NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitc7689ee

committed

Various sepgsql corrections.

KaiGai Kohei

1 parent4262278 commitc7689eeCopy full SHA for c7689ee

File tree

12 files changed

+127

-49

lines changed

contrib/sepgsql
- dml.c
- expected
- hooks.c
- label.c
- launcher
- proc.c
- relation.c
- schema.c
- selinux.c
- sql
  - label.sql

12 files changed

+127

-49

lines changed

`‎contrib/sepgsql/dml.c`

Lines changed: 26 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@`
`14`	`14`	`#include"access/tupdesc.h"`
`15`	`15`	`#include"catalog/catalog.h"`
`16`	`16`	`#include"catalog/heap.h"`
	`17`	`+#include"catalog/dependency.h"`
`17`	`18`	`#include"catalog/pg_attribute.h"`
`18`	`19`	`#include"catalog/pg_class.h"`
`19`	`20`	`#include"catalog/pg_inherits_fn.h"`
`@@ -151,6 +152,7 @@ check_relation_privileges(Oid relOid,`
`151`	`152`	`charrelkind=get_rel_relkind(relOid);`
`152`	`153`	`char*scontext=sepgsql_get_client_label();`
`153`	`154`	`char*tcontext;`
	`155`	`+char*audit_name;`
`154`	`156`	`Bitmapset*columns;`
`155`	`157`	`intindex;`
`156`	`158`	`boolresult= true;`
`@@ -183,17 +185,16 @@ check_relation_privileges(Oid relOid,`
`183`	`185`	`* Check permissions on the relation`
`184`	`186`	`*/`
`185`	`187`	`tcontext=sepgsql_get_label(RelationRelationId,relOid,0);`
	`188`	`+audit_name=getObjectDescriptionOids(RelationRelationId,relOid);`
`186`	`189`	`switch (relkind)`
`187`	`190`	`{`
`188`	`191`	`caseRELKIND_RELATION:`
`189`	`192`	`result=sepgsql_check_perms(scontext,`
`190`	`193`	`tcontext,`
`191`	`194`	`SEPG_CLASS_DB_TABLE,`
`192`	`195`	`required,`
`193`		`-get_rel_name(relOid),`
	`196`	`+audit_name,`
`194`	`197`	`abort);`
`195`		`-if (!result)`
`196`		`-return false;`
`197`	`198`	`break;`
`198`	`199`
`199`	`200`	`caseRELKIND_SEQUENCE:`
`@@ -204,23 +205,31 @@ check_relation_privileges(Oid relOid,`
`204`	`205`	`tcontext,`
`205`	`206`	`SEPG_CLASS_DB_SEQUENCE,`
`206`	`207`	`SEPG_DB_SEQUENCE__GET_VALUE,`
`207`		`-get_rel_name(relOid),`
	`208`	`+audit_name,`
`208`	`209`	`abort);`
`209`		`-returnresult;`
	`210`	`+break;`
`210`	`211`
`211`	`212`	`caseRELKIND_VIEW:`
`212`	`213`	`result=sepgsql_check_perms(scontext,`
`213`	`214`	`tcontext,`
`214`	`215`	`SEPG_CLASS_DB_VIEW,`
`215`	`216`	`SEPG_DB_VIEW__EXPAND,`
`216`		`-get_rel_name(relOid),`
	`217`	`+audit_name,`
`217`	`218`	`abort);`
`218`		`-returnresult;`
	`219`	`+break;`
`219`	`220`
`220`	`221`	`default:`
`221`	`222`	`/* nothing to be checked */`
`222`		`-return true;`
	`223`	`+break;`
`223`	`224`	`}`
	`225`	`+pfree(tcontext);`
	`226`	`+pfree(audit_name);`
	`227`	`+`
	`228`	`+/*`
	`229`	`+ * Only columns owned by relations shall be checked`
	`230`	`+ */`
	`231`	`+if (relkind!=RELKIND_RELATION)`
	`232`	`+return true;`
`224`	`233`
`225`	`234`	`/*`
`226`	`235`	`* Check permissions on the columns`
`@@ -233,7 +242,7 @@ check_relation_privileges(Oid relOid,`
`233`	`242`	`{`
`234`	`243`	`AttrNumberattnum;`
`235`	`244`	`uint32column_perms=0;`
`236`		`-charaudit_name[NAMEDATALEN*2+10];`
	`245`	`+ObjectAddressobject;`
`237`	`246`
`238`	`247`	`if (bms_is_member(index,selected))`
`239`	`248`	`column_perms \|=SEPG_DB_COLUMN__SELECT;`
`@@ -250,15 +259,21 @@ check_relation_privileges(Oid relOid,`
`250`	`259`	`/* obtain column's permission */`
`251`	`260`	`attnum=index+FirstLowInvalidHeapAttributeNumber;`
`252`	`261`	`tcontext=sepgsql_get_label(RelationRelationId,relOid,attnum);`
`253`		`-snprintf(audit_name,sizeof(audit_name),"%s.%s",`
`254`		`-get_rel_name(relOid),get_attname(relOid,attnum));`
	`262`	`+`
	`263`	`+object.classId=RelationRelationId;`
	`264`	`+object.objectId=relOid;`
	`265`	`+object.objectSubId=attnum;`
	`266`	`+audit_name=getObjectDescription(&object);`
`255`	`267`
`256`	`268`	`result=sepgsql_check_perms(scontext,`
`257`	`269`	`tcontext,`
`258`	`270`	`SEPG_CLASS_DB_COLUMN,`
`259`	`271`	`column_perms,`
`260`	`272`	`audit_name,`
`261`	`273`	`abort);`
	`274`	`+pfree(tcontext);`
	`275`	`+pfree(audit_name);`
	`276`	`+`
`262`	`277`	`if (!result)`
`263`	`278`	`returnresult;`
`264`	`279`	`}`

