PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
database.c File Reference
#include "postgres.h"
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/table.h"
#include "catalog/dependency.h"
#include "catalog/pg_database.h"
#include "commands/dbcommands.h"
#include "commands/seclabel.h"
#include "sepgsql.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/snapmgr.h"
Include dependency graph for database.c:

Go to the source code of this file.

Functions

void sepgsql_database_post_create (Oid databaseId, const char *dtemplate)
 
void sepgsql_database_drop (Oid databaseId)
 
void sepgsql_database_setattr (Oid databaseId)
 
void sepgsql_database_relabel (Oid databaseId, const char *seclabel)
 

Function Documentation

◆ sepgsql_database_drop()

void sepgsql_database_drop ( Oid  databaseId)

Definition at line 133 of file database.c.

134{
135 ObjectAddress object;
136 char *audit_name;
137
138 /*
139 * check db_database:{drop} permission
140 */
141 object.classId = DatabaseRelationId;
142 object.objectId = databaseId;
143 object.objectSubId = 0;
144 audit_name = getObjectIdentity(&object, false);
145
149 audit_name,
150 true);
151 pfree(audit_name);
152}
void pfree(void *pointer)
Definition: mcxt.c:1521
char * getObjectIdentity(const ObjectAddress *object, bool missing_ok)
#define SEPG_CLASS_DB_DATABASE
Definition: sepgsql.h:44
#define SEPG_DB_DATABASE__DROP
Definition: sepgsql.h:119
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:420

References ObjectAddress::classId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__DROP, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

◆ sepgsql_database_post_create()

void sepgsql_database_post_create ( Oid  databaseId,
const char *  dtemplate 
)

Definition at line 33 of file database.c.

34{
35 Relation rel;
36 ScanKeyData skey;
37 SysScanDesc sscan;
38 HeapTuple tuple;
39 char *tcontext;
40 char *ncontext;
41 ObjectAddress object;
42 Form_pg_database datForm;
43 StringInfoData audit_name;
44
45 /*
46 * Oid of the source database is not saved in pg_database catalog, so we
47 * collect its identifier using contextual information. If NULL, its
48 * default is "template1" according to createdb().
49 */
50 if (!dtemplate)
51 dtemplate = "template1";
52
53 object.classId = DatabaseRelationId;
54 object.objectId = get_database_oid(dtemplate, false);
55 object.objectSubId = 0;
56
57 tcontext = sepgsql_get_label(object.classId,
58 object.objectId,
59 object.objectSubId);
60
61 /*
62 * check db_database:{getattr} permission
63 */
64 initStringInfo(&audit_name);
65 appendStringInfoString(&audit_name, quote_identifier(dtemplate));
69 audit_name.data,
70 true);
71
72 /*
73 * Compute a default security label of the newly created database based on
74 * a pair of security label of client and source database.
75 *
76 * XXX - upcoming version of libselinux supports to take object name to
77 * handle special treatment on default security label.
78 */
79 rel = table_open(DatabaseRelationId, AccessShareLock);
80
81 ScanKeyInit(&skey,
82 Anum_pg_database_oid,
83 BTEqualStrategyNumber, F_OIDEQ,
84 ObjectIdGetDatum(databaseId));
85
86 sscan = systable_beginscan(rel, DatabaseOidIndexId, true,
87 SnapshotSelf, 1, &skey);
88 tuple = systable_getnext(sscan);
89 if (!HeapTupleIsValid(tuple))
90 elog(ERROR, "could not find tuple for database %u", databaseId);
91
92 datForm = (Form_pg_database) GETSTRUCT(tuple);
93
95 tcontext,
97 NameStr(datForm->datname));
98
99 /*
100 * check db_database:{create} permission
101 */
102 resetStringInfo(&audit_name);
103 appendStringInfoString(&audit_name,
104 quote_identifier(NameStr(datForm->datname)));
108 audit_name.data,
109 true);
110
111 systable_endscan(sscan);
113
114 /*
115 * Assign the default security label on the new database
116 */
117 object.classId = DatabaseRelationId;
118 object.objectId = databaseId;
119 object.objectSubId = 0;
120
121 SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
122
123 pfree(ncontext);
124 pfree(tcontext);
125}
#define NameStr(name)
Definition: c.h:700
Oid get_database_oid(const char *dbname, bool missing_ok)
Definition: dbcommands.c:3140
#define ERROR
Definition: elog.h:39
#define elog(elevel,...)
Definition: elog.h:225
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:606
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:513
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:387
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
#define GETSTRUCT(TUP)
Definition: htup_details.h:653
char * sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
Definition: label.c:445
char * sepgsql_get_client_label(void)
Definition: label.c:80
#define AccessShareLock
Definition: lockdefs.h:36
FormData_pg_database * Form_pg_database
Definition: pg_database.h:96
static Datum ObjectIdGetDatum(Oid X)
Definition: postgres.h:252
const char * quote_identifier(const char *ident)
Definition: ruleutils.c:12870
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:404
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
Definition: selinux.c:842
#define SEPG_DB_DATABASE__CREATE
Definition: sepgsql.h:118
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:337
#define SEPG_DB_DATABASE__GETATTR
Definition: sepgsql.h:120
#define SEPGSQL_LABEL_TAG
Definition: sepgsql.h:23
#define SnapshotSelf
Definition: snapmgr.h:32
#define BTEqualStrategyNumber
Definition: stratnum.h:31
void resetStringInfo(StringInfo str)
Definition: stringinfo.c:75
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:179
void initStringInfo(StringInfo str)
Definition: stringinfo.c:56
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References AccessShareLock, appendStringInfoString(), BTEqualStrategyNumber, StringInfoData::data, elog, ERROR, get_database_oid(), GETSTRUCT, HeapTupleIsValid, initStringInfo(), NameStr, ObjectIdGetDatum(), pfree(), quote_identifier(), resetStringInfo(), ScanKeyInit(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__CREATE, SEPG_DB_DATABASE__GETATTR, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by sepgsql_object_access().

