_name,
779 namespace_name,
780 relation_name,
781 NameStr(attForm->attname));
782 pfree(namespace_name);
783 pfree(relation_name);
784
785 object.classId = RelationRelationId;
786 object.objectId = attForm->attrelid;
787 object.objectSubId = attForm->attnum;
788 break;
789
790 case ProcedureRelationId:
791 proForm = (Form_pg_proc) GETSTRUCT(tuple);
792
793 objtype = SELABEL_DB_PROCEDURE;
794
795 namespace_name = get_namespace_name(proForm->pronamespace);
796 objname = quote_object_name(database_name,
797 namespace_name,
798 NameStr(proForm->proname),
799 NULL);
800 pfree(namespace_name);
801
802 object.classId = ProcedureRelationId;
803 object.objectId = proForm->oid;
804 object.objectSubId = 0;
805 break;
806
807 default:
808 elog(ERROR, "unexpected catalog id: %u", catalogId);
809 objname = NULL; /* for compiler quiet */
810 break;
811 }
812
813 if (selabel_lookup_raw(sehnd, &context, objname, objtype) == 0)
814 {
815 PG_TRY();
816 {
817 /*
818 * Check SELinux permission to relabel the fetched object,
819 * then do the actual relabeling.
820 */
821 sepgsql_object_relabel(&object, context);
822
823 SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, context);
824 }
825 PG_FINALLY();
826 {
827 freecon(context);
828 }
829 PG_END_TRY();
830 }
831 else if (errno == ENOENT)
833 (errmsg("SELinux: no initial label assigned for %s (type=%d), skipping",
834 objname, objtype)));
835 else
837 (errcode(ERRCODE_INTERNAL_ERROR),
838 errmsg("SELinux: could not determine initial security label for %s (type=%d): %m", objname, objtype)));
839
840 pfree(objname);
841 }
842 systable_endscan(sscan);
843
844 table_close(rel, NoLock);
845}
#define NameStr(name)
Definition: c.h:700
char * get_database_name(Oid dbid)
Definition: dbcommands.c:3187
int errcode(int sqlerrcode)
Definition: elog.c:853
int errmsg(const char *fmt,...)
Definition: elog.c:1070
#define PG_TRY(...)
Definition: elog.h:371
#define WARNING
Definition: elog.h:36
#define PG_END_TRY(...)
Definition: elog.h:396
#define ERROR
Definition: elog.h:39
#define elog(elevel,...)
Definition: elog.h:225
#define PG_FINALLY(...)
Definition: elog.h:388
#define ereport(elevel,...)
Definition: elog.h:149
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:606
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:513
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:387
Oid MyDatabaseId
Definition: globals.c:93
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
#define GETSTRUCT(TUP)
Definition: htup_details.h:653
static char * quote_object_name(const char *src1, const char *src2, const char *src3, const char *src4)
Definition: label.c:653
void sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
Definition: label.c:482
#define NoLock
Definition: lockdefs.h:34
#define AccessShareLock
Definition: lockdefs.h:36
char * get_rel_name(Oid relid)
Definition: lsyscache.c:1928
char get_rel_relkind(Oid relid)
Definition: lsyscache.c:2003
Oid get_rel_namespace(Oid relid)
Definition: lsyscache.c:1952
char * get_namespace_name(Oid nspid)
Definition: lsyscache.c:3366
void pfree(void *pointer)
Definition: mcxt.c:1521
FormData_pg_attribute * Form_pg_attribute
Definition: pg_attribute.h:200
FormData_pg_class * Form_pg_class
Definition: pg_class.h:153
FormData_pg_database * Form_pg_database
Definition: pg_database.h:96
FormData_pg_namespace * Form_pg_namespace
Definition: pg_namespace.h:52
FormData_pg_proc * Form_pg_proc
Definition: pg_proc.h:136
#define InvalidOid
Definition: postgres_ext.h:36
unsigned int Oid
Definition: postgres_ext.h:31
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:404
#define SEPGSQL_LABEL_TAG
Definition: sepgsql.h:23
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References AccessShareLock, elog, ereport, errcode(), errmsg(), ERROR, get_database_name(), get_namespace_name(), get_rel_name(), get_rel_namespace(), get_rel_relkind(), GETSTRUCT, HeapTupleIsValid, InvalidOid, MyDatabaseId, NameStr, NoLock, pfree(), PG_END_TRY, PG_FINALLY, PG_TRY, quote_object_name(), SEPGSQL_LABEL_TAG, sepgsql_object_relabel(), SetSecurityLabel(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and WARNING.

