sepgsql.h

00001 /* -------------------------------------------------------------------------
00002  *
00003  * contrib/sepgsql/sepgsql.h
00004  *
00005  * Definitions corresponding to SE-PostgreSQL
00006  *
00007  * Copyright (c) 2010-2013, PostgreSQL Global Development Group
00008  *
00009  * -------------------------------------------------------------------------
00010  */
00011 #ifndef SEPGSQL_H
00012 #define SEPGSQL_H
00013 
00014 #include "catalog/objectaddress.h"
00015 #include "fmgr.h"
00016 
00017 #include <selinux/selinux.h>
00018 #include <selinux/avc.h>
00019 
/*
 * SE-PostgreSQL Label Tag
 *
 * The literal tag under which SE-PostgreSQL stores and looks up its
 * security labels.  Every label the module reads or writes is keyed by this
 * string; presumably it is also the provider name used in
 * SECURITY LABEL ... FOR selinux, but that registration lives in label.c,
 * not here — confirm there before reusing the constant elsewhere.
 */
#define SEPGSQL_LABEL_TAG           "selinux"

/*
 * SE-PostgreSQL performing mode
 *
 * Working mode of the module, read and written through sepgsql_get_mode()
 * and sepgsql_set_mode() declared further down.  This header only fixes
 * the numeric codes; what each mode does to an access decision is decided
 * in selinux.c.  NOTE(review): the names suggest that only
 * SEPGSQL_MODE_DEFAULT actually denies, that PERMISSIVE audits without
 * denying, that INTERNAL is entered for the module's own operations and
 * that DISABLED bypasses checks entirely — confirm against
 * sepgsql_set_mode() and the check functions before relying on that
 * reading in a policy or an audit procedure.
 */
#define SEPGSQL_MODE_DEFAULT        1
#define SEPGSQL_MODE_PERMISSIVE     2
#define SEPGSQL_MODE_INTERNAL       3
#define SEPGSQL_MODE_DISABLED       4
00032 
/*
 * Internally used code of object classes
 *
 * Dense, 0-based codes for the object classes SE-PostgreSQL knows about.
 * These are the values carried in the uint16 "tclass" argument of the
 * permission-check and label-computation functions declared below, and
 * SEPG_CLASS_MAX is one past the last valid code, i.e. the size to use
 * for any per-class lookup table.  A tclass that originates anywhere other
 * than these macros must be range-checked (tclass < SEPG_CLASS_MAX) before
 * it indexes such a table.
 *
 * NOTE(review): these are module-internal codes, not the class IDs of the
 * loaded SELinux policy; the translation to policy class names presumably
 * happens in selinux.c and is not visible in this header.  When adding a
 * class, keep the numbering contiguous and bump SEPG_CLASS_MAX to match.
 */
/* SELinux file-system object classes */
#define SEPG_CLASS_PROCESS          0
#define SEPG_CLASS_FILE             1
#define SEPG_CLASS_DIR              2
#define SEPG_CLASS_LNK_FILE         3
#define SEPG_CLASS_CHR_FILE         4
#define SEPG_CLASS_BLK_FILE         5
#define SEPG_CLASS_SOCK_FILE        6
#define SEPG_CLASS_FIFO_FILE        7
/* database object classes */
#define SEPG_CLASS_DB_DATABASE      8
#define SEPG_CLASS_DB_SCHEMA        9
#define SEPG_CLASS_DB_TABLE         10
#define SEPG_CLASS_DB_SEQUENCE      11
#define SEPG_CLASS_DB_PROCEDURE     12
#define SEPG_CLASS_DB_COLUMN        13
#define SEPG_CLASS_DB_TUPLE         14
#define SEPG_CLASS_DB_BLOB          15
#define SEPG_CLASS_DB_LANGUAGE      16
#define SEPG_CLASS_DB_VIEW          17
#define SEPG_CLASS_MAX              18	/* number of classes, not a class */
00055 
/*
 * Internally used code of access vectors
 *
 * Each SEPG_<CLASS>__<PERM> macro is one bit of the uint32 "required" /
 * "audited" masks passed to sepgsql_check_perms() and the uavc.c entry
 * points declared below.  The bits are defined per object class: the same
 * numeric bit names a different permission in a different class (1<<6 is
 * SEPG_DIR__SEARCH, SEPG_DB_SCHEMA__SEARCH, SEPG_DB_TABLE__SELECT and
 * SEPG_DB_PROCEDURE__EXECUTE, for instance), so a permission mask is only
 * meaningful together with the SEPG_CLASS_* code it was built for.  Never
 * OR together bits from two classes, and never pass a mask with the wrong
 * tclass: the check would silently test an unrelated permission and the
 * audit record would name the wrong one.
 *
 * Layout: the file-like classes alias their common permissions onto the
 * SEPG_FILE__* bits, and the db_* classes alias create/drop/getattr/
 * setattr/relabelfrom/relabelto onto the SEPG_DB_DATABASE__* bits, with
 * class-specific permissions starting at 1<<6.  db_tuple is the exception:
 * it has no create/drop/getattr/setattr of its own and instead reuses
 * those four bit positions for insert/delete/select/update.  The highest
 * bit used anywhere is 1<<10, so every mask fits in uint32 with room to
 * spare.
 *
 * NOTE(review): the bit order presumably has to agree with the order in
 * which the permissions are listed for each class in the loaded SELinux
 * policy, or with a name-based mapping in selinux.c; neither is visible
 * here — confirm before adding, removing or reordering a permission.
 */
#define SEPG_PROCESS__TRANSITION            (1<<0)
#define SEPG_PROCESS__DYNTRANSITION         (1<<1)
#define SEPG_PROCESS__SETCURRENT            (1<<2)

