PostgreSQL Source Code git master
Loading...
Searching...
No Matches
Functions
database.c File Reference
#include "postgres.h"
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/table.h"
#include "catalog/dependency.h"
#include "catalog/pg_database.h"
#include "commands/seclabel.h"
#include "sepgsql.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/snapmgr.h"
Include dependency graph for database.c:

Go to the source code of this file.

Functions

void sepgsql_database_post_create (Oid databaseId, const char *dtemplate)
 
void sepgsql_database_drop (Oid databaseId)
 
void sepgsql_database_setattr (Oid databaseId)
 
void sepgsql_database_relabel (Oid databaseId, const char *seclabel)
 

Function Documentation

◆ sepgsql_database_drop()

void sepgsql_database_drop ( Oid  databaseId)

Definition at line 132 of file database.c.

133{
134 ObjectAddress object;
135 char *audit_name;
136
137 /*
138 * check db_database:{drop} permission
139 */
140 object.classId = DatabaseRelationId;
141 object.objectId = databaseId;
142 object.objectSubId = 0;
143 audit_name = getObjectIdentity(&object, false);
144
145 sepgsql_avc_check_perms(&object,
146 SEPG_CLASS_DB_DATABASE,
147 SEPG_DB_DATABASE__DROP,
148 audit_name,
149 true);
150 pfree(audit_name);
151}
pfree
void pfree(void *pointer)
Definition mcxt.c:1616
getObjectIdentity
char * getObjectIdentity(const ObjectAddress *object, bool missing_ok)
Definition objectaddress.c:4823
fb
static int fb(int x)
Definition preproc-init.c:92
SEPG_CLASS_DB_DATABASE
#define SEPG_CLASS_DB_DATABASE
Definition sepgsql.h:44
SEPG_DB_DATABASE__DROP
#define SEPG_DB_DATABASE__DROP
Definition sepgsql.h:119
sepgsql_avc_check_perms
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition uavc.c:420

References ObjectAddress::classId, fb(), getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__DROP, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

◆ sepgsql_database_post_create()

void sepgsql_database_post_create ( Oid  databaseId,
const char dtemplate 
)

Definition at line 32 of file database.c.

33{
34 Relation rel;
35 ScanKeyData skey;
36 SysScanDesc sscan;
37 HeapTuple tuple;
38 char *tcontext;
39 char *ncontext;
40 ObjectAddress object;
41 Form_pg_database datForm;
42 StringInfoData audit_name;
43
44 /*
45 * Oid of the source database is not saved in pg_database catalog, so we
46 * collect its identifier using contextual information. If NULL, its
47 * default is "template1" according to createdb().
48 */
49 if (!dtemplate)
50 dtemplate = "template1";
51
52 object.classId = DatabaseRelationId;
53 object.objectId = get_database_oid(dtemplate, false);
54 object.objectSubId = 0;
55
56 tcontext = sepgsql_get_label(object.classId,
57 object.objectId,
58 object.objectSubId);
59
60 /*
61 * check db_database:{getattr} permission
62 */
63 initStringInfo(&audit_name);
64 appendStringInfoString(&audit_name, quote_identifier(dtemplate));
65 sepgsql_avc_check_perms_label(tcontext,
66 SEPG_CLASS_DB_DATABASE,
67 SEPG_DB_DATABASE__GETATTR,
68 audit_name.data,
69 true);
70
71 /*
72 * Compute a default security label of the newly created database based on
73 * a pair of security label of client and source database.
74 *
75 * XXX - upcoming version of libselinux supports to take object name to
76 * handle special treatment on default security label.
77 */
78 rel = table_open(DatabaseRelationId, AccessShareLock);
79
80 ScanKeyInit(&skey,
81 Anum_pg_database_oid,
82 BTEqualStrategyNumber, F_OIDEQ,
83 ObjectIdGetDatum(databaseId));
84
85 sscan = systable_beginscan(rel, DatabaseOidIndexId, true,
86 SnapshotSelf, 1, &skey);
87 tuple = systable_getnext(sscan);
88 if (!HeapTupleIsValid(tuple))
89 elog(ERROR, "could not find tuple for database %u", databaseId);
90
91 datForm = (Form_pg_database) GETSTRUCT(tuple);
92
93 ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
94 tcontext,
95 SEPG_CLASS_DB_DATABASE,
96 NameStr(datForm->datname));
97
98 /*
99 * check db_database:{create} permission
100 */
101 resetStringInfo(&audit_name);
102 appendStringInfoString(&audit_name,
103 quote_identifier(NameStr(datForm->datname)));
104 sepgsql_avc_check_perms_label(ncontext,
105 SEPG_CLASS_DB_DATABASE,
106 SEPG_DB_DATABASE__CREATE,
107 audit_name.data,
108 true);
109
110 systable_endscan(sscan);
111 table_close(rel, AccessShareLock);
112
113 /*
114 * Assign the default security label on the new database
115 */
116 object.classId = DatabaseRelationId;
117 object.objectId = databaseId;
118 object.objectSubId = 0;
119
120 SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
121
122 pfree(ncontext);
123 pfree(tcontext);
124}
NameStr
#define NameStr(name)
Definition c.h:765
get_database_oid
Oid get_database_oid(const char *dbname, bool missing_ok)
Definition dbcommands.c:3168
ERROR
#define ERROR
Definition elog.h:39
elog
#define elog(elevel,...)
Definition elog.h:226
systable_endscan
void systable_endscan(SysScanDesc sysscan)
Definition genam.c:603
systable_getnext
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition genam.c:514
systable_beginscan
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition genam.c:388
HeapTupleIsValid
#define HeapTupleIsValid(tuple)
Definition htup.h:78
GETSTRUCT
static void * GETSTRUCT(const HeapTupleData *tuple)
Definition htup_details.h:728
sepgsql_get_label
char * sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
Definition label.c:444
sepgsql_get_client_label
char * sepgsql_get_client_label(void)
Definition label.c:79
AccessShareLock
#define AccessShareLock
Definition lockdefs.h:36
Form_pg_database
FormData_pg_database * Form_pg_database
Definition pg_database.h:96
ObjectIdGetDatum
static Datum ObjectIdGetDatum(Oid X)
Definition postgres.h:262
quote_identifier
const char * quote_identifier(const char *ident)
Definition ruleutils.c:13060
ScanKeyInit
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition scankey.c:76
SetSecurityLabel
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition seclabel.c:404
sepgsql_compute_create
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
Definition selinux.c:842
SEPG_DB_DATABASE__CREATE
#define SEPG_DB_DATABASE__CREATE
Definition sepgsql.h:118
sepgsql_avc_check_perms_label
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition uavc.c:337
SEPG_DB_DATABASE__GETATTR
#define SEPG_DB_DATABASE__GETATTR
Definition sepgsql.h:120
SEPGSQL_LABEL_TAG
#define SEPGSQL_LABEL_TAG
Definition sepgsql.h:23
SnapshotSelf
#define SnapshotSelf
Definition snapmgr.h:32
BTEqualStrategyNumber
#define BTEqualStrategyNumber
Definition stratnum.h:31
resetStringInfo
void resetStringInfo(StringInfo str)
Definition stringinfo.c:126
appendStringInfoString
void appendStringInfoString(StringInfo str, const char *s)
Definition stringinfo.c:230
initStringInfo
void initStringInfo(StringInfo str)
Definition stringinfo.c:97
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition table.c:40

