contrib/sepgsql/database.c | 100 +++++++++++++++++++++++++++++++-- contrib/sepgsql/expected/create.out | 19 ++++++ contrib/sepgsql/hooks.c | 104 +++++++++++++++++++++++------------ contrib/sepgsql/sepgsql.h | 10 +++ contrib/sepgsql/sql/create.sql | 15 +++++ contrib/sepgsql/test_sepgsql | 2 +- 6 files changed, 208 insertions(+), 42 deletions(-) diff --git a/contrib/sepgsql/database.c b/contrib/sepgsql/database.c index 7f15d9c..ce5a095 100644 --- a/contrib/sepgsql/database.c +++ b/contrib/sepgsql/database.c @@ -10,35 +10,122 @@ */ #include "postgres.h" +#include "access/genam.h" +#include "access/heapam.h" +#include "access/sysattr.h" #include "catalog/dependency.h" #include "catalog/pg_database.h" +#include "catalog/indexing.h" +#include "commands/dbcommands.h" #include "commands/seclabel.h" +#include "utils/fmgroids.h" +#include "utils/tqual.h" #include "sepgsql.h" +/* + * sepgsql_database_get_catalog + * + * This routine tries to reference pg_database catalog with supplied OID and + * SnapshotSelf visibility, then returns a copy of the HeapTuple. + */ +static HeapTuple +sepgsql_database_get_catalog(Oid databaseId) +{ + Relation catalog; + ScanKeyData skey; + SysScanDesc sscan; + HeapTuple tuple; + + catalog = heap_open(DatabaseRelationId, AccessShareLock); + + ScanKeyInit(&skey, + ObjectIdAttributeNumber, + BTEqualStrategyNumber, F_OIDEQ, + ObjectIdGetDatum(databaseId)); + + sscan = systable_beginscan(catalog, DatabaseOidIndexId, true, + SnapshotSelf, 1, &skey); + + tuple = systable_getnext(sscan); + if (!HeapTupleIsValid(tuple)) + elog(ERROR, "catalog lookup failed for database %u", databaseId); + + tuple = heap_copytuple(tuple); + + systable_endscan(sscan); + heap_close(catalog, AccessShareLock); + + return tuple; +} + +/* + * sepgsql_database_post_create + * + * This routine assigns a default security label on a newly defined + * database, and check permission needed for its creation. + */ void sepgsql_database_post_create(Oid databaseId) { char *scontext = sepgsql_get_client_label(); char *tcontext; char *ncontext; + char *dtemplate; + char audit_name[NAMEDATALEN + 20]; ObjectAddress object; + HeapTuple dattup; + + Assert(sepgsql_context_info.cmdtype == T_CreatedbStmt); + + /* + * Because OID of source database is not saved within pg_database + * catalog entry, we pick up it from the contextual information + * saved on entrypoint of ProcessUtility + */ + dtemplate = sepgsql_context_info.createdb_template; + if (!dtemplate) + dtemplate = "template0"; + + object.classId = DatabaseRelationId; + object.objectId = get_database_oid(dtemplate, false); + object.objectSubId = 0; + + tcontext = sepgsql_get_label(object.classId, + object.objectId, + object.objectSubId); + /* + * check db_database:{getattr} permission + */ + snprintf(audit_name, sizeof(audit_name), "database %s", dtemplate); + sepgsql_avc_check_perms_label(tcontext, + SEPG_CLASS_DB_DATABASE, + SEPG_DB_DATABASE__GETATTR, + audit_name, + true); /* * Compute a default security label of the newly created database * based on a pair of security label of client and source database. * - * XXX - Right now, this logic uses "template1" as its source, because - * here is no way to know the Oid of source database. + * XXX - uncoming version of libselinux supports to take object + * name to handle special treatment on default security label. */ - object.classId = DatabaseRelationId; - object.objectId = TemplateDbOid; - object.objectSubId = 0; - tcontext = GetSecurityLabel(&object, SEPGSQL_LABEL_TAG); + dattup = sepgsql_database_get_catalog(databaseId); ncontext = sepgsql_compute_create(scontext, tcontext, SEPG_CLASS_DB_DATABASE); /* + * check db_database:{create} permission + */ + snprintf(audit_name, sizeof(audit_name), "database %s", + NameStr(((Form_pg_database) GETSTRUCT(dattup))->datname)); + sepgsql_avc_check_perms_label(ncontext, + SEPG_CLASS_DB_DATABASE, + SEPG_DB_DATABASE__CREATE, + audit_name, + true); + /* * Assign the default security label on the new database */ object.classId = DatabaseRelationId; @@ -47,6 +134,7 @@ sepgsql_database_post_create(Oid databaseId) SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext); + heap_freetuple(dattup); pfree(ncontext); pfree(tcontext); } diff --git a/contrib/sepgsql/expected/create.out b/contrib/sepgsql/expected/create.out new file mode 100644 index 0000000..cc60118 --- /dev/null +++ b/contrib/sepgsql/expected/create.out @@ -0,0 +1,19 @@ +-- +-- Regression Test for Creation of Object Permission Checks +-- +-- confirm required permissions using audit messages +SELECT sepgsql_getcon(); -- confirm client privilege + sepgsql_getcon +------------------------------------------- + unconfined_u:unconfined_r:unconfined_t:s0 +(1 row) + +SET sepgsql.debug_audit = true; +SET client_min_messages = LOG; +CREATE DATABASE regtest_sepgsql_test_database; +LOG: SELinux: allowed { getattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_db_t:s0 tclass=db_database name="database template0" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_db_t:s0 