/* common bits shared by every file-like class */
#define SEPG_FILE__READ                     (1<<0)
#define SEPG_FILE__WRITE                    (1<<1)
#define SEPG_FILE__CREATE                   (1<<2)
#define SEPG_FILE__GETATTR                  (1<<3)
#define SEPG_FILE__UNLINK                   (1<<4)
#define SEPG_FILE__RENAME                   (1<<5)
#define SEPG_FILE__APPEND                   (1<<6)

#define SEPG_DIR__READ                      (SEPG_FILE__READ)
#define SEPG_DIR__WRITE                     (SEPG_FILE__WRITE)
#define SEPG_DIR__CREATE                    (SEPG_FILE__CREATE)
#define SEPG_DIR__GETATTR                   (SEPG_FILE__GETATTR)
#define SEPG_DIR__UNLINK                    (SEPG_FILE__UNLINK)
#define SEPG_DIR__RENAME                    (SEPG_FILE__RENAME)
#define SEPG_DIR__SEARCH                    (1<<6)	/* same bit as FILE__APPEND */
#define SEPG_DIR__ADD_NAME                  (1<<7)
#define SEPG_DIR__REMOVE_NAME               (1<<8)
#define SEPG_DIR__RMDIR                     (1<<9)
#define SEPG_DIR__REPARENT                  (1<<10)

#define SEPG_LNK_FILE__READ                 (SEPG_FILE__READ)
#define SEPG_LNK_FILE__WRITE                (SEPG_FILE__WRITE)
#define SEPG_LNK_FILE__CREATE               (SEPG_FILE__CREATE)
#define SEPG_LNK_FILE__GETATTR              (SEPG_FILE__GETATTR)
#define SEPG_LNK_FILE__UNLINK               (SEPG_FILE__UNLINK)
#define SEPG_LNK_FILE__RENAME               (SEPG_FILE__RENAME)

#define SEPG_CHR_FILE__READ                 (SEPG_FILE__READ)
#define SEPG_CHR_FILE__WRITE                (SEPG_FILE__WRITE)
#define SEPG_CHR_FILE__CREATE               (SEPG_FILE__CREATE)
#define SEPG_CHR_FILE__GETATTR              (SEPG_FILE__GETATTR)
#define SEPG_CHR_FILE__UNLINK               (SEPG_FILE__UNLINK)
#define SEPG_CHR_FILE__RENAME               (SEPG_FILE__RENAME)

