/*
 * sepgsql_client_auth
 *
 * Client authentication hook entry point.  Once authentication has
 * succeeded it records the peer's SELinux label (via getpeercon_raw()) in
 * client_label and moves the working mode from INTERNAL to the one the
 * GUC setting asks for.
 */
static void
sepgsql_client_auth(Port *port, int status)
{
	/* Run any hook that was installed before ours, unconditionally. */
	if (next_client_auth_hook)
		next_client_auth_hook(port, status);

	/*
	 * A failed authentication gets its socket closed shortly afterwards,
	 * so there is no client label worth establishing.
	 */
	if (status != STATUS_OK)
		return;

	/*
	 * Ask libselinux for the raw peer label.  Not being able to read it is
	 * treated as fatal for this backend rather than falling back to some
	 * default label.
	 */
	if (getpeercon_raw(port->sock, &client_label) < 0)
		ereport(FATAL,
				(errcode(ERRCODE_INTERNAL_ERROR),
				 errmsg("SELinux: unable to get peer label: %m")));

	/* Leave INTERNAL mode; permissive or default is a GUC decision. */
	sepgsql_set_mode(sepgsql_get_permissive()
					 ? SEPGSQL_MODE_PERMISSIVE
					 : SEPGSQL_MODE_DEFAULT);
}
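/*
 * mselinux_on_connect
 *
 * Connection event callback: reads the peer's SELinux label from the
 * client socket, maps it to an AVC security id and stores that id as the
 * connection's engine-specific data.
 *
 * cookie     - connection handle understood by the server core
 * type       - event type (unused here)
 * event_data - event payload (unused here)
 * cb_data    - the selinux_engine_t registered with this callback
 *
 * The label string returned by getpeercon_raw() is heap-allocated by
 * libselinux and is released here with freecon() once the sid has been
 * computed; the AVC keeps its own copy behind the sid.  The sid stored may
 * be NULL when the label cannot be mapped -- NOTE(review): callers of
 * store_engine_specific() data must cope with that.
 */
static void
mselinux_on_connect(const void *cookie,
					ENGINE_EVENT_TYPE type,
					const void *event_data,
					const void *cb_data)
{
	selinux_engine_t   *se = (selinux_engine_t *)cb_data;
	security_context_t	context = NULL;
	security_id_t		ssid = NULL;
	int					sockfd;
	int					context_from_peer = 0;

	(void) type;
	(void) event_data;

	sockfd = se->server.core->get_socket_fd(cookie);

	/*
	 * On failure fall back to a fixed, unprivileged label.  That fallback is
	 * a string literal and must never be handed to freecon(), hence the flag.
	 */
	if (getpeercon_raw(sockfd, &context) < 0)
		context = "user_u:user_r:user_t:s0";
	else
		context_from_peer = 1;

	/* An unmappable label yields a NULL sid rather than rejecting the client. */
	if (avc_context_to_sid(context, &ssid) < 0)
		ssid = NULL;

	/* Release the peer label; without this every connection leaked it. */
	if (context_from_peer)
		freecon(context);

	se->server.core->store_engine_specific(cookie, ssid);
}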
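/*
 * Compute the label for a child process serving the client on socket_fd:
 * our own context with its MLS range replaced by the peer's range, run
 * through the process-creation transition against the target context
 * (exec_label when one was given, otherwise the file label of exe).
 *
 * Returns 0 and stores a freecon()-owned string in *label on success,
 * a negative errno on failure, and -EOPNOTSUPP when SELinux is unavailable
 * (compiled out or not enabled at runtime).  On any failure *label is left
 * untouched.
 */
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
        int r = -EOPNOTSUPP;

#ifdef HAVE_SELINUX
        _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
        security_class_t sclass;
        const char *range = NULL, *tcon = NULL, *bcon_str = NULL;

        assert(socket_fd >= 0);
        assert(exe);
        assert(label);

        if (!mac_selinux_have())
                return -EOPNOTSUPP;

        r = getcon_raw(&mycon);
        if (r < 0)
                return -errno;

        r = getpeercon_raw(socket_fd, &peercon);
        if (r < 0)
                return -errno;

        if (exec_label) {
                /* A context was explicitly set for the next exec: transition against it. */
                tcon = exec_label;
        } else {
                /* No context set for next exec: use the label of the target executable. */
                r = getfilecon_raw(exe, &fcon);
                if (r < 0)
                        return -errno;
                tcon = fcon;
        }

        bcon = context_new(mycon);
        if (!bcon)
                return -ENOMEM;

        pcon = context_new(peercon);
        if (!pcon)
                return -ENOMEM;

        /*
         * A NULL range (e.g. a peer context without an MLS component) must
         * never turn a stale errno of 0 into a success return with *label
         * unset, so fall back to EINVAL when errno carries nothing.
         */
        range = context_range_get(pcon);
        if (!range)
                return errno > 0 ? -errno : -EINVAL;

        r = context_range_set(bcon, range);
        if (r)
                return errno > 0 ? -errno : -EINVAL;

        /* context_str() yields NULL when it cannot build the string; strdup(NULL) is UB. */
        bcon_str = context_str(bcon);
        if (!bcon_str)
                return -ENOMEM;

        freecon(mycon);
        mycon = strdup(bcon_str);
        if (!mycon)
                return -ENOMEM;

        /* Class 0 means "unknown class" and must not be sent to the kernel. */
        sclass = string_to_security_class("process");
        if (sclass == 0)
                return -ENOSYS;

        r = security_compute_create_raw(mycon, tcon, sclass, label);
        if (r < 0)
                return -errno;
#endif

        return r;
}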