1 /* -------------------------------------------------------------------------
3 * contrib/sepgsql/hooks.c
5 * Entrypoints of the hooks in PostgreSQL, and dispatches the callbacks.
7 * Copyright (c) 2010-2013, PostgreSQL Global Development Group
9 * -------------------------------------------------------------------------
13 #include "catalog/dependency.h"
14 #include "catalog/objectaccess.h"
15 #include "catalog/pg_class.h"
16 #include "catalog/pg_database.h"
17 #include "catalog/pg_namespace.h"
18 #include "catalog/pg_proc.h"
19 #include "commands/seclabel.h"
20 #include "executor/executor.h"
22 #include "miscadmin.h"
23 #include "tcop/utility.h"
24 #include "utils/guc.h"
36 * Saved hook entries (if stacked)
38 static object_access_hook_type next_object_access_hook = NULL;
39 static ExecutorCheckPerms_hook_type next_exec_check_perms_hook = NULL;
40 static ProcessUtility_hook_type next_ProcessUtility_hook = NULL;
43 * Contextual information on DDL commands
50 * Name of the template database given by users on CREATE DATABASE
51 * command. Elsewhere (including the case of default) NULL.
53 const char *createdb_dtemplate;
54 } sepgsql_context_info_t;
56 static sepgsql_context_info_t sepgsql_context_info;
59 * GUC: sepgsql.permissive = (on|off)
61 static bool sepgsql_permissive;
64 sepgsql_get_permissive(void)
66 return sepgsql_permissive;
70 * GUC: sepgsql.debug_audit = (on|off)
72 static bool sepgsql_debug_audit;
75 sepgsql_get_debug_audit(void)
77 return sepgsql_debug_audit;
81 * sepgsql_object_access
83 * Entrypoint of the object_access_hook. This routine performs as
84 * a dispatcher of invocation based on access type and object classes.
87 sepgsql_object_access(ObjectAccessType access,
93 if (next_object_access_hook)
94 (*next_object_access_hook) (access, classId, objectId, subId, arg);
100 ObjectAccessPostCreate *pc_arg = arg;
103 is_internal = pc_arg ? pc_arg->is_internal : false;
107 case DatabaseRelationId:
108 Assert(!is_internal);
109 sepgsql_database_post_create(objectId,
110 sepgsql_context_info.createdb_dtemplate);
113 case NamespaceRelationId:
114 Assert(!is_internal);
115 sepgsql_schema_post_create(objectId);
118 case RelationRelationId:
122 * The cases in which we want to apply permission
123 * checks on creation of a new relation correspond
124 * to direct user invocation. For internal uses,
125 * that is creation of toast tables, index rebuild
126 * or ALTER TABLE commands, we need neither
127 * assignment of security labels nor permission
133 sepgsql_relation_post_create(objectId);
136 sepgsql_attribute_post_create(objectId, subId);
139 case ProcedureRelationId:
140 Assert(!is_internal);
141 sepgsql_proc_post_create(objectId);
145 /* Ignore unsupported object classes */
153 ObjectAccessDrop *drop_arg = (ObjectAccessDrop *) arg;
156 * No need to apply permission checks on object deletion due
157 * to internal cleanups; such as removal of temporary database
158 * object on session closed.
160 if ((drop_arg->dropflags & PERFORM_DELETION_INTERNAL) != 0)
165 case DatabaseRelationId:
166 sepgsql_database_drop(objectId);
169 case NamespaceRelationId:
170 sepgsql_schema_drop(objectId);
173 case RelationRelationId:
175 sepgsql_relation_drop(objectId);
177 sepgsql_attribute_drop(objectId, subId);
180 case ProcedureRelationId:
181 sepgsql_proc_drop(objectId);
185 /* Ignore unsupported object classes */
193 ObjectAccessPostAlter *pa_arg = arg;
194 bool is_internal = pa_arg->is_internal;
198 case DatabaseRelationId:
199 Assert(!is_internal);
200 sepgsql_database_setattr(objectId);
203 case NamespaceRelationId:
204 Assert(!is_internal);
205 sepgsql_schema_setattr(objectId);
208 case RelationRelationId:
212 * A case when we don't want to apply permission
213 * check is that relation is internally altered
214 * without user's intention. E.g, no need to
215 * check on toast table/index to be renamed at
216 * end of the table rewrites.
