PostgreSQL Source Code  git master
Data Structures | Functions | Variables
label.c File Reference
#include "postgres.h"
#include <selinux/label.h>
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/table.h"
#include "access/xact.h"
#include "catalog/catalog.h"
#include "catalog/dependency.h"
#include "catalog/pg_attribute.h"
#include "catalog/pg_class.h"
#include "catalog/pg_database.h"
#include "catalog/pg_namespace.h"
#include "catalog/pg_proc.h"
#include "commands/dbcommands.h"
#include "commands/seclabel.h"
#include "libpq/auth.h"
#include "libpq/libpq-be.h"
#include "miscadmin.h"
#include "sepgsql.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/guc.h"
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/rel.h"
Include dependency graph for label.c:

Go to the source code of this file.

Data Structures

struct  pending_label
 

Functions

char * sepgsql_get_client_label (void)
 
static void sepgsql_set_client_label (const char *new_label)
 
static void sepgsql_xact_callback (XactEvent event, void *arg)
 
static void sepgsql_subxact_callback (SubXactEvent event, SubTransactionId mySubid, SubTransactionId parentSubid, void *arg)
 
static void sepgsql_client_auth (Port *port, int status)
 
static bool sepgsql_needs_fmgr_hook (Oid functionId)
 
static void sepgsql_fmgr_hook (FmgrHookEventType event, FmgrInfo *flinfo, Datum *private)
 
void sepgsql_init_client_label (void)
 
char * sepgsql_get_label (Oid classId, Oid objectId, int32 subId)
 
void sepgsql_object_relabel (const ObjectAddress *object, const char *seclabel)
 
 PG_FUNCTION_INFO_V1 (sepgsql_getcon)
 
Datum sepgsql_getcon (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_setcon)
 
Datum sepgsql_setcon (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_mcstrans_in)
 
Datum sepgsql_mcstrans_in (PG_FUNCTION_ARGS)
 
 PG_FUNCTION_INFO_V1 (sepgsql_mcstrans_out)
 
Datum sepgsql_mcstrans_out (PG_FUNCTION_ARGS)
 
static char * quote_object_name (const char *src1, const char *src2, const char *src3, const char *src4)
 
static void exec_object_restorecon (struct selabel_handle *sehnd, Oid catalogId)
 
 PG_FUNCTION_INFO_V1 (sepgsql_restorecon)
 
Datum sepgsql_restorecon (PG_FUNCTION_ARGS)
 

Variables

static ClientAuthentication_hook_type next_client_auth_hook = NULL
 
static needs_fmgr_hook_type next_needs_fmgr_hook = NULL
 
static fmgr_hook_type next_fmgr_hook = NULL
 
static char * client_label_peer = NULL
 
static Listclient_label_pending = NIL
 
static char * client_label_committed = NULL
 
static char * client_label_func = NULL
 

Function Documentation

◆ exec_object_restorecon()

static void exec_object_restorecon ( struct selabel_handle *  sehnd,
Oid  catalogId 
)
static

Definition at line 678 of file label.c.