#define SEPG_BLK_FILE__READ                 (SEPG_FILE__READ)
#define SEPG_BLK_FILE__WRITE                (SEPG_FILE__WRITE)
#define SEPG_BLK_FILE__CREATE               (SEPG_FILE__CREATE)
#define SEPG_BLK_FILE__GETATTR              (SEPG_FILE__GETATTR)
#define SEPG_BLK_FILE__UNLINK               (SEPG_FILE__UNLINK)
#define SEPG_BLK_FILE__RENAME               (SEPG_FILE__RENAME)

#define SEPG_SOCK_FILE__READ                (SEPG_FILE__READ)
#define SEPG_SOCK_FILE__WRITE               (SEPG_FILE__WRITE)
#define SEPG_SOCK_FILE__CREATE              (SEPG_FILE__CREATE)
#define SEPG_SOCK_FILE__GETATTR             (SEPG_FILE__GETATTR)
#define SEPG_SOCK_FILE__UNLINK              (SEPG_FILE__UNLINK)
#define SEPG_SOCK_FILE__RENAME              (SEPG_FILE__RENAME)

#define SEPG_FIFO_FILE__READ                (SEPG_FILE__READ)
#define SEPG_FIFO_FILE__WRITE               (SEPG_FILE__WRITE)
#define SEPG_FIFO_FILE__CREATE              (SEPG_FILE__CREATE)
#define SEPG_FIFO_FILE__GETATTR             (SEPG_FILE__GETATTR)
#define SEPG_FIFO_FILE__UNLINK              (SEPG_FILE__UNLINK)
#define SEPG_FIFO_FILE__RENAME              (SEPG_FILE__RENAME)

/* common bits shared by every db_* class except db_tuple */
#define SEPG_DB_DATABASE__CREATE            (1<<0)
#define SEPG_DB_DATABASE__DROP              (1<<1)
#define SEPG_DB_DATABASE__GETATTR           (1<<2)
#define SEPG_DB_DATABASE__SETATTR           (1<<3)
#define SEPG_DB_DATABASE__RELABELFROM       (1<<4)
#define SEPG_DB_DATABASE__RELABELTO         (1<<5)
#define SEPG_DB_DATABASE__ACCESS            (1<<6)
#define SEPG_DB_DATABASE__LOAD_MODULE       (1<<7)

#define SEPG_DB_SCHEMA__CREATE              (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_SCHEMA__DROP                (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_SCHEMA__GETATTR             (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_SCHEMA__SETATTR             (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_SCHEMA__RELABELFROM         (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_SCHEMA__RELABELTO           (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_SCHEMA__SEARCH              (1<<6)
#define SEPG_DB_SCHEMA__ADD_NAME            (1<<7)
#define SEPG_DB_SCHEMA__REMOVE_NAME         (1<<8)

#define SEPG_DB_TABLE__CREATE               (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_TABLE__DROP                 (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_TABLE__GETATTR              (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_TABLE__SETATTR              (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_TABLE__RELABELFROM          (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_TABLE__RELABELTO            (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_TABLE__SELECT               (1<<6)
#define SEPG_DB_TABLE__UPDATE               (1<<7)
#define SEPG_DB_TABLE__INSERT               (1<<8)
#define SEPG_DB_TABLE__DELETE               (1<<9)
#define SEPG_DB_TABLE__LOCK                 (1<<10)

#define SEPG_DB_SEQUENCE__CREATE            (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_SEQUENCE__DROP              (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_SEQUENCE__GETATTR           (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_SEQUENCE__SETATTR           (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_SEQUENCE__RELABELFROM       (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_SEQUENCE__RELABELTO         (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_SEQUENCE__GET_VALUE         (1<<6)
#define SEPG_DB_SEQUENCE__NEXT_VALUE        (1<<7)
#define SEPG_DB_SEQUENCE__SET_VALUE         (1<<8)

