/*
 * Excerpt: sizing constants for the userspace access vector cache, followed
 * by part of the hash expression. AVC_NUM_SLOTS is the length of the
 * avc_slots[] array of lists declared in this file.
 * NOTE(review): AVC_NUM_RECLAIM and AVC_DEF_THRESHOLD presumably control how
 * many slots are reclaimed and when; their use is not visible here.
 *
 * The visible part of the hash XORs hash_any() over the source context string
 * with hash_any() over the target context string; the rest of the expression
 * is cut off in this listing. strlen()'s size_t result is narrowed to
 * hash_any()'s int keylen, presumably harmless for label-sized strings.
 */
52 #define AVC_NUM_SLOTS 512 53 #define AVC_NUM_RECLAIM 16 54 #define AVC_DEF_THRESHOLD 384 69 return hash_any((
const unsigned char *) scontext, strlen(scontext))
70 ^
hash_any((
const unsigned char *) tcontext, strlen(tcontext))
/* Walks every entry chained in one slot of the cache (loop body not shown). */
101 foreach(cell, avc_slots[index])
/*
 * A positive return means libselinux saw a kernel status change since the
 * previous check, so decisions cached before it may be stale. What the branch
 * does is not visible in this excerpt.
 * NOTE(review): an error return (< 0) does not take this branch -- confirm
 * that stale entries cannot survive a failed status check.
 */
154 if (selinux_status_updated() > 0)
/*
 * Fetches the policy's initial context named "unlabeled"; a failure is
 * reported with ERRCODE_INTERNAL_ERROR and the errno text (%m). The report
 * level is on a line this listing omits.
 */
176 if (security_get_initial_context_raw(
"unlabeled", &unlabeled) < 0)
178 (
errcode(ERRCODE_INTERNAL_ERROR),
179 errmsg(
"SELinux: failed to get initial security label: %m")));
/* Locals of the routine that computes a decision on a cache miss (excerpt). */
202 char *ucontext = NULL;
203 char *ncontext = NULL;
208 struct av_decision avd;
/*
 * The target label is checked against the loaded policy before it is used.
 * NOTE(review): the branch body is not shown; presumably an invalid label is
 * replaced by the "unlabeled" context (ucontext) -- confirm in the full file.
 */
219 if (security_check_context_raw(tcontext) != 0)
/*
 * Compares the source context with ncontext.
 * NOTE(review): ncontext looks like the label computed for a new object or
 * process; equality presumably means "no transition" -- confirm.
 */
248 if (strcmp(scontext, ncontext) == 0)
/*
 * Tests whether the kernel marked this decision as permissive. The effect on
 * the cached entry is on lines this listing omits.
 */
271 if (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE)
/* The new entry is prepended to the list held in its hash slot. */
283 avc_slots[index] =
lcons(cache, avc_slots[index]);
/*
 * Cache lookup (excerpt): scans the entries chained in one slot.
 * A hit requires the stored hash, the object class, and BOTH context strings
 * to match; the strcmp() calls mean a hash collision alone cannot hand back a
 * decision cached for a different label pair.
 */
307 foreach(cell, avc_slots[index])
311 if (cache->
hash == hash &&
312 cache->
tclass == tclass &&
313 strcmp(cache->
tcontext, tcontext) == 0 &&
314 strcmp(cache->
scontext, scontext) == 0)
/*
 * Tail of a permission-check signature; the opening of the signature and most
 * of the body are outside this excerpt.
 */
339 const char *audit_name,
340 bool abort_on_violation)
/* Requested permission bits that the cached decision does not allow. */
363 denied = required & ~cache->
allowed;
/*
 * Mask ~0 keeps every bit: all denied bits are audited, or all required bits
 * when nothing was denied.
 * NOTE(review): the enclosing condition is not shown; presumably this is the
 * debug-audit path -- confirm.
 */
369 audited = (denied ? (denied & ~0) : (required & ~0));
/*
 * Normal path: denied bits are filtered through the entry's auditdeny mask.
 * The "nothing denied" arm of this expression is cut off in the listing.