679 {
680  Relation rel;
681  SysScanDesc sscan;
682  HeapTuple tuple;
683  char *database_name = get_database_name(MyDatabaseId);
684  char *namespace_name;
685  Oid namespace_id;
686  char *relation_name;
687 
688  /*
689  * Open the target catalog. We don't want to allow writable accesses by
690  * other session during initial labeling.
691  */
692  rel = table_open(catalogId, AccessShareLock);
693 
694  sscan = systable_beginscan(rel, InvalidOid, false,
695  NULL, 0, NULL);
696  while (HeapTupleIsValid(tuple = systable_getnext(sscan)))
697  {
698  Form_pg_database datForm;
699  Form_pg_namespace nspForm;
700  Form_pg_class relForm;
701  Form_pg_attribute attForm;
702  Form_pg_proc proForm;
703  char *objname;
704  int objtype = 1234;
705  ObjectAddress object;
706  char *context;
707 
708  /*
709  * The way to determine object name depends on object classes. So, any
710  * branches set up `objtype', `objname' and `object' here.
711  */
712  switch (catalogId)
713  {
714  case DatabaseRelationId:
715  datForm = (Form_pg_database) GETSTRUCT(tuple);
716 
717  objtype = SELABEL_DB_DATABASE;
718 
719  objname = quote_object_name(NameStr(datForm->datname),
720  NULL, NULL, NULL);
721 
722  object.classId = DatabaseRelationId;
723  object.objectId = datForm->oid;
724  object.objectSubId = 0;
725  break;
726 
727  case NamespaceRelationId:
728  nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
729 
730  objtype = SELABEL_DB_SCHEMA;
731 
732  objname = quote_object_name(database_name,
733  NameStr(nspForm->nspname),
734  NULL, NULL);
735 
736  object.classId = NamespaceRelationId;
737  object.objectId = nspForm->oid;
738  object.objectSubId = 0;
739  break;
740 
741  case RelationRelationId:
742  relForm = (Form_pg_class) GETSTRUCT(tuple);
743 
744  if (relForm->relkind == RELKIND_RELATION ||
745  relForm->relkind == RELKIND_PARTITIONED_TABLE)
746  objtype = SELABEL_DB_TABLE;
747  else if (relForm->relkind == RELKIND_SEQUENCE)
748  objtype = SELABEL_DB_SEQUENCE;
749  else if (relForm->relkind == RELKIND_VIEW)
750  objtype = SELABEL_DB_VIEW;
751  else
752  continue; /* no need to assign security label */
753 
754  namespace_name = get_namespace_name(relForm->relnamespace);
755  objname = quote_object_name(database_name,
756  namespace_name,
757  NameStr(relForm->relname),
758  NULL);
759  pfree(namespace_name);
760 
761  object.classId = RelationRelationId;
762  object.objectId = relForm->oid;
763  object.objectSubId = 0;
764  break;
765 
766  case AttributeRelationId:
767  attForm = (Form_pg_attribute) GETSTRUCT(tuple);
768 
769  if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION &&
770  get_rel_relkind(attForm->attrelid) != RELKIND_PARTITIONED_TABLE)
771  continue; /* no need to assign security label */
772 
773  objtype = SELABEL_DB_COLUMN;
774 
775  namespace_id = get_rel_namespace(attForm->attrelid);
776  namespace_name = get_namespace_name(namespace_id);
777  relation_name = get_rel_name(attForm->attrelid);
778  objname = quote_object_name(database_name,
779  namespace_name,
780  relation_name,
781  NameStr(attForm->attname));
782  pfree(namespace_name);
783  pfree(relation_name);
784 
785  object.classId = RelationRelationId;
786  object.objectId = attForm->attrelid;
787  object.objectSubId = attForm->attnum;
788  break;
789 
790  case ProcedureRelationId:
791  proForm = (Form_pg_proc) GETSTRUCT(tuple);
792 
793  objtype = SELABEL_DB_PROCEDURE;
794 
795  namespace_name = get_namespace_name(proForm->pronamespace);
796  objname = quote_object_name(database_name,
797  namespace_name,
798  NameStr(proForm->proname),
799  NULL);
800  pfree(namespace_name);
801 
802  object.classId = ProcedureRelationId;
803  object.objectId = proForm->oid;
804  object.objectSubId = 0;
805  break;
806 
807  default:
808  elog(ERROR, "unexpected catalog id: %u", catalogId);
809  objname = NULL; /* for compiler quiet */
810  break;
811  }
812 
813  if (selabel_lookup_raw(sehnd, &context, objname, objtype) == 0)
814  {
815  PG_TRY();
816  {
817  /*
818  * Check SELinux permission to relabel the fetched object,
819  * then do the actual relabeling.
820  */
821  sepgsql_object_relabel(&object, context);
822 
823  SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, context);
824  }
825  PG_FINALLY();
826  {
827  freecon(context);
828  }
829  PG_END_TRY();
830  }
831  else if (errno == ENOENT)
832  ereport(WARNING,
833  (errmsg("SELinux: no initial label assigned for %s (type=%d), skipping",
834  objname, objtype)));
835  else
836  ereport(ERROR,
837  (errcode(ERRCODE_INTERNAL_ERROR),
838  errmsg("SELinux: could not determine initial security label for %s (type=%d): %m", objname, objtype)));
839 
840  pfree(objname);
841  }
842  systable_endscan(sscan);
843 
844  table_close(rel, NoLock);
845 }
NameStr
#define NameStr(name)
Definition: c.h:746
get_database_name
char * get_database_name(Oid dbid)
Definition: dbcommands.c:3153
errcode
int errcode(int sqlerrcode)
Definition: elog.c:859
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1072
PG_TRY
#define PG_TRY(...)
Definition: elog.h:370
WARNING
#define WARNING
Definition: elog.h:36
PG_END_TRY
#define PG_END_TRY(...)
Definition: elog.h:395
ERROR
#define ERROR
Definition: elog.h:39
elog
#define elog(elevel,...)
Definition: elog.h:224
PG_FINALLY
#define PG_FINALLY(...)
Definition: elog.h:387
ereport
#define ereport(elevel,...)
Definition: elog.h:149
systable_endscan
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:596
systable_getnext
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:503
systable_beginscan
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:384
MyDatabaseId
Oid MyDatabaseId
Definition: globals.c:91
HeapTupleIsValid
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
GETSTRUCT
#define GETSTRUCT(TUP)
Definition: htup_details.h:653
sepgsql_object_relabel
void sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
Definition: label.c:482
quote_object_name
static char * quote_object_name(const char *src1, const char *src2, const char *src3, const char *src4)
Definition: label.c:653
NoLock
#define NoLock
Definition: lockdefs.h:34
AccessShareLock
#define AccessShareLock
Definition: lockdefs.h:36
get_namespace_name
char * get_namespace_name(Oid nspid)
Definition: lsyscache.c:3366
get_rel_relkind
char get_rel_relkind(Oid relid)
Definition: lsyscache.c:2003
get_rel_namespace
Oid get_rel_namespace(Oid relid)
Definition: lsyscache.c:1952
get_rel_name
char * get_rel_name(Oid relid)
Definition: lsyscache.c:1928
pfree
void pfree(void *pointer)
Definition: mcxt.c:1520
Form_pg_attribute
FormData_pg_attribute * Form_pg_attribute
Definition: pg_attribute.h:209
Form_pg_class
FormData_pg_class * Form_pg_class
Definition: pg_class.h:153
Form_pg_database
FormData_pg_database * Form_pg_database
Definition: pg_database.h:96
Form_pg_namespace
FormData_pg_namespace * Form_pg_namespace
Definition: pg_namespace.h:52
Form_pg_proc
FormData_pg_proc * Form_pg_proc
Definition: pg_proc.h:136
InvalidOid
#define InvalidOid
Definition: postgres_ext.h:36
Oid
unsigned int Oid
Definition: postgres_ext.h:31
context
tree context
Definition: radixtree.h:1829
SetSecurityLabel
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:404
SEPGSQL_LABEL_TAG
#define SEPGSQL_LABEL_TAG
Definition: sepgsql.h:23
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References AccessShareLock, context, elog, ereport, errcode(), errmsg(), ERROR, get_database_name(), get_namespace_name(), get_rel_name(), get_rel_namespace(), get_rel_relkind(), GETSTRUCT, HeapTupleIsValid, InvalidOid, MyDatabaseId, NameStr, NoLock, pfree(), PG_END_TRY, PG_FINALLY, PG_TRY, quote_object_name(), SEPGSQL_LABEL_TAG, sepgsql_object_relabel(), SetSecurityLabel(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and WARNING.

Referenced by sepgsql_restorecon().

