/* -------------------------------------------------------------------------
 *
 * contrib/sepgsql/sepgsql.h
 *
 * Definitions corresponding to SE-PostgreSQL
 *
 * Copyright (c) 2010-2020, PostgreSQL Global Development Group
 *
 * -------------------------------------------------------------------------
 */
#ifndef SEPGSQL_H
#define SEPGSQL_H

#include "catalog/objectaddress.h"
#include "fmgr.h"

#include <selinux/selinux.h>
#include <selinux/avc.h>

/*
 * SE-PostgreSQL Label Tag
 *
 * Name under which sepgsql's security labels are tagged (presumably the
 * provider name registered with the core security-label machinery; confirm
 * against label.c).  Labels written under any other tag are not sepgsql's.
 */
#define SEPGSQL_LABEL_TAG		"selinux"

/*
 * SE-PostgreSQL performing mode
 *
 * Values exchanged through sepgsql_get_mode()/sepgsql_set_mode() below.
 * Only the names are visible here; which checks each mode skips, or
 * downgrades to audit-only, is decided in selinux.c/hooks.c.
 * NOTE(review): whatever is able to call sepgsql_set_mode() with
 * SEPGSQL_MODE_PERMISSIVE or SEPGSQL_MODE_DISABLED presumably turns
 * enforcement off for the rest of the session, so its callers are the
 * ones to audit, not the check functions.
 */
#define SEPGSQL_MODE_DEFAULT		1
#define SEPGSQL_MODE_PERMISSIVE		2
#define SEPGSQL_MODE_INTERNAL		3
#define SEPGSQL_MODE_DISABLED		4

/*
 * Internally used code of object classes
 *
 * Dense 0..SEPG_CLASS_MAX-1 codes; this is the "tclass" argument taken by
 * the check/audit functions declared further down.  They are sepgsql's own
 * numbering, not SELinux kernel class ids - the translation to the policy's
 * class names is presumably done in selinux.c.  SEPG_CLASS_MAX is one past
 * the last valid code (suitable as an array bound), never a class itself.
 */
#define SEPG_CLASS_PROCESS			0
#define SEPG_CLASS_FILE				1
#define SEPG_CLASS_DIR				2
#define SEPG_CLASS_LNK_FILE			3
#define SEPG_CLASS_CHR_FILE			4
#define SEPG_CLASS_BLK_FILE			5
#define SEPG_CLASS_SOCK_FILE		6
#define SEPG_CLASS_FIFO_FILE		7
#define SEPG_CLASS_DB_DATABASE		8
#define SEPG_CLASS_DB_SCHEMA		9
#define SEPG_CLASS_DB_TABLE			10
#define SEPG_CLASS_DB_SEQUENCE		11
#define SEPG_CLASS_DB_PROCEDURE		12
#define SEPG_CLASS_DB_COLUMN		13
#define SEPG_CLASS_DB_TUPLE			14
#define SEPG_CLASS_DB_BLOB			15
#define SEPG_CLASS_DB_LANGUAGE		16
#define SEPG_CLASS_DB_VIEW			17
#define SEPG_CLASS_MAX				18

/*
 * Internally used code of access vectors
 *
 * Each permission is a single bit in the uint32 "required" mask passed to
 * the check functions.  The bit positions are reused across classes: for
 * example (1<<6) is SEPG_FILE__APPEND for a file but SEPG_DIR__SEARCH for a
 * directory.  A mask therefore has no meaning on its own - it must always
 * travel with the tclass it was built for, and masks for different classes
 * must never be OR-ed together or compared with each other.
 */
#define SEPG_PROCESS__TRANSITION			(1<<0)
#define SEPG_PROCESS__DYNTRANSITION			(1<<1)
#define SEPG_PROCESS__SETCURRENT			(1<<2)

#define SEPG_FILE__READ						(1<<0)
#define SEPG_FILE__WRITE					(1<<1)
#define SEPG_FILE__CREATE					(1<<2)
#define SEPG_FILE__GETATTR					(1<<3)
#define SEPG_FILE__UNLINK					(1<<4)
#define SEPG_FILE__RENAME					(1<<5)
#define SEPG_FILE__APPEND					(1<<6)