#define SEPG_DB_PROCEDURE__CREATE           (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_PROCEDURE__DROP             (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_PROCEDURE__GETATTR          (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_PROCEDURE__SETATTR          (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_PROCEDURE__RELABELFROM      (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_PROCEDURE__RELABELTO        (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_PROCEDURE__EXECUTE          (1<<6)
#define SEPG_DB_PROCEDURE__ENTRYPOINT       (1<<7)
#define SEPG_DB_PROCEDURE__INSTALL          (1<<8)

#define SEPG_DB_COLUMN__CREATE              (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_COLUMN__DROP                (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_COLUMN__GETATTR             (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_COLUMN__SETATTR             (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_COLUMN__RELABELFROM         (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_COLUMN__RELABELTO           (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_COLUMN__SELECT              (1<<6)
#define SEPG_DB_COLUMN__UPDATE              (1<<7)
#define SEPG_DB_COLUMN__INSERT              (1<<8)

/*
 * db_tuple deliberately reuses the generic db_database bit positions:
 * select/update/insert/delete sit on getattr/setattr/create/drop.
 */
#define SEPG_DB_TUPLE__RELABELFROM          (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_TUPLE__RELABELTO            (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_TUPLE__SELECT               (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_TUPLE__UPDATE               (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_TUPLE__INSERT               (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_TUPLE__DELETE               (SEPG_DB_DATABASE__DROP)

#define SEPG_DB_BLOB__CREATE                (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_BLOB__DROP                  (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_BLOB__GETATTR               (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_BLOB__SETATTR               (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_BLOB__RELABELFROM           (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_BLOB__RELABELTO             (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_BLOB__READ                  (1<<6)
#define SEPG_DB_BLOB__WRITE                 (1<<7)
#define SEPG_DB_BLOB__IMPORT                (1<<8)
#define SEPG_DB_BLOB__EXPORT                (1<<9)

#define SEPG_DB_LANGUAGE__CREATE            (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_LANGUAGE__DROP              (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_LANGUAGE__GETATTR           (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_LANGUAGE__SETATTR           (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_LANGUAGE__RELABELFROM       (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_LANGUAGE__RELABELTO         (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_LANGUAGE__IMPLEMENT         (1<<6)
#define SEPG_DB_LANGUAGE__EXECUTE           (1<<7)

#define SEPG_DB_VIEW__CREATE                (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_VIEW__DROP                  (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_VIEW__GETATTR               (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_VIEW__SETATTR               (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_VIEW__RELABELFROM           (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_VIEW__RELABELTO             (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_VIEW__EXPAND                (1<<6)
00213 
/*
 * hooks.c
 *
 * Readers for the module's run-time switches.  Only getters are exported
 * from hooks.c, so no other file can flip a switch; how they are set
 * (presumably GUC variables) is internal to hooks.c and not visible here.
 *
 * NOTE(review): from the names alone, sepgsql_get_permissive() would
 * report whether violations are audited instead of denied and
 * sepgsql_get_debug_audit() whether allowed accesses are logged as well as
 * denials — confirm in hooks.c/selinux.c before treating either as a
 * security boundary.
 */
extern bool sepgsql_get_permissive(void);
extern bool sepgsql_get_debug_audit(void);
00219 
/*
 * selinux.c
 *
 * Thin layer over libselinux (<selinux/selinux.h> and <selinux/avc.h>,
 * included above).  Every function here takes raw security contexts as
 * strings plus a SEPG_CLASS_* code and a SEPG_*__* permission mask; the
 * mask must have been built for that same class (see the access-vector
 * comment above).  Callers inside the module presumably go through the
 * cached uavc.c entry points rather than calling these for every access —
 * that is inferred from the split, not visible in this header.
 */
extern bool sepgsql_is_enabled(void);	/* is the module active at all? */
extern int  sepgsql_get_mode(void);		/* current SEPGSQL_MODE_* code */
extern int  sepgsql_set_mode(int new_mode);	/* returns an int — presumably the
										 * previous mode; confirm */
extern bool sepgsql_getenforce(void);	/* presumably wraps
										 * security_getenforce() — confirm */