`‎contrib/sepgsql/expected/dml.out`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,15 +42,15 @@ SELECT objtype, objname, label FROM pg_seclabels`
`42`	`42`	`table \| t3 \| system_u:object_r:sepgsql_fixed_table_t:s0`
`43`	`43`	`table \| t4 \| system_u:object_r:sepgsql_secret_table_t:s0`
`44`	`44`	`table \| t5 \| system_u:object_r:sepgsql_table_t:s0`
`45`		`- column \| t5.g \| system_u:object_r:sepgsql_secret_table_t:s0`
`46`		`- column \| t5.f \| system_u:object_r:sepgsql_ro_table_t:s0`
`47`	`45`	`column \| t5.e \| system_u:object_r:sepgsql_table_t:s0`
	`46`	`+ column \| t5.f \| system_u:object_r:sepgsql_ro_table_t:s0`
	`47`	`+ column \| t5.g \| system_u:object_r:sepgsql_secret_table_t:s0`
`48`	`48`	`(8 rows)`
`49`	`49`
`50`	`50`	`-- Hardwired Rules`
`51`	`51`	`UPDATE pg_attribute SET attisdropped = true`
`52`	`52`	`WHERE attrelid = 't5'::regclass AND attname = 'f';-- failed`
`53`		`-ERROR:selinux: hardwired security policy violation`
	`53`	`+ERROR:SELinux: hardwired security policy violation`
`54`	`54`	`--`
`55`	`55`	`-- Simple DML statements`
`56`	`56`	`--`

`‎contrib/sepgsql/expected/label.out`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -56,8 +56,8 @@ SELECT sepgsql_getcon();-- confirm client privilege`
`56`	`56`	`SECURITY LABEL ON TABLE t1`
`57`	`57`	`IS 'system_u:object_r:sepgsql_ro_table_t:s0';-- ok`
`58`	`58`	`SECURITY LABEL ON TABLE t2`
`59`		`- IS 'invalidseuciryt context';-- be failed`
`60`		`-ERROR: invalid security label: "invalidseuciryt context"`
	`59`	`+ IS 'invalidsecurity context';-- be failed`
	`60`	`+ERROR:SELinux:invalid security label: "invalidsecurity context"`
`61`	`61`	`SECURITY LABEL ON COLUMN t2`
`62`	`62`	`IS 'system_u:object_r:sepgsql_ro_table_t:s0';-- be failed`
`63`	`63`	`ERROR: improper relation name (too many dotted names):`