/*
 * dir shares bits 0..5 with file but NOT bit 6: SEPG_DIR__SEARCH occupies
 * the position that is SEPG_FILE__APPEND in the file class.
 */
#define SEPG_DIR__READ						(SEPG_FILE__READ)
#define SEPG_DIR__WRITE						(SEPG_FILE__WRITE)
#define SEPG_DIR__CREATE					(SEPG_FILE__CREATE)
#define SEPG_DIR__GETATTR					(SEPG_FILE__GETATTR)
#define SEPG_DIR__UNLINK					(SEPG_FILE__UNLINK)
#define SEPG_DIR__RENAME					(SEPG_FILE__RENAME)
#define SEPG_DIR__SEARCH					(1<<6)
#define SEPG_DIR__ADD_NAME					(1<<7)
#define SEPG_DIR__REMOVE_NAME				(1<<8)
#define SEPG_DIR__RMDIR						(1<<9)
#define SEPG_DIR__REPARENT					(1<<10)

/*
 * The remaining file-like classes expose only the six permissions they
 * inherit from file (no append bit is defined for them here).
 */
#define SEPG_LNK_FILE__READ					(SEPG_FILE__READ)
#define SEPG_LNK_FILE__WRITE				(SEPG_FILE__WRITE)
#define SEPG_LNK_FILE__CREATE				(SEPG_FILE__CREATE)
#define SEPG_LNK_FILE__GETATTR				(SEPG_FILE__GETATTR)
#define SEPG_LNK_FILE__UNLINK				(SEPG_FILE__UNLINK)
#define SEPG_LNK_FILE__RENAME				(SEPG_FILE__RENAME)

#define SEPG_CHR_FILE__READ					(SEPG_FILE__READ)
#define SEPG_CHR_FILE__WRITE				(SEPG_FILE__WRITE)
#define SEPG_CHR_FILE__CREATE				(SEPG_FILE__CREATE)
#define SEPG_CHR_FILE__GETATTR				(SEPG_FILE__GETATTR)
#define SEPG_CHR_FILE__UNLINK				(SEPG_FILE__UNLINK)
#define SEPG_CHR_FILE__RENAME				(SEPG_FILE__RENAME)

#define SEPG_BLK_FILE__READ					(SEPG_FILE__READ)
#define SEPG_BLK_FILE__WRITE				(SEPG_FILE__WRITE)
#define SEPG_BLK_FILE__CREATE				(SEPG_FILE__CREATE)
#define SEPG_BLK_FILE__GETATTR				(SEPG_FILE__GETATTR)
#define SEPG_BLK_FILE__UNLINK				(SEPG_FILE__UNLINK)
#define SEPG_BLK_FILE__RENAME				(SEPG_FILE__RENAME)

#define SEPG_SOCK_FILE__READ				(SEPG_FILE__READ)
#define SEPG_SOCK_FILE__WRITE				(SEPG_FILE__WRITE)
#define SEPG_SOCK_FILE__CREATE				(SEPG_FILE__CREATE)
#define SEPG_SOCK_FILE__GETATTR				(SEPG_FILE__GETATTR)
#define SEPG_SOCK_FILE__UNLINK				(SEPG_FILE__UNLINK)
#define SEPG_SOCK_FILE__RENAME				(SEPG_FILE__RENAME)

#define SEPG_FIFO_FILE__READ				(SEPG_FILE__READ)
#define SEPG_FIFO_FILE__WRITE				(SEPG_FILE__WRITE)
#define SEPG_FIFO_FILE__CREATE				(SEPG_FILE__CREATE)
#define SEPG_FIFO_FILE__GETATTR				(SEPG_FILE__GETATTR)
#define SEPG_FIFO_FILE__UNLINK				(SEPG_FILE__UNLINK)
#define SEPG_FIFO_FILE__RENAME				(SEPG_FILE__RENAME)

