1 /* -------------------------------------------------------------------------
3 * contrib/sepgsql/selinux.c
5 * Interactions between userspace and selinux in kernelspace,
6 * using libselinux api.
8 * Copyright (c) 2010-2012, PostgreSQL Global Development Group
10 * -------------------------------------------------------------------------
14 #include "lib/stringinfo.h"
21 * This mapping table enables to translate the name of object classes and
22 * access vectors to/from their own codes.
23 * When we ask SELinux whether the required privileges are allowed or not,
24 * we use security_compute_av(3). It needs us to represent object classes
25 * and access vectors using 'external' codes defined in the security policy.
26 * It is determinded in the runtime, not build time. So, it needs an internal
27 * service to translate object class/access vectors which we want to check
28 * into the code which kernel want to be given.
32 const char *class_name;
43 "process", SEPG_CLASS_PROCESS,
46 "transition", SEPG_PROCESS__TRANSITION
54 "file", SEPG_CLASS_FILE,
57 "read", SEPG_FILE__READ
60 "write", SEPG_FILE__WRITE
63 "create", SEPG_FILE__CREATE
66 "getattr", SEPG_FILE__GETATTR
69 "unlink", SEPG_FILE__UNLINK
72 "rename", SEPG_FILE__RENAME
75 "append", SEPG_FILE__APPEND
83 "dir", SEPG_CLASS_DIR,
86 "read", SEPG_DIR__READ
89 "write", SEPG_DIR__WRITE
92 "create", SEPG_DIR__CREATE
95 "getattr", SEPG_DIR__GETATTR
98 "unlink", SEPG_DIR__UNLINK
101 "rename", SEPG_DIR__RENAME
104 "search", SEPG_DIR__SEARCH
107 "add_name", SEPG_DIR__ADD_NAME
110 "remove_name", SEPG_DIR__REMOVE_NAME
113 "rmdir", SEPG_DIR__RMDIR
116 "reparent", SEPG_DIR__REPARENT
124 "lnk_file", SEPG_CLASS_LNK_FILE,
127 "read", SEPG_LNK_FILE__READ
130 "write", SEPG_LNK_FILE__WRITE
133 "create", SEPG_LNK_FILE__CREATE
136 "getattr", SEPG_LNK_FILE__GETATTR
139 "unlink", SEPG_LNK_FILE__UNLINK
142 "rename", SEPG_LNK_FILE__RENAME
150 "chr_file", SEPG_CLASS_CHR_FILE,
153 "read", SEPG_CHR_FILE__READ
156 "write", SEPG_CHR_FILE__WRITE
159 "create", SEPG_CHR_FILE__CREATE
162 "getattr", SEPG_CHR_FILE__GETATTR
165 "unlink", SEPG_CHR_FILE__UNLINK
168 "rename", SEPG_CHR_FILE__RENAME
176 "blk_file", SEPG_CLASS_BLK_FILE,
179 "read", SEPG_BLK_FILE__READ
182 "write", SEPG_BLK_FILE__WRITE
185 "create", SEPG_BLK_FILE__CREATE
188 "getattr", SEPG_BLK_FILE__GETATTR
191 "unlink", SEPG_BLK_FILE__UNLINK
194 "rename", SEPG_BLK_FILE__RENAME
202 "sock_file", SEPG_CLASS_SOCK_FILE,
205 "read", SEPG_SOCK_FILE__READ
