Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitc7689ee

Browse files
committed
Various sepgsql corrections.
KaiGai Kohei
1 parent4262278 commitc7689ee

File tree

12 files changed

+127
-49
lines changed

12 files changed

+127
-49
lines changed

‎contrib/sepgsql/dml.c‎

Lines changed: 26 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@
1414
#include"access/tupdesc.h"
1515
#include"catalog/catalog.h"
1616
#include"catalog/heap.h"
17+
#include"catalog/dependency.h"
1718
#include"catalog/pg_attribute.h"
1819
#include"catalog/pg_class.h"
1920
#include"catalog/pg_inherits_fn.h"
@@ -151,6 +152,7 @@ check_relation_privileges(Oid relOid,
151152
charrelkind=get_rel_relkind(relOid);
152153
char*scontext=sepgsql_get_client_label();
153154
char*tcontext;
155+
char*audit_name;
154156
Bitmapset*columns;
155157
intindex;
156158
boolresult= true;
@@ -183,17 +185,16 @@ check_relation_privileges(Oid relOid,
183185
* Check permissions on the relation
184186
*/
185187
tcontext=sepgsql_get_label(RelationRelationId,relOid,0);
188+
audit_name=getObjectDescriptionOids(RelationRelationId,relOid);
186189
switch (relkind)
187190
{
188191
caseRELKIND_RELATION:
189192
result=sepgsql_check_perms(scontext,
190193
tcontext,
191194
SEPG_CLASS_DB_TABLE,
192195
required,
193-
get_rel_name(relOid),
196+
audit_name,
194197
abort);
195-
if (!result)
196-
return false;
197198
break;
198199

199200
caseRELKIND_SEQUENCE:
@@ -204,23 +205,31 @@ check_relation_privileges(Oid relOid,
204205
tcontext,
205206
SEPG_CLASS_DB_SEQUENCE,
206207
SEPG_DB_SEQUENCE__GET_VALUE,
207-
get_rel_name(relOid),
208+
audit_name,
208209
abort);
209-
returnresult;
210+
break;
210211

211212
caseRELKIND_VIEW:
212213
result=sepgsql_check_perms(scontext,
213214
tcontext,
214215
SEPG_CLASS_DB_VIEW,
215216
SEPG_DB_VIEW__EXPAND,
216-
get_rel_name(relOid),
217+
audit_name,
217218
abort);
218-
returnresult;
219+
break;
219220

220221
default:
221222
/* nothing to be checked */
222-
return true;
223+
break;
223224
}
225+
pfree(tcontext);
226+
pfree(audit_name);
227+
228+
/*
229+
* Only columns owned by relations shall be checked
230+
*/
231+
if (relkind!=RELKIND_RELATION)
232+
return true;
224233

225234
/*
226235
* Check permissions on the columns
@@ -233,7 +242,7 @@ check_relation_privileges(Oid relOid,
233242
{
234243
AttrNumberattnum;
235244
uint32column_perms=0;
236-
charaudit_name[NAMEDATALEN*2+10];
245+
ObjectAddressobject;
237246

238247
if (bms_is_member(index,selected))
239248
column_perms |=SEPG_DB_COLUMN__SELECT;
@@ -250,15 +259,21 @@ check_relation_privileges(Oid relOid,
250259
/* obtain column's permission */
251260
attnum=index+FirstLowInvalidHeapAttributeNumber;
252261
tcontext=sepgsql_get_label(RelationRelationId,relOid,attnum);
253-
snprintf(audit_name,sizeof(audit_name),"%s.%s",
254-
get_rel_name(relOid),get_attname(relOid,attnum));
262+
263+
object.classId=RelationRelationId;
264+
object.objectId=relOid;
265+
object.objectSubId=attnum;
266+
audit_name=getObjectDescription(&object);
255267

256268
result=sepgsql_check_perms(scontext,
257269
tcontext,
258270
SEPG_CLASS_DB_COLUMN,
259271
column_perms,
260272
audit_name,
261273
abort);
274+
pfree(tcontext);
275+
pfree(audit_name);
276+
262277
if (!result)
263278
returnresult;
264279
}

‎contrib/sepgsql/expected/dml.out‎

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -42,15 +42,15 @@ SELECT objtype, objname, label FROM pg_seclabels
4242
table | t3 | system_u:object_r:sepgsql_fixed_table_t:s0
4343
table | t4 | system_u:object_r:sepgsql_secret_table_t:s0
4444
table | t5 | system_u:object_r:sepgsql_table_t:s0
45-
column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0
46-
column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0
4745
column | t5.e | system_u:object_r:sepgsql_table_t:s0
46+
column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0
47+
column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0
4848
(8 rows)
4949

