1818#include "commands/seclabel.h"
1919#include "executor/executor.h"
2020#include "fmgr.h"
21- #include "libpq/auth.h"
2221#include "miscadmin.h"
2322#include "tcop/utility.h"
2423#include "utils/guc.h"
@@ -36,10 +35,7 @@ void_PG_init(void);
3635 * Saved hook entries (if stacked)
3736 */
3837static object_access_hook_type next_object_access_hook = NULL ;
39- static ClientAuthentication_hook_type next_client_auth_hook = NULL ;
4038static ExecutorCheckPerms_hook_type next_exec_check_perms_hook = NULL ;
41- static needs_fmgr_hook_type next_needs_fmgr_hook = NULL ;
42- static fmgr_hook_type next_fmgr_hook = NULL ;
4339static ProcessUtility_hook_type next_ProcessUtility_hook = NULL ;
4440static ExecutorStart_hook_type next_ExecutorStart_hook = NULL ;
4541
@@ -81,48 +77,6 @@ sepgsql_get_debug_audit(void)
8177return sepgsql_debug_audit ;
8278}
8379
84- /*
85- * sepgsql_client_auth
86- *
87- * Entrypoint of the client authentication hook.
88- * It switches the client label according to getpeercon(), and the current
89- * performing mode according to the GUC setting.
90- */
91- static void
92- sepgsql_client_auth (Port * port ,int status )
93- {
94- char * context ;
95-
96- if (next_client_auth_hook )
97- (* next_client_auth_hook ) (port ,status );
98-
99- /*
100- * In the case when authentication failed, the supplied socket shall be
101- * closed soon, so we don't need to do anything here.
102- */
103- if (status != STATUS_OK )
104- return ;
105-
106- /*
107- * Getting security label of the peer process using API of libselinux.
108- */
109- if (getpeercon_raw (port -> sock ,& context )< 0 )
110- ereport (FATAL ,
111- (errcode (ERRCODE_INTERNAL_ERROR ),
112- errmsg ("SELinux: unable to get peer label: %m" )));
113-
114- sepgsql_set_client_label (context );
115-
116- /*
117- * Switch the current performing mode from INTERNAL to either DEFAULT or
118- * PERMISSIVE.
119- */
120- if (sepgsql_permissive )
121- sepgsql_set_mode (SEPGSQL_MODE_PERMISSIVE );
122- else
123- sepgsql_set_mode (SEPGSQL_MODE_DEFAULT );
124- }
125-
12680/*
12781 * sepgsql_object_access
12882 *
@@ -220,121 +174,6 @@ sepgsql_exec_check_perms(List *rangeTabls, bool abort)
220174return true;
221175}
222176
223- /*
224- * sepgsql_needs_fmgr_hook
225- *
226- * It informs the core whether the supplied function is trusted procedure,
227- * or not. If true, sepgsql_fmgr_hook shall be invoked at start, end, and
228- * abort time of function invocation.
229- */
230- static bool
231- sepgsql_needs_fmgr_hook (Oid functionId )
232- {
233- ObjectAddress object ;
234-
235- if (next_needs_fmgr_hook &&
236- (* next_needs_fmgr_hook ) (functionId ))
237- return true;
238-
239- /*
240- * SELinux needs the function to be called via security_definer wrapper,
241- * if this invocation will take a domain-transition. We call these
242- * functions as trusted-procedure, if the security policy has a rule that
243- * switches security label of the client on execution.
244- */
245- if (sepgsql_avc_trusted_proc (functionId )!= NULL )
246- return true;
247-
248- /*
249- * Even if not a trusted-procedure, this function should not be inlined
250- * unless the client has db_procedure:{execute} permission. Please note
251- * that it shall be actually failed later because of same reason with
252- * ACL_EXECUTE.
253- */
254- object .classId = ProcedureRelationId ;
255- object .objectId = functionId ;
256- object .objectSubId = 0 ;
257- if (!sepgsql_avc_check_perms (& object ,
258- SEPG_CLASS_DB_PROCEDURE ,
259- SEPG_DB_PROCEDURE__EXECUTE ,
260- SEPGSQL_AVC_NOAUDIT , false))
261- return true;
262-
263- return false;
264- }
265-
266- /*
267- * sepgsql_fmgr_hook
268- *
269- * It switches security label of the client on execution of trusted
270- * procedures.
