PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
database.c File Reference
#include "postgres.h"
#include "access/genam.h"
#include "access/heapam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "catalog/dependency.h"
#include "catalog/pg_database.h"
#include "catalog/indexing.h"
#include "commands/dbcommands.h"
#include "commands/seclabel.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/tqual.h"
#include "sepgsql.h"
Include dependency graph for database.c:

Go to the source code of this file.

Functions

void sepgsql_database_post_create (Oid databaseId, const char *dtemplate)
 
void sepgsql_database_drop (Oid databaseId)
 
void sepgsql_database_setattr (Oid databaseId)
 
void sepgsql_database_relabel (Oid databaseId, const char *seclabel)
 

Function Documentation

void sepgsql_database_drop ( Oid  databaseId)

Definition at line 134 of file database.c.

References ObjectAddress::classId, DatabaseRelationId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__DROP, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

135 {
136  ObjectAddress object;
137  char *audit_name;
138 
139  /*
140  * check db_database:{drop} permission
141  */
142  object.classId = DatabaseRelationId;
143  object.objectId = databaseId;
144  object.objectSubId = 0;
145  audit_name = getObjectIdentity(&object);
146 
147  sepgsql_avc_check_perms(&object,
150  audit_name,
151  true);
152  pfree(audit_name);
153 }
#define DatabaseRelationId
Definition: pg_database.h:29
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:428
#define SEPG_CLASS_DB_DATABASE
Definition: sepgsql.h:44
void pfree(void *pointer)
Definition: mcxt.c:949
char * getObjectIdentity(const ObjectAddress *object)
#define SEPG_DB_DATABASE__DROP
Definition: sepgsql.h:119
void sepgsql_database_post_create ( Oid  databaseId,
const char *  dtemplate 
)

Definition at line 34 of file database.c.

References AccessShareLock, appendStringInfo(), BTEqualStrategyNumber, StringInfoData::data, DatabaseOidIndexId, DatabaseRelationId, elog, ERROR, get_database_oid(), GETSTRUCT, heap_close, heap_open(), HeapTupleIsValid, initStringInfo(), NameStr, ObjectIdAttributeNumber, ObjectIdGetDatum, pfree(), quote_identifier(), resetStringInfo(), ScanKeyInit(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__CREATE, SEPG_DB_DATABASE__GETATTR, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), and systable_getnext().

Referenced by sepgsql_object_access().