5050
-- Hardwired Rules
5151
UPDATE pg_attribute SET attisdropped = true
5252
WHERE attrelid = 't5'::regclass AND attname = 'f';-- failed
53-
ERROR:selinux: hardwired security policy violation
53+
ERROR:SELinux: hardwired security policy violation
5454
--
5555
-- Simple DML statements
5656
--

‎contrib/sepgsql/expected/label.out‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -56,8 +56,8 @@ SELECT sepgsql_getcon();-- confirm client privilege
5656
SECURITY LABEL ON TABLE t1
5757
IS 'system_u:object_r:sepgsql_ro_table_t:s0';-- ok
5858
SECURITY LABEL ON TABLE t2
59-
IS 'invalidseuciryt context';-- be failed
60-
ERROR: invalid security label: "invalidseuciryt context"
59+
IS 'invalidsecurity context';-- be failed
60+
ERROR:SELinux:invalid security label: "invalidsecurity context"
6161
SECURITY LABEL ON COLUMN t2
6262
IS 'system_u:object_r:sepgsql_ro_table_t:s0';-- be failed
6363
ERROR: improper relation name (too many dotted names):

‎contrib/sepgsql/expected/misc.out‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22
-- Regression Test for Misc Permission Checks
33
--
44
LOAD '$libdir/sepgsql';-- failed
5-
ERROR: SELinux: LOAD is notallowed anyway.
5+
ERROR: SELinux: LOAD is notpermitted

‎contrib/sepgsql/hooks.c‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -91,7 +91,7 @@ sepgsql_client_auth(Port *port, int status)
9191
if (getpeercon_raw(port->sock,&context)<0)
9292
ereport(FATAL,
9393
(errcode(ERRCODE_INTERNAL_ERROR),
94-
errmsg("SELinux: unable to get peer label")));
94+
errmsg("SELinux: unable to get peer label: %m")));
9595

9696
sepgsql_set_client_label(context);
9797

@@ -414,7 +414,7 @@ _PG_init(void)
414414
if (getcon_raw(&context)<0)
415415
ereport(ERROR,
416416
(errcode(ERRCODE_INTERNAL_ERROR),
417-
errmsg("SELinux: failed to get server security label")));
417+
errmsg("SELinux: failed to get server security label: %m")));
418418
sepgsql_set_client_label(context);
419419

420420
/* Security label provider hook */

‎contrib/sepgsql/label.c‎

Lines changed: 71 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@ sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
8181
if (security_get_initial_context_raw("unlabeled",&unlabeled)<0)
8282
ereport(ERROR,
8383
(errcode(ERRCODE_INTERNAL_ERROR),
84-
errmsg("SELinux: failed to get initial security label")));
84+
errmsg("SELinux: failed to get initial security label: %m")));
8585
PG_TRY();
8686
{
8787
label=pstrdup(unlabeled);
@@ -184,7 +184,7 @@ sepgsql_mcstrans_in(PG_FUNCTION_ARGS)
184184
&raw_label)<0)
185185
ereport(ERROR,
186186
(errcode(ERRCODE_INTERNAL_ERROR),
187-
errmsg("SELinux: could not translate security label")));
187+
errmsg("SELinux: could not translate security label: %m")));
188188

189189
PG_TRY();
190190
{
@@ -224,7 +224,7 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
224224
&qual_label)<0)
225225
ereport(ERROR,
226226
(errcode(ERRCODE_INTERNAL_ERROR),
227-
errmsg("SELinux: could not translate security label")));
227+
errmsg("SELinux: could not translate security label: %m")));
228228

229229
PG_TRY();
230230
{
@@ -241,6 +241,51 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
241241
PG_RETURN_TEXT_P(cstring_to_text(result));
242242
}
243243

244+
/*
245+
* quote_object_names
246+
*
247+
* It tries to quote the supplied identifiers
248+
*/
249+
staticchar*
250+
quote_object_name(constchar*src1,constchar*src2,
251+
constchar*src3,constchar*src4)
252+
{
253+
StringInfoDataresult;
254+
constchar*temp;
255+
256+
initStringInfo(&result);
257+
258+
if (src1)
259+
{
260+
temp=quote_identifier(src1);
261+
appendStringInfo(&result,"%s",temp);
262+
if (src1!=temp)
263+
pfree((void*)temp);
264+
}
265+
if (src2)
266+
{
267+
temp=quote_identifier(src2);
268+
appendStringInfo(&result,".%s",temp);
269+
if (src2!=temp)
270+
pfree((void*)temp);
271+
}
272+
if (src3)
273+
{
274+
temp=quote_identifier(src3);
275+
appendStringInfo(&result,".%s",temp);
276+
if (src3!=temp)
277+
pfree((void*)temp);
278+
}
279+
if (src4)
280+
{
281+
temp=quote_identifier(src4);
282+
appendStringInfo(&result,".%s",temp);
283+
if (src4!=temp)
284+
pfree((void*)temp);
285+
}
286+
returnresult.data;
287+
}
288+
244289
/*
245290
* exec_object_restorecon
246291
*
@@ -273,7 +318,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
273318
Form_pg_classrelForm;
274319
Form_pg_attributeattForm;
275320
Form_pg_procproForm;
276-
charobjname[NAMEDATALEN*4+10];
321+
char*objname;
277322
intobjtype=1234;
278323
ObjectAddressobject;
279324
security_context_tcontext;
@@ -288,8 +333,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
288333
nspForm= (Form_pg_namespace)GETSTRUCT(tuple);
289334