`‎contrib/sepgsql/expected/misc.out`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@`
`2`	`2`	`-- Regression Test for Misc Permission Checks`
`3`	`3`	`--`
`4`	`4`	`LOAD '$libdir/sepgsql';-- failed`
`5`		`-ERROR: SELinux: LOAD is notallowed anyway.`
	`5`	`+ERROR: SELinux: LOAD is notpermitted`

`‎contrib/sepgsql/hooks.c`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ sepgsql_client_auth(Port *port, int status)`
`91`	`91`	`if (getpeercon_raw(port->sock,&context)<0)`
`92`	`92`	`ereport(FATAL,`
`93`	`93`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`94`		`-errmsg("SELinux: unable to get peer label")));`
	`94`	`+errmsg("SELinux: unable to get peer label: %m")));`
`95`	`95`
`96`	`96`	`sepgsql_set_client_label(context);`
`97`	`97`
`@@ -414,7 +414,7 @@ _PG_init(void)`
`414`	`414`	`if (getcon_raw(&context)<0)`
`415`	`415`	`ereport(ERROR,`
`416`	`416`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`417`		`-errmsg("SELinux: failed to get server security label")));`
	`417`	`+errmsg("SELinux: failed to get server security label: %m")));`
`418`	`418`	`sepgsql_set_client_label(context);`
`419`	`419`
`420`	`420`	`/* Security label provider hook */`