 */
371 audited = denied ? (denied & cache->
auditdeny)
/*
 * A failed check raises ERRCODE_INSUFFICIENT_PRIVILEGE only when the caller
 * passed abort_on_violation = true.
 * NOTE(review): with abort_on_violation = false the denial is not raised
 * here, so callers presumably must act on the returned result themselves --
 * verify each such call site.
 */
410 if (abort_on_violation && !result)
412 (
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
413 errmsg(
"SELinux: security policy violation")));
/*
 * Tail of a second permission-check signature, and the end of a call that
 * forwards audit_name and abort_on_violation unchanged. The callee's name is
 * on a line this listing omits.
 */
421 const char *audit_name,
422 bool abort_on_violation)
429 audit_name, abort_on_violation);
/* Sets the target object's catalog class to ProcedureRelationId. */
451 tobject.
classId = ProcedureRelationId;
/* Releases the libselinux status-page handle (excerpt of the exit path). */
478 selinux_status_close();
/*
 * Initialisation (excerpt): the string is presumably the name given to the
 * cache's memory context; all slot lists start out empty.
 */
495 "userspace access vector cache",
497 memset(avc_slots, 0,
sizeof(avc_slots));
/*
 * Opens the kernel status page; the argument 1 lets libselinux fall back to
 * another notification mechanism if the page cannot be mapped.
 * The conditions guarding the two reports below are on lines this listing
 * omits: one reports ERRCODE_INTERNAL_ERROR with the errno text, the other
 * logs that fallback mode is in use.
 * NOTE(review): in fallback mode, policy-change detection no longer comes
 * from the mapped status page; treat the fallback message as a signal to
 * check that cache invalidation still works on that host.
 */
509 rc = selinux_status_open(1);
512 (
errcode(ERRCODE_INTERNAL_ERROR),
513 errmsg(
"SELinux: could not open selinux status : %m")));
516 (
errmsg(
"SELinux: kernel status page uses fallback mode")));
#define SEPGSQL_MODE_INTERNAL
static char * avc_unlabeled
#define AllocSetContextCreate
#define AVC_DEF_THRESHOLD
static uint32 sepgsql_avc_hash(const char *scontext, const char *tcontext, uint16 tclass)
void on_proc_exit(pg_on_exit_callback function, Datum arg)
static void sepgsql_avc_reset(void)
char * pstrdup(const char *in)
void sepgsql_compute_avd(const char *scontext, const char *tcontext, uint16 tclass, struct av_decision *avd)
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
int errcode(int sqlerrcode)
bool sepgsql_getenforce(void)
static char * sepgsql_avc_unlabeled(void)
void MemoryContextReset(MemoryContext context)
static avc_cache * sepgsql_avc_lookup(const char *scontext, const char *tcontext, uint16 tclass)
static avc_cache * sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
#define SEPGSQL_AVC_NOAUDIT
#define SEPG_CLASS_PROCESS
#define foreach_delete_current(lst, cell)
int sepgsql_get_mode(void)
void pfree(void *pointer)
static MemoryContext avc_mem_cxt
void sepgsql_audit_log(bool denied, const char *scontext, const char *tcontext, uint16 tclass, uint32 audited, const char *audit_name)
char * GetSecurityLabel(const ObjectAddress *object, const char *provider)
#define ALLOCSET_DEFAULT_SIZES
bool sepgsql_get_debug_audit(void)
#define SEPG_CLASS_DB_PROCEDURE
void sepgsql_avc_init(void)
static void sepgsql_avc_exit(int code, Datum arg)
#define SEPGSQL_LABEL_TAG
static Datum hash_any(const unsigned char *k, int keylen)
char * sepgsql_avc_trusted_proc(Oid functionId)
MemoryContext TopMemoryContext
static int avc_num_caches
void * palloc0(Size size)
#define ereport(elevel,...)
List * lcons(void *datum, List *list)
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
static List * avc_slots[AVC_NUM_SLOTS]
static void sepgsql_avc_reclaim(void)
char * sepgsql_get_client_label(void)
static bool sepgsql_avc_check_valid(void)
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
int errmsg(const char *fmt,...)
char * MemoryContextStrdup(MemoryContext context, const char *string)
static unsigned hash(unsigned *uv, int n)
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)