#include "postgres.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/tupdesc.h"
#include "catalog/catalog.h"
#include "catalog/dependency.h"
#include "catalog/heap.h"
#include "catalog/pg_attribute.h"
#include "catalog/pg_class.h"
#include "catalog/pg_inherits.h"
#include "commands/seclabel.h"
#include "commands/tablecmds.h"
#include "executor/executor.h"
#include "nodes/bitmapset.h"
#include "parser/parsetree.h"
#include "sepgsql.h"
#include "utils/lsyscache.h"
#include "utils/syscache.h"

Include dependency graph for dml.c:

Functions
static Bitmapset *	fixup_whole_row_references (Oid relOid, Bitmapset *columns)

static Bitmapset *	fixup_inherited_columns (Oid parentId, Oid childId, Bitmapset *columns)

static bool	check_relation_privileges (Oid relOid, Bitmapset selected, Bitmapset inserted, Bitmapset *updated, uint32 required, bool abort_on_violation)

bool	sepgsql_dml_privileges (List rangeTbls, List rteperminfos, bool abort_on_violation)

Function Documentation

◆ check_relation_privileges()

static bool check_relation_privileges	(	Oid	relOid,
		Bitmapset *	selected,
		Bitmapset *	inserted,
		Bitmapset *	updated,
		uint32	required,
		bool	abort_on_violation
	)

static

Definition at line 142 of file dml.c.

{
    ObjectAddress object;
    char       *audit_name;
    Bitmapset  *columns;
    int         index;
    char        relkind = get_rel_relkind(relOid);
    bool        result = true;
 
    /*
     * Hardwired Policies: SE-PostgreSQL enforces - clients cannot modify
     * system catalogs using DMLs - clients cannot reference/modify toast
     * relations using DMLs
     */
    if (sepgsql_getenforce() > 0)
    {
        if ((required & (SEPG_DB_TABLE__UPDATE |
                         SEPG_DB_TABLE__INSERT |
                         SEPG_DB_TABLE__DELETE)) != 0 &&
            IsCatalogRelationOid(relOid))
            ereport(ERROR,
                    (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                     errmsg("SELinux: hardwired security policy violation")));
 
        if (relkind == RELKIND_TOASTVALUE)
            ereport(ERROR,
                    (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                     errmsg("SELinux: hardwired security policy violation")));
    }
 
    /*
     * Check permissions on the relation
     */
    object.classId = RelationRelationId;
    object.objectId = relOid;
    object.objectSubId = 0;
    audit_name = getObjectIdentity(&object, false);
    switch (relkind)
    {
        case RELKIND_RELATION:
        case RELKIND_PARTITIONED_TABLE:
            result = sepgsql_avc_check_perms(&object,
                                             SEPG_CLASS_DB_TABLE,
                                             required,
                                             audit_name,
                                             abort_on_violation);
            break;
 
        case RELKIND_SEQUENCE:
            Assert((required & ~SEPG_DB_TABLE__SELECT) == 0);
 
            if (required & SEPG_DB_TABLE__SELECT)
                result = sepgsql_avc_check_perms(&object,
                                                 SEPG_CLASS_DB_SEQUENCE,
                                                 SEPG_DB_SEQUENCE__GET_VALUE,
                                                 audit_name,
                                                 abort_on_violation);
            break;
 
        case RELKIND_VIEW:
            result = sepgsql_avc_check_perms(&object,
                                             SEPG_CLASS_DB_VIEW,
                                             SEPG_DB_VIEW__EXPAND,
                                             audit_name,
                                             abort_on_violation);
            break;
 
        default:
            /* nothing to be checked */
            break;
    }
    pfree(audit_name);
 
    /*
     * Only columns owned by relations shall be checked
     */
    if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
        return true;
 
    /*
     * Check permissions on the columns
     */
    selected = fixup_whole_row_references(relOid, selected);
    inserted = fixup_whole_row_references(relOid, inserted);
    updated = fixup_whole_row_references(relOid, updated);
    columns = bms_union(selected, bms_union(inserted, updated));
 
    index = -1;
    while ((index = bms_next_member(columns, index)) >= 0)
    {
        AttrNumber  attnum;
        uint32      column_perms = 0;
 
        if (bms_is_member(index, selected))
            column_perms |= SEPG_DB_COLUMN__SELECT;
        if (bms_is_member(index, inserted))
        {
            if (required & SEPG_DB_TABLE__INSERT)
                column_perms |= SEPG_DB_COLUMN__INSERT;
        }
        if (bms_is_member(index, updated))
        {
            if (required & SEPG_DB_TABLE__UPDATE)
                column_perms |= SEPG_DB_COLUMN__UPDATE;
        }
        if (column_perms == 0)
            continue;
 
        /* obtain column's permission */
        attnum = index + FirstLowInvalidHeapAttributeNumber;
 
        object.classId = RelationRelationId;
        object.objectId = relOid;
        object.objectSubId = attnum;
        audit_name = getObjectDescription(&object, false);
 
        result = sepgsql_avc_check_perms(&object,
                                         SEPG_CLASS_DB_COLUMN,
                                         column_perms,
                                         audit_name,
                                         abort_on_violation);
        pfree(audit_name);
 
        if (!result)
            return result;
    }
    return true;
}

References Assert(), attnum, bms_is_member(), bms_next_member(), bms_union(), ereport, errcode(), errmsg(), ERROR, FirstLowInvalidHeapAttributeNumber, fixup_whole_row_references(), get_rel_relkind(), getObjectDescription(), getObjectIdentity(), IsCatalogRelationOid(), pfree(), generate_unaccent_rules::required, SEPG_CLASS_DB_COLUMN, SEPG_CLASS_DB_SEQUENCE, SEPG_CLASS_DB_TABLE, SEPG_CLASS_DB_VIEW, SEPG_DB_COLUMN__INSERT, SEPG_DB_COLUMN__SELECT, SEPG_DB_COLUMN__UPDATE, SEPG_DB_SEQUENCE__GET_VALUE, SEPG_DB_TABLE__DELETE, SEPG_DB_TABLE__INSERT, SEPG_DB_TABLE__SELECT, SEPG_DB_TABLE__UPDATE, SEPG_DB_VIEW__EXPAND, sepgsql_avc_check_perms(), and sepgsql_getenforce().

Referenced by sepgsql_dml_privileges().

◆ fixup_inherited_columns()

static Bitmapset * fixup_inherited_columns	(	Oid	parentId,
		Oid	childId,
		Bitmapset *	columns
	)

static

Definition at line 93 of file dml.c.

{
    Bitmapset  *result = NULL;
    int         index;
 
    /*
     * obviously, no need to do anything here
     */
    if (parentId == childId)
        return columns;
 
    index = -1;
    while ((index = bms_next_member(columns, index)) >= 0)
    {
        /* bit numbers are offset by FirstLowInvalidHeapAttributeNumber */
        AttrNumber  attno = index + FirstLowInvalidHeapAttributeNumber;
        char       *attname;
 
        /*
         * whole-row-reference shall be fixed-up later
         */
        if (attno == InvalidAttrNumber)
        {
            result = bms_add_member(result, index);
            continue;
        }
 
        attname = get_attname(parentId, attno, false);
        attno = get_attnum(childId, attname);
        if (attno == InvalidAttrNumber)
            elog(ERROR, "cache lookup failed for attribute %s of relation %u",
                 attname, childId);
 
        result = bms_add_member(result,
                                attno - FirstLowInvalidHeapAttributeNumber);
 
        pfree(attname);
    }
 
    return result;
}

References attname, bms_add_member(), bms_next_member(), elog, ERROR, FirstLowInvalidHeapAttributeNumber, get_attname(), get_attnum(), InvalidAttrNumber, and pfree().

Referenced by sepgsql_dml_privileges().