Referenced by sepgsql_restorecon().

◆ PG_FUNCTION_INFO_V1() [1/5]

PG_FUNCTION_INFO_V1 ( sepgsql_getcon  )

◆ PG_FUNCTION_INFO_V1() [2/5]

PG_FUNCTION_INFO_V1 ( sepgsql_mcstrans_in  )

◆ PG_FUNCTION_INFO_V1() [3/5]

PG_FUNCTION_INFO_V1 ( sepgsql_mcstrans_out  )

◆ PG_FUNCTION_INFO_V1() [4/5]

PG_FUNCTION_INFO_V1 ( sepgsql_restorecon  )

◆ PG_FUNCTION_INFO_V1() [5/5]

PG_FUNCTION_INFO_V1 ( sepgsql_setcon  )

◆ quote_object_name()

static char * quote_object_name ( const char *  src1,
const char *  src2,
const char *  src3,
const char *  src4 
)
static

Definition at line 653 of file label.c.

655{
656 StringInfoData result;
657
658 initStringInfo(&result);
659 if (src1)
661 if (src2)
662 appendStringInfo(&result, ".%s", quote_identifier(src2));
663 if (src3)
664 appendStringInfo(&result, ".%s", quote_identifier(src3));
665 if (src4)
666 appendStringInfo(&result, ".%s", quote_identifier(src4));
667 return result.data;
668}
const char * quote_identifier(const char *ident)
Definition: ruleutils.c:12870
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:94
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:179
void initStringInfo(StringInfo str)
Definition: stringinfo.c:56

References appendStringInfo(), appendStringInfoString(), StringInfoData::data, initStringInfo(), and quote_identifier().

Referenced by exec_object_restorecon().

◆ sepgsql_client_auth()

static void sepgsql_client_auth ( Port port,
int  status 
)
static

Definition at line 230 of file label.c.

231{
233 (*next_client_auth_hook) (port, status);
234
235 /*
236 * In the case when authentication failed, the supplied socket shall be
237 * closed soon, so we don't need to do anything here.
238 */
239 if (status != STATUS_OK)
240 return;
241
242 /*
243 * Getting security label of the peer process using API of libselinux.
244 */
245 if (getpeercon_raw(port->sock, &client_label_peer) < 0)
247 (errcode(ERRCODE_INTERNAL_ERROR),
248 errmsg("SELinux: unable to get peer label: %m")));
249
250 /*
251 * Switch the current performing mode from INTERNAL to either DEFAULT or
252 * PERMISSIVE.
253 */
256 else
258}
#define STATUS_OK
Definition: c.h:1123
#define FATAL
Definition: elog.h:41
bool sepgsql_get_permissive(void)
Definition: hooks.c:63
static char * client_label_peer
Definition: label.c:59
static ClientAuthentication_hook_type next_client_auth_hook
Definition: label.c:42
static int port
Definition: pg_regress.c:115
int sepgsql_set_mode(int new_mode)
Definition: selinux.c:634
#define SEPGSQL_MODE_DEFAULT
Definition: sepgsql.h:28
#define SEPGSQL_MODE_PERMISSIVE
Definition: sepgsql.h:29

References client_label_peer, ereport, errcode(), errmsg(), FATAL, next_client_auth_hook, port, sepgsql_get_permissive(), SEPGSQL_MODE_DEFAULT, SEPGSQL_MODE_PERMISSIVE, sepgsql_set_mode(), and STATUS_OK.

Referenced by sepgsql_init_client_label().

◆ sepgsql_fmgr_hook()

static void sepgsql_fmgr_hook ( FmgrHookEventType  event,
FmgrInfo flinfo,
Datum private 
)
static

Definition at line 311 of file label.c.