◆ PG_FUNCTION_INFO_V1() [1/5]

PG_FUNCTION_INFO_V1 ( sepgsql_getcon  )

◆ PG_FUNCTION_INFO_V1() [2/5]

PG_FUNCTION_INFO_V1 ( sepgsql_mcstrans_in  )

◆ PG_FUNCTION_INFO_V1() [3/5]

PG_FUNCTION_INFO_V1 ( sepgsql_mcstrans_out  )

◆ PG_FUNCTION_INFO_V1() [4/5]

PG_FUNCTION_INFO_V1 ( sepgsql_restorecon  )

◆ PG_FUNCTION_INFO_V1() [5/5]

PG_FUNCTION_INFO_V1 ( sepgsql_setcon  )

◆ quote_object_name()

static char* quote_object_name ( const char *  src1,
const char *  src2,
const char *  src3,
const char *  src4 
)
static

Definition at line 653 of file label.c.

655 {
656  StringInfoData result;
657 
658  initStringInfo(&result);
659  if (src1)
660  appendStringInfoString(&result, quote_identifier(src1));
661  if (src2)
662  appendStringInfo(&result, ".%s", quote_identifier(src2));
663  if (src3)
664  appendStringInfo(&result, ".%s", quote_identifier(src3));
665  if (src4)
666  appendStringInfo(&result, ".%s", quote_identifier(src4));
667  return result.data;
668 }
quote_identifier
const char * quote_identifier(const char *ident)
Definition: ruleutils.c:12623
appendStringInfo
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:97
appendStringInfoString
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:182
initStringInfo
void initStringInfo(StringInfo str)
Definition: stringinfo.c:59

References appendStringInfo(), appendStringInfoString(), StringInfoData::data, initStringInfo(), and quote_identifier().

Referenced by exec_object_restorecon().

◆ sepgsql_client_auth()

static void sepgsql_client_auth ( Port port,
int  status 
)
static

Definition at line 230 of file label.c.

231 {
232  if (next_client_auth_hook)
233  (*next_client_auth_hook) (port, status);
234 
235  /*
236  * In the case when authentication failed, the supplied socket shall be
237  * closed soon, so we don't need to do anything here.
238  */
239  if (status != STATUS_OK)
240  return;
241 
242  /*
243  * Getting security label of the peer process using API of libselinux.
244  */
245  if (getpeercon_raw(port->sock, &client_label_peer) < 0)
246  ereport(FATAL,
247  (errcode(ERRCODE_INTERNAL_ERROR),
248  errmsg("SELinux: unable to get peer label: %m")));
249 
250  /*
251  * Switch the current performing mode from INTERNAL to either DEFAULT or
252  * PERMISSIVE.
253  */
254  if (sepgsql_get_permissive())
255  sepgsql_set_mode(SEPGSQL_MODE_PERMISSIVE);
256  else
257  sepgsql_set_mode(SEPGSQL_MODE_DEFAULT);
258 }
STATUS_OK
#define STATUS_OK
Definition: c.h:1169
FATAL
#define FATAL
Definition: elog.h:41
sepgsql_get_permissive
bool sepgsql_get_permissive(void)
Definition: hooks.c:63
client_label_peer
static char * client_label_peer
Definition: label.c:59
next_client_auth_hook
static ClientAuthentication_hook_type next_client_auth_hook
Definition: label.c:42
port
static int port
Definition: pg_regress.c:116
sepgsql_set_mode
int sepgsql_set_mode(int new_mode)
Definition: selinux.c:634
SEPGSQL_MODE_DEFAULT
#define SEPGSQL_MODE_DEFAULT
Definition: sepgsql.h:28
SEPGSQL_MODE_PERMISSIVE
#define SEPGSQL_MODE_PERMISSIVE
Definition: sepgsql.h:29

References client_label_peer, ereport, errcode(), errmsg(), FATAL, next_client_auth_hook, port, sepgsql_get_permissive(), SEPGSQL_MODE_DEFAULT, SEPGSQL_MODE_PERMISSIVE, sepgsql_set_mode(), and STATUS_OK.

Referenced by sepgsql_init_client_label().

◆ sepgsql_fmgr_hook()

static void sepgsql_fmgr_hook ( FmgrHookEventType  event,
FmgrInfo flinfo,
Datum private 
)
static

Definition at line 311 of file label.c.

