Commit4232c4b

committed
Userspace access vector cache for contrib/sepgsql.
KaiGai Kohei
1 parent3d14bd2 commit4232c4b


12 files changed

+661
-211
lines changed


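--- a/configure
+++ b/configure
@@ -9481,9 +9481,9 @@ fi
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
 
-{ $as_echo "$as_me:$LINENO: checking forselinux_sepgsql_context_path in -lselinux" >&5
-$as_echo_n "checking forselinux_sepgsql_context_path in -lselinux... " >&6; }
-if test "${ac_cv_lib_selinux_selinux_sepgsql_context_path+set}" = set; then
+{ $as_echo "$as_me:$LINENO: checking forselinux_status_open in -lselinux" >&5
+$as_echo_n "checking forselinux_status_open in -lselinux... " >&6; }
+if test "${ac_cv_lib_selinux_selinux_status_open+set}" = set; then
 $as_echo_n "(cached) " >&6
 else
 ac_check_lib_save_LIBS=$LIBS
@@ -9501,11 +9501,11 @@ cat >>conftest.$ac_ext <<_ACEOF
 #ifdef __cplusplus
 extern "C"
 #endif
-charselinux_sepgsql_context_path ();
+charselinux_status_open ();
 int
 main ()
 {
-returnselinux_sepgsql_context_path ();
+returnselinux_status_open ();
 ;
 return 0;
 }
@@ -9531,31 +9531,31 @@ $as_echo "$ac_try_echo") >&5
 test "$cross_compiling" = yes ||
 $as_test_x conftest$ac_exeext
 }; then
-ac_cv_lib_selinux_selinux_sepgsql_context_path=yes
+ac_cv_lib_selinux_selinux_status_open=yes
 else
 $as_echo "$as_me: failed program was:" >&5
 sed 's/^/| /' conftest.$ac_ext >&5
 
-ac_cv_lib_selinux_selinux_sepgsql_context_path=no
+ac_cv_lib_selinux_selinux_status_open=no
 fi
 
 rm -rf conftest.dSYM
 rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
 conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_sepgsql_context_path" >&5
-$as_echo "$ac_cv_lib_selinux_selinux_sepgsql_context_path" >&6; }
-if test "x$ac_cv_lib_selinux_selinux_sepgsql_context_path" = x""yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_status_open" >&5
+$as_echo "$ac_cv_lib_selinux_selinux_status_open" >&6; }
+if test "x$ac_cv_lib_selinux_selinux_status_open" = x""yes; then
 cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBSELINUX 1
 _ACEOF
 
 LIBS="-lselinux $LIBS"
 
 else
-{ { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.93 or newer, is required for SELinux support" >&5
-$as_echo "$as_me: error: library 'libselinux', version 2.0.93 or newer, is required for SELinux support" >&2;}
+{ { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&5
+$as_echo "$as_me: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&2;}
 { (exit 1); exit 1; }; }
 fi
 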
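--- a/configure.in
+++ b/configure.in
@@ -964,8 +964,8 @@ fi
 
 # for contrib/sepgsql
 if test "$with_selinux" = yes; then
-AC_CHECK_LIB(selinux,selinux_sepgsql_context_path, [],
-[AC_MSG_ERROR([library 'libselinux', version 2.0.93 or newer, is required for SELinux support])])
+AC_CHECK_LIB(selinux,selinux_status_open, [],
+[AC_MSG_ERROR([library 'libselinux', version 2.0.99 or newer, is required for SELinux support])])
 fi
 
 # for contrib/uuid-ossp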

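--- a/contrib/sepgsql/Makefile
+++ b/contrib/sepgsql/Makefile
@@ -1,7 +1,7 @@
 # contrib/sepgsql/Makefile
 
 MODULE_big = sepgsql
-OBJS = hooks.o selinux.o label.o dml.o\
+OBJS = hooks.o selinux.ouavc.olabel.o dml.o\
 schema.o relation.o proc.o
 DATA_built = sepgsql.sql
 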
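--- a/contrib/sepgsql/dml.c
+++ b/contrib/sepgsql/dml.c
@@ -150,12 +150,11 @@ check_relation_privileges(Oid relOid,
 uint32required,
 boolabort)
 {
-charrelkind=get_rel_relkind(relOid);
-char*scontext=sepgsql_get_client_label();
-char*tcontext;
+ObjectAddressobject;
 char*audit_name;
 Bitmapset*columns;
 intindex;
+charrelkind=get_rel_relkind(relOid);
 boolresult= true;
 
 /*
@@ -184,45 +183,43 @@ check_relation_privileges(Oid relOid,
 /*
 * Check permissions on the relation
 */
-tcontext=sepgsql_get_label(RelationRelationId,relOid,0);
-audit_name=getObjectDescriptionOids(RelationRelationId,relOid);
+object.classId=RelationRelationId;
+object.objectId=relOid;
+object.objectSubId=0;
+audit_name=getObjectDescription(&object);
 switch (relkind)
 {
 caseRELKIND_RELATION:
-result=sepgsql_check_perms(scontext,
-tcontext,
-SEPG_CLASS_DB_TABLE,
-required,
-audit_name,
-abort);
+result=sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_TABLE,
+required,
+audit_name,
+abort);
 break;
 
 caseRELKIND_SEQUENCE:
 Assert((required& ~SEPG_DB_TABLE__SELECT)==0);
 
 if (required&SEPG_DB_TABLE__SELECT)
-result=sepgsql_check_perms(scontext,
-tcontext,
-SEPG_CLASS_DB_SEQUENCE,
-SEPG_DB_SEQUENCE__GET_VALUE,
-audit_name,
-abort);
+result=sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_SEQUENCE,
+SEPG_DB_SEQUENCE__GET_VALUE,
+audit_name,
+abort);
 break;
 
 caseRELKIND_VIEW:
-result=sepgsql_check_perms(scontext,
-tcontext,
-SEPG_CLASS_DB_VIEW,
-SEPG_DB_VIEW__EXPAND,
-audit_name,
-abort);
+result=sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_VIEW,
+SEPG_DB_VIEW__EXPAND,
+audit_name,
+abort);
 break;
 
 default:
 /* nothing to be checked */
 break;
 }
-pfree(tcontext);
 pfree(audit_name);
 
 /*
@@ -242,7 +239,6 @@ check_relation_privileges(Oid relOid,
 {
 AttrNumberattnum;
 uint32column_perms=0;
-ObjectAddressobject;
 
 if (bms_is_member(index,selected))
 column_perms |=SEPG_DB_COLUMN__SELECT;
@@ -258,20 +254,17 @@ check_relation_privileges(Oid relOid,
 
 /* obtain column's permission */
 attnum=index+FirstLowInvalidHeapAttributeNumber;
-tcontext=sepgsql_get_label(RelationRelationId,relOid,attnum);
 
 object.classId=RelationRelationId;
 object.objectId=relOid;
 object.objectSubId=attnum;
 audit_name=getObjectDescription(&object);
 
-result=sepgsql_check_perms(scontext,
-tcontext,
-SEPG_CLASS_DB_COLUMN,
-column_perms,
-audit_name,
-abort);
-pfree(tcontext);
+result=sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_COLUMN,
+column_perms,
+audit_name,
+abort);
 pfree(audit_name);
 
 if (!result)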
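Review bot: The `object` address built just before `switch (relkind)` is silently reused by the per-column loop further down, which overwrites only `object.objectSubId` with `attnum` and relies on classId/objectId still being the relation's; the hoisted declaration at the top of check_relation_privileges says nothing about that shared role. Suggest a comment at the declaration, `/* shared by the relation-level check and the per-column checks; only objectSubId changes between them */`, so a later edit that touches one site does not break the other. With the explicit label fetch gone, the target label and any caching of the decision are now resolved inside sepgsql_avc_check_perms (uavc.c is not on this page), so a one-line note at `/* Check permissions on the relation */` that the AVC derives the label from the ObjectAddress would help readers who knew the old two-label form. check_relation_privileges begins before the first hunk and ends after the last one.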

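--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -184,9 +184,7 @@ sepgsql_exec_check_perms(List *rangeTabls, bool abort)
 staticbool
 sepgsql_needs_fmgr_hook(OidfunctionId)
 {
-char*old_label;
-char*new_label;
-char*function_label;
+ObjectAddressobject;
 
 if (next_needs_fmgr_hook&&
 (*next_needs_fmgr_hook) (functionId))
@@ -198,32 +196,24 @@ sepgsql_needs_fmgr_hook(Oid functionId)
 * functions as trusted-procedure, if the security policy has a rule that
 * switches security label of the client on execution.
 */
-old_label=sepgsql_get_client_label();
-new_label=sepgsql_proc_get_domtrans(functionId);
-if (strcmp(old_label,new_label)!=0)
-{
-pfree(new_label);
+if (sepgsql_avc_trusted_proc(functionId)!=NULL)
 return true;
-}
-pfree(new_label);
 
 /*
 * Even if not a trusted-procedure, this function should not be inlined
 * unless the client has db_procedure:{execute} permission. Please note
 * that it shall be actually failed later because of same reason with
 * ACL_EXECUTE.
 */
-function_label=sepgsql_get_label(ProcedureRelationId,functionId,0);
-if (sepgsql_check_perms(sepgsql_get_client_label(),
-function_label,
-SEPG_CLASS_DB_PROCEDURE,
-SEPG_DB_PROCEDURE__EXECUTE,
-NULL, false)!= true)
-{
-pfree(function_label);
+object.classId=ProcedureRelationId;
+object.objectId=functionId;
+object.objectSubId=0;
+if (!sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_PROCEDURE,
+SEPG_DB_PROCEDURE__EXECUTE,
+SEPGSQL_AVC_NOAUDIT, false))
 return true;
-}
-pfree(function_label);
+
 return false;
 }
 
@@ -251,33 +241,31 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 if (!stack)
 {
 MemoryContextoldcxt;
-constchar*cur_label=sepgsql_get_client_label();
 
 oldcxt=MemoryContextSwitchTo(flinfo->fn_mcxt);
 stack=palloc(sizeof(*stack));
 stack->old_label=NULL;
-stack->new_label=sepgsql_proc_get_domtrans(flinfo->fn_oid);
+stack->new_label=sepgsql_avc_trusted_proc(flinfo->fn_oid);
 stack->next_private=0;
 
 MemoryContextSwitchTo(oldcxt);
 
-if (strcmp(cur_label,stack->new_label)!=0)
-{
-/*
-* process:transition permission between old and new
-* label, when user tries to switch security label of the
-* client on execution of trusted procedure.
-*/
-sepgsql_check_perms(cur_label,stack->new_label,
-SEPG_CLASS_PROCESS,
-SEPG_PROCESS__TRANSITION,
-NULL, true);
-}
+/*
+* process:transition permission between old and new label,
+* when user tries to switch security label of the client
+* on execution of trusted procedure.
+*/
+if (stack->new_label)
+sepgsql_avc_check_perms_label(stack->new_label,
+SEPG_CLASS_PROCESS,
+SEPG_PROCESS__TRANSITION,
+NULL, true);
 
 *private=PointerGetDatum(stack);
 }
 Assert(!stack->old_label);
-stack->old_label=sepgsql_set_client_label(stack->new_label);
+if (stack->new_label)
+stack->old_label=sepgsql_set_client_label(stack->new_label);
 
 if (next_fmgr_hook)
 (*next_fmgr_hook) (event,flinfo,&stack->next_private);
@@ -290,7 +278,8 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 if (next_fmgr_hook)
 (*next_fmgr_hook) (event,flinfo,&stack->next_private);
 
-sepgsql_set_client_label(stack->old_label);
+if (stack->old_label)
+sepgsql_set_client_label(stack->old_label);
 stack->old_label=NULL;
 break;
 
@@ -433,6 +422,9 @@ _PG_init(void)
 errmsg("SELinux: failed to get server security label: %m")));
 sepgsql_set_client_label(context);
 
+/* Initialize userspace access vector cache */
+sepgsql_avc_init();
+
 /* Security label provider hook */
 register_label_provider(SEPGSQL_LABEL_TAG,
 sepgsql_object_relabel);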
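Review bot: In sepgsql_fmgr_hook, `stack->new_label` now stores whatever pointer sepgsql_avc_trusted_proc returns for as long as the fn_mcxt-allocated `stack` lives, whereas the removed code owned a palloc'd string from sepgsql_proc_get_domtrans and no longer pfree's anything; if that pointer refers into an AVC cache entry rather than a copy (uavc.c is not on this page, so this is inferred), a cache reset or eviction between calls would leave a stale label that sepgsql_set_client_label then installs as the client domain. Either document the ownership at that assignment or take a private copy while still in fn_mcxt, e.g. `stack->new_label = sepgsql_avc_trusted_proc(flinfo->fn_oid);` followed by `if (stack->new_label) stack->new_label = pstrdup(stack->new_label);` with a comment that the copy outlives the cache entry. In sepgsql_needs_fmgr_hook the db_procedure:{execute} probe now passes `SEPGSQL_AVC_NOAUDIT` where the old call passed NULL; since the existing comment says the real failure is reported later, a short note that audit is suppressed here to avoid a duplicate denial record would make the intent explicit. Both functions begin and end outside these hunks.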