313{
314 struct
315 {
316 char *old_label;
317 char *new_label;
318 Datum next_private;
319 } *stack;
320
321 switch (event)
322 {
323 case FHET_START:
324 stack = (void *) DatumGetPointer(*private);
325 if (!stack)
326 {
327 MemoryContext oldcxt;
328
329 oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
330 stack = palloc(sizeof(*stack));
331 stack->old_label = NULL;
332 stack->new_label = sepgsql_avc_trusted_proc(flinfo->fn_oid);
333 stack->next_private = 0;
334
335 MemoryContextSwitchTo(oldcxt);
336
337 /*
338 * process:transition permission between old and new label,
339 * when user tries to switch security label of the client on
340 * execution of trusted procedure.
341 *
342 * Also, db_procedure:entrypoint permission should be checked
343 * whether this procedure can perform as an entrypoint of the
344 * trusted procedure, or not. Note that db_procedure:execute
345 * permission shall be checked individually.
346 */
347 if (stack->new_label)
348 {
349 ObjectAddress object;
350
351 object.classId = ProcedureRelationId;
352 object.objectId = flinfo->fn_oid;
353 object.objectSubId = 0;
357 getObjectDescription(&object, false),
358 true);
359
360 sepgsql_avc_check_perms_label(stack->new_label,
363 NULL, true);
364 }
365 *private = PointerGetDatum(stack);
366 }
367 Assert(!stack->old_label);
368 if (stack->new_label)
369 {
370 stack->old_label = client_label_func;
371 client_label_func = stack->new_label;
372 }
373 if (next_fmgr_hook)
374 (*next_fmgr_hook) (event, flinfo, &stack->next_private);
375 break;
376
377 case FHET_END:
378 case FHET_ABORT:
379 stack = (void *) DatumGetPointer(*private);
380
381 if (next_fmgr_hook)
382 (*next_fmgr_hook) (event, flinfo, &stack->next_private);
383
384 if (stack->new_label)
385 {
386 client_label_func = stack->old_label;
387 stack->old_label = NULL;
388 }
389 break;
390
391 default:
392 elog(ERROR, "unexpected event type: %d", (int) event);
393 break;
394 }
395}
#define Assert(condition)
Definition: c.h:812
@ FHET_END
Definition: fmgr.h:784
@ FHET_ABORT
Definition: fmgr.h:785
@ FHET_START
Definition: fmgr.h:783
static fmgr_hook_type next_fmgr_hook
Definition: label.c:44
static char * client_label_func
Definition: label.c:64
void * palloc(Size size)
Definition: mcxt.c:1317
char * getObjectDescription(const ObjectAddress *object, bool missing_ok)
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:124
static Datum PointerGetDatum(const void *X)
Definition: postgres.h:322
uintptr_t Datum
Definition: postgres.h:64
static Pointer DatumGetPointer(Datum X)
Definition: postgres.h:312
char * sepgsql_avc_trusted_proc(Oid functionId)
Definition: uavc.c:445
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:337
#define SEPG_PROCESS__TRANSITION
Definition: sepgsql.h:59
#define SEPG_DB_PROCEDURE__ENTRYPOINT
Definition: sepgsql.h:167
#define SEPG_CLASS_DB_PROCEDURE
Definition: sepgsql.h:48
#define SEPG_CLASS_PROCESS
Definition: sepgsql.h:36
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:420
MemoryContext fn_mcxt
Definition: fmgr.h:65
Oid fn_oid
Definition: fmgr.h:59

References Assert, ObjectAddress::classId, client_label_func, DatumGetPointer(), elog, ERROR, FHET_ABORT, FHET_END, FHET_START, FmgrInfo::fn_mcxt, FmgrInfo::fn_oid, getObjectDescription(), MemoryContextSwitchTo(), next_fmgr_hook, palloc(), PointerGetDatum(), SEPG_CLASS_DB_PROCEDURE, SEPG_CLASS_PROCESS, SEPG_DB_PROCEDURE__ENTRYPOINT, SEPG_PROCESS__TRANSITION, sepgsql_avc_check_perms(), sepgsql_avc_check_perms_label(), and sepgsql_avc_trusted_proc().

Referenced by sepgsql_init_client_label().

