DBSecWorx: DBMS_SFW_ACL

Oracle DBMS_SFW_ACL_ADMIN Built-In Package Versions 12.2 - 19.4

Security Advisory

According to the Oracle on-line Types and Packages reference documentation:

"The DBMS_SFW_ACL_ADMIN package provides interfaces for administering and managing access control policies for the "database service firewall" feature. Each policy is represented by an access control list (ACL) containing hosts that are allowed access to a specific database service. Local listeners and server processes validate all inbound client connections against the ACL.

It appears that this package provides the APIs to administer service Access Control List (ACL) that are used to control access to DB services by external Virtual Machines (VMs) or host networks.

There are two types of ACL: Exadirect and IP. Exadirect ACL is used to grant access to VMs; where as, IP ACL is used to grant access to host networks.

Exadirect APIs are prefixed by 'ed_'.
IP APIs are prefixed by 'ip_'.
APIs w/o prefix are generic.

This package is part of Oracle's built-in security for Exadata and ExaCC virtual machines. The objects in this package can only be run by the DBSFWUSER schema and request for the ability to log on as DBSFWUSER should be treated with great suspicion and lead to an in-depth evaluation of that request by the office of the CISO.

We suspect that "ED" which is the prefix for most of the objects in this package is short for "ExaData."

Recommended Security Rules

NEVER

Grant execute on this package to any user or role

WITH GREAT CARE

Check regularly to determine if execute on this package has been granted and if so treat it as highly suspicious: It should raise alarms.

CAUTIONS

How Oracle Works

N/A N/A

DBMS_SFW_ACL_ADMIN Package Information

AUTHID CURRENT_USER

Constants

Name	Data Type	Value
General
DOMAIN_MASK	-- Hostname mask: *.???.???...??? VARCHAR2(80)	'\(\.[^\.\:\/\]+)*'
HOSTNAME_MASK	-- Hostname mask: ???.???.???...??? VARCHAR2(80)	'[^\.\:\/\]+(\.[^\.\:\/\]+)*'
IP_ADDR_MASK	-- IP address mask: xxx.xxx.xxx.xxx VARCHAR2(80)	'([[:digit:]]+\.){3}[[:digit:]]+'
IP_SUBNET_MASK	-- IP submet mask: xxx.xxx...* VARCHAR2(80)	'([[:digit:]]+\.){0,3}\*'

Data Types -- Used in batch operation.
TYPE table_type IS TABLE OF VARCHAR(300) INDEX BY BINARY_INTEGER;

Dependencies

ACL$_OBJ	DUAL	XS$ACE_LIST
CDB_SERVICE$	EXADIRECT_ACL	XS$ACE_TYPE
DBA_XS_ACES	IP_ACL	XS$NAME_LIST
DBA_XS_ACLS	PLITBLM	XS_ACL
DBA_XS_OBJECTS	V_$DATABASE	XS_ADMIN_UTIL
DBMS_ASSERT	V_$PARAMETER	XS_SECURITY_CLASS
DBMS_STANDARD	V_$PDBS

Documented in Types & Packages Yes

Exceptions

Error Code	Reason
ORA-20001	exadirect_sgid_in_used
ORA-20002	exadirect_dup_svc_and_uuid
ORA-20003	exadirect_null_service
ORA-20004	exadirect_null_uuid
ORA-20005	exadirect_unknown
ORA-20006	exadirect_bad_sgid
ORA-20007	exadirect_ids_mismatch
ORA-20008	exadirect_insufficient_priv
ORA-20009	ip_host_exists
ORA-20010	ip_invalid_host
ORA-20011	ip_no_host
ORA-20012	container_not_root
ORA-20013	not_exadata

First Available 12.2.0.1

Security Model Owned by DBSFWUSER with no privileges granted

Source {ORACLE_HOME}/rdbms/admin/dbms acl srv.sql

Subprograms

COMMIT_ACL	ED_IS_ACL_ENABLED	ED_UPDATE_PDB_ACE
ED_ADD_ACE	ED_REMOVE_ACES_BY_SGID	GET_CDB_SVCS
ED_ADD_PDB_ACE	ED_REMOVE_ACES_BY_UUID	IP_ADD_ACE
ED_BREMOVE_COMMIT_BY_UUIDS	ED_REMOVE_ACE_BY_SGID	IP_ADD_PDB_ACE
ED_BUPDATE_COMMIT	ED_REMOVE_ACE_BY_UUID	IP_GET_ACL
ED_ENABLE_ACL	ED_REMOVE_ACL	IP_GET_ACL_SVCS_BY_HOST
ED_GET_ACES_BY_SGID	ED_REMOVE_PDB_ACE_BY_SGID	IP_REMOVE_ACE
ED_GET_ACES_BY_SVC	ED_REMOVE_PDB_ACE_BY_UUID	IP_REMOVE_ACL
ED_GET_ACES_BY_UUID	ED_REMOVE_PDB_ACL	IP_REMOVE_PDB_ACE
ED_GET_ACES_BY_UUID_SGID	ED_UPDATE_ACE	IP_REMOVE_PDB_ACL