◆ sepgsql_database_relabel()

void sepgsql_database_relabel ( Oid  databaseId,
const char *  seclabel 
)

Definition at line 187 of file database.c.

188{
189 ObjectAddress object;
190 char *audit_name;
191
192 object.classId = DatabaseRelationId;
193 object.objectId = databaseId;
194 object.objectSubId = 0;
195 audit_name = getObjectIdentity(&object, false);
196
197 /*
198 * check db_database:{setattr relabelfrom} permission
199 */
204 audit_name,
205 true);
206
207 /*
208 * check db_database:{relabelto} permission
209 */
213 audit_name,
214 true);
215 pfree(audit_name);
216}
#define SEPG_DB_DATABASE__SETATTR
Definition: sepgsql.h:121
#define SEPG_DB_DATABASE__RELABELTO
Definition: sepgsql.h:123
#define SEPG_DB_DATABASE__RELABELFROM
Definition: sepgsql.h:122

References ObjectAddress::classId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__RELABELFROM, SEPG_DB_DATABASE__RELABELTO, SEPG_DB_DATABASE__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().

Referenced by sepgsql_object_relabel().

◆ sepgsql_database_setattr()

void sepgsql_database_setattr ( Oid  databaseId)

Definition at line 160 of file database.c.

161{
162 ObjectAddress object;
163 char *audit_name;
164
165 /*
166 * check db_database:{setattr} permission
167 */
168 object.classId = DatabaseRelationId;
169 object.objectId = databaseId;
170 object.objectSubId = 0;
171 audit_name = getObjectIdentity(&object, false);
172
176 audit_name,
177 true);
178 pfree(audit_name);
179}

References ObjectAddress::classId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__SETATTR, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().