221 sepgsql_relation_setattr(objectId);
224 sepgsql_attribute_setattr(objectId, subId);
227 case ProcedureRelationId:
228 Assert(!is_internal);
229 sepgsql_proc_setattr(objectId);
233 /* Ignore unsupported object classes */
240 elog(ERROR, "unexpected object access type: %d", (int) access);
246 * sepgsql_exec_check_perms
248 * Entrypoint of DML permissions
251 sepgsql_exec_check_perms(List *rangeTabls, bool abort)
254 * If security provider is stacking and one of them replied 'false' at
255 * least, we don't need to check any more.
257 if (next_exec_check_perms_hook &&
258 !(*next_exec_check_perms_hook) (rangeTabls, abort))
261 if (!sepgsql_dml_privileges(rangeTabls, abort))
268 * sepgsql_utility_command
270 * It tries to rough-grained control on utility commands; some of them can
271 * break whole of the things if nefarious user would use.
274 sepgsql_utility_command(Node *parsetree,
275 const char *queryString,
276 ParamListInfo params,
279 ProcessUtilityContext context)
281 sepgsql_context_info_t saved_context_info = sepgsql_context_info;
287 * Check command tag to avoid nefarious operations, and save the
288 * current contextual information to determine whether we should apply
289 * permission checks here, or not.
291 sepgsql_context_info.cmdtype = nodeTag(parsetree);
293 switch (nodeTag(parsetree))
298 * We hope to reference name of the source database, but it
299 * does not appear in system catalog. So, we save it here.
301 foreach(cell, ((CreatedbStmt *) parsetree)->options)
303 DefElem *defel = (DefElem *) lfirst(cell);
305 if (strcmp(defel->defname, "template") == 0)
307 sepgsql_context_info.createdb_dtemplate
308 = strVal(defel->arg);
317 * We reject LOAD command across the board on enforcing mode,
318 * because a binary module can arbitrarily override hooks.
320 if (sepgsql_getenforce())
323 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
324 errmsg("SELinux: LOAD is not permitted")));
330 * Right now we don't check any other utility commands,
331 * because it needs more detailed information to make access
332 * control decision here, but we don't want to have two parse
333 * and analyze routines individually.
338 if (next_ProcessUtility_hook)
339 (*next_ProcessUtility_hook) (parsetree, queryString, params,
340 dest, completionTag, context);
342 standard_ProcessUtility(parsetree, queryString, params,
343 dest, completionTag, context);
347 sepgsql_context_info = saved_context_info;
351 sepgsql_context_info = saved_context_info;
355 * Module load/unload callback
361 * We allow to load the SE-PostgreSQL module on single-user-mode or
362 * shared_preload_libraries settings only.
364 if (IsUnderPostmaster)
366 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
367 errmsg("sepgsql must be loaded via shared_preload_libraries")));
370 * Check availability of SELinux on the platform. If disabled, we cannot
371 * activate any SE-PostgreSQL features, and we have to skip rest of
374 if (is_selinux_enabled() < 1)
376 sepgsql_set_mode(SEPGSQL_MODE_DISABLED);
381 * sepgsql.permissive = (on|off)
383 * This variable controls performing mode of SE-PostgreSQL on user's
386 DefineCustomBoolVariable("sepgsql.permissive",
387 "Turn on/off permissive mode in SE-PostgreSQL",
398 * sepgsql.debug_audit = (on|off)
400 * This variable allows users to turn on/off audit logs on access control
401 * decisions, independent from auditallow/auditdeny setting in the
402 * security policy. We intend to use this option for debugging purpose.
404 DefineCustomBoolVariable("sepgsql.debug_audit",
405 "Turn on/off debug audit messages",
407 &sepgsql_debug_audit,
415 /* Initialize userspace access vector cache */
418 /* Initialize security label of the client and related stuff */
419 sepgsql_init_client_label();
421 /* Security label provider hook */
422 register_label_provider(SEPGSQL_LABEL_TAG,
423 sepgsql_object_relabel);
425 /* Object access hook */
426 next_object_access_hook = object_access_hook;
427 object_access_hook = sepgsql_object_access;
429 /* DML permission check */
430 next_exec_check_perms_hook = ExecutorCheckPerms_hook;
431 ExecutorCheckPerms_hook = sepgsql_exec_check_perms;
433 /* ProcessUtility hook */
434 next_ProcessUtility_hook = ProcessUtility_hook;
435 ProcessUtility_hook = sepgsql_utility_command;
437 /* init contextual info */
438 memset(&sepgsql_context_info, 0, sizeof(sepgsql_context_info));