COMMIT_ACL

Commit changes to the DB ACL table and propagate them to all access control points in the DB cluster. Exadirect ACL updates are only propagated if DB ACL control is enabled. dbms_sfw_acl_admin.commit_acl;

exec dbsfwuser.dbms_sfw_acl_admin.commit_acl;

ED_ADD_ACE

Add a new Exadirect ACL entry dbms_sfw_acl_admin.ed_add_ace( p_service_name IN VARCHAR2, p_vm_uuid IN VARCHAR2, p_vm_sgid IN VARCHAR2);

TBD

ED_ADD_PDB_ACE

Add a new Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_add_pdb_ace( p_pdb_name IN VARCHAR2, p_vm_uuid IN VARCHAR2, p_vm_sgid IN VARCHAR2);

TBD

ED_BREMOVE_COMMIT_BY_UUIDS

Batch remove and commit. This is normally called when stopping a VM. dbms_sfw_acl_admin.ed_bremove_commit_by_uuids(p_vm_uuids IN table_type);

TBD

ED_BUPDATE_COMMIT

Batch update and commit. This is normally called when starting the VM dbms_sfw_acl_admin.ed_bupdate_commit( p_vm_uuids IN table_type, p_vm_sgids IN table_type, p_vm_services IN table_type);

TBD

ED_ENABLE_ACL

Enable DB ACL control, load and propagate the initial ACLs to all access control points in the DB cluster. By default, DB ACL control is disabled and all access to secure network interfaces are denied. dbms_sfw_acl_admin.ed_enable_acl;

exec dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl;

      BEGIN dbsfwuser.dbms_sfw_acl_admin.ed_enable_acl; END;

      *

      ERROR at line 1:

      ORA-20013: Must be running on EXADATA

      ORA-06512: at "DBSFWUSER.DBMS_SFW_ACL_ADMIN", line 342

      ORA-06512: at line 1

ED_GET_ACES_BY_SGID

Get all service Exadirect ACL entries for the specified VM SGID dbms_sfw_acl_admin.ed_get_aces_by_sgid( p_vm_sgid IN VARCHAR2, p_services OUT SYS_REFCURSOR);

TBD

ED_GET_ACES_BY_SVC

Get all VM UUIDs for the specified service. This call will be used by mgmt Stack to cleanup stalled service after the service has been removed by DBA. This call will be used in conjunction with remove_acl_svc_by_uuid. dbms_sfw_acl_admin.ed_get_aces_by_svc( p_service_name IN VARCHAR2, p_vm_uuids OUT SYS_REFCURSOR);

TBD

ED_GET_ACES_BY_UUID

Get all service Exadirect ACL entries for the specified VM UUID dbms_sfw_acl_admin.ed_get_aces_by_uuid( p_vm_uuid IN VARCHAR2, p_services OUT SYS_REFCURSOR);

TBD

ED_GET_ACES_BY_UUID_SGID

Get all service Exadirect ACL entries for the specified VM SGID and UUID dbms_sfw_acl_admin.ed_get_aces_by_uuid_sgid( p_vm_uuid IN VARCHAR2, p_vm_sgid IN VARCHAR2, p_services OUT SYS_REFCURSOR);

TBD

ED_IS_ACL_ENABLED

Return the state of ACL control on the database

This object does not validate that is being executed on a non-Exadata dbms_sfw_acl_admin.ed_is_acl_enabled RETURN BOOLEAN;

BEGIN

        IF dbsfwuser.dbms_sfw_acl_admin.ed_is_acl_enabled THEN

          dbms_output.put_line('ACL is enabled');

        ELSE

          dbms_output.put_line('ACL is not enabled');

        END IF;

      END;

      /

      ACL is not enabled

      

      PL/SQL procedure successfully completed.

ED_REMOVE_ACES_BY_SGID

Remove all service Exadirect ACL entries for the specified VM SGID dbms_sfw_acl_admin.ed_remove_aces_by_sgid(p_vm_sgid IN VARCHAR2);

TBD

ED_REMOVE_ACES_BY_UUID

Remove all service Exadirect ACL entries for the specified VM UUID dbms_sfw_acl_admin.ed_remove_aces_by_uuid(p_vm_uuid IN VARCHAR2);

TBD

ED_REMOVE_ACE_BY_SGID

Remove all service Exadirect ACL entries for the specified VM SGID dbms_sfw_acl_admin.ed_remove_ace_by_sgid( p_service_name IN VARCHAR2, p_vm_sgid IN VARCHAR2);

TBD

ED_REMOVE_ACE_BY_UUID

Remove an Exadirect ACL entry for the specified service name and VM UUID dbms_sfw_acl_admin.ed_remove_ace_by_uuid( p_service_name IN VARCHAR2, p_vm_uuid IN VARCHAR2);

TBD

ED_REMOVE_ACL

Remove Exadirect ACL for the specified service name

This object appears to perform no validations as it ran on a laptop with an invalid service name dbms_sfw_acl_admin.ed_remove_acl(p_service_name IN VARCHAR2);

exec dbsfwuser.dbms_sfw_acl_admin.ed_remove_acl('pdbprod');

      

      PL/SQL procedure successfully completed.