◆ sepgsql_get_client_label()

char * sepgsql_get_client_label ( void  )

Definition at line 80 of file label.c.

81{
82 /* trusted procedure client label override */
84 return client_label_func;
85
86 /* uncommitted sepgsql_setcon() value */
88 {
90
91 if (plabel->label)
92 return plabel->label;
93 }
95 return client_label_committed; /* set by sepgsql_setcon() committed */
96
97 /* default label */
99 return client_label_peer;
100}
static char * client_label_committed
Definition: label.c:62
static List * client_label_pending
Definition: label.c:60
#define llast(l)
Definition: pg_list.h:198
char * label
Definition: label.c:69

References Assert, client_label_committed, client_label_func, client_label_peer, client_label_pending, pending_label::label, and llast.

Referenced by sepgsql_attribute_post_create(), sepgsql_avc_check_perms_label(), sepgsql_avc_trusted_proc(), sepgsql_database_post_create(), sepgsql_getcon(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), sepgsql_schema_post_create(), and sepgsql_set_client_label().

◆ sepgsql_get_label()

char * sepgsql_get_label ( Oid  classId,
Oid  objectId,
int32  subId 
)

Definition at line 445 of file label.c.

446{
447 ObjectAddress object;
448 char *label;
449
450 object.classId = classId;
451 object.objectId = objectId;
452 object.objectSubId = subId;
453
455 if (!label || security_check_context_raw(label))
456 {
457 char *unlabeled;
458
459 if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
461 (errcode(ERRCODE_INTERNAL_ERROR),
462 errmsg("SELinux: failed to get initial security label: %m")));
463 PG_TRY();
464 {
465 label = pstrdup(unlabeled);
466 }
467 PG_FINALLY();
468 {
469 freecon(unlabeled);
470 }
471 PG_END_TRY();
472 }
473 return label;
474}
char * pstrdup(const char *in)
Definition: mcxt.c:1696
static char * label
char * GetSecurityLabel(const ObjectAddress *object, const char *provider)
Definition: seclabel.c:272

References ereport, errcode(), errmsg(), ERROR, GetSecurityLabel(), label, PG_END_TRY, PG_FINALLY, PG_TRY, pstrdup(), and SEPGSQL_LABEL_TAG.

Referenced by sepgsql_attribute_post_create(), sepgsql_database_post_create(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), and sepgsql_schema_post_create().

◆ sepgsql_getcon()

Datum sepgsql_getcon ( PG_FUNCTION_ARGS  )

Definition at line 537 of file label.c.

538{
539 char *client_label;
540
541 if (!sepgsql_is_enabled())
543
544 client_label = sepgsql_get_client_label();
545
546 PG_RETURN_TEXT_P(cstring_to_text(client_label));
547}
#define PG_RETURN_NULL()
Definition: fmgr.h:345
#define PG_RETURN_TEXT_P(x)
Definition: fmgr.h:372
char * sepgsql_get_client_label(void)
Definition: label.c:80
bool sepgsql_is_enabled(void)
Definition: selinux.c:616
text * cstring_to_text(const char *s)
Definition: varlena.c:184

References cstring_to_text(), PG_RETURN_NULL, PG_RETURN_TEXT_P, sepgsql_get_client_label(), and sepgsql_is_enabled().

◆ sepgsql_init_client_label()

void sepgsql_init_client_label ( void  )

Definition at line 404 of file label.c.

