selinux.c

Go to the documentation of this file.

/* -------------------------------------------------------------------------
 *
 * contrib/sepgsql/selinux.c
 *
 * Interactions between userspace and selinux in kernelspace,
 * using libselinux api.
 *
 * Copyright (c) 2010-2018, PostgreSQL Global Development Group
 *
 * -------------------------------------------------------------------------
 */
#include "postgres.h"

#include "lib/stringinfo.h"

#include "sepgsql.h"

/*
 * selinux_catalog
 *
 * This mapping table enables to translate the name of object classes and
 * access vectors to/from their own codes.
 * When we ask SELinux whether the required privileges are allowed or not,
 * we use security_compute_av(3). It needs us to represent object classes
 * and access vectors using 'external' codes defined in the security policy.
 * It is determined in the runtime, not build time. So, it needs an internal
 * service to translate object class/access vectors which we want to check
 * into the code which kernel want to be given.
 */
static struct
{
    const char *class_name;
    uint16      class_code;
    struct
    {
        const char *av_name;
        uint32      av_code;
    }           av[32];
}           selinux_catalog[] =

{
    {
        "process", SEPG_CLASS_PROCESS,
        {
            {
                "transition", SEPG_PROCESS__TRANSITION
            },
            {
                "dyntransition", SEPG_PROCESS__DYNTRANSITION
            },
            {
                "setcurrent", SEPG_PROCESS__SETCURRENT
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "file", SEPG_CLASS_FILE,
        {
            {
                "read", SEPG_FILE__READ
            },
            {
                "write", SEPG_FILE__WRITE
            },
            {
                "create", SEPG_FILE__CREATE
            },
            {
                "getattr", SEPG_FILE__GETATTR
            },
            {
                "unlink", SEPG_FILE__UNLINK
            },
            {
                "rename", SEPG_FILE__RENAME
            },
            {
                "append", SEPG_FILE__APPEND
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "dir", SEPG_CLASS_DIR,
        {
            {
                "read", SEPG_DIR__READ
            },
            {
                "write", SEPG_DIR__WRITE
            },
            {
                "create", SEPG_DIR__CREATE
            },
            {
                "getattr", SEPG_DIR__GETATTR
            },
            {
                "unlink", SEPG_DIR__UNLINK
            },
            {
                "rename", SEPG_DIR__RENAME
            },
            {
                "search", SEPG_DIR__SEARCH
            },
            {
                "add_name", SEPG_DIR__ADD_NAME
            },
            {
                "remove_name", SEPG_DIR__REMOVE_NAME
            },
            {
                "rmdir", SEPG_DIR__RMDIR
            },
            {
                "reparent", SEPG_DIR__REPARENT
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "lnk_file", SEPG_CLASS_LNK_FILE,
        {
            {
                "read", SEPG_LNK_FILE__READ
            },
            {
                "write", SEPG_LNK_FILE__WRITE
            },
            {
                "create", SEPG_LNK_FILE__CREATE
            },
            {
                "getattr", SEPG_LNK_FILE__GETATTR
            },
            {
                "unlink", SEPG_LNK_FILE__UNLINK
            },
            {
                "rename", SEPG_LNK_FILE__RENAME
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "chr_file", SEPG_CLASS_CHR_FILE,
        {
            {
                "read", SEPG_CHR_FILE__READ
            },
            {
                "write", SEPG_CHR_FILE__WRITE
            },
            {
                "create", SEPG_CHR_FILE__CREATE
            },
            {
                "getattr", SEPG_CHR_FILE__GETATTR
            },
            {
                "unlink", SEPG_CHR_FILE__UNLINK
            },
            {
                "rename", SEPG_CHR_FILE__RENAME
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "blk_file", SEPG_CLASS_BLK_FILE,
        {
            {
                "read", SEPG_BLK_FILE__READ
            },
            {
                "write", SEPG_BLK_FILE__WRITE
            },
            {
                "create", SEPG_BLK_FILE__CREATE
            },
            {
                "getattr", SEPG_BLK_FILE__GETATTR
            },
            {
                "unlink", SEPG_BLK_FILE__UNLINK
            },
            {
                "rename", SEPG_BLK_FILE__RENAME
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "sock_file", SEPG_CLASS_SOCK_FILE,
        {
            {
                "read", SEPG_SOCK_FILE__READ
            },
            {
                "write", SEPG_SOCK_FILE__WRITE
            },
            {
                "create", SEPG_SOCK_FILE__CREATE
            },
            {
                "getattr", SEPG_SOCK_FILE__GETATTR
            },
            {
                "unlink", SEPG_SOCK_FILE__UNLINK
            },
            {
                "rename", SEPG_SOCK_FILE__RENAME
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "fifo_file", SEPG_CLASS_FIFO_FILE,
        {
            {
                "read", SEPG_FIFO_FILE__READ
            },
            {
                "write", SEPG_FIFO_FILE__WRITE
            },
            {
                "create", SEPG_FIFO_FILE__CREATE
            },
            {
                "getattr", SEPG_FIFO_FILE__GETATTR
            },
            {
                "unlink", SEPG_FIFO_FILE__UNLINK
            },
            {
                "rename", SEPG_FIFO_FILE__RENAME
            },
            {
                NULL, 0UL
            }
        }
    },
    {
        "db_database", SEPG_CLASS_DB_DATABASE,
        {
            {
                "create", SEPG_DB_DATABASE__CREATE
            },
            {
                "drop", SEPG_DB_DATABASE__DROP
            },
            {
                "getattr", SEPG_DB_DATABASE__GETATTR
            },
            {
                "setattr", SEPG_DB_DATABASE__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_DATABASE__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_DATABASE__RELABELTO
            },
            {
                "access", SEPG_DB_DATABASE__ACCESS
            },
            {
                "load_module", SEPG_DB_DATABASE__LOAD_MODULE
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_schema", SEPG_CLASS_DB_SCHEMA,
        {
            {
                "create", SEPG_DB_SCHEMA__CREATE