`‎contrib/sepgsql/label.c`

Lines changed: 71 additions & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ sepgsql_get_label(Oid classId, Oid objectId, int32 subId)`
`81`	`81`	`if (security_get_initial_context_raw("unlabeled",&unlabeled)<0)`
`82`	`82`	`ereport(ERROR,`
`83`	`83`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`84`		`-errmsg("SELinux: failed to get initial security label")));`
	`84`	`+errmsg("SELinux: failed to get initial security label: %m")));`
`85`	`85`	`PG_TRY();`
`86`	`86`	`{`
`87`	`87`	`label=pstrdup(unlabeled);`
`@@ -184,7 +184,7 @@ sepgsql_mcstrans_in(PG_FUNCTION_ARGS)`
`184`	`184`	`&raw_label)<0)`
`185`	`185`	`ereport(ERROR,`
`186`	`186`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`187`		`-errmsg("SELinux: could not translate security label")));`
	`187`	`+errmsg("SELinux: could not translate security label: %m")));`
`188`	`188`
`189`	`189`	`PG_TRY();`
`190`	`190`	`{`
`@@ -224,7 +224,7 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)`
`224`	`224`	`&qual_label)<0)`
`225`	`225`	`ereport(ERROR,`
`226`	`226`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`227`		`-errmsg("SELinux: could not translate security label")));`
	`227`	`+errmsg("SELinux: could not translate security label: %m")));`
`228`	`228`
`229`	`229`	`PG_TRY();`
`230`	`230`	`{`
`@@ -241,6 +241,51 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)`
`241`	`241`	`PG_RETURN_TEXT_P(cstring_to_text(result));`
`242`	`242`	`}`
`243`	`243`
	`244`	`+/*`
	`245`	`+ * quote_object_names`
	`246`	`+ *`
	`247`	`+ * It tries to quote the supplied identifiers`
	`248`	`+ */`
	`249`	`+staticchar*`
	`250`	`+quote_object_name(constcharsrc1,constcharsrc2,`
	`251`	`+constcharsrc3,constcharsrc4)`
	`252`	`+{`
	`253`	`+StringInfoDataresult;`
	`254`	`+constchar*temp;`
	`255`	`+`
	`256`	`+initStringInfo(&result);`
	`257`	`+`
	`258`	`+if (src1)`
	`259`	`+{`
	`260`	`+temp=quote_identifier(src1);`
	`261`	`+appendStringInfo(&result,"%s",temp);`
	`262`	`+if (src1!=temp)`
	`263`	`+pfree((void*)temp);`
	`264`	`+}`
	`265`	`+if (src2)`
	`266`	`+{`
	`267`	`+temp=quote_identifier(src2);`
	`268`	`+appendStringInfo(&result,".%s",temp);`
	`269`	`+if (src2!=temp)`
	`270`	`+pfree((void*)temp);`
	`271`	`+}`
	`272`	`+if (src3)`
	`273`	`+{`
	`274`	`+temp=quote_identifier(src3);`
	`275`	`+appendStringInfo(&result,".%s",temp);`
	`276`	`+if (src3!=temp)`
	`277`	`+pfree((void*)temp);`
	`278`	`+}`
	`279`	`+if (src4)`
	`280`	`+{`
	`281`	`+temp=quote_identifier(src4);`
	`282`	`+appendStringInfo(&result,".%s",temp);`
	`283`	`+if (src4!=temp)`
	`284`	`+pfree((void*)temp);`
	`285`	`+}`
	`286`	`+returnresult.data;`
	`287`	`+}`
	`288`	`+`
`244`	`289`	`/*`
`245`	`290`	`* exec_object_restorecon`
`246`	`291`	`*`
`@@ -273,7 +318,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)`
`273`	`318`	`Form_pg_classrelForm;`
`274`	`319`	`Form_pg_attributeattForm;`
`275`	`320`	`Form_pg_procproForm;`
`276`		`-charobjname[NAMEDATALEN*4+10];`
	`321`	`+char*objname;`
`277`	`322`	`intobjtype=1234;`
`278`	`323`	`ObjectAddressobject;`
`279`	`324`	`security_context_tcontext;`
`@@ -288,8 +333,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)`
`288`	`333`	`nspForm= (Form_pg_namespace)GETSTRUCT(tuple);`
`289`	`334`
`290`	`335`	`objtype=SELABEL_DB_SCHEMA;`
`291`		`-snprintf(objname,sizeof(objname),"%s.%s",`
`292`		`-database_name,NameStr(nspForm->nspname));`
	`336`	`+`
	`337`	`+objname=quote_object_name(database_name,`
	`338`	`+NameStr(nspForm->nspname),`
	`339`	`+NULL,NULL);`
`293`	`340`
`294`	`341`	`object.classId=NamespaceRelationId;`
`295`	`342`	`object.objectId=HeapTupleGetOid(tuple);`
`@@ -309,9 +356,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)`
`309`	`356`	`continue;/* no need to assign security label */`
`310`	`357`
`311`	`358`	`namespace_name=get_namespace_name(relForm->relnamespace);`
`312`		`-snprintf(objname,sizeof(objname),"%s.%s.%s",`
`313`		`-database_name,namespace_name,`
`314`		`-NameStr(relForm->relname));`
	`359`	`+objname=quote_object_name(database_name,`
	`360`	`+namespace_name,`
	`361`	`+NameStr(relForm->relname),`
	`362`	`+NULL);`
`315`	`363`	`pfree(namespace_name);`
`316`	`364`
`317`	`365`	`object.classId=RelationRelationId;`
`@@ -330,11 +378,12 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)`
`330`	`378`	`namespace_id=get_rel_namespace(attForm->attrelid);`
`331`	`379`	`namespace_name=get_namespace_name(namespace_id);`
`332`	`380`	`relation_name=get_rel_name(attForm->attrelid);`
`333`		`-snprintf(objname,sizeof(objname),"%s.%s.%s.%s",`
`334`		`-database_name,namespace_name,`
`335`		`-relation_name,NameStr(attForm->attname));`
`336`		`-pfree(relation_name);`
	`381`	`+objname=quote_object_name(database_name,`
	`382`	`+namespace_name,`
	`383`	`+relation_name,`
	`384`	`+NameStr(attForm->attname));`
`337`	`385`	`pfree(namespace_name);`
	`386`	`+pfree(relation_name);`
`338`	`387`
`339`	`388`	`object.classId=RelationRelationId;`
`340`	`389`	`object.objectId=attForm->attrelid;`
`@@ -347,9 +396,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)`
`347`	`396`	`objtype=SELABEL_DB_PROCEDURE;`
`348`	`397`
`349`	`398`	`namespace_name=get_namespace_name(proForm->pronamespace);`
`350`		`-snprintf(objname,sizeof(objname),"%s.%s.%s",`
`351`		`-database_name,namespace_name,`
`352`		`-NameStr(proForm->proname));`
	`399`	`+objname=quote_object_name(database_name,`
	`400`	`+namespace_name,`
	`401`	`+NameStr(proForm->proname),`
	`402`	`+NULL);`
`353`	`403`	`pfree(namespace_name);`
`354`	`404`
`355`	`405`	`object.classId=ProcedureRelationId;`
`@@ -359,6 +409,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)`
`359`	`409`
`360`	`410`	`default:`
`361`	`411`	`elog(ERROR,"unexpected catalog id: %u",catalogId);`
	`412`	`+objname=NULL;/* for compiler quiet */`
`362`	`413`	`break;`
`363`	`414`	`}`
`364`	`415`
`@@ -389,7 +440,9 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)`
`389`	`440`	`else`
`390`	`441`	`ereport(ERROR,`
`391`	`442`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`392`		`-errmsg("SELinux: could not determine initial security label for %s (type=%d)",objname,objtype)));`
	`443`	`+errmsg("SELinux: could not determine initial security label for %s (type=%d): %m",objname,objtype)));`
	`444`	`+`
	`445`	`+pfree(objname);`
`393`	`446`	`}`
`394`	`447`	`systable_endscan(sscan);`
`395`	`448`
`@@ -449,7 +502,7 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)`
`449`	`502`	`if (!sehnd)`
`450`	`503`	`ereport(ERROR,`
`451`	`504`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`452`		`-errmsg("SELinux: failed to initialize labeling handle")));`
	`505`	`+errmsg("SELinux: failed to initialize labeling handle: %m")));`
`453`	`506`	`PG_TRY();`
`454`	`507`	`{`
`455`	`508`	`/*`