405{
406 /*
407 * Set up dummy client label.
408 *
409 * XXX - note that PostgreSQL launches background worker process like
410 * autovacuum without authentication steps. So, we initialize sepgsql_mode
411 * with SEPGSQL_MODE_INTERNAL, and client_label with the security context
412 * of server process. Later, it also launches background of user session.
413 * In this case, the process is always hooked on post-authentication, and
414 * we can initialize the sepgsql_mode and client_label correctly.
415 */
416 if (getcon_raw(&client_label_peer) < 0)
418 (errcode(ERRCODE_INTERNAL_ERROR),
419 errmsg("SELinux: failed to get server security label: %m")));
420
421 /* Client authentication hook */
424
425 /* Trusted procedure hooks */
428
431
432 /* Transaction/Sub-transaction callbacks */
435}
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:230
PGDLLIMPORT needs_fmgr_hook_type needs_fmgr_hook
Definition: fmgr.c:39
PGDLLIMPORT fmgr_hook_type fmgr_hook
Definition: fmgr.c:40
static void sepgsql_fmgr_hook(FmgrHookEventType event, FmgrInfo *flinfo, Datum *private)
Definition: label.c:311
static needs_fmgr_hook_type next_needs_fmgr_hook
Definition: label.c:43
static void sepgsql_subxact_callback(SubXactEvent event, SubTransactionId mySubid, SubTransactionId parentSubid, void *arg)
Definition: label.c:204
static void sepgsql_client_auth(Port *port, int status)
Definition: label.c:230
static void sepgsql_xact_callback(XactEvent event, void *arg)
Definition: label.c:165
static bool sepgsql_needs_fmgr_hook(Oid functionId)
Definition: label.c:268
void RegisterXactCallback(XactCallback callback, void *arg)
Definition: xact.c:3796
void RegisterSubXactCallback(SubXactCallback callback, void *arg)
Definition: xact.c:3856

References client_label_peer, ClientAuthentication_hook, ereport, errcode(), errmsg(), ERROR, fmgr_hook, needs_fmgr_hook, next_client_auth_hook, next_fmgr_hook, next_needs_fmgr_hook, RegisterSubXactCallback(), RegisterXactCallback(), sepgsql_client_auth(), sepgsql_fmgr_hook(), sepgsql_needs_fmgr_hook(), sepgsql_subxact_callback(), and sepgsql_xact_callback().

Referenced by _PG_init().

◆ sepgsql_mcstrans_in()

Datum sepgsql_mcstrans_in ( PG_FUNCTION_ARGS  )

Definition at line 578 of file label.c.

579{
581 char *raw_label;
582 char *result;
583
584 if (!sepgsql_is_enabled())
586 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
587 errmsg("sepgsql is not enabled")));
588
589 if (selinux_trans_to_raw_context(text_to_cstring(label),
590 &raw_label) < 0)
592 (errcode(ERRCODE_INTERNAL_ERROR),
593 errmsg("SELinux: could not translate security label: %m")));
594
595 PG_TRY();
596 {
597 result = pstrdup(raw_label);
598 }
599 PG_FINALLY();
600 {
601 freecon(raw_label);
602 }
603 PG_END_TRY();
604
606}
#define PG_GETARG_TEXT_PP(n)
Definition: fmgr.h:309
Definition: c.h:641
char * text_to_cstring(const text *t)
Definition: varlena.c:217

References cstring_to_text(), ereport, errcode(), errmsg(), ERROR, label, PG_END_TRY, PG_FINALLY, PG_GETARG_TEXT_PP, PG_RETURN_TEXT_P, PG_TRY, pstrdup(), sepgsql_is_enabled(), and text_to_cstring().

◆ sepgsql_mcstrans_out()

Datum sepgsql_mcstrans_out ( PG_FUNCTION_ARGS  )

Definition at line 616 of file label.c.

617{
619 char *qual_label;
620 char *result;
621
622 if (!sepgsql_is_enabled())
624 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
625 errmsg("sepgsql is not currently enabled")));
626
627 if (selinux_raw_to_trans_context(text_to_cstring(label),
628 &qual_label) < 0)
630 (errcode(ERRCODE_INTERNAL_ERROR),
631 errmsg("SELinux: could not translate security label: %m")));
632
633 PG_TRY();
634 {
635 result = pstrdup(qual_label);
636 }
637 PG_FINALLY();
638 {
639 freecon(qual_label);
640 }
641 PG_END_TRY();
642
644}

References cstring_to_text(), ereport, errcode(), errmsg(), ERROR, label, PG_END_TRY, PG_FINALLY, PG_GETARG_TEXT_PP, PG_RETURN_TEXT_P, PG_TRY, pstrdup(), sepgsql_is_enabled(), and text_to_cstring().

◆ sepgsql_needs_fmgr_hook()

static bool sepgsql_needs_fmgr_hook ( Oid  functionId)
static

Definition at line 268 of file label.c.

269{
270 ObjectAddress object;
271
273 (*next_needs_fmgr_hook) (functionId))
274 return true;
275
276 /*
277 * SELinux needs the function to be called via security_definer wrapper,
278 * if this invocation will take a domain-transition. We call these
279 * functions as trusted-procedure, if the security policy has a rule that
280 * switches security label of the client on execution.
281 */
282 if (sepgsql_avc_trusted_proc(functionId) != NULL)
283 return true;
284
285 /*
286 * Even if not a trusted-procedure, this function should not be inlined
287 * unless the client has db_procedure:{execute} permission. Please note
288 * that it shall be actually failed later because of same reason with
289 * ACL_EXECUTE.
290 */
291 object.classId = ProcedureRelationId;
292 object.objectId = functionId;
293 object.objectSubId = 0;
294 if (!sepgsql_avc_check_perms(&object,
298 SEPGSQL_AVC_NOAUDIT, false))
299 return true;
300
301 return false;
302}
#define SEPG_DB_PROCEDURE__EXECUTE
Definition: sepgsql.h:166
#define SEPGSQL_AVC_NOAUDIT
Definition: sepgsql.h:250

References ObjectAddress::classId, next_needs_fmgr_hook, SEPG_CLASS_DB_PROCEDURE, SEPG_DB_PROCEDURE__ENTRYPOINT, SEPG_DB_PROCEDURE__EXECUTE, sepgsql_avc_check_perms(), SEPGSQL_AVC_NOAUDIT, and sepgsql_avc_trusted_proc().

Referenced by sepgsql_init_client_label().

◆ sepgsql_object_relabel()

void sepgsql_object_relabel ( const ObjectAddress object,
const char *  seclabel 
)

Definition at line 482 of file label.c.

483{
484 /*
485 * validate format of the supplied security label, if it is security
486 * context of selinux.
487 */
488 if (seclabel &&
489 security_check_context_raw(seclabel) < 0)
491 (errcode(ERRCODE_INVALID_NAME),
492 errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
493
494 /*
495 * Do actual permission checks for each object classes
496 */
497 switch (object->classId)
498 {
499 case DatabaseRelationId:
500 sepgsql_database_relabel(object->objectId, seclabel);
501 break;
502
503 case NamespaceRelationId:
504 sepgsql_schema_relabel(object->objectId, seclabel);
505 break;
506
507 case RelationRelationId:
508 if (object->objectSubId == 0)
510 seclabel);
511 else
513 object->objectSubId,
514 seclabel);
515 break;
516
517 case ProcedureRelationId:
518 sepgsql_proc_relabel(object->objectId, seclabel);
519 break;
520
521 default:
523 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
524 errmsg("sepgsql provider does not support labels on %s",
525 getObjectTypeDescription(object, false))));
526 break;
527 }
528}
void sepgsql_proc_relabel(Oid functionId, const char *seclabel)
Definition: proc.c:198
void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum, const char *seclabel)
Definition: relation.c:165
void sepgsql_relation_relabel(Oid relOid, const char *seclabel)
Definition: relation.c:564
void sepgsql_database_relabel(Oid databaseId, const char *seclabel)
Definition: database.c:187
char * getObjectTypeDescription(const ObjectAddress *object, bool missing_ok)
void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
Definition: schema.c:142

References ObjectAddress::classId, ereport, errcode(), errmsg(), ERROR, getObjectTypeDescription(), ObjectAddress::objectId, ObjectAddress::objectSubId, sepgsql_attribute_relabel(), sepgsql_database_relabel(), sepgsql_proc_relabel(), sepgsql_relation_relabel(), and sepgsql_schema_relabel().

Referenced by _PG_init(), and exec_object_restorecon().

◆ sepgsql_restorecon()

Datum sepgsql_restorecon ( PG_FUNCTION_ARGS  )

Definition at line 860 of file label.c.

861{
862 struct selabel_handle *sehnd;
863 struct selinux_opt seopts;
864
865 /*
866 * SELinux has to be enabled on the running platform.
867 */
868 if (!sepgsql_is_enabled())
870 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
871 errmsg("sepgsql is not currently enabled")));
872
873 /*
874 * Check DAC permission. Only superuser can set up initial security
875 * labels, like root-user in filesystems
876 */
877 if (!superuser())
879 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
880 errmsg("SELinux: must be superuser to restore initial contexts")));
881
882 /*
883 * Open selabel_lookup(3) stuff. It provides a set of mapping between an
884 * initial security label and object class/name due to the system setting.
885 */
886 if (PG_ARGISNULL(0))
887 {
888 seopts.type = SELABEL_OPT_UNUSED;
889 seopts.value = NULL;
890 }
891 else
892 {
893 seopts.type = SELABEL_OPT_PATH;
894 seopts.value = TextDatumGetCString(PG_GETARG_DATUM(0));
895 }
896 sehnd = selabel_open(SELABEL_CTX_DB, &seopts, 1);
897 if (!sehnd)
899 (errcode(ERRCODE_INTERNAL_ERROR),
900 errmsg("SELinux: failed to initialize labeling handle: %m")));
901 PG_TRY();
902 {
903 exec_object_restorecon(sehnd, DatabaseRelationId);
904 exec_object_restorecon(sehnd, NamespaceRelationId);
905 exec_object_restorecon(sehnd, RelationRelationId);
906 exec_object_restorecon(sehnd, AttributeRelationId);
907 exec_object_restorecon(sehnd, ProcedureRelationId);
908 }
909 PG_FINALLY();
910 {
911 selabel_close(sehnd);
912 }
913 PG_END_TRY();
914
915 PG_RETURN_BOOL(true);
916}
#define TextDatumGetCString(d)
Definition: builtins.h:98
#define PG_ARGISNULL(n)
Definition: fmgr.h:209
#define PG_GETARG_DATUM(n)
Definition: fmgr.h:268
#define PG_RETURN_BOOL(x)
Definition: fmgr.h:359
static void exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
Definition: label.c:678
bool superuser(void)
Definition: superuser.c:46

References ereport, errcode(), errmsg(), ERROR, exec_object_restorecon(), PG_ARGISNULL, PG_END_TRY, PG_FINALLY, PG_GETARG_DATUM, PG_RETURN_BOOL, PG_TRY, sepgsql_is_enabled(), superuser(), and TextDatumGetCString.

◆ sepgsql_set_client_label()

static void sepgsql_set_client_label ( const char *  new_label)
static

Definition at line 111 of file label.c.

112{
113 const char *tcontext;
114 MemoryContext oldcxt;
115 pending_label *plabel;
116
117 /* Reset to the initial client label, if NULL */
118 if (!new_label)
119 tcontext = client_label_peer;
120 else
121 {
122 if (security_check_context_raw(new_label) < 0)
124 (errcode(ERRCODE_INVALID_NAME),
125 errmsg("SELinux: invalid security label: \"%s\"",
126 new_label)));
127 tcontext = new_label;
128 }
129
130 /* Check process:{setcurrent} permission. */
134 NULL,
135 true);
136 /* Check process:{dyntransition} permission. */
140 NULL,
141 true);
142
143 /*
144 * Append the supplied new_label on the pending list until the current
145 * transaction is committed.
146 */
148
149 plabel = palloc0(sizeof(pending_label));
151 if (new_label)
152 plabel->label = pstrdup(new_label);
154
155 MemoryContextSwitchTo(oldcxt);
156}
List * lappend(List *list, void *datum)
Definition: list.c:339
void * palloc0(Size size)
Definition: mcxt.c:1347
MemoryContext CurTransactionContext
Definition: mcxt.c:155
#define SEPG_PROCESS__SETCURRENT
Definition: sepgsql.h:61
#define SEPG_PROCESS__DYNTRANSITION
Definition: sepgsql.h:60
SubTransactionId subid
Definition: label.c:68
SubTransactionId GetCurrentSubTransactionId(void)
Definition: xact.c:790

References client_label_peer, client_label_pending, CurTransactionContext, ereport, errcode(), errmsg(), ERROR, GetCurrentSubTransactionId(), pending_label::label, lappend(), MemoryContextSwitchTo(), palloc0(), pstrdup(), SEPG_CLASS_PROCESS, SEPG_PROCESS__DYNTRANSITION, SEPG_PROCESS__SETCURRENT, sepgsql_avc_check_perms_label(), sepgsql_get_client_label(), and pending_label::subid.