208 "write", SEPG_SOCK_FILE__WRITE
211 "create", SEPG_SOCK_FILE__CREATE
214 "getattr", SEPG_SOCK_FILE__GETATTR
217 "unlink", SEPG_SOCK_FILE__UNLINK
220 "rename", SEPG_SOCK_FILE__RENAME
228 "fifo_file", SEPG_CLASS_FIFO_FILE,
231 "read", SEPG_FIFO_FILE__READ
234 "write", SEPG_FIFO_FILE__WRITE
237 "create", SEPG_FIFO_FILE__CREATE
240 "getattr", SEPG_FIFO_FILE__GETATTR
243 "unlink", SEPG_FIFO_FILE__UNLINK
246 "rename", SEPG_FIFO_FILE__RENAME
254 "db_database", SEPG_CLASS_DB_DATABASE,
257 "create", SEPG_DB_DATABASE__CREATE
260 "drop", SEPG_DB_DATABASE__DROP
263 "getattr", SEPG_DB_DATABASE__GETATTR
266 "setattr", SEPG_DB_DATABASE__SETATTR
269 "relabelfrom", SEPG_DB_DATABASE__RELABELFROM
272 "relabelto", SEPG_DB_DATABASE__RELABELTO
275 "access", SEPG_DB_DATABASE__ACCESS
278 "load_module", SEPG_DB_DATABASE__LOAD_MODULE
286 "db_schema", SEPG_CLASS_DB_SCHEMA,
289 "create", SEPG_DB_SCHEMA__CREATE
292 "drop", SEPG_DB_SCHEMA__DROP
295 "getattr", SEPG_DB_SCHEMA__GETATTR
298 "setattr", SEPG_DB_SCHEMA__SETATTR
301 "relabelfrom", SEPG_DB_SCHEMA__RELABELFROM
304 "relabelto", SEPG_DB_SCHEMA__RELABELTO
307 "search", SEPG_DB_SCHEMA__SEARCH
310 "add_name", SEPG_DB_SCHEMA__ADD_NAME
313 "remove_name", SEPG_DB_SCHEMA__REMOVE_NAME
321 "db_table", SEPG_CLASS_DB_TABLE,
324 "create", SEPG_DB_TABLE__CREATE
327 "drop", SEPG_DB_TABLE__DROP
330 "getattr", SEPG_DB_TABLE__GETATTR
333 "setattr", SEPG_DB_TABLE__SETATTR
336 "relabelfrom", SEPG_DB_TABLE__RELABELFROM
339 "relabelto", SEPG_DB_TABLE__RELABELTO
342 "select", SEPG_DB_TABLE__SELECT
345 "update", SEPG_DB_TABLE__UPDATE
348 "insert", SEPG_DB_TABLE__INSERT
351 "delete", SEPG_DB_TABLE__DELETE
354 "lock", SEPG_DB_TABLE__LOCK
362 "db_sequence", SEPG_CLASS_DB_SEQUENCE,
365 "create", SEPG_DB_SEQUENCE__CREATE
368 "drop", SEPG_DB_SEQUENCE__DROP
371 "getattr", SEPG_DB_SEQUENCE__GETATTR
374 "setattr", SEPG_DB_SEQUENCE__SETATTR
377 "relabelfrom", SEPG_DB_SEQUENCE__RELABELFROM
380 "relabelto", SEPG_DB_SEQUENCE__RELABELTO
383 "get_value", SEPG_DB_SEQUENCE__GET_VALUE
386 "next_value", SEPG_DB_SEQUENCE__NEXT_VALUE
389 "set_value", SEPG_DB_SEQUENCE__SET_VALUE
397 "db_procedure", SEPG_CLASS_DB_PROCEDURE,
400 "create", SEPG_DB_PROCEDURE__CREATE
403 "drop", SEPG_DB_PROCEDURE__DROP
406 "getattr", SEPG_DB_PROCEDURE__GETATTR
409 "setattr", SEPG_DB_PROCEDURE__SETATTR
412 "relabelfrom", SEPG_DB_PROCEDURE__RELABELFROM
415 "relabelto", SEPG_DB_PROCEDURE__RELABELTO
418 "execute", SEPG_DB_PROCEDURE__EXECUTE
421 "entrypoint", SEPG_DB_PROCEDURE__ENTRYPOINT
