Commit1cea9bb

committed
sepgsql: Support for new post-ALTER access hook.
KaiGai Kohei
1 parentbc5334d commit1cea9bb


12 files changed

+693
-13
lines changed


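--- a/contrib/sepgsql/database.c
+++ b/contrib/sepgsql/database.c
@@ -148,6 +148,33 @@ sepgsql_database_drop(Oid databaseId)
 pfree(audit_name);
 }
 
+/*
+* sepgsql_database_post_alter
+*
+* It checks privileges to alter the supplied database
+*/
+void
+sepgsql_database_setattr(OiddatabaseId)
+{
+ObjectAddressobject;
+char*audit_name;
+
+/*
+* check db_database:{setattr} permission
+*/
+object.classId=DatabaseRelationId;
+object.objectId=databaseId;
+object.objectSubId=0;
+audit_name=getObjectDescription(&object);
+
+sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_DATABASE,
+SEPG_DB_DATABASE__SETATTR,
+audit_name,
+true);
+pfree(audit_name);
+}
+
 /*
 * sepgsql_database_relabel
 *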
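Review bot: The header comment on the new function names it `sepgsql_database_post_alter`, but the definition directly below is `sepgsql_database_setattr`, which is also the name the new `OAT_POST_ALTER` case in hooks.c calls. The comment line should read `* sepgsql_database_setattr` so that a search for the function name finds its description. The description could also state that the check is `db_database:{setattr}` and what happens on denial; the final `true` argument to `sepgsql_avc_check_perms` looks like an abort-on-violation flag, but its meaning is not visible in this hunk.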

‎contrib/sepgsql/expected/alter.out

Lines changed: 192 additions & 0 deletions
Large diffs are not rendered by default.

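--- a/contrib/sepgsql/expected/ddl.out
+++ b/contrib/sepgsql/expected/ddl.out
@@ -1,6 +1,11 @@
 --
 -- Regression Test for DDL of Object Permission Checks
 --
+-- clean-up in case a prior regression run failed
+SET client_min_messages TO 'warning';
+DROP DATABASE IF EXISTS regtest_sepgsql_test_database;
+DROP USER IF EXISTS regtest_sepgsql_test_user;
+RESET client_min_messages;
 -- confirm required permissions using audit messages
 SELECT sepgsql_getcon();-- confirm client privilege
 sepgsql_getcon
@@ -36,6 +41,7 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_
 LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column y"
 LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"
 LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table"
+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="sequence regtest_table_x_seq"
 ALTER TABLE regtest_table ADD COLUMN z int;
 LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column z"
 CREATE TABLE regtest_table_2 (a int) WITH OIDS;
@@ -61,6 +67,7 @@ CREATE SEQUENCE regtest_seq;
 LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"
 LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="sequence regtest_seq"
 CREATE TYPE regtest_comptype AS (a int, b text);
+LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"
 CREATE FUNCTION regtest_func(text,int[]) RETURNS bool LANGUAGE plpgsql
 AS 'BEGIN RAISE NOTICE ''regtest_func => %'', $1; RETURN true; END';
 LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"
@@ -86,6 +93,7 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_
 LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_3 column ctid"
 LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_3 column x"
 LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_3 column y"
+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="sequence regtest_table_3_y_seq"
 CREATE VIEW regtest_view_2 AS SELECT * FROM regtest_table_3 WHERE x < y;
 LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"
 LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="view regtest_view_2"
@@ -118,6 +126,7 @@ CREATE INDEX regtest_index_tbl4_z ON regtest_table_4(z);
 LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"
 LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"
 ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float;
+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column y"
 DROP INDEX regtest_index_tbl4_y;
 LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"
 LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"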

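--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -188,6 +188,54 @@ sepgsql_object_access(ObjectAccessType access,
 }
 break;
 
+caseOAT_POST_ALTER:
+{
+ObjectAccessPostAlter*pa_arg=arg;
+boolis_internal=pa_arg->is_internal;
+
+switch (classId)
+{
+caseDatabaseRelationId:
+Assert(!is_internal);
+sepgsql_database_setattr(objectId);
+break;
+
+caseNamespaceRelationId:
+Assert(!is_internal);
+sepgsql_schema_setattr(objectId);
+break;
+
+caseRelationRelationId:
+if (subId==0)
+{
+/*
+* A case when we don't want to apply permission
+* check is that relation is internally altered
+* without user's intention. E.g, no need to
+* check on toast table/index to be renamed at
+* end of the table rewrites.
+*/
+if (is_internal)
+break;
+
+sepgsql_relation_setattr(objectId);
+}
+else
+sepgsql_attribute_setattr(objectId,subId);
+break;
+
+caseProcedureRelationId:
+Assert(!is_internal);
+sepgsql_proc_setattr(objectId);
+break;
+
+default:
+/* Ignore unsupported object classes */
+break;
+}
+}
+break;
+
 default:
 elog(ERROR,"unexpected object access type: %d", (int)access);
 break;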
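Review bot: In the `RelationRelationId` case the `is_internal` flag is honoured only when `subId==0`; the `else` branch calls `sepgsql_attribute_setattr(objectId,subId)` unconditionally, and the comment explains only the relation-level skip. If an internally triggered column alteration can reach this hook (not visible in this hunk), the column check would be evaluated against the client's context and could deny or audit an action the user never requested. Either record the intent with a comment such as `/* column-level alterations are always checked; none are expected to be internal */` or test `is_internal` in that branch as well. The three `Assert(!is_internal)` lines vanish in non-assert builds, where the permission check simply runs, which fails closed. The enclosing `sepgsql_object_access` starts and ends outside the hunk.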

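--- a/contrib/sepgsql/proc.c
+++ b/contrib/sepgsql/proc.c
@@ -23,6 +23,7 @@
 #include"utils/builtins.h"
 #include"utils/fmgroids.h"
 #include"utils/lsyscache.h"
+#include"utils/syscache.h"
 #include"utils/tqual.h"
 
 #include"sepgsql.h"
@@ -43,6 +44,7 @@ sepgsql_proc_post_create(Oid functionId)
 char*scontext;
 char*tcontext;
 char*ncontext;
+uint32required;
 inti;
 StringInfoDataaudit_name;
 ObjectAddressobject;
@@ -96,7 +98,7 @@ sepgsql_proc_post_create(Oid functionId)
 SEPG_CLASS_DB_PROCEDURE);
 
 /*
-* check db_procedure:{create} permission
+* check db_procedure:{create (install)} permission
 */
 initStringInfo(&audit_name);
 appendStringInfo(&audit_name,"function %s(",NameStr(proForm->proname));
@@ -110,9 +112,13 @@ sepgsql_proc_post_create(Oid functionId)
 }
 appendStringInfoChar(&audit_name,')');
 
+required=SEPG_DB_PROCEDURE__CREATE;
+if (proForm->proleakproof)
+required |=SEPG_DB_PROCEDURE__INSTALL;
+
 sepgsql_avc_check_perms_label(ncontext,
 SEPG_CLASS_DB_PROCEDURE,
-SEPG_DB_PROCEDURE__CREATE,
+required,
 audit_name.data,
 true);
 
@@ -214,3 +220,83 @@ sepgsql_proc_relabel(Oid functionId, const char *seclabel)
 true);
 pfree(audit_name);
 }
+
+/*
+* sepgsql_proc_setattr
+*
+* It checks privileges to alter the supplied function.
+*/
+void
+sepgsql_proc_setattr(OidfunctionId)
+{
+Relationrel;
+ScanKeyDataskey;
+SysScanDescsscan;
+HeapTupleoldtup;
+HeapTuplenewtup;
+Form_pg_procoldform;
+Form_pg_procnewform;
+uint32required;
+ObjectAddressobject;
+char*audit_name;
+
+/*
+* Fetch newer catalog
+*/
+rel=heap_open(ProcedureRelationId,AccessShareLock);
+
+ScanKeyInit(&skey,
+ObjectIdAttributeNumber,
+BTEqualStrategyNumber,F_OIDEQ,
+ObjectIdGetDatum(functionId));
+
+sscan=systable_beginscan(rel,ProcedureOidIndexId, true,
+SnapshotSelf,1,&skey);
+newtup=systable_getnext(sscan);
+if (!HeapTupleIsValid(newtup))
+elog(ERROR,"catalog lookup failed for function %u",functionId);
+newform= (Form_pg_proc)GETSTRUCT(newtup);
+
+/*
+* Fetch older catalog
+*/
+oldtup=SearchSysCache1(PROCOID,ObjectIdGetDatum(functionId));
+if (!HeapTupleIsValid(oldtup))
+elog(ERROR,"cache lookup failed for function %u",functionId);
+oldform= (Form_pg_proc)GETSTRUCT(oldtup);
+
+/*
+* Does this ALTER command takes operation to namespace?
+*/
+if (newform->pronamespace!=oldform->pronamespace)
+{
+sepgsql_schema_remove_name(oldform->pronamespace);
+sepgsql_schema_add_name(oldform->pronamespace);
+}
+if (strcmp(NameStr(newform->proname),NameStr(oldform->proname))!=0)
+sepgsql_schema_rename(oldform->pronamespace);
+
+/*
+* check db_procedure:{setattr (install)} permission
+*/
+required=SEPG_DB_PROCEDURE__SETATTR;
+if (!oldform->proleakproof&&newform->proleakproof)
+required |=SEPG_DB_PROCEDURE__INSTALL;
+
+object.classId=ProcedureRelationId;
+object.objectId=functionId;
+object.objectSubId=0;
+audit_name=getObjectDescription(&object);
+
+sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_PROCEDURE,
+required,
+audit_name,
+true);
+/* cleanups */
+pfree(audit_name);
+
+ReleaseSysCache(oldtup);
+systable_endscan(sscan);
+heap_close(rel,AccessShareLock);
+}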
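Review bot: In `sepgsql_proc_setattr` the schema-change branch passes the old namespace to both checks: `sepgsql_schema_add_name(oldform->pronamespace);`. The `add_name` permission is therefore evaluated on the schema the function is leaving and the destination schema is never consulted, so a move into a schema where the client lacks `db_schema:{add_name}` would not be denied by this hook. The parallel code added to `sepgsql_relation_setattr` in relation.c passes `newform->relnamespace`; this line should be `sepgsql_schema_add_name(newform->pronamespace);`. A regression case that moves a function into a differently labelled schema and checks the audit line's `tcontext` would pin the behaviour.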

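--- a/contrib/sepgsql/relation.c
+++ b/contrib/sepgsql/relation.c
@@ -190,6 +190,36 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
 pfree(audit_name);
 }
 
+/*
+* sepgsql_attribute_setattr
+*
+* It checks privileges to alter the supplied column.
+*/
+void
+sepgsql_attribute_setattr(OidrelOid,AttrNumberattnum)
+{
+ObjectAddressobject;
+char*audit_name;
+
+if (get_rel_relkind(relOid)!=RELKIND_RELATION)
+return;
+
+/*
+* check db_column:{setattr} permission
+*/
+object.classId=RelationRelationId;
+object.objectId=relOid;
+object.objectSubId=attnum;
+audit_name=getObjectDescription(&object);
+
+sepgsql_avc_check_perms(&object,
+SEPG_CLASS_DB_COLUMN,
+SEPG_DB_COLUMN__SETATTR,
+audit_name,
+true);
+pfree(audit_name);
+}
+
 /*
 * sepgsql_relation_post_create
 *
@@ -529,6 +559,13 @@ sepgsql_relation_relabel(Oid relOid, const char *seclabel)
 void
 sepgsql_relation_setattr(OidrelOid)
 {
+Relationrel;
+ScanKeyDataskey;
+SysScanDescsscan;
+HeapTupleoldtup;
+HeapTuplenewtup;
+Form_pg_classoldform;
+Form_pg_classnewform;
 ObjectAddressobject;
 char*audit_name;
 uint16_ttclass;
@@ -553,26 +590,66 @@ sepgsql_relation_setattr(Oid relOid)
 return;
 }
 
-object.classId=RelationRelationId;
-object.objectId=relOid;
-object.objectSubId=0;
-audit_name=getObjectDescription(&object);
+/*
+* Fetch newer catalog
+*/
+rel=heap_open(RelationRelationId,AccessShareLock);
+
+ScanKeyInit(&skey,
+ObjectIdAttributeNumber,
+BTEqualStrategyNumber,F_OIDEQ,
+ObjectIdGetDatum(relOid));
+
+sscan=systable_beginscan(rel,ClassOidIndexId, true,
+SnapshotSelf,1,&skey);
+
+newtup=systable_getnext(sscan);
+if (!HeapTupleIsValid(newtup))
+elog(ERROR,"catalog lookup failed for relation %u",relOid);
+newform= (Form_pg_class)GETSTRUCT(newtup);
 
 /*
-* XXX - we should add checks related to namespace stuff, when
-* object_access_hook get support for ALTER statement. Right now, there is
-* no invocation path on ALTER ... RENAME TO / SET SCHEMA.
+* Fetch older catalog
+*/
+oldtup=SearchSysCache1(RELOID,ObjectIdGetDatum(relOid));
+if (!HeapTupleIsValid(oldtup))
+elog(ERROR,"cache lookup failed for relation %u",relOid);
+oldform= (Form_pg_class)GETSTRUCT(oldtup);
+
+/*
+* Does this ALTER command takes operation to namespace?
+*/
+if (newform->relnamespace!=oldform->relnamespace)
+{
+sepgsql_schema_remove_name(oldform->relnamespace);
+sepgsql_schema_add_name(newform->relnamespace);
+}
+if (strcmp(NameStr(newform->relname),NameStr(oldform->relname))!=0)
+sepgsql_schema_rename(oldform->relnamespace);
+
+/*
+* XXX - In the future version, db_tuple:{use} of system catalog entry
+* shall be checked, if tablespace configuration is changed.
 */
 
 /*
 * check db_xxx:{setattr} permission
 */
+object.classId=RelationRelationId;
+object.objectId=relOid;
+object.objectSubId=0;
+audit_name=getObjectDescription(&object);
+
 sepgsql_avc_check_perms(&object,
 tclass,
 SEPG_DB_TABLE__SETATTR,
 audit_name,
 true);
 pfree(audit_name);
+
+ReleaseSysCache(oldtup);
+systable_endscan(sscan);
+heap_close(rel,AccessShareLock);
 }
 
 /*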
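Review bot: `sepgsql_relation_setattr` tells the old row from the new one only by how each is read, a syscache lookup for `oldtup` and a `SnapshotSelf` index scan for `newtup`, and the comments `Fetch newer catalog` / `Fetch older catalog` do not say why the two reads differ. This presumably relies on the hook running after the catalog update but before the command counter advances; if a call site invoked it later, both reads would return the same row and the `remove_name`/`add_name`/rename checks would be skipped without any error. A comment above the scan should record that assumption, for example `/* SnapshotSelf sees our own not-yet-visible update; the syscache still returns the pre-ALTER tuple */`. The same fetch sequence is repeated in `sepgsql_proc_setattr` in proc.c, so a shared helper would keep the two copies from drifting. Part of this function's body lies between the second and third hunks and is not shown.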