290335
objtype=SELABEL_DB_SCHEMA;
291-
snprintf(objname,sizeof(objname),"%s.%s",
292-
database_name,NameStr(nspForm->nspname));
336+
337+
objname=quote_object_name(database_name,
338+
NameStr(nspForm->nspname),
339+
NULL,NULL);
293340

294341
object.classId=NamespaceRelationId;
295342
object.objectId=HeapTupleGetOid(tuple);
@@ -309,9 +356,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
309356
continue;/* no need to assign security label */
310357

311358
namespace_name=get_namespace_name(relForm->relnamespace);
312-
snprintf(objname,sizeof(objname),"%s.%s.%s",
313-
database_name,namespace_name,
314-
NameStr(relForm->relname));
359+
objname=quote_object_name(database_name,
360+
namespace_name,
361+
NameStr(relForm->relname),
362+
NULL);
315363
pfree(namespace_name);
316364

317365
object.classId=RelationRelationId;
@@ -330,11 +378,12 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
330378
namespace_id=get_rel_namespace(attForm->attrelid);
331379
namespace_name=get_namespace_name(namespace_id);
332380
relation_name=get_rel_name(attForm->attrelid);
333-
snprintf(objname,sizeof(objname),"%s.%s.%s.%s",
334-
database_name,namespace_name,
335-
relation_name,NameStr(attForm->attname));
336-
pfree(relation_name);
381+
objname=quote_object_name(database_name,
382+
namespace_name,
383+
relation_name,
384+
NameStr(attForm->attname));
337385
pfree(namespace_name);
386+
pfree(relation_name);
338387

339388
object.classId=RelationRelationId;
340389
object.objectId=attForm->attrelid;
@@ -347,9 +396,10 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
347396
objtype=SELABEL_DB_PROCEDURE;
348397

349398
namespace_name=get_namespace_name(proForm->pronamespace);
350-
snprintf(objname,sizeof(objname),"%s.%s.%s",
351-
database_name,namespace_name,
352-
NameStr(proForm->proname));
399+
objname=quote_object_name(database_name,
400+
namespace_name,
401+
NameStr(proForm->proname),
402+
NULL);
353403
pfree(namespace_name);
354404

355405
object.classId=ProcedureRelationId;
@@ -359,6 +409,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
359409

360410
default:
361411
elog(ERROR,"unexpected catalog id: %u",catalogId);
412+
objname=NULL;/* for compiler quiet */
362413
break;
363414
}
364415

@@ -389,7 +440,9 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
389440
else
390441
ereport(ERROR,
391442
(errcode(ERRCODE_INTERNAL_ERROR),
392-
errmsg("SELinux: could not determine initial security label for %s (type=%d)",objname,objtype)));
443+
errmsg("SELinux: could not determine initial security label for %s (type=%d): %m",objname,objtype)));
444+
445+
pfree(objname);
393446
}
394447
systable_endscan(sscan);
395448

@@ -449,7 +502,7 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)
449502
if (!sehnd)
450503
ereport(ERROR,
451504
(errcode(ERRCODE_INTERNAL_ERROR),
452-
errmsg("SELinux: failed to initialize labeling handle")));
505+
errmsg("SELinux: failed to initialize labeling handle: %m")));
453506
PG_TRY();
454507
{
455508
/*

‎contrib/sepgsql/launcher‎

100644100755
File mode changed.

‎contrib/sepgsql/proc.c‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@
1313
#include"access/genam.h"
1414
#include"access/heapam.h"
1515
#include"access/sysattr.h"
16+
#include"catalog/dependency.h"
1617
#include"catalog/indexing.h"
1718
#include"catalog/pg_namespace.h"
1819
#include"catalog/pg_proc.h"
@@ -99,7 +100,7 @@ sepgsql_proc_relabel(Oid functionId, const char *seclabel)
99100
char*tcontext;
100101
char*audit_name;
101102

102-
audit_name=get_func_name(functionId);
103+
audit_name=getObjectDescriptionOids(ProcedureRelationId,functionId);
103104

104105
/*
105106
* check db_procedure:{setattr relabelfrom} permission

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp