Add missing check on invocation of trusted procedures.

KaiGai Kohei

contrib/sepgsql/expected/label.out

@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
         END;' LANGUAGE plpgsql;
 SECURITY LABEL ON FUNCTION f3()
     IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f4 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+    IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
 --
 -- Tests for default labeling behavior
 --
@@ -86,6 +91,8 @@ SELECT f2();			-- trusted procedure
 
 SELECT f3();			-- trusted procedure that raises an error
 ERROR:  an exception from f3()
+SELECT f4();			-- failed on domain transition
+ERROR:  SELinux: security policy violation
 SELECT sepgsql_getcon();	-- client's label must be restored
                    sepgsql_getcon                    
 -----------------------------------------------------
@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;

contrib/sepgsql/hooks.c

@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 			if (!stack)
 			{
 				MemoryContext	oldcxt;
+				const char	   *cur_label = sepgsql_get_client_label();
 
 				oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
 				stack = palloc(sizeof(*stack));
@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
 
 				MemoryContextSwitchTo(oldcxt);
 
+				if (strcmp(cur_label, stack->new_label) != 0)
+				{
+					/*
+					 * process:transition permission between old and new
+					 * label, when user tries to switch security label of
+					 * the client on execution of trusted procedure.
+					 */
+					sepgsql_check_perms(cur_label, stack->new_label,
+										SEPG_CLASS_PROCESS,
+										SEPG_PROCESS__TRANSITION,
+										NULL, true);
+				}
+
 				*private = PointerGetDatum(stack);
 			}
 			Assert(!stack->old_label);

contrib/sepgsql/sepgsql-regtest.te

-policy_module(sepgsql-regtest, 1.01)
+policy_module(sepgsql-regtest, 1.02)
+
+gen_require(`
+	all_userspace_class_perms
+')
 
 ## <desc>
 ## <p>
@@ -8,6 +12,12 @@ policy_module(sepgsql-regtest, 1.01)
 ## </desc>
 gen_tunable(sepgsql_regression_test_mode, false)
 
+#
+# Type definitions for regression test
+#
+type sepgsql_regtest_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
+
 #
 # Test domains for database administrators
 #
@@ -57,3 +67,19 @@ optional_policy(`
 	role unconfined_r types sepgsql_regtest_user_t;
 	role unconfined_r types sepgsql_trusted_proc_t;
 ')
+
+#
+# Rule to check 
+#
+optional_policy(`
+	# These rules intends sepgsql_regtest_user_t domain to translate
+	# sepgsql_regtest_dba_t on execution of procedures labeled as
+	# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
+	# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
+	#
+	gen_require(`
+		attribute sepgsql_client_type;
+	')
+	allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
+	type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
+')

contrib/sepgsql/sql/label.sql

@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
 SECURITY LABEL ON FUNCTION f3()
     IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
 
+CREATE FUNCTION f4 () RETURNS text
+    AS 'SELECT sepgsql_getcon()'
+    LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+    IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
+
 --
 -- Tests for default labeling behavior
 --
@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
 SELECT f1();			-- normal procedure
 SELECT f2();			-- trusted procedure
 SELECT f3();			-- trusted procedure that raises an error
+SELECT f4();			-- failed on domain transition
 SELECT sepgsql_getcon();	-- client's label must be restored
 
 --
@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
 DROP FUNCTION IF EXISTS f1() CASCADE;
 DROP FUNCTION IF EXISTS f2() CASCADE;
 DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;