Add missing check on invocation of trusted procedures.

KaiGai Kohei

diff --git a/contrib/sepgsql/expected/label.out b/contrib/sepgsql/expected/label.out
index daf8d08eb2a770469dfb92c14ec9628207c94bd9..bac169f37bffdc4dcc2ab82a0ef77dedd21a7723 100644 (file)
--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
         END;' LANGUAGE plpgsql;
 SECURITY LABEL ON FUNCTION f3()
     IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f4 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+    IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
 --
 -- Tests for default labeling behavior
 --
@@ -86,6 +91,8 @@ SELECT f2();                  -- trusted procedure
 
 SELECT f3();                   -- trusted procedure that raises an error
 ERROR:  an exception from f3()
+SELECT f4();                   -- failed on domain transition
+ERROR:  SELinux: security policy violation
 SELECT sepgsql_getcon();       -- client's label must be restored
                    sepgsql_getcon                    
 -----------------------------------------------------
@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;

diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c
index 83a505ec18d129ed13cdc109f55e3f1db7f0d2d1..27e85d25b1d33222a4c935b13af9c8263a720bac 100644 (file)
--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
                        if (!stack)
                        {
                                MemoryContext   oldcxt;
+                               const char         *cur_label = sepgsql_get_client_label();
 
                                oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
                                stack = palloc(sizeof(*stack));
@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 
                                MemoryContextSwitchTo(oldcxt);
 
+                               if (strcmp(cur_label, stack->new_label) != 0)
+                               {
+                                       /*
+                                        * process:transition permission between old and new
+                                        * label, when user tries to switch security label of
+                                        * the client on execution of trusted procedure.
+                                        */
+                                       sepgsql_check_perms(cur_label, stack->new_label,
+                                                                               SEPG_CLASS_PROCESS,
+                                                                               SEPG_PROCESS__TRANSITION,
+                                                                               NULL, true);
+                               }
+
                                *private = PointerGetDatum(stack);
                        }
                        Assert(!stack->old_label);

diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index 66666d0c38af7ea9c585c851b92a990388fc67da..3b1def75a5208739ee2197b6f919531c5b9fd884 100644 (file)
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -1,4 +1,8 @@
-policy_module(sepgsql-regtest, 1.01)
+policy_module(sepgsql-regtest, 1.02)
+
+gen_require(`
+       all_userspace_class_perms
+')
 
 ## <desc>
 ## <p>
@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
 ## </desc>
 gen_tunable(sepgsql_regression_test_mode, false)
 
+#
+# Type definitions for regression test
+#
+type sepgsql_regtest_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
+
 #
 # Test domains for database administrators
 #
@@ -57,3 +67,19 @@ optional_policy(`
        role unconfined_r types sepgsql_regtest_user_t;
        role unconfined_r types sepgsql_trusted_proc_t;
 ')
+
+#
+# Rule to check 
+#
+optional_policy(`
+       # These rules intends sepgsql_regtest_user_t domain to translate
+       # sepgsql_regtest_dba_t on execution of procedures labeled as
+       # sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
+       # permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
+       #
+       gen_require(`
+               attribute sepgsql_client_type;
+       ')
+       allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
+       type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
+')

diff --git a/contrib/sepgsql/sql/label.sql b/contrib/sepgsql/sql/label.sql
index 1100fcb35a635a589219e62740d845d50f786932..2b1841281c1f973811f768ba9243eeef37c225d2 100644 (file)
--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
 SECURITY LABEL ON FUNCTION f3()
     IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
 
+CREATE FUNCTION f4 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+    IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
+
 --
 -- Tests for default labeling behavior
 --
@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
 SELECT f1();                   -- normal procedure
 SELECT f2();                   -- trusted procedure
 SELECT f3();                   -- trusted procedure that raises an error
+SELECT f4();                   -- failed on domain transition
 SELECT sepgsql_getcon();       -- client's label must be restored
 
 --
@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;