35 {
36  Relation rel;
37  ScanKeyData skey;
38  SysScanDesc sscan;
39  HeapTuple tuple;
40  char *tcontext;
41  char *ncontext;
42  ObjectAddress object;
43  Form_pg_database datForm;
44  StringInfoData audit_name;
45 
46  /*
47  * Oid of the source database is not saved in pg_database catalog, so we
48  * collect its identifier using contextual information. If NULL, its
49  * default is "template1" according to createdb().
50  */
51  if (!dtemplate)
52  dtemplate = "template1";
53 
54  object.classId = DatabaseRelationId;
55  object.objectId = get_database_oid(dtemplate, false);
56  object.objectSubId = 0;
57 
58  tcontext = sepgsql_get_label(object.classId,
59  object.objectId,
60  object.objectSubId);
61 
62  /*
63  * check db_database:{getattr} permission
64  */
65  initStringInfo(&audit_name);
66  appendStringInfo(&audit_name, "%s", quote_identifier(dtemplate));
70  audit_name.data,
71  true);
72 
73  /*
74  * Compute a default security label of the newly created database based on
75  * a pair of security label of client and source database.
76  *
77  * XXX - uncoming version of libselinux supports to take object name to
78  * handle special treatment on default security label.
79  */
81 
82  ScanKeyInit(&skey,
84  BTEqualStrategyNumber, F_OIDEQ,
85  ObjectIdGetDatum(databaseId));
86 
87  sscan = systable_beginscan(rel, DatabaseOidIndexId, true,
88  SnapshotSelf, 1, &skey);
89  tuple = systable_getnext(sscan);
90  if (!HeapTupleIsValid(tuple))
91  elog(ERROR, "could not find tuple for database %u", databaseId);
92 
93  datForm = (Form_pg_database) GETSTRUCT(tuple);
94 
96  tcontext,
98  NameStr(datForm->datname));
99 
100  /*
101  * check db_database:{create} permission
102  */
103  resetStringInfo(&audit_name);
104  appendStringInfo(&audit_name, "%s",
105  quote_identifier(NameStr(datForm->datname)));
109  audit_name.data,
110  true);
111 
112  systable_endscan(sscan);
114 
115  /*
116  * Assign the default security label on the new database
117  */
118  object.classId = DatabaseRelationId;
119  object.objectId = databaseId;
120  object.objectSubId = 0;
121 
122  SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
123 
124  pfree(ncontext);
125  pfree(tcontext);
126 }
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:346
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:499
#define GETSTRUCT(TUP)
Definition: htup_details.h:656
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:327
const char * quote_identifier(const char *ident)
Definition: ruleutils.c:10390
#define ObjectIdAttributeNumber
Definition: sysattr.h:22
FormData_pg_database * Form_pg_database
Definition: pg_database.h:57
#define DatabaseRelationId
Definition: pg_database.h:29
char * sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
Definition: label.c:463
#define AccessShareLock
Definition: lockdefs.h:36
#define heap_close(r, l)
Definition: heapam.h:97
#define SEPG_CLASS_DB_DATABASE
Definition: sepgsql.h:44
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:328
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:416
#define SEPG_DB_DATABASE__CREATE
Definition: sepgsql.h:118
void pfree(void *pointer)
Definition: mcxt.c:949
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:78
#define ObjectIdGetDatum(X)
Definition: postgres.h:513
#define ERROR
Definition: elog.h:43
#define DatabaseOidIndexId
Definition: indexing.h:142
#define SEPGSQL_LABEL_TAG
Definition: sepgsql.h:23
void resetStringInfo(StringInfo str)
Definition: stringinfo.c:62
#define SnapshotSelf
Definition: tqual.h:27
#define SEPG_DB_DATABASE__GETATTR
Definition: sepgsql.h:120
void initStringInfo(StringInfo str)
Definition: stringinfo.c:46
Relation heap_open(Oid relationId, LOCKMODE lockmode)
Definition: heapam.c:1290
Oid get_database_oid(const char *dbname, bool missing_ok)
Definition: dbcommands.c:2009
#define HeapTupleIsValid(tuple)
Definition: htup.h:77
char * sepgsql_get_client_label(void)
Definition: label.c:91
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
Definition: selinux.c:837
#define NameStr(name)
Definition: c.h:493
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
#define elog
Definition: elog.h:219
#define BTEqualStrategyNumber
Definition: stratnum.h:31
void sepgsql_database_relabel ( Oid  databaseId,
const char *  seclabel 
)

Definition at line 188 of file database.c.

References ObjectAddress::classId, DatabaseRelationId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__RELABELFROM, SEPG_DB_DATABASE__RELABELTO, SEPG_DB_DATABASE__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().

Referenced by sepgsql_object_relabel().

189 {
190  ObjectAddress object;
191  char *audit_name;
192 
193  object.classId = DatabaseRelationId;
194  object.objectId = databaseId;
195  object.objectSubId = 0;
196  audit_name = getObjectIdentity(&object);
197 
198  /*
199  * check db_database:{setattr relabelfrom} permission
200  */
201  sepgsql_avc_check_perms(&object,
205  audit_name,
206  true);
207 
208  /*
209  * check db_database:{relabelto} permission
210  */
214  audit_name,
215  true);
216  pfree(audit_name);
217 }
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:346
#define DatabaseRelationId
Definition: pg_database.h:29
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:428
#define SEPG_DB_DATABASE__RELABELFROM
Definition: sepgsql.h:122
#define SEPG_CLASS_DB_DATABASE
Definition: sepgsql.h:44
void pfree(void *pointer)
Definition: mcxt.c:949
char * getObjectIdentity(const ObjectAddress *object)
#define SEPG_DB_DATABASE__SETATTR
Definition: sepgsql.h:121
#define SEPG_DB_DATABASE__RELABELTO
Definition: sepgsql.h:123
void sepgsql_database_setattr ( Oid  databaseId)

Definition at line 161 of file database.c.

References ObjectAddress::classId, DatabaseRelationId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__SETATTR, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

162 {
163  ObjectAddress object;
164  char *audit_name;
165 
166  /*
167  * check db_database:{setattr} permission
168  */
169  object.classId = DatabaseRelationId;
170  object.objectId = databaseId;
171  object.objectSubId = 0;
172  audit_name = getObjectIdentity(&object);
173 
174  sepgsql_avc_check_perms(&object,
177  audit_name,
178  true);
179  pfree(audit_name);
180 }
#define DatabaseRelationId
Definition: pg_database.h:29
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:428
#define SEPG_CLASS_DB_DATABASE
Definition: sepgsql.h:44
void pfree(void *pointer)
Definition: mcxt.c:949
char * getObjectIdentity(const ObjectAddress *object)
#define SEPG_DB_DATABASE__SETATTR
Definition: sepgsql.h:121