/*
 * Database object classes.
 *
 * Bits 0..5 (create/drop/getattr/setattr/relabelfrom/relabelto) are common
 * to every db_* class and are spelled via the db_database names; each class
 * then adds its own permissions from bit 6 upwards.  As with the file
 * classes above, bit 6 and up mean different things in different classes
 * (SEPG_DB_TABLE__SELECT, SEPG_DB_SEQUENCE__GET_VALUE, SEPG_DB_BLOB__READ
 * and SEPG_DB_VIEW__EXPAND are all (1<<6)), so a mask is only meaningful
 * together with its tclass.
 */
#define SEPG_DB_DATABASE__CREATE			(1<<0)
#define SEPG_DB_DATABASE__DROP				(1<<1)
#define SEPG_DB_DATABASE__GETATTR			(1<<2)
#define SEPG_DB_DATABASE__SETATTR			(1<<3)
#define SEPG_DB_DATABASE__RELABELFROM		(1<<4)
#define SEPG_DB_DATABASE__RELABELTO			(1<<5)
#define SEPG_DB_DATABASE__ACCESS			(1<<6)
#define SEPG_DB_DATABASE__LOAD_MODULE		(1<<7)

#define SEPG_DB_SCHEMA__CREATE				(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_SCHEMA__DROP				(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_SCHEMA__GETATTR				(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_SCHEMA__SETATTR				(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_SCHEMA__RELABELFROM			(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_SCHEMA__RELABELTO			(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_SCHEMA__SEARCH				(1<<6)
#define SEPG_DB_SCHEMA__ADD_NAME			(1<<7)
#define SEPG_DB_SCHEMA__REMOVE_NAME			(1<<8)

#define SEPG_DB_TABLE__CREATE				(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_TABLE__DROP					(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_TABLE__GETATTR				(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_TABLE__SETATTR				(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_TABLE__RELABELFROM			(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_TABLE__RELABELTO			(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_TABLE__SELECT				(1<<6)
#define SEPG_DB_TABLE__UPDATE				(1<<7)
#define SEPG_DB_TABLE__INSERT				(1<<8)
#define SEPG_DB_TABLE__DELETE				(1<<9)
#define SEPG_DB_TABLE__LOCK					(1<<10)
#define SEPG_DB_TABLE__TRUNCATE				(1<<11)

#define SEPG_DB_SEQUENCE__CREATE			(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_SEQUENCE__DROP				(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_SEQUENCE__GETATTR			(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_SEQUENCE__SETATTR			(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_SEQUENCE__RELABELFROM		(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_SEQUENCE__RELABELTO			(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_SEQUENCE__GET_VALUE			(1<<6)
#define SEPG_DB_SEQUENCE__NEXT_VALUE		(1<<7)
#define SEPG_DB_SEQUENCE__SET_VALUE			(1<<8)

#define SEPG_DB_PROCEDURE__CREATE			(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_PROCEDURE__DROP				(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_PROCEDURE__GETATTR			(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_PROCEDURE__SETATTR			(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_PROCEDURE__RELABELFROM		(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_PROCEDURE__RELABELTO		(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_PROCEDURE__EXECUTE			(1<<6)
#define SEPG_DB_PROCEDURE__ENTRYPOINT		(1<<7)
#define SEPG_DB_PROCEDURE__INSTALL			(1<<8)

#define SEPG_DB_COLUMN__CREATE				(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_COLUMN__DROP				(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_COLUMN__GETATTR				(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_COLUMN__SETATTR				(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_COLUMN__RELABELFROM			(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_COLUMN__RELABELTO			(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_COLUMN__SELECT				(1<<6)
#define SEPG_DB_COLUMN__UPDATE				(1<<7)
#define SEPG_DB_COLUMN__INSERT				(1<<8)

/*
 * db_tuple deliberately has no create/drop/getattr/setattr names of its
 * own: its DML permissions sit on those bits instead (select=getattr,
 * update=setattr, insert=create, delete=drop).  Do not reuse the db_table
 * DML bits (6..9) for tuples - they are different positions.
 */
#define SEPG_DB_TUPLE__RELABELFROM			(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_TUPLE__RELABELTO			(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_TUPLE__SELECT				(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_TUPLE__UPDATE				(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_TUPLE__INSERT				(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_TUPLE__DELETE				(SEPG_DB_DATABASE__DROP)