tclass=db_database name="database regtest_sepgsql_test_database" +-- +-- clean-up +-- +DROP DATABASE IF EXISTS regtest_sepgsql_test_database; diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c index 331bbd7..bbc9a82 100644 --- a/contrib/sepgsql/hooks.c +++ b/contrib/sepgsql/hooks.c @@ -31,6 +31,7 @@ PG_MODULE_MAGIC; * Declarations */ void _PG_init(void); +sepgsql_context_info_t sepgsql_context_info; /* * Saved hook entries (if stacked) @@ -308,44 +309,74 @@ sepgsql_utility_command(Node *parsetree, DestReceiver *dest, char *completionTag) { - if (next_ProcessUtility_hook) - (*next_ProcessUtility_hook) (parsetree, queryString, params, - isTopLevel, dest, completionTag); + sepgsql_context_info_t saved_context_info = sepgsql_context_info; + ListCell *cell; - /* - * Check command tag to avoid nefarious operations - */ - switch (nodeTag(parsetree)) + PG_TRY(); { - case T_LoadStmt: - - /* - * We reject LOAD command across the board on enforcing mode, - * because a binary module can arbitrarily override hooks. - */ - if (sepgsql_getenforce()) - { - ereport(ERROR, - (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), - errmsg("SELinux: LOAD is not permitted"))); - } - break; - default: - - /* - * Right now we don't check any other utility commands, because it - * needs more detailed information to make access control decision - * here, but we don't want to have two parse and analyze routines - * individually. - */ - break; + /* + * Check command tag to avoid nefarious operations, and save the + * current contextual information to determine whether we should + * apply permission checks here, or not. + */ + sepgsql_context_info.cmdtype = nodeTag(parsetree); + + switch (nodeTag(parsetree)) + { + case T_CreatedbStmt: + /* + * We hope to reference name of the source database, but it + * does not appear in system catalog. So, we save it here. + */ + foreach (cell, ((CreatedbStmt *) parsetree)->options) + { + DefElem *defel = (DefElem *) lfirst(cell); + + if (strcmp(defel->defname, "template") == 0) + { + sepgsql_context_info.createdb_template + = strVal(defel->arg); + break; + } + } + break; + + case T_LoadStmt: + /* + * We reject LOAD command across the board on enforcing mode, + * because a binary module can arbitrarily override hooks. + */ + if (sepgsql_getenforce()) + { + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("SELinux: LOAD is not permitted"))); + } + break; + default: + /* + * Right now we don't check any other utility commands, + * because it needs more detailed information to make access + * control decision here, but we don't want to have two parse + * and analyze routines individually. + */ + break; + } + + if (next_ProcessUtility_hook) + (*next_ProcessUtility_hook) (parsetree, queryString, params, + isTopLevel, dest, completionTag); + else + standard_ProcessUtility(parsetree, queryString, params, + isTopLevel, dest, completionTag); } - - /* - * Original implementation - */ - standard_ProcessUtility(parsetree, queryString, params, - isTopLevel, dest, completionTag); + PG_CATCH(); + { + sepgsql_context_info = saved_context_info; + PG_RE_THROW(); + } + PG_END_TRY(); + sepgsql_context_info = saved_context_info; } /* @@ -456,4 +487,7 @@ _PG_init(void) /* ProcessUtility hook */ next_ProcessUtility_hook = ProcessUtility_hook; ProcessUtility_hook = sepgsql_utility_command; + + /* init contextual info */ + memset(&sepgsql_context_info, 0, sizeof(sepgsql_context_info)); } diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h index b4c1dfd..f192fd4 100644 --- a/contrib/sepgsql/sepgsql.h +++ b/contrib/sepgsql/sepgsql.h @@ -213,6 +213,16 @@ /* * hooks.c */ +typedef struct +{ + NodeTag cmdtype; + + /* User given template database on CREATE DATABASE, elsewhere NULL */ + char *createdb_template; +} sepgsql_context_info_t; + +extern sepgsql_context_info_t sepgsql_context_info; + extern bool sepgsql_get_permissive(void); extern bool sepgsql_get_debug_audit(void); diff --git a/contrib/sepgsql/sql/create.sql b/contrib/sepgsql/sql/create.sql new file mode 100644 index 0000000..6cd5656 --- /dev/null +++ b/contrib/sepgsql/sql/create.sql @@ -0,0 +1,15 @@ +-- +-- Regression Test for Creation of Object Permission Checks +-- + +-- confirm required permissions using audit messages +-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0 +SET sepgsql.debug_audit = true; +SET client_min_messages = LOG; + +CREATE DATABASE regtest_sepgsql_test_database; + +-- +-- clean-up +-- +DROP DATABASE IF EXISTS regtest_sepgsql_test_database; diff --git a/contrib/sepgsql/test_sepgsql b/contrib/sepgsql/test_sepgsql index 9b7262a..52237e6 100755 --- a/contrib/sepgsql/test_sepgsql +++ b/contrib/sepgsql/test_sepgsql @@ -259,6 +259,6 @@ echo "found ${NUM}" echo echo "============== running sepgsql regression tests ==============" -make REGRESS="label dml misc" REGRESS_OPTS="--launcher ./launcher" installcheck +make REGRESS="label dml create misc" REGRESS_OPTS="--launcher ./launcher" installcheck # exit with the exit code provided by "make"