271- */
272- static void
273- sepgsql_fmgr_hook (FmgrHookEventType event ,
274- FmgrInfo * flinfo ,Datum * private )
275- {
276- struct
277- {
278- char * old_label ;
279- char * new_label ;
280- Datum next_private ;
281- }* stack ;
282-
283- switch (event )
284- {
285- case FHET_START :
286- stack = (void * )DatumGetPointer (* private );
287- if (!stack )
288- {
289- MemoryContext oldcxt ;
290-
291- oldcxt = MemoryContextSwitchTo (flinfo -> fn_mcxt );
292- stack = palloc (sizeof (* stack ));
293- stack -> old_label = NULL ;
294- stack -> new_label = sepgsql_avc_trusted_proc (flinfo -> fn_oid );
295- stack -> next_private = 0 ;
296-
297- MemoryContextSwitchTo (oldcxt );
298-
299- /*
300- * process:transition permission between old and new label,
301- * when user tries to switch security label of the client
302- * on execution of trusted procedure.
303- */
304- if (stack -> new_label )
305- sepgsql_avc_check_perms_label (stack -> new_label ,
306- SEPG_CLASS_PROCESS ,
307- SEPG_PROCESS__TRANSITION ,
308- NULL , true);
309-
310- * private = PointerGetDatum (stack );
311- }
312- Assert (!stack -> old_label );
313- if (stack -> new_label )
314- stack -> old_label = sepgsql_set_client_label (stack -> new_label );
315-
316- if (next_fmgr_hook )
317- (* next_fmgr_hook ) (event ,flinfo ,& stack -> next_private );
318- break ;
319-
320- case FHET_END :
321- case FHET_ABORT :
322- stack = (void * )DatumGetPointer (* private );
323-
324- if (next_fmgr_hook )
325- (* next_fmgr_hook ) (event ,flinfo ,& stack -> next_private );
326-
327- if (stack -> old_label )
328- sepgsql_set_client_label (stack -> old_label );
329- stack -> old_label = NULL ;
330- break ;
331-
332- default :
333- elog (ERROR ,"unexpected event type: %d" , (int )event );
334- break ;
335- }
336- }
337-
338177/*
339178 * sepgsql_executor_start
340179 *
@@ -465,8 +304,6 @@ sepgsql_utility_command(Node *parsetree,
465304void
466305_PG_init (void )
467306{
468- char * context ;
469-
470307/*
471308 * We allow to load the SE-PostgreSQL module on single-user-mode or
472309 * shared_preload_libraries settings only.
@@ -522,33 +359,16 @@ _PG_init(void)
522359NULL ,
523360NULL );
524361
525- /*
526- * Set up dummy client label.
527- *
528- * XXX - note that PostgreSQL launches background worker process like
529- * autovacuum without authentication steps. So, we initialize sepgsql_mode
530- * with SEPGSQL_MODE_INTERNAL, and client_label with the security context
531- * of server process. Later, it also launches background of user session.
532- * In this case, the process is always hooked on post-authentication, and
533- * we can initialize the sepgsql_mode and client_label correctly.
534- */
535- if (getcon_raw (& context )< 0 )
536- ereport (ERROR ,
537- (errcode (ERRCODE_INTERNAL_ERROR ),
538- errmsg ("SELinux: failed to get server security label: %m" )));
539- sepgsql_set_client_label (context );
540-
541362/* Initialize userspace access vector cache */
542363sepgsql_avc_init ();
543364
365+ /* Initialize security label of the client and related stuff */
366+ sepgsql_init_client_label ();
367+
544368/* Security label provider hook */
545369register_label_provider (SEPGSQL_LABEL_TAG ,
546370sepgsql_object_relabel );
547371
548- /* Client authentication hook */
549- next_client_auth_hook = ClientAuthentication_hook ;
550- ClientAuthentication_hook = sepgsql_client_auth ;
551-
552372/* Object access hook */
553373next_object_access_hook = object_access_hook ;
554374object_access_hook = sepgsql_object_access ;
@@ -557,13 +377,6 @@ _PG_init(void)
557377next_exec_check_perms_hook = ExecutorCheckPerms_hook ;
558378ExecutorCheckPerms_hook = sepgsql_exec_check_perms ;
559379
560- /* Trusted procedure hooks */
561- next_needs_fmgr_hook = needs_fmgr_hook ;
562- needs_fmgr_hook = sepgsql_needs_fmgr_hook ;
563-
564- next_fmgr_hook = fmgr_hook ;
565- fmgr_hook = sepgsql_fmgr_hook ;
566-
567380/* ProcessUtility hook */
568381next_ProcessUtility_hook = ProcessUtility_hook ;
569382ProcessUtility_hook = sepgsql_utility_command ;