Referenced by sepgsql_setcon().

◆ sepgsql_setcon()

Datum sepgsql_setcon ( PG_FUNCTION_ARGS  )

Definition at line 556 of file label.c.

557{
558 const char *new_label;
559
560 if (PG_ARGISNULL(0))
561 new_label = NULL;
562 else
563 new_label = TextDatumGetCString(PG_GETARG_DATUM(0));
564
565 sepgsql_set_client_label(new_label);
566
567 PG_RETURN_BOOL(true);
568}
static void sepgsql_set_client_label(const char *new_label)
Definition: label.c:111

References PG_ARGISNULL, PG_GETARG_DATUM, PG_RETURN_BOOL, sepgsql_set_client_label(), and TextDatumGetCString.

◆ sepgsql_subxact_callback()

static void sepgsql_subxact_callback ( SubXactEvent  event,
SubTransactionId  mySubid,
SubTransactionId  parentSubid,
void *  arg 
)
static

Definition at line 204 of file label.c.

206{
207 ListCell *cell;
208
209 if (event == SUBXACT_EVENT_ABORT_SUB)
210 {
211 foreach(cell, client_label_pending)
212 {
213 pending_label *plabel = lfirst(cell);
214
215 if (plabel->subid == mySubid)
218 }
219 }
220}
#define lfirst(lc)
Definition: pg_list.h:172
#define foreach_delete_current(lst, var_or_cell)
Definition: pg_list.h:391
@ SUBXACT_EVENT_ABORT_SUB
Definition: xact.h:144

References client_label_pending, foreach_delete_current, lfirst, pending_label::subid, and SUBXACT_EVENT_ABORT_SUB.

Referenced by sepgsql_init_client_label().

◆ sepgsql_xact_callback()

static void sepgsql_xact_callback ( XactEvent  event,
void *  arg 
)
static

Definition at line 165 of file label.c.

166{
167 if (event == XACT_EVENT_COMMIT)
168 {
170 {
172 char *new_label;
173
174 if (plabel->label)
176 plabel->label);
177 else
178 new_label = NULL;
179
182
183 client_label_committed = new_label;
184
185 /*
186 * XXX - Note that items of client_label_pending are allocated on
187 * CurTransactionContext, thus, all acquired memory region shall
188 * be released implicitly.
189 */
191 }
192 }
193 else if (event == XACT_EVENT_ABORT)
195}
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition: mcxt.c:1683
MemoryContext TopMemoryContext
Definition: mcxt.c:149
#define NIL
Definition: pg_list.h:68
@ XACT_EVENT_COMMIT
Definition: xact.h:128
@ XACT_EVENT_ABORT
Definition: xact.h:130

References client_label_committed, client_label_pending, pending_label::label, llast, MemoryContextStrdup(), NIL, pfree(), TopMemoryContext, XACT_EVENT_ABORT, and XACT_EVENT_COMMIT.

Referenced by sepgsql_init_client_label().

Variable Documentation

◆ client_label_committed

char* client_label_committed = NULL
static

Definition at line 62 of file label.c.

Referenced by sepgsql_get_client_label(), and sepgsql_xact_callback().

◆ client_label_func

char* client_label_func = NULL
static

Definition at line 64 of file label.c.

Referenced by sepgsql_fmgr_hook(), and sepgsql_get_client_label().

◆ client_label_peer

char* client_label_peer = NULL
static

◆ client_label_pending

List* client_label_pending = NIL
static

◆ next_client_auth_hook

ClientAuthentication_hook_type next_client_auth_hook = NULL
static

Definition at line 42 of file label.c.

Referenced by sepgsql_client_auth(), and sepgsql_init_client_label().

◆ next_fmgr_hook

fmgr_hook_type next_fmgr_hook = NULL
static

Definition at line 44 of file label.c.

Referenced by sepgsql_fmgr_hook(), and sepgsql_init_client_label().

◆ next_needs_fmgr_hook

needs_fmgr_hook_type next_needs_fmgr_hook = NULL
static

Definition at line 43 of file label.c.

Referenced by sepgsql_init_client_label(), and sepgsql_needs_fmgr_hook().