            },
            {
                "drop", SEPG_DB_SCHEMA__DROP
            },
            {
                "getattr", SEPG_DB_SCHEMA__GETATTR
            },
            {
                "setattr", SEPG_DB_SCHEMA__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_SCHEMA__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_SCHEMA__RELABELTO
            },
            {
                "search", SEPG_DB_SCHEMA__SEARCH
            },
            {
                "add_name", SEPG_DB_SCHEMA__ADD_NAME
            },
            {
                "remove_name", SEPG_DB_SCHEMA__REMOVE_NAME
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_table", SEPG_CLASS_DB_TABLE,
        {
            {
                "create", SEPG_DB_TABLE__CREATE
            },
            {
                "drop", SEPG_DB_TABLE__DROP
            },
            {
                "getattr", SEPG_DB_TABLE__GETATTR
            },
            {
                "setattr", SEPG_DB_TABLE__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_TABLE__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_TABLE__RELABELTO
            },
            {
                "select", SEPG_DB_TABLE__SELECT
            },
            {
                "update", SEPG_DB_TABLE__UPDATE
            },
            {
                "insert", SEPG_DB_TABLE__INSERT
            },
            {
                "delete", SEPG_DB_TABLE__DELETE
            },
            {
                "lock", SEPG_DB_TABLE__LOCK
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_sequence", SEPG_CLASS_DB_SEQUENCE,
        {
            {
                "create", SEPG_DB_SEQUENCE__CREATE
            },
            {
                "drop", SEPG_DB_SEQUENCE__DROP
            },
            {
                "getattr", SEPG_DB_SEQUENCE__GETATTR
            },
            {
                "setattr", SEPG_DB_SEQUENCE__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_SEQUENCE__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_SEQUENCE__RELABELTO
            },
            {
                "get_value", SEPG_DB_SEQUENCE__GET_VALUE
            },
            {
                "next_value", SEPG_DB_SEQUENCE__NEXT_VALUE
            },
            {
                "set_value", SEPG_DB_SEQUENCE__SET_VALUE
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_procedure", SEPG_CLASS_DB_PROCEDURE,
        {
            {
                "create", SEPG_DB_PROCEDURE__CREATE
            },
            {
                "drop", SEPG_DB_PROCEDURE__DROP
            },
            {
                "getattr", SEPG_DB_PROCEDURE__GETATTR
            },
            {
                "setattr", SEPG_DB_PROCEDURE__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_PROCEDURE__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_PROCEDURE__RELABELTO
            },
            {
                "execute", SEPG_DB_PROCEDURE__EXECUTE
            },
            {
                "entrypoint", SEPG_DB_PROCEDURE__ENTRYPOINT
            },
            {
                "install", SEPG_DB_PROCEDURE__INSTALL
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_column", SEPG_CLASS_DB_COLUMN,
        {
            {
                "create", SEPG_DB_COLUMN__CREATE
            },
            {
                "drop", SEPG_DB_COLUMN__DROP
            },
            {
                "getattr", SEPG_DB_COLUMN__GETATTR
            },
            {
                "setattr", SEPG_DB_COLUMN__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_COLUMN__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_COLUMN__RELABELTO
            },
            {
                "select", SEPG_DB_COLUMN__SELECT
            },
            {
                "update", SEPG_DB_COLUMN__UPDATE
            },
            {
                "insert", SEPG_DB_COLUMN__INSERT
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_tuple", SEPG_CLASS_DB_TUPLE,
        {
            {
                "relabelfrom", SEPG_DB_TUPLE__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_TUPLE__RELABELTO
            },
            {
                "select", SEPG_DB_TUPLE__SELECT
            },
            {
                "update", SEPG_DB_TUPLE__UPDATE
            },
            {
                "insert", SEPG_DB_TUPLE__INSERT
            },
            {
                "delete", SEPG_DB_TUPLE__DELETE
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_blob", SEPG_CLASS_DB_BLOB,
        {
            {
                "create", SEPG_DB_BLOB__CREATE
            },
            {
                "drop", SEPG_DB_BLOB__DROP
            },
            {
                "getattr", SEPG_DB_BLOB__GETATTR
            },
            {
                "setattr", SEPG_DB_BLOB__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_BLOB__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_BLOB__RELABELTO
            },
            {
                "read", SEPG_DB_BLOB__READ
            },
            {
                "write", SEPG_DB_BLOB__WRITE
            },
            {
                "import", SEPG_DB_BLOB__IMPORT
            },
            {
                "export", SEPG_DB_BLOB__EXPORT
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_language", SEPG_CLASS_DB_LANGUAGE,
        {
            {
                "create", SEPG_DB_LANGUAGE__CREATE
            },
            {
                "drop", SEPG_DB_LANGUAGE__DROP
            },
            {
                "getattr", SEPG_DB_LANGUAGE__GETATTR
            },
            {
                "setattr", SEPG_DB_LANGUAGE__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_LANGUAGE__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_LANGUAGE__RELABELTO
            },
            {
                "implement", SEPG_DB_LANGUAGE__IMPLEMENT
            },
            {
                "execute", SEPG_DB_LANGUAGE__EXECUTE
            },
            {
                NULL, 0UL
            },
        }
    },
    {
        "db_view", SEPG_CLASS_DB_VIEW,
        {
            {
                "create", SEPG_DB_VIEW__CREATE
            },
            {
                "drop", SEPG_DB_VIEW__DROP
            },
            {
                "getattr", SEPG_DB_VIEW__GETATTR
            },
            {
                "setattr", SEPG_DB_VIEW__SETATTR
            },
            {
                "relabelfrom", SEPG_DB_VIEW__RELABELFROM
            },
            {
                "relabelto", SEPG_DB_VIEW__RELABELTO
            },
            {
                "expand", SEPG_DB_VIEW__EXPAND
            },
            {
                NULL, 0UL
            },
        }
    },
};