313 {
314  struct
315  {
316  char *old_label;
317  char *new_label;
318  Datum next_private;
319  } *stack;
320 
321  switch (event)
322  {
323  case FHET_START:
324  stack = (void *) DatumGetPointer(*private);
325  if (!stack)
326  {
327  MemoryContext oldcxt;
328 
329  oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
330  stack = palloc(sizeof(*stack));
331  stack->old_label = NULL;
332  stack->new_label = sepgsql_avc_trusted_proc(flinfo->fn_oid);
333  stack->next_private = 0;
334 
335  MemoryContextSwitchTo(oldcxt);
336 
337  /*
338  * process:transition permission between old and new label,
339  * when user tries to switch security label of the client on
340  * execution of trusted procedure.
341  *
342  * Also, db_procedure:entrypoint permission should be checked
343  * whether this procedure can perform as an entrypoint of the
344  * trusted procedure, or not. Note that db_procedure:execute
345  * permission shall be checked individually.
346  */
347  if (stack->new_label)
348  {
349  ObjectAddress object;
350 
351  object.classId = ProcedureRelationId;
352  object.objectId = flinfo->fn_oid;
353  object.objectSubId = 0;
354  sepgsql_avc_check_perms(&object,
355  SEPG_CLASS_DB_PROCEDURE,
356  SEPG_DB_PROCEDURE__ENTRYPOINT,
357  getObjectDescription(&object, false),
358  true);
359 
360  sepgsql_avc_check_perms_label(stack->new_label,
361  SEPG_CLASS_PROCESS,
362  SEPG_PROCESS__TRANSITION,
363  NULL, true);
364  }
365  *private = PointerGetDatum(stack);
366  }
367  Assert(!stack->old_label);
368  if (stack->new_label)
369  {
370  stack->old_label = client_label_func;
371  client_label_func = stack->new_label;
372  }
373  if (next_fmgr_hook)
374  (*next_fmgr_hook) (event, flinfo, &stack->next_private);
375  break;
376 
377  case FHET_END:
378  case FHET_ABORT:
379  stack = (void *) DatumGetPointer(*private);
380 
381  if (next_fmgr_hook)
382  (*next_fmgr_hook) (event, flinfo, &stack->next_private);
383 
384  if (stack->new_label)
385  {
386  client_label_func = stack->old_label;
387  stack->old_label = NULL;
388  }
389  break;
390 
391  default:
392  elog(ERROR, "unexpected event type: %d", (int) event);
393  break;
394  }
395 }
Assert
#define Assert(condition)
Definition: c.h:858
FHET_END
@ FHET_END
Definition: fmgr.h:785
FHET_ABORT
@ FHET_ABORT
Definition: fmgr.h:786
FHET_START
@ FHET_START
Definition: fmgr.h:784
next_fmgr_hook
static fmgr_hook_type next_fmgr_hook
Definition: label.c:44
client_label_func
static char * client_label_func
Definition: label.c:64
palloc
void * palloc(Size size)
Definition: mcxt.c:1316
getObjectDescription
char * getObjectDescription(const ObjectAddress *object, bool missing_ok)
Definition: objectaddress.c:2878
PointerGetDatum
static Datum PointerGetDatum(const void *X)
Definition: postgres.h:322
Datum
uintptr_t Datum
Definition: postgres.h:64
DatumGetPointer
static Pointer DatumGetPointer(Datum X)
Definition: postgres.h:312
MemoryContextSwitchTo
MemoryContextSwitchTo(old_ctx)
sepgsql_avc_trusted_proc
char * sepgsql_avc_trusted_proc(Oid functionId)
Definition: uavc.c:445
sepgsql_avc_check_perms_label
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:337
SEPG_PROCESS__TRANSITION
#define SEPG_PROCESS__TRANSITION
Definition: sepgsql.h:59
SEPG_DB_PROCEDURE__ENTRYPOINT
#define SEPG_DB_PROCEDURE__ENTRYPOINT
Definition: sepgsql.h:167
SEPG_CLASS_DB_PROCEDURE
#define SEPG_CLASS_DB_PROCEDURE
Definition: sepgsql.h:48
SEPG_CLASS_PROCESS
#define SEPG_CLASS_PROCESS
Definition: sepgsql.h:36
sepgsql_avc_check_perms
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:420
FmgrInfo::fn_mcxt
MemoryContext fn_mcxt
Definition: fmgr.h:65
FmgrInfo::fn_oid
Oid fn_oid
Definition: fmgr.h:59

References Assert, ObjectAddress::classId, client_label_func, DatumGetPointer(), elog, ERROR, FHET_ABORT, FHET_END, FHET_START, FmgrInfo::fn_mcxt, FmgrInfo::fn_oid, getObjectDescription(), MemoryContextSwitchTo(), next_fmgr_hook, palloc(), PointerGetDatum(), SEPG_CLASS_DB_PROCEDURE, SEPG_CLASS_PROCESS, SEPG_DB_PROCEDURE__ENTRYPOINT, SEPG_PROCESS__TRANSITION, sepgsql_avc_check_perms(), sepgsql_avc_check_perms_label(), and sepgsql_avc_trusted_proc().

Referenced by sepgsql_init_client_label().

◆ sepgsql_get_client_label()

char* sepgsql_get_client_label ( void  )

Definition at line 80 of file label.c.

81 {
82  /* trusted procedure client label override */
83  if (client_label_func)
84  return client_label_func;
85 
86  /* uncommitted sepgsql_setcon() value */
87  if (client_label_pending)
88  {
89  pending_label *plabel = llast(client_label_pending);
90 
91  if (plabel->label)
92  return plabel->label;
93  }
94  else if (client_label_committed)
95  return client_label_committed; /* set by sepgsql_setcon() committed */
96 
97  /* default label */
98  Assert(client_label_peer != NULL);
99  return client_label_peer;
100 }
client_label_committed
static char * client_label_committed
Definition: label.c:62
client_label_pending
static List * client_label_pending
Definition: label.c:60
llast
#define llast(l)
Definition: pg_list.h:198
pending_label
Definition: label.c:67
pending_label::label
char * label
Definition: label.c:69

References Assert, client_label_committed, client_label_func, client_label_peer, client_label_pending, pending_label::label, and llast.

Referenced by sepgsql_attribute_post_create(), sepgsql_avc_check_perms_label(), sepgsql_avc_trusted_proc(), sepgsql_database_post_create(), sepgsql_getcon(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), sepgsql_schema_post_create(), and sepgsql_set_client_label().

◆ sepgsql_get_label()

char* sepgsql_get_label ( Oid  classId,
Oid  objectId,
int32  subId 
)

Definition at line 445 of file label.c.

446 {
447  ObjectAddress object;
448  char *label;
449 
450  object.classId = classId;
451  object.objectId = objectId;
452  object.objectSubId = subId;
453 
454  label = GetSecurityLabel(&object, SEPGSQL_LABEL_TAG);
455  if (!label || security_check_context_raw(label))
456  {
457  char *unlabeled;
458 
459  if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
460  ereport(ERROR,
461  (errcode(ERRCODE_INTERNAL_ERROR),
462  errmsg("SELinux: failed to get initial security label: %m")));
463  PG_TRY();
464  {
465  label = pstrdup(unlabeled);
466  }
467  PG_FINALLY();
468  {
469  freecon(unlabeled);
470  }
471  PG_END_TRY();
472  }
473  return label;
474 }
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1695
label
static char * label
Definition: pg_basebackup.c:134
GetSecurityLabel
char * GetSecurityLabel(const ObjectAddress *object, const char *provider)
Definition: seclabel.c:272

References ereport, errcode(), errmsg(), ERROR, GetSecurityLabel(), label, PG_END_TRY, PG_FINALLY, PG_TRY, pstrdup(), and SEPGSQL_LABEL_TAG.