424 "install", SEPG_DB_PROCEDURE__INSTALL
432 "db_column", SEPG_CLASS_DB_COLUMN,
435 "create", SEPG_DB_COLUMN__CREATE
438 "drop", SEPG_DB_COLUMN__DROP
441 "getattr", SEPG_DB_COLUMN__GETATTR
444 "setattr", SEPG_DB_COLUMN__SETATTR
447 "relabelfrom", SEPG_DB_COLUMN__RELABELFROM
450 "relabelto", SEPG_DB_COLUMN__RELABELTO
453 "select", SEPG_DB_COLUMN__SELECT
456 "update", SEPG_DB_COLUMN__UPDATE
459 "insert", SEPG_DB_COLUMN__INSERT
467 "db_tuple", SEPG_CLASS_DB_TUPLE,
470 "relabelfrom", SEPG_DB_TUPLE__RELABELFROM
473 "relabelto", SEPG_DB_TUPLE__RELABELTO
476 "select", SEPG_DB_TUPLE__SELECT
479 "update", SEPG_DB_TUPLE__UPDATE
482 "insert", SEPG_DB_TUPLE__INSERT
485 "delete", SEPG_DB_TUPLE__DELETE
493 "db_blob", SEPG_CLASS_DB_BLOB,
496 "create", SEPG_DB_BLOB__CREATE
499 "drop", SEPG_DB_BLOB__DROP
502 "getattr", SEPG_DB_BLOB__GETATTR
505 "setattr", SEPG_DB_BLOB__SETATTR
508 "relabelfrom", SEPG_DB_BLOB__RELABELFROM
511 "relabelto", SEPG_DB_BLOB__RELABELTO
514 "read", SEPG_DB_BLOB__READ
517 "write", SEPG_DB_BLOB__WRITE
520 "import", SEPG_DB_BLOB__IMPORT
523 "export", SEPG_DB_BLOB__EXPORT
531 "db_language", SEPG_CLASS_DB_LANGUAGE,
534 "create", SEPG_DB_LANGUAGE__CREATE
537 "drop", SEPG_DB_LANGUAGE__DROP
540 "getattr", SEPG_DB_LANGUAGE__GETATTR
543 "setattr", SEPG_DB_LANGUAGE__SETATTR
546 "relabelfrom", SEPG_DB_LANGUAGE__RELABELFROM
549 "relabelto", SEPG_DB_LANGUAGE__RELABELTO
552 "implement", SEPG_DB_LANGUAGE__IMPLEMENT
555 "execute", SEPG_DB_LANGUAGE__EXECUTE
563 "db_view", SEPG_CLASS_DB_VIEW,
566 "create", SEPG_DB_VIEW__CREATE
569 "drop", SEPG_DB_VIEW__DROP
572 "getattr", SEPG_DB_VIEW__GETATTR
575 "setattr", SEPG_DB_VIEW__SETATTR
578 "relabelfrom", SEPG_DB_VIEW__RELABELFROM
581 "relabelto", SEPG_DB_VIEW__RELABELTO
584 "expand", SEPG_DB_VIEW__EXPAND
596 * SEPGSQL_MODE_DISABLED: Disabled on runtime
597 * SEPGSQL_MODE_DEFAULT: Same as system settings
598 * SEPGSQL_MODE_PERMISSIVE: Always permissive mode
599 * SEPGSQL_MODE_INTERNAL: Same as permissive, except for no audit logs
601 static int sepgsql_mode = SEPGSQL_MODE_INTERNAL;
607 sepgsql_is_enabled(void)
609 return (sepgsql_mode != SEPGSQL_MODE_DISABLED ? true : false);
616 sepgsql_get_mode(void)
625 sepgsql_set_mode(int new_mode)
627 int old_mode = sepgsql_mode;
629 sepgsql_mode = new_mode;
637 * It returns whether the current working mode tries to enforce access
638 * control decision, or not. It shall be enforced when sepgsql_mode is
639 * SEPGSQL_MODE_DEFAULT and system is running in enforcing mode.