ED_REMOVE_PDB_ACE_BY_SGID

Remove an Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_remove_pdb_ace_by_sgid( p_pdb_name IN VARCHAR2, p_vm_sgid IN VARCHAR2);

TBD

ED_REMOVE_PDB_ACE_BY_UUID

Remove an Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_remove_pdb_ace_by_uuid( p_pdb_name IN VARCHAR2, p_vm_uuid IN VARCHAR2);

TBD

ED_REMOVE_PDB_ACL

Remove the Exadirect ACL for each of the service in the specified PDB

This object appears to perform no validations as it ran on a laptop with an invalid service name dbms_sfw_acl_admin.ed_remove_pdb_acl(p_pdb_name IN VARCHAR2);

exec dbsfwuser.dbms_sfw_acl_admin.ed_remove_pdb_acl('pdbprod');

      

      PL/SQL procedure successfully completed.

ED_UPDATE_ACE

Update an Exadirect ACL entry dbms_sfw_acl_admin.ed_update_ace( p_service_name IN VARCHAR2, p_vm_uuid IN VARCHAR2, p_vm_sgid IN VARCHAR2);

TBD

ED_UPDATE_PDB_ACE

Update an Exadirect ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ed_update_pdb_ace( p_pdb_name IN VARCHAR2, p_vm_uuid IN VARCHAR2, p_vm_sgid IN VARCHAR2);

TBD

GET_CDB_SVCS

Return all services for the CDB, excluding GLOBAL and INTERNAL services

This object appears to perform no validations as it ran on a laptop dbms_sfw_acl_admin.get_cdb_svcs(p_services OUT SYS_REFCURSOR);

DECLARE

       rc SYS_REFCURSOR;

      BEGIN

        dbsfwuser.dbms_sfw_acl_admin.get_cdb_svcs(rc);

      END;

      /

      

      PL/SQL procedure successfully completed.

IP_ADD_ACE

Add a new IP ACL entry

This object appears to perform no validations as it ran on a laptop with an invalid service name and all inputs were invalid dbms_sfw_acl_admin.ip_add_ace( p_service_name IN VARCHAR2, p_host IN VARCHAR2); -- can be a hostname, dotted-decimal IPv4 or hexadecimal IPv6 address. -- wildcard "*" for IPv4 and CIDR format allowed.

exec dbsfwuser.dbms_sfw_acl_admin.ip_add_ace('pdbprod', '192.168.42.15');

      

      PL/SQL procedure successfully completed.

IP_ADD_PDB_ACE

Add a new IP ACL entry for each of the service in the specified PDB

This object appears to perform no validations as it ran on a laptop with an invalid service name and all inputs were invalid dbms_sfw_acl_admin.ip_add_pdb_ace( p_pdb_name IN VARCHAR2, p_host IN VARCHAR2);

exec dbsfwuser.dbms_sfw_acl_admin.ip_add_pdb_ace('ORCL', '127.0.0.1');

      

      PL/SQL procedure successfully completed.

IP_GET_ACL

Get all IP ACL entries for the specified service name dbms_sfw_acl_admin.ip_get_acl( p_service_name IN VARCHAR2, p_hosts OUT SYS_REFCURSOR);

DECLARE

       rc SYS_REFCURSOR;

      BEGIN

        dbsfwuser.dbms_sfw_acl_admin.ip_get_acl('PDBDEV' rc)

      END;

      /

IP_GET_ACL_SVCS_BY_HOST

Get all service names for a specified host

This object appears to perform no validations as it ran on a laptop with an invalid service name and all inputs were invalid dbms_sfw_acl_admin.ip_get_acl_svcs_by_host( p_host IN VARCHAR2, p_services OUT SYS_REFCURSOR);

DECLARE

       rc SYS_REFCURSOR;

      BEGIN

        dbsfwuser.dbms_sfw_acl_admin.ip_get_acl_svcs_by_host('127.0.0.1', rc);

      END;

      /

      

      PL/SQL procedure successfully completed.

IP_REMOVE_ACE

Remove an IP ACL entry for the specified service name and host dbms_sfw_acl_admin.ip_remove_ace( p_service_name IN VARCHAR2, p_host IN VARCHAR2);

exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_ace('PDBDEV', '127.0.0.1');

IP_REMOVE_ACL

Remove all IP ACL entries for the specified service name dbms_sfw_acl_admin.ip_remove_acl(p_service_name IN VARCHAR2);

exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_acl('PDBDEV');

IP_REMOVE_PDB_ACE

Remove an IP ACL entry for each of the service in the specified PDB dbms_sfw_acl_admin.ip_remove_pdb_ace( p_pdb_name IN VARCHAR2, p_host IN VARCHAR2);

exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_pdb_ace('PDBDEV', '127.0.0.1');

IP_REMOVE_PDB_ACL

Remove the IP ACL for each of the service in the specified PDB dbms_sfw_acl_admin.ip_remove_pdb_acl(p_pdb_name IN VARCHAR2);

exec dbsfwuser.dbms_sfw_acl_admin.ip_remove_pdb_acl('PDBDEV');