Referenced by sepgsql_attribute_post_create(), sepgsql_database_post_create(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), and sepgsql_schema_post_create().

◆ sepgsql_getcon()

Datum sepgsql_getcon ( PG_FUNCTION_ARGS  )

Definition at line 537 of file label.c.

538 {
539  char *client_label;
540 
541  if (!sepgsql_is_enabled())
542  PG_RETURN_NULL();
543 
544  client_label = sepgsql_get_client_label();
545 
546  PG_RETURN_TEXT_P(cstring_to_text(client_label));
547 }
PG_RETURN_NULL
#define PG_RETURN_NULL()
Definition: fmgr.h:345
PG_RETURN_TEXT_P
#define PG_RETURN_TEXT_P(x)
Definition: fmgr.h:372
sepgsql_get_client_label
char * sepgsql_get_client_label(void)
Definition: label.c:80
sepgsql_is_enabled
bool sepgsql_is_enabled(void)
Definition: selinux.c:616
cstring_to_text
text * cstring_to_text(const char *s)
Definition: varlena.c:184

References cstring_to_text(), PG_RETURN_NULL, PG_RETURN_TEXT_P, sepgsql_get_client_label(), and sepgsql_is_enabled().

◆ sepgsql_init_client_label()

void sepgsql_init_client_label ( void  )

Definition at line 404 of file label.c.

405 {
406  /*
407  * Set up dummy client label.
408  *
409  * XXX - note that PostgreSQL launches background worker process like
410  * autovacuum without authentication steps. So, we initialize sepgsql_mode
411  * with SEPGSQL_MODE_INTERNAL, and client_label with the security context
412  * of server process. Later, it also launches background of user session.
413  * In this case, the process is always hooked on post-authentication, and
414  * we can initialize the sepgsql_mode and client_label correctly.
415  */
416  if (getcon_raw(&client_label_peer) < 0)
417  ereport(ERROR,
418  (errcode(ERRCODE_INTERNAL_ERROR),
419  errmsg("SELinux: failed to get server security label: %m")));
420 
421  /* Client authentication hook */
422  next_client_auth_hook = ClientAuthentication_hook;
423  ClientAuthentication_hook = sepgsql_client_auth;
424 
425  /* Trusted procedure hooks */
426  next_needs_fmgr_hook = needs_fmgr_hook;
427  needs_fmgr_hook = sepgsql_needs_fmgr_hook;
428 
429  next_fmgr_hook = fmgr_hook;
430  fmgr_hook = sepgsql_fmgr_hook;
431 
432  /* Transaction/Sub-transaction callbacks */
433  RegisterXactCallback(sepgsql_xact_callback, NULL);
434  RegisterSubXactCallback(sepgsql_subxact_callback, NULL);
435 }
ClientAuthentication_hook
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:230
needs_fmgr_hook
PGDLLIMPORT needs_fmgr_hook_type needs_fmgr_hook
Definition: fmgr.c:39
fmgr_hook
PGDLLIMPORT fmgr_hook_type fmgr_hook
Definition: fmgr.c:40
sepgsql_fmgr_hook
static void sepgsql_fmgr_hook(FmgrHookEventType event, FmgrInfo *flinfo, Datum *private)
Definition: label.c:311
next_needs_fmgr_hook
static needs_fmgr_hook_type next_needs_fmgr_hook
Definition: label.c:43
sepgsql_subxact_callback
static void sepgsql_subxact_callback(SubXactEvent event, SubTransactionId mySubid, SubTransactionId parentSubid, void *arg)
Definition: label.c:204
sepgsql_client_auth
static void sepgsql_client_auth(Port *port, int status)
Definition: label.c:230
sepgsql_xact_callback
static void sepgsql_xact_callback(XactEvent event, void *arg)
Definition: label.c:165
sepgsql_needs_fmgr_hook
static bool sepgsql_needs_fmgr_hook(Oid functionId)
Definition: label.c:268
RegisterXactCallback
void RegisterXactCallback(XactCallback callback, void *arg)
Definition: xact.c:3753
RegisterSubXactCallback
void RegisterSubXactCallback(SubXactCallback callback, void *arg)
Definition: xact.c:3813

References client_label_peer, ClientAuthentication_hook, ereport, errcode(), errmsg(), ERROR, fmgr_hook, needs_fmgr_hook, next_client_auth_hook, next_fmgr_hook, next_needs_fmgr_hook, RegisterSubXactCallback(), RegisterXactCallback(), sepgsql_client_auth(), sepgsql_fmgr_hook(), sepgsql_needs_fmgr_hook(), sepgsql_subxact_callback(), and sepgsql_xact_callback().

Referenced by _PG_init().

◆ sepgsql_mcstrans_in()

Datum sepgsql_mcstrans_in ( PG_FUNCTION_ARGS  )

Definition at line 578 of file label.c.