642 sepgsql_getenforce(void)
644 if (sepgsql_mode == SEPGSQL_MODE_DEFAULT &&
645 selinux_status_getenforce() > 0)
654 * It generates a security audit record. In the default, it writes out
655 * audit records into standard PG's logfile. It also allows to set up
656 * external audit log receiver, such as auditd in Linux, using the
657 * sepgsql_audit_hook.
659 * SELinux can control what should be audited and should not using
660 * "auditdeny" and "auditallow" rules in the security policy. In the
661 * default, all the access violations are audited, and all the access
662 * allowed are not audited. But we can set up the security policy, so
663 * we can have exceptions. So, it is necessary to follow the suggestion
664 * come from the security policy. (av_decision.auditallow and auditdeny)
666 * Security audit is an important feature, because it enables us to check
667 * what was happen if we have a security incident. In fact, ISO/IEC15408
668 * defines several security functionalities for audit features.
671 sepgsql_audit_log(bool denied,
672 const char *scontext,
673 const char *tcontext,
676 const char *audit_name)
679 const char *class_name;
683 /* lookup name of the object class */
684 Assert(tclass < SEPG_CLASS_MAX);
685 class_name = selinux_catalog[tclass].class_name;
687 /* lookup name of the permissions */
688 initStringInfo(&buf);
689 appendStringInfo(&buf, "%s {",
690 (denied ? "denied" : "allowed"));
691 for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)
693 if (audited & (1UL << i))
695 av_name = selinux_catalog[tclass].av[i].av_name;
696 appendStringInfo(&buf, " %s", av_name);
699 appendStringInfo(&buf, " }");
702 * Call external audit module, if loaded
704 appendStringInfo(&buf, " scontext=%s tcontext=%s tclass=%s",
705 scontext, tcontext, class_name);
707 appendStringInfo(&buf, " name=\"%s\"", audit_name);
709 ereport(LOG, (errmsg("SELinux: %s", buf.data)));
713 * sepgsql_compute_avd
715 * It actually asks SELinux what permissions are allowed on a pair of
716 * the security contexts and object class. It also returns what permissions
717 * should be audited on access violation or allowed.
718 * In most cases, subject's security context (scontext) is a client, and
719 * target security context (tcontext) is a database object.
721 * The access control decision shall be set on the given av_decision.
722 * The av_decision.allowed has a bitmask of SEPG_<class>__<perms>
723 * to suggest a set of allowed actions in this object class.
726 sepgsql_compute_avd(const char *scontext,
727 const char *tcontext,
729 struct av_decision * avd)
731 const char *tclass_name;
732 security_class_t tclass_ex;
733 struct av_decision avd_ex;
735 deny_unknown = security_deny_unknown();
737 /* Get external code of the object class */
738 Assert(tclass < SEPG_CLASS_MAX);
739 Assert(tclass == selinux_catalog[tclass].class_code);
741 tclass_name = selinux_catalog[tclass].class_name;
742 tclass_ex = string_to_security_class(tclass_name);
747 * If the current security policy does not support permissions
748 * corresponding to database objects, we fill up them with dummy data.
749 * If security_deny_unknown() returns positive value, undefined
750 * permissions should be denied. Otherwise, allowed
752 avd->allowed = (security_deny_unknown() > 0 ? 0 : ~0);
753 avd->auditallow = 0U;
754 avd->auditdeny = ~0U;
761 * Ask SELinux what is allowed set of permissions on a pair of the
762 * security contexts and the given object class.
764 if (security_compute_av_flags_raw((security_context_t) scontext,
765 (security_context_t) tcontext,
766 tclass_ex, 0, &avd_ex) < 0)
768 (errcode(ERRCODE_INTERNAL_ERROR),
769 errmsg("SELinux could not compute av_decision: "
770 "scontext=%s tcontext=%s tclass=%s: %m",
771 scontext, tcontext, tclass_name)));
774 * SELinux returns its access control decision as a set of permissions
775 * represented in external code which depends on run-time environment. So,
776 * we need to translate it to the internal representation before returning
777 * results for the caller.
