PostgreSQL Source Code  git master
selinux.c File Reference
#include "postgres.h"
#include "lib/stringinfo.h"
#include "sepgsql.h"
Include dependency graph for selinux.c:

Go to the source code of this file.

Functions

bool sepgsql_is_enabled (void)
 
int sepgsql_get_mode (void)
 
int sepgsql_set_mode (int new_mode)
 
bool sepgsql_getenforce (void)
 
void sepgsql_audit_log (bool denied, const char *scontext, const char *tcontext, uint16 tclass, uint32 audited, const char *audit_name)
 
void sepgsql_compute_avd (const char *scontext, const char *tcontext, uint16 tclass, struct av_decision *avd)
 
char * sepgsql_compute_create (const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
 
bool sepgsql_check_perms (const char *scontext, const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
 

Variables

struct {
   const char *   class_name
 
   uint16   class_code
 
   struct {
      const char *   av_name
 
      uint32   av_code
 
   }   av [32]
 
selinux_catalog []
 
static int sepgsql_mode = SEPGSQL_MODE_INTERNAL
 

Function Documentation

◆ sepgsql_audit_log()

void sepgsql_audit_log ( bool  denied,
const char *  scontext,
const char *  tcontext,
uint16  tclass,
uint32  audited,
const char *  audit_name 
)

Definition at line 675 of file selinux.c.

References appendStringInfo(), appendStringInfoString(), Assert, av_name, buf, class_name, StringInfoData::data, ereport, errmsg(), i, initStringInfo(), LOG, selinux_catalog, and SEPG_CLASS_MAX.

Referenced by sepgsql_avc_check_perms_label(), and sepgsql_check_perms().

681 {
683  const char *class_name;
684  const char *av_name;
685  int i;
686 
687  /* lookup name of the object class */
688  Assert(tclass < SEPG_CLASS_MAX);
689  class_name = selinux_catalog[tclass].class_name;
690 
691  /* lookup name of the permissions */
692  initStringInfo(&buf);
693  appendStringInfo(&buf, "%s {",
694  (denied ? "denied" : "allowed"));
695  for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)
696  {
697  if (audited & (1UL << i))
698  {
699  av_name = selinux_catalog[tclass].av[i].av_name;
700  appendStringInfo(&buf, " %s", av_name);
701  }
702  }
703  appendStringInfoString(&buf, " }");
704 
705  /*
706  * Call external audit module, if loaded
707  */
708  appendStringInfo(&buf, " scontext=%s tcontext=%s tclass=%s",
709  scontext, tcontext, class_name);
710  if (audit_name)
711  appendStringInfo(&buf, " name=\"%s\"", audit_name);
712 
713  ereport(LOG, (errmsg("SELinux: %s", buf.data)));
714 }
#define SEPG_CLASS_MAX
Definition: sepgsql.h:54
const char * av_name
Definition: selinux.c:36
#define LOG
Definition: elog.h:26
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:91
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:176
static char * buf
Definition: pg_test_fsync.c:67
static struct @18 selinux_catalog[]
#define ereport(elevel, rest)
Definition: elog.h:141
void initStringInfo(StringInfo str)
Definition: stringinfo.c:59
#define Assert(condition)
Definition: c.h:733
const char * class_name
Definition: selinux.c:32
int errmsg(const char *fmt,...)
Definition: elog.c:822
int i

◆ sepgsql_check_perms()

bool sepgsql_check_perms ( const char *  scontext,
const char *  tcontext,
uint16  tclass,
uint32  required,
const char *  audit_name,
bool  abort_on_violation 
)

Definition at line 898 of file selinux.c.

References ereport, errcode(), errmsg(), ERROR, generate_unaccent_rules::required, sepgsql_audit_log(), sepgsql_compute_avd(), sepgsql_get_debug_audit(), sepgsql_getenforce(), sepgsql_mode, and SEPGSQL_MODE_INTERNAL.

904 {
905  struct av_decision avd;
906  uint32 denied;
907  uint32 audited;
908  bool result = true;
909 
910  sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
911 
912  denied = required & ~avd.allowed;
913 
915  audited = (denied ? denied : required);
916  else
917  audited = (denied ? (denied & avd.auditdeny)
918  : (required & avd.auditallow));
919 
920  if (denied &&
921  sepgsql_getenforce() > 0 &&
922  (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
923  result = false;
924 
925  /*
926  * It records a security audit for the request, if needed. But, when
927  * SE-PgSQL performs 'internal' mode, it needs to keep silent.
928  */
929  if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
930  {
931  sepgsql_audit_log(denied,
932  scontext,
933  tcontext,
934  tclass,
935  audited,
936  audit_name);
937  }
938 
939  if (!result && abort_on_violation)
940  ereport(ERROR,
941  (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
942  errmsg("SELinux: security policy violation")));
943  return result;
944 }
#define SEPGSQL_MODE_INTERNAL
Definition: sepgsql.h:30
static int sepgsql_mode
Definition: selinux.c:607
void sepgsql_compute_avd(const char *scontext, const char *tcontext, uint16 tclass, struct av_decision *avd)
Definition: selinux.c:730
int errcode(int sqlerrcode)
Definition: elog.c:608
bool sepgsql_getenforce(void)
Definition: selinux.c:648
#define ERROR
Definition: elog.h:43
void sepgsql_audit_log(bool denied, const char *scontext, const char *tcontext, uint16 tclass, uint32 audited, const char *audit_name)
Definition: selinux.c:675
bool sepgsql_get_debug_audit(void)
Definition: hooks.c:75
unsigned int uint32
Definition: c.h:359
#define ereport(elevel, rest)
Definition: elog.h:141
int errmsg(const char *fmt,...)
Definition: elog.c:822