579 {
580  text *label = PG_GETARG_TEXT_PP(0);
581  char *raw_label;
582  char *result;
583 
584  if (!sepgsql_is_enabled())
585  ereport(ERROR,
586  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
587  errmsg("sepgsql is not enabled")));
588 
589  if (selinux_trans_to_raw_context(text_to_cstring(label),
590  &raw_label) < 0)
591  ereport(ERROR,
592  (errcode(ERRCODE_INTERNAL_ERROR),
593  errmsg("SELinux: could not translate security label: %m")));
594 
595  PG_TRY();
596  {
597  result = pstrdup(raw_label);
598  }
599  PG_FINALLY();
600  {
601  freecon(raw_label);
602  }
603  PG_END_TRY();
604 
605  PG_RETURN_TEXT_P(cstring_to_text(result));
606 }
PG_GETARG_TEXT_PP
#define PG_GETARG_TEXT_PP(n)
Definition: fmgr.h:309
varlena
Definition: c.h:687
text_to_cstring
char * text_to_cstring(const text *t)
Definition: varlena.c:217

References cstring_to_text(), ereport, errcode(), errmsg(), ERROR, label, PG_END_TRY, PG_FINALLY, PG_GETARG_TEXT_PP, PG_RETURN_TEXT_P, PG_TRY, pstrdup(), sepgsql_is_enabled(), and text_to_cstring().

◆ sepgsql_mcstrans_out()

Datum sepgsql_mcstrans_out ( PG_FUNCTION_ARGS  )

Definition at line 616 of file label.c.

617 {
618  text *label = PG_GETARG_TEXT_PP(0);
619  char *qual_label;
620  char *result;
621 
622  if (!sepgsql_is_enabled())
623  ereport(ERROR,
624  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
625  errmsg("sepgsql is not currently enabled")));
626 
627  if (selinux_raw_to_trans_context(text_to_cstring(label),
628  &qual_label) < 0)
629  ereport(ERROR,
630  (errcode(ERRCODE_INTERNAL_ERROR),
631  errmsg("SELinux: could not translate security label: %m")));
632 
633  PG_TRY();
634  {
635  result = pstrdup(qual_label);
636  }
637  PG_FINALLY();
638  {
639  freecon(qual_label);
640  }
641  PG_END_TRY();
642 
643  PG_RETURN_TEXT_P(cstring_to_text(result));
644 }

References cstring_to_text(), ereport, errcode(), errmsg(), ERROR, label, PG_END_TRY, PG_FINALLY, PG_GETARG_TEXT_PP, PG_RETURN_TEXT_P, PG_TRY, pstrdup(), sepgsql_is_enabled(), and text_to_cstring().

◆ sepgsql_needs_fmgr_hook()

static bool sepgsql_needs_fmgr_hook ( Oid  functionId)
static

Definition at line 268 of file label.c.

269 {
270  ObjectAddress object;
271 
272  if (next_needs_fmgr_hook &&
273  (*next_needs_fmgr_hook) (functionId))
274  return true;
275 
276  /*
277  * SELinux needs the function to be called via security_definer wrapper,
278  * if this invocation will take a domain-transition. We call these
279  * functions as trusted-procedure, if the security policy has a rule that
280  * switches security label of the client on execution.
281  */
282  if (sepgsql_avc_trusted_proc(functionId) != NULL)
283  return true;
284 
285  /*
286  * Even if not a trusted-procedure, this function should not be inlined
287  * unless the client has db_procedure:{execute} permission. Please note
288  * that it shall be actually failed later because of same reason with
289  * ACL_EXECUTE.
290  */
291  object.classId = ProcedureRelationId;
292  object.objectId = functionId;
293  object.objectSubId = 0;
294  if (!sepgsql_avc_check_perms(&object,
295  SEPG_CLASS_DB_PROCEDURE,
296  SEPG_DB_PROCEDURE__EXECUTE |
297  SEPG_DB_PROCEDURE__ENTRYPOINT,
298  SEPGSQL_AVC_NOAUDIT, false))
299  return true;
300 
301  return false;
302 }
SEPG_DB_PROCEDURE__EXECUTE
#define SEPG_DB_PROCEDURE__EXECUTE
Definition: sepgsql.h:166
SEPGSQL_AVC_NOAUDIT
#define SEPGSQL_AVC_NOAUDIT
Definition: sepgsql.h:250

References ObjectAddress::classId, next_needs_fmgr_hook, SEPG_CLASS_DB_PROCEDURE, SEPG_DB_PROCEDURE__ENTRYPOINT, SEPG_DB_PROCEDURE__EXECUTE, sepgsql_avc_check_perms(), SEPGSQL_AVC_NOAUDIT, and sepgsql_avc_trusted_proc().

Referenced by sepgsql_init_client_label().

◆ sepgsql_object_relabel()

void sepgsql_object_relabel ( const ObjectAddress object,
const char *  seclabel 
)

Definition at line 482 of file label.c.

483 {
484  /*
485  * validate format of the supplied security label, if it is security
486  * context of selinux.
487  */
488  if (seclabel &&
489  security_check_context_raw(seclabel) < 0)
490  ereport(ERROR,
491  (errcode(ERRCODE_INVALID_NAME),
492  errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
493 
494  /*
495  * Do actual permission checks for each object classes
496  */
497  switch (object->classId)
498  {
499  case DatabaseRelationId:
500  sepgsql_database_relabel(object->objectId, seclabel);
501  break;
502 
503  case NamespaceRelationId:
504  sepgsql_schema_relabel(object->objectId, seclabel);
505  break;
506 
507  case RelationRelationId:
508  if (object->objectSubId == 0)
509  sepgsql_relation_relabel(object->objectId,
510  seclabel);
511  else
512  sepgsql_attribute_relabel(object->objectId,
513  object->objectSubId,
514  seclabel);
515  break;
516 
517  case ProcedureRelationId:
518  sepgsql_proc_relabel(object->objectId, seclabel);
519  break;
520 
521  default:
522  ereport(ERROR,
523  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
524  errmsg("sepgsql provider does not support labels on %s",
525  getObjectTypeDescription(object, false))));
526  break;
527  }
528 }
sepgsql_proc_relabel
void sepgsql_proc_relabel(Oid functionId, const char *seclabel)
Definition: proc.c:198
sepgsql_attribute_relabel
void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum, const char *seclabel)
Definition: relation.c:165
sepgsql_relation_relabel
void sepgsql_relation_relabel(Oid relOid, const char *seclabel)
Definition: relation.c:564
sepgsql_database_relabel
void sepgsql_database_relabel(Oid databaseId, const char *seclabel)
Definition: database.c:187
getObjectTypeDescription
char * getObjectTypeDescription(const ObjectAddress *object, bool missing_ok)
Definition: objectaddress.c:4372
sepgsql_schema_relabel
void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
Definition: schema.c:142

References ObjectAddress::classId, ereport, errcode(), errmsg(), ERROR, getObjectTypeDescription(), ObjectAddress::objectId, ObjectAddress::objectSubId, sepgsql_attribute_relabel(), sepgsql_database_relabel(), sepgsql_proc_relabel(), sepgsql_relation_relabel(), and sepgsql_schema_relabel().