779 memset(avd, 0, sizeof(struct av_decision));
781 for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)
783 access_vector_t av_code_ex;
784 const char *av_name = selinux_catalog[tclass].av[i].av_name;
785 uint32 av_code = selinux_catalog[tclass].av[i].av_code;
787 av_code_ex = string_to_av_perm(tclass_ex, av_name);
790 /* fill up undefined permissions */
792 avd->allowed |= av_code;
793 avd->auditdeny |= av_code;
798 if (avd_ex.allowed & av_code_ex)
799 avd->allowed |= av_code;
800 if (avd_ex.auditallow & av_code_ex)
801 avd->auditallow |= av_code;
802 if (avd_ex.auditdeny & av_code_ex)
803 avd->auditdeny |= av_code;
810 * sepgsql_compute_create
812 * It returns a default security context to be assigned on a new database
813 * object. SELinux compute it based on a combination of client, upper object
814 * which owns the new object and object class.
816 * For example, when a client (staff_u:staff_r:staff_t:s0) tries to create
817 * a new table within a schema (system_u:object_r:sepgsql_schema_t:s0),
818 * SELinux looks-up its security policy. If it has a special rule on the
819 * combination of these security contexts and object class (db_table),
820 * it returns the security context suggested by the special rule.
821 * Otherwise, it returns the security context of schema, as is.
823 * We expect the caller already applies sanity/validation checks on the
824 * given security context.
826 * scontext: security context of the subject (mostly, peer process).
827 * tcontext: security context of the the upper database object.
828 * tclass: class code (SEPG_CLASS_*) of the new object in creation
831 sepgsql_compute_create(const char *scontext,
832 const char *tcontext,
835 security_context_t ncontext;
836 security_class_t tclass_ex;
837 const char *tclass_name;
840 /* Get external code of the object class */
841 Assert(tclass < SEPG_CLASS_MAX);
843 tclass_name = selinux_catalog[tclass].class_name;
844 tclass_ex = string_to_security_class(tclass_name);
847 * Ask SELinux what is the default context for the given object class on a
848 * pair of security contexts
850 if (security_compute_create_raw((security_context_t) scontext,
851 (security_context_t) tcontext,
852 tclass_ex, &ncontext) < 0)
854 (errcode(ERRCODE_INTERNAL_ERROR),
855 errmsg("SELinux could not compute a new context: "
856 "scontext=%s tcontext=%s tclass=%s: %m",
857 scontext, tcontext, tclass_name)));
860 * libselinux returns malloc()'ed string, so we need to copy it on the
861 * palloc()'ed region.
865 result = pstrdup(ncontext);
879 * sepgsql_check_perms
881 * It makes access control decision without userspace caching mechanism.
882 * If SELinux denied the required accesses on the pair of security labels,
883 * it raises an error or returns false.
885 * scontext: security label of the subject (mostly, peer process)
886 * tcontext: security label of the object being referenced
887 * tclass: class code (SEPG_CLASS_*) of the object being referenced
888 * required: a mask of required permissions (SEPG_<class>__<perm>)
889 * audit_name: a human readable object name for audit logs, or NULL.
890 * abort: true, if caller wants to raise an error on access violation
893 sepgsql_check_perms(const char *scontext,
894 const char *tcontext,
897 const char *audit_name,
900 struct av_decision avd;
905 sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
907 denied = required & ~avd.allowed;
909 if (sepgsql_get_debug_audit())
910 audited = (denied ? denied : required);
912 audited = (denied ? (denied & avd.auditdeny)
913 : (required & avd.auditallow));
916 sepgsql_getenforce() > 0 &&
917 (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
921 * It records a security audit for the request, if needed. But, when
922 * SE-PgSQL performs 'internal' mode, it needs to keep silent.
924 if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
926 sepgsql_audit_log(denied,
934 if (!result && abort)
936 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
937 errmsg("SELinux: security policy violation")));