`‎contrib/sepgsql/launcher`

100644100755

File mode changed.

`‎contrib/sepgsql/proc.c`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`	`#include"access/genam.h"`
`14`	`14`	`#include"access/heapam.h"`
`15`	`15`	`#include"access/sysattr.h"`
	`16`	`+#include"catalog/dependency.h"`
`16`	`17`	`#include"catalog/indexing.h"`
`17`	`18`	`#include"catalog/pg_namespace.h"`
`18`	`19`	`#include"catalog/pg_proc.h"`
`@@ -99,7 +100,7 @@ sepgsql_proc_relabel(Oid functionId, const char *seclabel)`
`99`	`100`	`char*tcontext;`
`100`	`101`	`char*audit_name;`
`101`	`102`
`102`		`-audit_name=get_func_name(functionId);`
	`103`	`+audit_name=getObjectDescriptionOids(ProcedureRelationId,functionId);`
`103`	`104`
`104`	`105`	`/*`
`105`	`106`	`* check db_procedure:{setattr relabelfrom} permission`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc7689ee

File tree

12 files changed

12 files changed

`‎contrib/sepgsql/dml.c`

`‎contrib/sepgsql/expected/dml.out`

`‎contrib/sepgsql/expected/label.out`

`‎contrib/sepgsql/expected/misc.out`

`‎contrib/sepgsql/hooks.c`

`‎contrib/sepgsql/label.c`

`‎contrib/sepgsql/launcher`

`‎contrib/sepgsql/proc.c`

0 commit comments