Referenced by _PG_init(), and exec_object_restorecon().

◆ sepgsql_restorecon()

Datum sepgsql_restorecon ( PG_FUNCTION_ARGS  )

Definition at line 860 of file label.c.

861 {
862  struct selabel_handle *sehnd;
863  struct selinux_opt seopts;
864 
865  /*
866  * SELinux has to be enabled on the running platform.
867  */
868  if (!sepgsql_is_enabled())
869  ereport(ERROR,
870  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
871  errmsg("sepgsql is not currently enabled")));
872 
873  /*
874  * Check DAC permission. Only superuser can set up initial security
875  * labels, like root-user in filesystems
876  */
877  if (!superuser())
878  ereport(ERROR,
879  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
880  errmsg("SELinux: must be superuser to restore initial contexts")));
881 
882  /*
883  * Open selabel_lookup(3) stuff. It provides a set of mapping between an
884  * initial security label and object class/name due to the system setting.
885  */
886  if (PG_ARGISNULL(0))
887  {
888  seopts.type = SELABEL_OPT_UNUSED;
889  seopts.value = NULL;
890  }
891  else
892  {
893  seopts.type = SELABEL_OPT_PATH;
894  seopts.value = TextDatumGetCString(PG_GETARG_DATUM(0));
895  }
896  sehnd = selabel_open(SELABEL_CTX_DB, &seopts, 1);
897  if (!sehnd)
898  ereport(ERROR,
899  (errcode(ERRCODE_INTERNAL_ERROR),
900  errmsg("SELinux: failed to initialize labeling handle: %m")));
901  PG_TRY();
902  {
903  exec_object_restorecon(sehnd, DatabaseRelationId);
904  exec_object_restorecon(sehnd, NamespaceRelationId);
905  exec_object_restorecon(sehnd, RelationRelationId);
906  exec_object_restorecon(sehnd, AttributeRelationId);
907  exec_object_restorecon(sehnd, ProcedureRelationId);
908  }
909  PG_FINALLY();
910  {
911  selabel_close(sehnd);
912  }
913  PG_END_TRY();
914 
915  PG_RETURN_BOOL(true);
916 }
TextDatumGetCString
#define TextDatumGetCString(d)
Definition: builtins.h:98
PG_ARGISNULL
#define PG_ARGISNULL(n)
Definition: fmgr.h:209
PG_GETARG_DATUM
#define PG_GETARG_DATUM(n)
Definition: fmgr.h:268
PG_RETURN_BOOL
#define PG_RETURN_BOOL(x)
Definition: fmgr.h:359
exec_object_restorecon
static void exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
Definition: label.c:678
superuser
bool superuser(void)
Definition: superuser.c:46

References ereport, errcode(), errmsg(), ERROR, exec_object_restorecon(), PG_ARGISNULL, PG_END_TRY, PG_FINALLY, PG_GETARG_DATUM, PG_RETURN_BOOL, PG_TRY, sepgsql_is_enabled(), superuser(), and TextDatumGetCString.

◆ sepgsql_set_client_label()

static void sepgsql_set_client_label ( const char *  new_label)
static

Definition at line 111 of file label.c.

112 {
113  const char *tcontext;
114  MemoryContext oldcxt;
115  pending_label *plabel;
116 
117  /* Reset to the initial client label, if NULL */
118  if (!new_label)
119  tcontext = client_label_peer;
120  else
121  {
122  if (security_check_context_raw(new_label) < 0)
123  ereport(ERROR,
124  (errcode(ERRCODE_INVALID_NAME),
125  errmsg("SELinux: invalid security label: \"%s\"",
126  new_label)));
127  tcontext = new_label;
128  }
129 
130  /* Check process:{setcurrent} permission. */
131  sepgsql_avc_check_perms_label(sepgsql_get_client_label(),
132  SEPG_CLASS_PROCESS,
133  SEPG_PROCESS__SETCURRENT,
134  NULL,
135  true);
136  /* Check process:{dyntransition} permission. */
137  sepgsql_avc_check_perms_label(tcontext,
138  SEPG_CLASS_PROCESS,
139  SEPG_PROCESS__DYNTRANSITION,
140  NULL,
141  true);
142 
143  /*
144  * Append the supplied new_label on the pending list until the current
145  * transaction is committed.
146  */
147  oldcxt = MemoryContextSwitchTo(CurTransactionContext);
148 
149  plabel = palloc0(sizeof(pending_label));
150  plabel->subid = GetCurrentSubTransactionId();
151  if (new_label)
152  plabel->label = pstrdup(new_label);
153  client_label_pending = lappend(client_label_pending, plabel);
154 
155  MemoryContextSwitchTo(oldcxt);
156 }
lappend
List * lappend(List *list, void *datum)
Definition: list.c:339
palloc0
void * palloc0(Size size)
Definition: mcxt.c:1346
CurTransactionContext
MemoryContext CurTransactionContext
Definition: mcxt.c:155
SEPG_PROCESS__SETCURRENT
#define SEPG_PROCESS__SETCURRENT
Definition: sepgsql.h:61
SEPG_PROCESS__DYNTRANSITION
#define SEPG_PROCESS__DYNTRANSITION
Definition: sepgsql.h:60
pending_label::subid
SubTransactionId subid
Definition: label.c:68
GetCurrentSubTransactionId
SubTransactionId GetCurrentSubTransactionId(void)
Definition: xact.c:788

References client_label_peer, client_label_pending, CurTransactionContext, ereport, errcode(), errmsg(), ERROR, GetCurrentSubTransactionId(), pending_label::label, lappend(), MemoryContextSwitchTo(), palloc0(), pstrdup(), SEPG_CLASS_PROCESS, SEPG_PROCESS__DYNTRANSITION, SEPG_PROCESS__SETCURRENT, sepgsql_avc_check_perms_label(), sepgsql_get_client_label(), and pending_label::subid.