/*
 * sepgsql_mode
 *
 * SEPGSQL_MODE_DISABLED: Disabled on runtime
 * SEPGSQL_MODE_DEFAULT: Same as system settings
 * SEPGSQL_MODE_PERMISSIVE: Always permissive mode
 * SEPGSQL_MODE_INTERNAL: Same as permissive, except for no audit logs
 */
static int  sepgsql_mode = SEPGSQL_MODE_INTERNAL;

/*
 * sepgsql_is_enabled
 */
bool
sepgsql_is_enabled(void)
{
    return (sepgsql_mode != SEPGSQL_MODE_DISABLED ? true : false);
}

/*
 * sepgsql_get_mode
 */
int
sepgsql_get_mode(void)
{
    return sepgsql_mode;
}

/*
 * sepgsql_set_mode
 */
int
sepgsql_set_mode(int new_mode)
{
    int         old_mode = sepgsql_mode;

    sepgsql_mode = new_mode;

    return old_mode;
}

/*
 * sepgsql_getenforce
 *
 * It returns whether the current working mode tries to enforce access
 * control decision, or not. It shall be enforced when sepgsql_mode is
 * SEPGSQL_MODE_DEFAULT and system is running in enforcing mode.
 */
bool
sepgsql_getenforce(void)
{
    if (sepgsql_mode == SEPGSQL_MODE_DEFAULT &&
        selinux_status_getenforce() > 0)
        return true;