◆ sepgsql_compute_avd()

void sepgsql_compute_avd ( const char *  scontext,
const char *  tcontext,
uint16  tclass,
struct av_decision *  avd 
)

Definition at line 730 of file selinux.c.

References Assert, av_code, av_name, class_code, ereport, errcode(), errmsg(), ERROR, i, selinux_catalog, and SEPG_CLASS_MAX.

Referenced by sepgsql_avc_compute(), and sepgsql_check_perms().

734 {
735  const char *tclass_name;
736  security_class_t tclass_ex;
737  struct av_decision avd_ex;
738  int i,
739  deny_unknown = security_deny_unknown();
740 
741  /* Get external code of the object class */
742  Assert(tclass < SEPG_CLASS_MAX);
743  Assert(tclass == selinux_catalog[tclass].class_code);
744 
745  tclass_name = selinux_catalog[tclass].class_name;
746  tclass_ex = string_to_security_class(tclass_name);
747 
748  if (tclass_ex == 0)
749  {
750  /*
751  * If the current security policy does not support permissions
752  * corresponding to database objects, we fill up them with dummy data.
753  * If security_deny_unknown() returns positive value, undefined
754  * permissions should be denied. Otherwise, allowed
755  */
756  avd->allowed = (security_deny_unknown() > 0 ? 0 : ~0);
757  avd->auditallow = 0U;
758  avd->auditdeny = ~0U;
759  avd->flags = 0;
760 
761  return;
762  }
763 
764  /*
765  * Ask SELinux what is allowed set of permissions on a pair of the
766  * security contexts and the given object class.
767  */
768  if (security_compute_av_flags_raw((security_context_t) scontext,
769  (security_context_t) tcontext,
770  tclass_ex, 0, &avd_ex) < 0)
771  ereport(ERROR,
772  (errcode(ERRCODE_INTERNAL_ERROR),
773  errmsg("SELinux could not compute av_decision: "
774  "scontext=%s tcontext=%s tclass=%s: %m",
775  scontext, tcontext, tclass_name)));
776 
777  /*
778  * SELinux returns its access control decision as a set of permissions
779  * represented in external code which depends on run-time environment. So,
780  * we need to translate it to the internal representation before returning
781  * results for the caller.
782  */
783  memset(avd, 0, sizeof(struct av_decision));
784 
785  for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)
786  {
787  access_vector_t av_code_ex;
788  const char *av_name = selinux_catalog[tclass].av[i].av_name;
789  uint32 av_code = selinux_catalog[tclass].av[i].av_code;
790 
791  av_code_ex = string_to_av_perm(tclass_ex, av_name);
792  if (av_code_ex == 0)
793  {
794  /* fill up undefined permissions */
795  if (!deny_unknown)
796  avd->allowed |= av_code;
797  avd->auditdeny |= av_code;
798 
799  continue;
800  }
801 
802  if (avd_ex.allowed & av_code_ex)
803  avd->allowed |= av_code;
804  if (avd_ex.auditallow & av_code_ex)
805  avd->auditallow |= av_code;
806  if (avd_ex.auditdeny & av_code_ex)
807  avd->auditdeny |= av_code;
808  }
809 
810  return;
811 }
#define SEPG_CLASS_MAX
Definition: sepgsql.h:54
const char * av_name
Definition: selinux.c:36
int errcode(int sqlerrcode)
Definition: elog.c:608
#define ERROR
Definition: elog.h:43
uint32 av_code
Definition: selinux.c:37
static struct @18 selinux_catalog[]
unsigned int uint32
Definition: c.h:359
#define ereport(elevel, rest)
Definition: elog.h:141
uint16 class_code
Definition: selinux.c:33
#define Assert(condition)
Definition: c.h:733
int errmsg(const char *fmt,...)
Definition: elog.c:822
int i

◆ sepgsql_compute_create()

char* sepgsql_compute_create ( const char *  scontext,
const char *  tcontext,
uint16  tclass,
const char *  objname 
)

Definition at line 835 of file selinux.c.