Referenced by sepgsql_setcon().

◆ sepgsql_setcon()

Datum sepgsql_setcon ( PG_FUNCTION_ARGS  )

Definition at line 556 of file label.c.

557 {
558  const char *new_label;
559 
560  if (PG_ARGISNULL(0))
561  new_label = NULL;
562  else
563  new_label = TextDatumGetCString(PG_GETARG_DATUM(0));
564 
565  sepgsql_set_client_label(new_label);
566 
567  PG_RETURN_BOOL(true);
568 }
sepgsql_set_client_label
static void sepgsql_set_client_label(const char *new_label)
Definition: label.c:111

References PG_ARGISNULL, PG_GETARG_DATUM, PG_RETURN_BOOL, sepgsql_set_client_label(), and TextDatumGetCString.

◆ sepgsql_subxact_callback()

static void sepgsql_subxact_callback ( SubXactEvent  event,
SubTransactionId  mySubid,
SubTransactionId  parentSubid,
void *  arg 
)
static

Definition at line 204 of file label.c.

206 {
207  ListCell *cell;
208 
209  if (event == SUBXACT_EVENT_ABORT_SUB)
210  {
211  foreach(cell, client_label_pending)
212  {
213  pending_label *plabel = lfirst(cell);
214 
215  if (plabel->subid == mySubid)
216  client_label_pending
217  = foreach_delete_current(client_label_pending, cell);
218  }
219  }
220 }
lfirst
#define lfirst(lc)
Definition: pg_list.h:172
foreach_delete_current
#define foreach_delete_current(lst, var_or_cell)
Definition: pg_list.h:391
SUBXACT_EVENT_ABORT_SUB
@ SUBXACT_EVENT_ABORT_SUB
Definition: xact.h:144

References client_label_pending, foreach_delete_current, lfirst, pending_label::subid, and SUBXACT_EVENT_ABORT_SUB.

Referenced by sepgsql_init_client_label().

◆ sepgsql_xact_callback()

static void sepgsql_xact_callback ( XactEvent  event,
void *  arg 
)
static

Definition at line 165 of file label.c.

166 {
167  if (event == XACT_EVENT_COMMIT)
168  {
169  if (client_label_pending != NIL)
170  {
171  pending_label *plabel = llast(client_label_pending);
172  char *new_label;
173 
174  if (plabel->label)
175  new_label = MemoryContextStrdup(TopMemoryContext,
176  plabel->label);
177  else
178  new_label = NULL;
179 
180  if (client_label_committed)
181  pfree(client_label_committed);
182 
183  client_label_committed = new_label;
184 
185  /*
186  * XXX - Note that items of client_label_pending are allocated on
187  * CurTransactionContext, thus, all acquired memory region shall
188  * be released implicitly.
189  */
190  client_label_pending = NIL;
191  }
192  }
193  else if (event == XACT_EVENT_ABORT)
194  client_label_pending = NIL;
195 }
TopMemoryContext
MemoryContext TopMemoryContext
Definition: mcxt.c:149
MemoryContextStrdup
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition: mcxt.c:1682
NIL
#define NIL
Definition: pg_list.h:68
XACT_EVENT_COMMIT
@ XACT_EVENT_COMMIT
Definition: xact.h:128
XACT_EVENT_ABORT
@ XACT_EVENT_ABORT
Definition: xact.h:130

References client_label_committed, client_label_pending, pending_label::label, llast, MemoryContextStrdup(), NIL, pfree(), TopMemoryContext, XACT_EVENT_ABORT, and XACT_EVENT_COMMIT.

Referenced by sepgsql_init_client_label().

Variable Documentation

◆ client_label_committed

char* client_label_committed = NULL
static

Definition at line 62 of file label.c.

Referenced by sepgsql_get_client_label(), and sepgsql_xact_callback().

◆ client_label_func

char* client_label_func = NULL
static

Definition at line 64 of file label.c.

Referenced by sepgsql_fmgr_hook(), and sepgsql_get_client_label().

◆ client_label_peer

char* client_label_peer = NULL
static

Definition at line 59 of file label.c.

Referenced by sepgsql_client_auth(), sepgsql_get_client_label(), sepgsql_init_client_label(), and sepgsql_set_client_label().

◆ client_label_pending

List* client_label_pending = NIL
static

Definition at line 60 of file label.c.

Referenced by sepgsql_get_client_label(), sepgsql_set_client_label(), sepgsql_subxact_callback(), and sepgsql_xact_callback().

◆ next_client_auth_hook

ClientAuthentication_hook_type next_client_auth_hook = NULL
static

Definition at line 42 of file label.c.

Referenced by sepgsql_client_auth(), and sepgsql_init_client_label().

◆ next_fmgr_hook

fmgr_hook_type next_fmgr_hook = NULL
static

Definition at line 44 of file label.c.

Referenced by sepgsql_fmgr_hook(), and sepgsql_init_client_label().

◆ next_needs_fmgr_hook

needs_fmgr_hook_type next_needs_fmgr_hook = NULL
static

Definition at line 43 of file label.c.

Referenced by sepgsql_init_client_label(), and sepgsql_needs_fmgr_hook().