    return false;
}

/*
 * sepgsql_audit_log
 *
 * It generates a security audit record. In the default, it writes out
 * audit records into standard PG's logfile. It also allows to set up
 * external audit log receiver, such as auditd in Linux, using the
 * sepgsql_audit_hook.
 *
 * SELinux can control what should be audited and should not using
 * "auditdeny" and "auditallow" rules in the security policy. In the
 * default, all the access violations are audited, and all the access
 * allowed are not audited. But we can set up the security policy, so
 * we can have exceptions. So, it is necessary to follow the suggestion
 * come from the security policy. (av_decision.auditallow and auditdeny)
 *
 * Security audit is an important feature, because it enables us to check
 * what was happen if we have a security incident. In fact, ISO/IEC15408
 * defines several security functionalities for audit features.
 */
void
sepgsql_audit_log(bool denied,
                  const char *scontext,
                  const char *tcontext,
                  uint16 tclass,
                  uint32 audited,
                  const char *audit_name)
{
    StringInfoData buf;
    const char *class_name;
    const char *av_name;
    int         i;

    /* lookup name of the object class */
    Assert(tclass < SEPG_CLASS_MAX);
    class_name = selinux_catalog[tclass].class_name;

    /* lookup name of the permissions */
    initStringInfo(&buf);
    appendStringInfo(&buf, "%s {",
                     (denied ? "denied" : "allowed"));
    for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)
    {
        if (audited & (1UL << i))
        {
            av_name = selinux_catalog[tclass].av[i].av_name;
            appendStringInfo(&buf, " %s", av_name);
        }
    }
    appendStringInfo(&buf, " }");

    /*
     * Call external audit module, if loaded
     */
    appendStringInfo(&buf, " scontext=%s tcontext=%s tclass=%s",
                     scontext, tcontext, class_name);
    if (audit_name)
        appendStringInfo(&buf, " name=\"%s\"", audit_name);

    ereport(LOG, (errmsg("SELinux: %s", buf.data)));
}

/*
 * sepgsql_compute_avd
 *
 * It actually asks SELinux what permissions are allowed on a pair of
 * the security contexts and object class. It also returns what permissions
 * should be audited on access violation or allowed.
 * In most cases, subject's security context (scontext) is a client, and
 * target security context (tcontext) is a database object.
 *
 * The access control decision shall be set on the given av_decision.
 * The av_decision.allowed has a bitmask of SEPG_<class>__<perms>
 * to suggest a set of allowed actions in this object class.
 */
void
sepgsql_compute_avd(const char *scontext,
                    const char *tcontext,
                    uint16 tclass,
                    struct av_decision *avd)
{
    const char *tclass_name;
    security_class_t tclass_ex;
    struct av_decision avd_ex;
    int         i,
                deny_unknown = security_deny_unknown();

    /* Get external code of the object class */
    Assert(tclass < SEPG_CLASS_MAX);
    Assert(tclass == selinux_catalog[tclass].class_code);

    tclass_name = selinux_catalog[tclass].class_name;
    tclass_ex = string_to_security_class(tclass_name);

    if (tclass_ex == 0)
    {
        /*
         * If the current security policy does not support permissions
         * corresponding to database objects, we fill up them with dummy data.
         * If security_deny_unknown() returns positive value, undefined
         * permissions should be denied. Otherwise, allowed
         */
        avd->allowed = (security_deny_unknown() > 0 ? 0 : ~0);
        avd->auditallow = 0U;
        avd->auditdeny = ~0U;
        avd->flags = 0;

        return;
    }

    /*
     * Ask SELinux what is allowed set of permissions on a pair of the
     * security contexts and the given object class.
     */
    if (security_compute_av_flags_raw((security_context_t) scontext,
                                      (security_context_t) tcontext,
                                      tclass_ex, 0, &avd_ex) < 0)
        ereport(ERROR,
                (errcode(ERRCODE_INTERNAL_ERROR),
                 errmsg("SELinux could not compute av_decision: "
                        "scontext=%s tcontext=%s tclass=%s: %m",
                        scontext, tcontext, tclass_name)));

    /*
     * SELinux returns its access control decision as a set of permissions
     * represented in external code which depends on run-time environment. So,
     * we need to translate it to the internal representation before returning
     * results for the caller.
     */
    memset(avd, 0, sizeof(struct av_decision));

    for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)
    {
        access_vector_t av_code_ex;
        const char *av_name = selinux_catalog[tclass].av[i].av_name;
        uint32      av_code = selinux_catalog[tclass].av[i].av_code;

        av_code_ex = string_to_av_perm(tclass_ex, av_name);
        if (av_code_ex == 0)
        {
            /* fill up undefined permissions */
            if (!deny_unknown)
                avd->allowed |= av_code;
            avd->auditdeny |= av_code;

            continue;
        }

        if (avd_ex.allowed & av_code_ex)
            avd->allowed |= av_code;
        if (avd_ex.auditallow & av_code_ex)
            avd->auditallow |= av_code;
        if (avd_ex.auditdeny & av_code_ex)
            avd->auditdeny |= av_code;
    }

    return;
}

/*
 * sepgsql_compute_create
 *
 * It returns a default security context to be assigned on a new database
 * object. SELinux compute it based on a combination of client, upper object
 * which owns the new object and object class.
 *
 * For example, when a client (staff_u:staff_r:staff_t:s0) tries to create
 * a new table within a schema (system_u:object_r:sepgsql_schema_t:s0),
 * SELinux looks-up its security policy. If it has a special rule on the
 * combination of these security contexts and object class (db_table),
 * it returns the security context suggested by the special rule.
 * Otherwise, it returns the security context of schema, as is.
 *
 * We expect the caller already applies sanity/validation checks on the
 * given security context.
 *
 * scontext: security context of the subject (mostly, peer process).
 * tcontext: security context of the upper database object.
 * tclass: class code (SEPG_CLASS_*) of the new object in creation
 */
char *
sepgsql_compute_create(const char *scontext,
                       const char *tcontext,
                       uint16 tclass,
                       const char *objname)
{
    security_context_t ncontext;
    security_class_t tclass_ex;
    const char *tclass_name;
    char       *result;

    /* Get external code of the object class */
    Assert(tclass < SEPG_CLASS_MAX);

    tclass_name = selinux_catalog[tclass].class_name;
    tclass_ex = string_to_security_class(tclass_name);

    /*
     * Ask SELinux what is the default context for the given object class on a
     * pair of security contexts
     */
    if (security_compute_create_name_raw((security_context_t) scontext,
                                         (security_context_t) tcontext,
                                         tclass_ex,
                                         objname,
                                         &ncontext) < 0)
        ereport(ERROR,
                (errcode(ERRCODE_INTERNAL_ERROR),
                 errmsg("SELinux could not compute a new context: "
                        "scontext=%s tcontext=%s tclass=%s: %m",
                        scontext, tcontext, tclass_name)));

    /*
     * libselinux returns malloc()'ed string, so we need to copy it on the
     * palloc()'ed region.
     */
    PG_TRY();
    {
        result = pstrdup(ncontext);
    }
    PG_CATCH();
    {
        freecon(ncontext);
        PG_RE_THROW();
    }
    PG_END_TRY();
    freecon(ncontext);

    return result;
}

/*
 * sepgsql_check_perms
 *
 * It makes access control decision without userspace caching mechanism.
 * If SELinux denied the required accesses on the pair of security labels,
 * it raises an error or returns false.
 *
 * scontext: security label of the subject (mostly, peer process)
 * tcontext: security label of the object being referenced
 * tclass: class code (SEPG_CLASS_*) of the object being referenced
 * required: a mask of required permissions (SEPG_<class>__<perm>)
 * audit_name: a human readable object name for audit logs, or NULL.
 * abort_on_violation: true, if error shall be raised on access violation
 */
bool
sepgsql_check_perms(const char *scontext,
                    const char *tcontext,
                    uint16 tclass,
                    uint32 required,
                    const char *audit_name,
                    bool abort_on_violation)
{
    struct av_decision avd;
    uint32      denied;
    uint32      audited;
    bool        result = true;

    sepgsql_compute_avd(scontext, tcontext, tclass, &avd);

    denied = required & ~avd.allowed;

    if (sepgsql_get_debug_audit())
        audited = (denied ? denied : required);
    else
        audited = (denied ? (denied & avd.auditdeny)
                   : (required & avd.auditallow));

    if (denied &&
        sepgsql_getenforce() > 0 &&
        (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
        result = false;

    /*
     * It records a security audit for the request, if needed. But, when
     * SE-PgSQL performs 'internal' mode, it needs to keep silent.
     */
    if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
    {
        sepgsql_audit_log(denied,
                          scontext,
                          tcontext,
                          tclass,
                          audited,
                          audit_name);
    }

    if (!result && abort_on_violation)
        ereport(ERROR,
                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                 errmsg("SELinux: security policy violation")));
    return result;
}