References Assert, ereport, errcode(), errmsg(), ERROR, PG_END_TRY, PG_FINALLY, PG_TRY, pstrdup(), selinux_catalog, and SEPG_CLASS_MAX.

Referenced by sepgsql_attribute_post_create(), sepgsql_avc_compute(), sepgsql_database_post_create(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), and sepgsql_schema_post_create().

839 {
840  security_context_t ncontext;
841  security_class_t tclass_ex;
842  const char *tclass_name;
843  char *result;
844 
845  /* Get external code of the object class */
846  Assert(tclass < SEPG_CLASS_MAX);
847 
848  tclass_name = selinux_catalog[tclass].class_name;
849  tclass_ex = string_to_security_class(tclass_name);
850 
851  /*
852  * Ask SELinux what is the default context for the given object class on a
853  * pair of security contexts
854  */
855  if (security_compute_create_name_raw((security_context_t) scontext,
856  (security_context_t) tcontext,
857  tclass_ex,
858  objname,
859  &ncontext) < 0)
860  ereport(ERROR,
861  (errcode(ERRCODE_INTERNAL_ERROR),
862  errmsg("SELinux could not compute a new context: "
863  "scontext=%s tcontext=%s tclass=%s: %m",
864  scontext, tcontext, tclass_name)));
865 
866  /*
867  * libselinux returns malloc()'ed string, so we need to copy it on the
868  * palloc()'ed region.
869  */
870  PG_TRY();
871  {
872  result = pstrdup(ncontext);
873  }
874  PG_FINALLY();
875  {
876  freecon(ncontext);
877  }
878  PG_END_TRY();
879 
880  return result;
881 }
#define SEPG_CLASS_MAX
Definition: sepgsql.h:54
char * pstrdup(const char *in)
Definition: mcxt.c:1186
int errcode(int sqlerrcode)
Definition: elog.c:608
#define ERROR
Definition: elog.h:43
static struct @18 selinux_catalog[]
#define ereport(elevel, rest)
Definition: elog.h:141
#define PG_FINALLY()
Definition: elog.h:339
#define Assert(condition)
Definition: c.h:733
int errmsg(const char *fmt,...)
Definition: elog.c:822
#define PG_TRY()
Definition: elog.h:322
#define PG_END_TRY()
Definition: elog.h:347

◆ sepgsql_get_mode()

int sepgsql_get_mode ( void  )

Definition at line 622 of file selinux.c.

References sepgsql_mode.

Referenced by sepgsql_avc_check_perms_label().

623 {
624  return sepgsql_mode;
625 }
static int sepgsql_mode
Definition: selinux.c:607

◆ sepgsql_getenforce()

bool sepgsql_getenforce ( void  )

Definition at line 648 of file selinux.c.

References sepgsql_mode, and SEPGSQL_MODE_DEFAULT.

Referenced by check_relation_privileges(), sepgsql_avc_check_perms_label(), sepgsql_check_perms(), and sepgsql_utility_command().

649 {
651  selinux_status_getenforce() > 0)
652  return true;
653 
654  return false;
655 }
static int sepgsql_mode
Definition: selinux.c:607
#define SEPGSQL_MODE_DEFAULT
Definition: sepgsql.h:28

◆ sepgsql_is_enabled()

bool sepgsql_is_enabled ( void  )

Definition at line 613 of file selinux.c.

References sepgsql_mode, and SEPGSQL_MODE_DISABLED.

Referenced by sepgsql_getcon(), sepgsql_mcstrans_in(), sepgsql_mcstrans_out(), and sepgsql_restorecon().

614 {
615  return (sepgsql_mode != SEPGSQL_MODE_DISABLED ? true : false);
616 }
static int sepgsql_mode
Definition: selinux.c:607
#define SEPGSQL_MODE_DISABLED
Definition: sepgsql.h:31

◆ sepgsql_set_mode()

int sepgsql_set_mode ( int  new_mode)

Definition at line 631 of file selinux.c.

References sepgsql_mode.

Referenced by _PG_init(), and sepgsql_client_auth().

632 {
633  int old_mode = sepgsql_mode;
634 
635  sepgsql_mode = new_mode;
636 
637  return old_mode;
638 }
static int sepgsql_mode
Definition: selinux.c:607

Variable Documentation

◆ av

◆ av_code

uint32 av_code

Definition at line 37 of file selinux.c.

Referenced by sepgsql_compute_avd().

◆ av_name

const char* av_name

Definition at line 36 of file selinux.c.

Referenced by sepgsql_audit_log(), and sepgsql_compute_avd().

◆ class_code

uint16 class_code

Definition at line 33 of file selinux.c.

Referenced by sepgsql_compute_avd().

◆ class_name

const char* class_name

Definition at line 32 of file selinux.c.

Referenced by sepgsql_audit_log(), and to_regclass().

◆ selinux_catalog

struct { ... } selinux_catalog[]

◆ sepgsql_mode