#define SEPG_DB_BLOB__CREATE				(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_BLOB__DROP					(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_BLOB__GETATTR				(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_BLOB__SETATTR				(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_BLOB__RELABELFROM			(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_BLOB__RELABELTO				(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_BLOB__READ					(1<<6)
#define SEPG_DB_BLOB__WRITE					(1<<7)
#define SEPG_DB_BLOB__IMPORT				(1<<8)
#define SEPG_DB_BLOB__EXPORT				(1<<9)

#define SEPG_DB_LANGUAGE__CREATE			(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_LANGUAGE__DROP				(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_LANGUAGE__GETATTR			(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_LANGUAGE__SETATTR			(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_LANGUAGE__RELABELFROM		(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_LANGUAGE__RELABELTO			(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_LANGUAGE__IMPLEMENT			(1<<6)
#define SEPG_DB_LANGUAGE__EXECUTE			(1<<7)

#define SEPG_DB_VIEW__CREATE				(SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_VIEW__DROP					(SEPG_DB_DATABASE__DROP)
#define SEPG_DB_VIEW__GETATTR				(SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_VIEW__SETATTR				(SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_VIEW__RELABELFROM			(SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_VIEW__RELABELTO				(SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_VIEW__EXPAND				(1<<6)

/*
 * hooks.c
 *
 * Readers for the module's GUC-style switches.  sepgsql_get_permissive()
 * true presumably means denials are logged but not enforced (confirm in
 * hooks.c); sepgsql_get_debug_audit() controls extra audit output.
 */
extern bool sepgsql_get_permissive(void);
extern bool sepgsql_get_debug_audit(void);

/*
 * selinux.c
 *
 * Thin layer over libselinux: mode handling, audit logging and the raw
 * access-vector queries that take explicit source/target contexts.
 */

/* True when sepgsql is active for this backend at all. */
extern bool sepgsql_is_enabled(void);

/*
 * Current SEPGSQL_MODE_* value, and a setter that installs new_mode and
 * returns an int (presumably the previous mode, so callers can restore it;
 * confirm in selinux.c).  See the NOTE on the mode constants above about
 * who may call the setter.
 */
extern int	sepgsql_get_mode(void);
extern int	sepgsql_set_mode(int new_mode);

/* Whether the host SELinux policy itself is in enforcing mode. */
extern bool sepgsql_getenforce(void);

/*
 * Emit one audit record.  denied says whether the access was refused,
 * scontext/tcontext are the subject and object security contexts, tclass
 * is a SEPG_CLASS_* code, audited is the permission mask to report and
 * audit_name is the human-readable object name for the log line.
 */
extern void sepgsql_audit_log(bool denied,
							  const char *scontext,
							  const char *tcontext,
							  uint16 tclass,
							  uint32 audited,
							  const char *audit_name);

/*
 * Fill *avd with the policy's access decision for scontext acting on
 * tcontext as class tclass (the struct is libselinux's av_decision).
 */
extern void sepgsql_compute_avd(const char *scontext,
								const char *tcontext,
								uint16 tclass,
								struct av_decision *avd);

/*
 * Compute the default label for a new object of class tclass created by
 * scontext under tcontext; objname is the new object's name.  Returns a
 * freshly allocated string - ownership/allocator (palloc vs. libselinux)
 * is not visible here, check selinux.c before freeing it.
 */
extern char *sepgsql_compute_create(const char *scontext,
									const char *tcontext,
									uint16 tclass,
									const char *objname);

/*
 * Check that scontext holds every bit of required on tcontext/tclass.
 * Returns true if allowed.  With abort_on_violation the denial is raised as
 * an error instead of being returned; with it false the CALLER is the
 * enforcement point and must act on a false result - ignoring the return
 * value silently bypasses the check.
 */
extern bool sepgsql_check_perms(const char *scontext,
								const char *tcontext,
								uint16 tclass,
								uint32 required,
								const char *audit_name,
								bool abort_on_violation);

/*
 * uavc.c
 *
 * Userspace access-vector cache in front of selinux.c, keyed on the
 * current client label (see label.c) as the subject.
 */