/*
 * Write one access-decision record to the audit log.
 *
 *   denied      - true for a denial, false for a permitted access
 *   scontext    - security context of the subject (client)
 *   tcontext    - security context of the target object
 *   tclass      - SEPG_CLASS_* code the permissions belong to
 *   audited     - mask of the permissions to report, in tclass's bit layout
 *   audit_name  - human-readable name of the object for the log line
 *
 * Format and destination of the record are decided in selinux.c.
 */
extern void sepgsql_audit_log(bool denied,
                  const char *scontext,
                  const char *tcontext,
                  uint16 tclass,
                  uint32 audited,
                  const char *audit_name);

/*
 * Ask the policy for the full access-vector decision of scontext on
 * tcontext for class tclass and store it in *avd (libselinux's
 * struct av_decision).  Presumably no caching at this level.
 */
extern void sepgsql_compute_avd(const char *scontext,
                    const char *tcontext,
                    uint16 tclass,
                    struct av_decision * avd);

/*
 * Compute the default label for a new object of class tclass named
 * objname, created by scontext on a parent labelled tcontext, and return
 * it as a string.  Ownership of the returned buffer (palloc'd vs. must be
 * freeconned) is not visible in this header — confirm in selinux.c before
 * freeing it.
 */
extern char *sepgsql_compute_create(const char *scontext,
                       const char *tcontext,
                       uint16 tclass,
                       const char *objname);

/*
 * Check that scontext holds every permission in "required" on tcontext
 * for class tclass, logging the decision under audit_name.
 *
 * Returns true when the access is allowed.  With abort_on_violation set
 * a denial does not return but raises an error; with it clear the caller
 * gets false back and MUST act on the return value — ignoring it turns a
 * denial into an allow.  Whether SEPGSQL_MODE_PERMISSIVE or the
 * permissive GUC changes this outcome is decided in selinux.c.
 */
extern bool sepgsql_check_perms(const char *scontext,
                    const char *tcontext,
                    uint16 tclass,
                    uint32 required,
                    const char *audit_name,
                    bool abort_on_violation);
00251 
/*
 * uavc.c
 *
 * Userspace access-vector cache in front of selinux.c.  These entry points
 * take no scontext: they check on behalf of the current client label (see
 * label.c), which is what lets the libselinux round trip be cached per
 * backend.  The permission-mask / tclass pairing rule and the
 * abort_on_violation contract are the same as for sepgsql_check_perms().
 */

/*
 * Sentinel pointer, distinct from NULL and from any real string, that the
 * avc functions presumably accept in place of audit_name to suppress the
 * audit record for that check — confirm in uavc.c.  It must only ever be
 * compared by identity; dereferencing it is undefined behaviour.
 */
#define SEPGSQL_AVC_NOAUDIT         ((void *)(-1))
/* check "required" on an object whose label string is already known */
extern bool sepgsql_avc_check_perms_label(const char *tcontext,
                              uint16 tclass,
                              uint32 required,
                              const char *audit_name,
                              bool abort_on_violation);
/* same, but the object's label is looked up from its ObjectAddress */
extern bool sepgsql_avc_check_perms(const ObjectAddress *tobject,
                        uint16 tclass,
                        uint32 required,
                        const char *audit_name,
                        bool abort_on_violation);
/*
 * Returns a label string for functionId, presumably the context the
 * client transitions to when the function is a trusted procedure, or NULL
 * when it is not — confirm in uavc.c; callers must handle NULL either way.
 */
extern char *sepgsql_avc_trusted_proc(Oid functionId);
/* one-time cache initialisation for this backend */
extern void sepgsql_avc_init(void);
00268 
/*
 * label.c
 *
 * Management of the client (subject) label and of the security labels
 * attached to database objects under SEPGSQL_LABEL_TAG.
 */
/* current label of the connected client, as used for every check */
extern char *sepgsql_get_client_label(void);
/* establish the client label at session start */
extern void sepgsql_init_client_label(void);
/*
 * Label of the object addressed by (catalog relation OID, object OID,
 * sub-id); the triple mirrors ObjectAddress, so subId is presumably the
 * column number for db_column and 0 otherwise — confirm in label.c.
 */
extern char *sepgsql_get_label(Oid relOid, Oid objOid, int32 subId);

