
Commit c7689ee

committed
Various sepgsql corrections.
KaiGai Kohei
1 parent 4262278 commit c7689ee


12 files changed

+127
-49
lines changed


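--- a/contrib/sepgsql/dml.c
+++ b/contrib/sepgsql/dml.c
@@ -14,6 +14,7 @@
 #include "access/tupdesc.h"
 #include "catalog/catalog.h"
 #include "catalog/heap.h"
+#include "catalog/dependency.h"
 #include "catalog/pg_attribute.h"
 #include "catalog/pg_class.h"
 #include "catalog/pg_inherits_fn.h"
@@ -151,6 +152,7 @@ check_relation_privileges(Oid relOid,
 char relkind = get_rel_relkind(relOid);
 char *scontext = sepgsql_get_client_label();
 char *tcontext;
+char *audit_name;
 Bitmapset *columns;
 int index;
 bool result = true;
@@ -183,17 +185,16 @@ check_relation_privileges(Oid relOid,
 * Check permissions on the relation
 */
 tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
+audit_name = getObjectDescriptionOids(RelationRelationId, relOid);
 switch (relkind)
 {
 case RELKIND_RELATION:
 result = sepgsql_check_perms(scontext,
 tcontext,
 SEPG_CLASS_DB_TABLE,
 required,
-get_rel_name(relOid),
+audit_name,
 abort);
-if (!result)
-return false;
 break;
 
 case RELKIND_SEQUENCE:
@@ -204,23 +205,31 @@ check_relation_privileges(Oid relOid,
 tcontext,
 SEPG_CLASS_DB_SEQUENCE,
 SEPG_DB_SEQUENCE__GET_VALUE,
-get_rel_name(relOid),
+audit_name,
 abort);
-return result;
+break;
 
 case RELKIND_VIEW:
 result = sepgsql_check_perms(scontext,
 tcontext,
 SEPG_CLASS_DB_VIEW,
 SEPG_DB_VIEW__EXPAND,
-get_rel_name(relOid),
+audit_name,
 abort);
-return result;
+break;
 
 default:
 /* nothing to be checked */
-return true;
+break;
 }
+pfree(tcontext);
+pfree(audit_name);
+
+/*
+* Only columns owned by relations shall be checked
+*/
+if (relkind != RELKIND_RELATION)
+return true;
 
 /*
 * Check permissions on the columns
@@ -233,7 +242,7 @@ check_relation_privileges(Oid relOid,
 {
 AttrNumber attnum;
 uint32 column_perms = 0;
-char audit_name[NAMEDATALEN * 2 + 10];
+ObjectAddress object;
 
 if (bms_is_member(index, selected))
 column_perms |= SEPG_DB_COLUMN__SELECT;
@@ -250,15 +259,21 @@ check_relation_privileges(Oid relOid,
 /* obtain column's permission */
 attnum = index + FirstLowInvalidHeapAttributeNumber;
 tcontext = sepgsql_get_label(RelationRelationId, relOid, attnum);
-snprintf(audit_name, sizeof(audit_name), "%s.%s",
-get_rel_name(relOid), get_attname(relOid, attnum));
+
+object.classId = RelationRelationId;
+object.objectId = relOid;
+object.objectSubId = attnum;
+audit_name = getObjectDescription(&object);
 
 result = sepgsql_check_perms(scontext,
 tcontext,
 SEPG_CLASS_DB_COLUMN,
 column_perms,
 audit_name,
 abort);
+pfree(tcontext);
+pfree(audit_name);
+
 if (!result)
 return result;
 }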
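Review bot: In check_relation_privileges the result of the sequence and view checks is now discarded: both cases end in `break;`, and the new `if (relkind != RELKIND_RELATION) return true;` after the switch returns true whatever sepgsql_check_perms returned. The table case also lost its `if (!result) return false;`, so a table-level denial falls through to the column loop, where `result` is overwritten by each column check. If sepgsql_check_perms can return false when `abort` is false (its body is not shown here), a caller would read a denial as a grant; returning the stored value keeps the previous behaviour: `if (!result || relkind != RELKIND_RELATION) return result;`. The function starts and ends outside these hunks, so its final return could not be checked.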

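--- a/contrib/sepgsql/expected/dml.out
+++ b/contrib/sepgsql/expected/dml.out
@@ -42,15 +42,15 @@ SELECT objtype, objname, label FROM pg_seclabels
 table | t3 | system_u:object_r:sepgsql_fixed_table_t:s0
 table | t4 | system_u:object_r:sepgsql_secret_table_t:s0
 table | t5 | system_u:object_r:sepgsql_table_t:s0
-column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0
-column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0
 column | t5.e | system_u:object_r:sepgsql_table_t:s0
+column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0
+column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0
 (8 rows)
 
 -- Hardwired Rules
 UPDATE pg_attribute SET attisdropped = true
 WHERE attrelid = 't5'::regclass AND attname = 'f'; -- failed
-ERROR: selinux: hardwired security policy violation
+ERROR: SELinux: hardwired security policy violation
 --
 -- Simple DML statements
 --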

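--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
@@ -56,8 +56,8 @@ SELECT sepgsql_getcon(); -- confirm client privilege
 SECURITY LABEL ON TABLE t1
 IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok
 SECURITY LABEL ON TABLE t2
-IS 'invalid seuciryt context'; -- be failed
-ERROR: invalid security label: "invalid seuciryt context"
+IS 'invalid security context'; -- be failed
+ERROR: SELinux: invalid security label: "invalid security context"
 SECURITY LABEL ON COLUMN t2
 IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- be failed
 ERROR: improper relation name (too many dotted names):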

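--- a/contrib/sepgsql/expected/misc.out
+++ b/contrib/sepgsql/expected/misc.out
@@ -2,4 +2,4 @@
 -- Regression Test for Misc Permission Checks
 --
 LOAD '$libdir/sepgsql'; -- failed
-ERROR: SELinux: LOAD is not allowed anyway.
+ERROR: SELinux: LOAD is not permitted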

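--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -91,7 +91,7 @@ sepgsql_client_auth(Port *port, int status)
 if (getpeercon_raw(port->sock, &context) < 0)
 ereport(FATAL,
 (errcode(ERRCODE_INTERNAL_ERROR),
-errmsg("SELinux: unable to get peer label")));
+errmsg("SELinux: unable to get peer label: %m")));
 
 sepgsql_set_client_label(context);
 
@@ -414,7 +414,7 @@ _PG_init(void)
 if (getcon_raw(&context) < 0)
 ereport(ERROR,
 (errcode(ERRCODE_INTERNAL_ERROR),
-errmsg("SELinux: failed to get server security label")));
+errmsg("SELinux: failed to get server security label: %m")));
 sepgsql_set_client_label(context);
 
 /* Security label provider hook */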

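--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -81,7 +81,7 @@ sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
 if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
 ereport(ERROR,
 (errcode(ERRCODE_INTERNAL_ERROR),
-errmsg("SELinux: failed to get initial security label")));
+errmsg("SELinux: failed to get initial security label: %m")));
 PG_TRY();
 {
 label = pstrdup(unlabeled);
@@ -184,7 +184,7 @@ sepgsql_mcstrans_in(PG_FUNCTION_ARGS)
 &raw_label) < 0)
 ereport(ERROR,
 (errcode(ERRCODE_INTERNAL_ERROR),
-errmsg("SELinux: could not translate security label")));
+errmsg("SELinux: could not translate security label: %m")));
 
 PG_TRY();
 {
@@ -224,7 +224,7 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
 &qual_label) < 0)
 ereport(ERROR,
 (errcode(ERRCODE_INTERNAL_ERROR),
-errmsg("SELinux: could not translate security label")));
+errmsg("SELinux: could not translate security label: %m")));
 
 PG_TRY();
 {
@@ -241,6 +241,51 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
 PG_RETURN_TEXT_P(cstring_to_text(result));
 }
 
+/*
+* quote_object_names
+*
+* It tries to quote the supplied identifiers
+*/
+static char *
+quote_object_name(const char *src1, const char *src2,
+const char *src3, const char *src4)
+{
+StringInfoData result;
+const char *temp;
+
+initStringInfo(&result);
+
+if (src1)
+{
+temp = quote_identifier(src1);
+appendStringInfo(&result, "%s", temp);
+if (src1 != temp)
+pfree((void *)temp);
+}
+if (src2)
+{
+temp = quote_identifier(src2);
+appendStringInfo(&result, ".%s", temp);
+if (src2 != temp)
+pfree((void *)temp);
+}
+if (src3)
+{
+temp = quote_identifier(src3);
+appendStringInfo(&result, ".%s", temp);
+if (src3 != temp)
+pfree((void *)temp);
+}
+if (src4)
+{
+temp = quote_identifier(src4);
+appendStringInfo(&result, ".%s", temp);
+if (src4 != temp)
+pfree((void *)temp);
+}
+return result.data;
+}
+
 /*
 * exec_object_restorecon
 *
@@ -273,7 +318,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
 Form_pg_class relForm;
 Form_pg_attribute attForm;
 Form_pg_proc proForm;
-char objname[NAMEDATALEN * 4 + 10];
+char *objname;
 int objtype = 1234;
 ObjectAddress object;
 security_context_t context;
@@ -288,8 +333,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
 nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
 
 objtype = SELABEL_DB_SCHEMA;
-snprintf(objname, sizeof(objname), "%s.%s",
-database_name, NameStr(nspForm->nspname));
+
+objname = quote_object_name(database_name,
+NameStr(nspForm->nspname),
+NULL, NULL);
 
 object.classId = NamespaceRelationId;
 object.objectId = HeapTupleGetOid(tuple);
@@ -309,9 +356,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
 continue; /* no need to assign security label */
 
 namespace_name = get_namespace_name(relForm->relnamespace);
-snprintf(objname, sizeof(objname), "%s.%s.%s",
-database_name, namespace_name,
-NameStr(relForm->relname));
+objname = quote_object_name(database_name,
+namespace_name,
+NameStr(relForm->relname),
+NULL);
 pfree(namespace_name);
 
 object.classId = RelationRelationId;
@@ -330,11 +378,12 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
 namespace_id = get_rel_namespace(attForm->attrelid);
 namespace_name = get_namespace_name(namespace_id);
 relation_name = get_rel_name(attForm->attrelid);
-snprintf(objname, sizeof(objname), "%s.%s.%s.%s",
-database_name, namespace_name,
-relation_name, NameStr(attForm->attname));
-pfree(relation_name);
+objname = quote_object_name(database_name,
+namespace_name,
+relation_name,
+NameStr(attForm->attname));
 pfree(namespace_name);
+pfree(relation_name);
 
 object.classId = RelationRelationId;
 object.objectId = attForm->attrelid;
@@ -347,9 +396,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
 objtype = SELABEL_DB_PROCEDURE;
 
 namespace_name = get_namespace_name(proForm->pronamespace);
-snprintf(objname, sizeof(objname), "%s.%s.%s",
-database_name, namespace_name,
-NameStr(proForm->proname));
+objname = quote_object_name(database_name,
+namespace_name,
+NameStr(proForm->proname),
+NULL);
 pfree(namespace_name);
 
 object.classId = ProcedureRelationId;
@@ -359,6 +409,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
 
 default:
 elog(ERROR, "unexpected catalog id: %u", catalogId);
+objname = NULL; /* for compiler quiet */
 break;
 }
 
@@ -389,7 +440,9 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
 else
 ereport(ERROR,
 (errcode(ERRCODE_INTERNAL_ERROR),
-errmsg("SELinux: could not determine initial security label for %s (type=%d)", objname, objtype)));
+errmsg("SELinux: could not determine initial security label for %s (type=%d): %m", objname, objtype)));
+
+pfree(objname);
 }
 systable_endscan(sscan);
 
@@ -449,7 +502,7 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)
 if (!sehnd)
 ereport(ERROR,
 (errcode(ERRCODE_INTERNAL_ERROR),
-errmsg("SELinux: failed to initialize labeling handle")));
+errmsg("SELinux: failed to initialize labeling handle: %m")));
 PG_TRY();
 {
 /*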
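Review bot: quote_object_name skips a NULL argument but still appends the arguments after it, so a NULL in the middle produces a shorter dotted name (or one with a leading dot) instead of an error. In exec_object_restorecon the `namespace_name` and `relation_name` arguments come from catalog lookups whose NULL handling is not visible in these hunks, and the resulting name appears to be what the initial label is determined for, so a silently shortened name could be matched as a different object; I would report an error in the caller when a lookup returns NULL, or at least stop at the first NULL. The header comment also names the function `quote_object_names` and leaves out ownership; something like `/* quote_object_name: builds a palloc'd dotted name from up to four quoted identifiers; NULL arguments are skipped; caller must pfree the result */` would match what the code does.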

contrib/sepgsql/launcher

100644100755
File mode changed.

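--- a/contrib/sepgsql/proc.c
+++ b/contrib/sepgsql/proc.c
@@ -13,6 +13,7 @@
 #include "access/genam.h"
 #include "access/heapam.h"
 #include "access/sysattr.h"
+#include "catalog/dependency.h"
 #include "catalog/indexing.h"
 #include "catalog/pg_namespace.h"
 #include "catalog/pg_proc.h"
@@ -99,7 +100,7 @@ sepgsql_proc_relabel(Oid functionId, const char *seclabel)
 char *tcontext;
 char *audit_name;
 
-audit_name = get_func_name(functionId);
+audit_name = getObjectDescriptionOids(ProcedureRelationId, functionId);
 
 /*
 * check db_procedure:{setattr relabelfrom} permission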
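Review bot: The audit name in sepgsql_proc_relabel is now a descriptive phrase from getObjectDescriptionOids rather than the bare function name, and nothing at the assignment says so. If that description is translated with the server's message locale (worth confirming in catalog/dependency.c), the name written to audit records would vary between installations, which makes the records harder to match on. A comment such as `/* audit_name is a human-readable object description, not an identifier */` would make the format change explicit. The rest of the function lies outside this hunk, so it is not visible whether the string gets the same `pfree(audit_name);` that the dml.c change adds after its checks.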