/*
 * Sentinel for the audit_name argument of the checks below: a non-NULL
 * but invalid pointer meaning "do not write an audit record".  It must
 * only ever be compared for pointer equality, never dereferenced or
 * passed on as a string.
 */
#define SEPGSQL_AVC_NOAUDIT			((void *)(-1))

/* As sepgsql_check_perms(), with the client label as subject and an explicit target label. */
extern bool sepgsql_avc_check_perms_label(const char *tcontext,
										  uint16 tclass,
										  uint32 required,
										  const char *audit_name,
										  bool abort_on_violation);

/* Same, but the target is a catalog object whose label is looked up from tobject. */
extern bool sepgsql_avc_check_perms(const ObjectAddress *tobject,
									uint16 tclass,
									uint32 required,
									const char *audit_name,
									bool abort_on_violation);

/*
 * Label to switch to when functionId is a trusted procedure (NULL
 * presumably meaning "no transition"; confirm in uavc.c).
 */
extern char *sepgsql_avc_trusted_proc(Oid functionId);
extern void sepgsql_avc_init(void);

/*
 * label.c
 *
 * The client (subject) label and per-object label lookup.
 */
extern char *sepgsql_get_client_label(void);
extern void sepgsql_init_client_label(void);

/* Label of the object identified by (classId, objectId, subId). */
extern char *sepgsql_get_label(Oid classId, Oid objectId, int32 subId);

/* Apply seclabel to object, after the relabelfrom/relabelto checks for its class. */
extern void sepgsql_object_relabel(const ObjectAddress *object,
								   const char *seclabel);

/*
 * dml.c
 *
 * Check DML permissions for every range-table entry of a query.  Returns
 * true if all are allowed; see the abort_on_violation note on
 * sepgsql_check_perms() - a false return must not be ignored.
 */
extern bool sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation);

/*
 * database.c
 *
 * Object-lifecycle hooks for databases: label assignment after CREATE
 * (dtemplate is the template database's name), and the drop/relabel/
 * setattr permission checks.
 */
extern void sepgsql_database_post_create(Oid databaseId,
										 const char *dtemplate);
extern void sepgsql_database_drop(Oid databaseId);
extern void sepgsql_database_relabel(Oid databaseId, const char *seclabel);
extern void sepgsql_database_setattr(Oid databaseId);

/*
 * schema.c
 *
 * Same pattern for schemas, plus the db_schema search/add_name/remove_name
 * permissions.  sepgsql_schema_search() is the only one that can report
 * rather than raise; its return must be honoured when abort_on_violation
 * is false.
 */
extern void sepgsql_schema_post_create(Oid namespaceId);
extern void sepgsql_schema_drop(Oid namespaceId);
extern void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel);
extern void sepgsql_schema_setattr(Oid namespaceId);
extern bool sepgsql_schema_search(Oid namespaceId, bool abort_on_violation);
extern void sepgsql_schema_add_name(Oid namespaceId);
extern void sepgsql_schema_remove_name(Oid namespaceId);
extern void sepgsql_schema_rename(Oid namespaceId);

/*
 * relation.c
 *
 * Lifecycle hooks for relations (tables, sequences, views) and their
 * columns; attnum identifies the column within relOid.
 */
extern void sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum);
extern void sepgsql_attribute_drop(Oid relOid, AttrNumber attnum);
extern void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
									  const char *seclabel);
extern void sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum);
extern void sepgsql_relation_post_create(Oid relOid);
extern void sepgsql_relation_drop(Oid relOid);
extern void sepgsql_relation_truncate(Oid relOid);
extern void sepgsql_relation_relabel(Oid relOid, const char *seclabel);
extern void sepgsql_relation_setattr(Oid relOid);

/*
 * proc.c
 *
 * Lifecycle hooks for functions/procedures, plus the execute check.
 */
extern void sepgsql_proc_post_create(Oid functionId);
extern void sepgsql_proc_drop(Oid functionId);
extern void sepgsql_proc_relabel(Oid functionId, const char *seclabel);
extern void sepgsql_proc_setattr(Oid functionId);
extern void sepgsql_proc_execute(Oid functionId);

#endif							/* SEPGSQL_H */