/*
 * Apply seclabel to object.  This is the relabel path, so the
 * relabelfrom/relabelto permission checks for the object's class are
 * expected to happen here or in the per-class *_relabel() hooks declared
 * below — not in this header.
 */
extern void sepgsql_object_relabel(const ObjectAddress *object,
                       const char *seclabel);

/*
 * SQL-callable functions (PG_FUNCTION_ARGS).  sepgsql_setcon() changes the
 * client label and sepgsql_restorecon() rewrites object labels: both are
 * security-sensitive, and the permission checks that gate them live in
 * label.c, not here.  sepgsql_mcstrans_in()/_out() translate between raw
 * and human-readable MCS/MLS label forms.
 */
extern Datum sepgsql_getcon(PG_FUNCTION_ARGS);
extern Datum sepgsql_setcon(PG_FUNCTION_ARGS);
extern Datum sepgsql_mcstrans_in(PG_FUNCTION_ARGS);
extern Datum sepgsql_mcstrans_out(PG_FUNCTION_ARGS);
extern Datum sepgsql_restorecon(PG_FUNCTION_ARGS);
00284 
/*
 * dml.c
 *
 * Check DML permissions for every entry in rangeTabls (a List of range
 * table entries).  Returns true when all are allowed; with
 * abort_on_violation clear a denial is reported only through the return
 * value, so the caller must not discard it.
 */
extern bool sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation);
00289 
00290 /*
00291  * database.c
00292  */
00293 extern void sepgsql_database_post_create(Oid databaseId,
00294                              const char *dtemplate);
00295 extern void sepgsql_database_drop(Oid databaseId);
00296 extern void sepgsql_database_relabel(Oid databaseId, const char *seclabel);
00297 extern void sepgsql_database_setattr(Oid databaseId);
00298 
00299 /*
00300  * schema.c
00301  */
00302 extern void sepgsql_schema_post_create(Oid namespaceId);
00303 extern void sepgsql_schema_drop(Oid namespaceId);
00304 extern void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel);
00305 extern void sepgsql_schema_setattr(Oid namespaceId);
00306 extern bool sepgsql_schema_search(Oid namespaceId, bool abort_on_violation);
00307 extern void sepgsql_schema_add_name(Oid namespaceId);
00308 extern void sepgsql_schema_remove_name(Oid namespaceId);
00309 extern void sepgsql_schema_rename(Oid namespaceId);
00310 
00311 /*
00312  * relation.c
00313  */
00314 extern void sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum);
00315 extern void sepgsql_attribute_drop(Oid relOid, AttrNumber attnum);
00316 extern void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
00317                           const char *seclabel);
00318 extern void sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum);
00319 extern void sepgsql_relation_post_create(Oid relOid);
00320 extern void sepgsql_relation_drop(Oid relOid);
00321 extern void sepgsql_relation_relabel(Oid relOid, const char *seclabel);
00322 extern void sepgsql_relation_setattr(Oid relOid);
00323 
00324 /*
00325  * proc.c
00326  */
00327 extern void sepgsql_proc_post_create(Oid functionId);
00328 extern void sepgsql_proc_drop(Oid functionId);
00329 extern void sepgsql_proc_relabel(Oid functionId, const char *seclabel);
00330 extern void sepgsql_proc_setattr(Oid functionId);
00331 extern void sepgsql_proc_execute(Oid functionId);
00332 
00333 #endif   /* SEPGSQL_H */