References AccessShareLock, appendStringInfoString(), BTEqualStrategyNumber, elog, ERROR, fb(), get_database_oid(), GETSTRUCT(), HeapTupleIsValid, initStringInfo(), NameStr, ObjectIdGetDatum(), pfree(), quote_identifier(), resetStringInfo(), ScanKeyInit(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__CREATE, SEPG_DB_DATABASE__GETATTR, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by sepgsql_object_access().

◆ sepgsql_database_relabel()

void sepgsql_database_relabel ( Oid  databaseId,
const char seclabel 
)

Definition at line 186 of file database.c.

187{
188 ObjectAddress object;
189 char *audit_name;
190
191 object.classId = DatabaseRelationId;
192 object.objectId = databaseId;
193 object.objectSubId = 0;
194 audit_name = getObjectIdentity(&object, false);
195
196 /*
197 * check db_database:{setattr relabelfrom} permission
198 */
199 sepgsql_avc_check_perms(&object,
200 SEPG_CLASS_DB_DATABASE,
201 SEPG_DB_DATABASE__SETATTR |
202 SEPG_DB_DATABASE__RELABELFROM,
203 audit_name,
204 true);
205
206 /*
207 * check db_database:{relabelto} permission
208 */
209 sepgsql_avc_check_perms_label(seclabel,
210 SEPG_CLASS_DB_DATABASE,
211 SEPG_DB_DATABASE__RELABELTO,
212 audit_name,
213 true);
214 pfree(audit_name);
215}
SEPG_DB_DATABASE__SETATTR
#define SEPG_DB_DATABASE__SETATTR
Definition sepgsql.h:121
SEPG_DB_DATABASE__RELABELTO
#define SEPG_DB_DATABASE__RELABELTO
Definition sepgsql.h:123
SEPG_DB_DATABASE__RELABELFROM
#define SEPG_DB_DATABASE__RELABELFROM
Definition sepgsql.h:122

References ObjectAddress::classId, fb(), getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__RELABELFROM, SEPG_DB_DATABASE__RELABELTO, SEPG_DB_DATABASE__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().

Referenced by sepgsql_object_relabel().

◆ sepgsql_database_setattr()

void sepgsql_database_setattr ( Oid  databaseId)

Definition at line 159 of file database.c.

160{
161 ObjectAddress object;
162 char *audit_name;
163
164 /*
165 * check db_database:{setattr} permission
166 */
167 object.classId = DatabaseRelationId;
168 object.objectId = databaseId;
169 object.objectSubId = 0;
170 audit_name = getObjectIdentity(&object, false);
171
172 sepgsql_avc_check_perms(&object,
173 SEPG_CLASS_DB_DATABASE,
174 SEPG_DB_DATABASE__SETATTR,
175 audit_name,
176 true);
177 pfree(audit_name);
178}

References ObjectAddress::classId, fb(), getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__SETATTR, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().