◆ fixup_whole_row_references()

static Bitmapset * fixup_whole_row_references	(	Oid	relOid,
		Bitmapset *	columns
	)

static

Definition at line 39 of file dml.c.

{
    Bitmapset  *result;
    HeapTuple   tuple;
    AttrNumber  natts;
    AttrNumber  attno;
    int         index;
 
    /* if no whole-row references, nothing to do */
    index = InvalidAttrNumber - FirstLowInvalidHeapAttributeNumber;
    if (!bms_is_member(index, columns))
        return columns;
 
    /* obtain number of attributes */
    tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relOid));
    if (!HeapTupleIsValid(tuple))
        elog(ERROR, "cache lookup failed for relation %u", relOid);
    natts = ((Form_pg_class) GETSTRUCT(tuple))->relnatts;
    ReleaseSysCache(tuple);
 
    /* remove bit 0 from column set, add in all the non-dropped columns */
    result = bms_copy(columns);
    result = bms_del_member(result, index);
 
    for (attno = 1; attno <= natts; attno++)
    {
        tuple = SearchSysCache2(ATTNUM,
                                ObjectIdGetDatum(relOid),
                                Int16GetDatum(attno));
        if (!HeapTupleIsValid(tuple))
            continue;           /* unexpected case, should we error? */
 
        if (!((Form_pg_attribute) GETSTRUCT(tuple))->attisdropped)
        {
            index = attno - FirstLowInvalidHeapAttributeNumber;
            result = bms_add_member(result, index);
        }
 
        ReleaseSysCache(tuple);
    }
    return result;
}

References bms_add_member(), bms_copy(), bms_del_member(), bms_is_member(), elog, ERROR, FirstLowInvalidHeapAttributeNumber, GETSTRUCT(), HeapTupleIsValid, Int16GetDatum(), InvalidAttrNumber, ObjectIdGetDatum(), ReleaseSysCache(), SearchSysCache1(), and SearchSysCache2().

Referenced by check_relation_privileges().

◆ sepgsql_dml_privileges()

bool sepgsql_dml_privileges	(	List *	rangeTbls,
		List *	rteperminfos,
		bool	abort_on_violation
	)

Definition at line 282 of file dml.c.

{
    ListCell   *lr;
 
    foreach(lr, rteperminfos)
    {
        RTEPermissionInfo *perminfo = lfirst_node(RTEPermissionInfo, lr);
        uint32      required = 0;
        List       *tableIds;
        ListCell   *li;
 
        /*
         * Find out required permissions
         */
        if (perminfo->requiredPerms & ACL_SELECT)
            required |= SEPG_DB_TABLE__SELECT;
        if (perminfo->requiredPerms & ACL_INSERT)
            required |= SEPG_DB_TABLE__INSERT;
        if (perminfo->requiredPerms & ACL_UPDATE)
        {
            if (!bms_is_empty(perminfo->updatedCols))
                required |= SEPG_DB_TABLE__UPDATE;
            else
                required |= SEPG_DB_TABLE__LOCK;
        }
        if (perminfo->requiredPerms & ACL_DELETE)
            required |= SEPG_DB_TABLE__DELETE;
 
        /*
         * Skip, if nothing to be checked
         */
        if (required == 0)
            continue;
 
        /*
         * If this RangeTblEntry is also supposed to reference inherited
         * tables, we need to check security label of the child tables. So, we
         * expand rte->relid into list of OIDs of inheritance hierarchy, then
         * checker routine will be invoked for each relations.
         */
        if (!perminfo->inh)
            tableIds = list_make1_oid(perminfo->relid);
        else
            tableIds = find_all_inheritors(perminfo->relid, NoLock, NULL);
 
        foreach(li, tableIds)
        {
            Oid         tableOid = lfirst_oid(li);
            Bitmapset  *selectedCols;
            Bitmapset  *insertedCols;
            Bitmapset  *updatedCols;
 
            /*
             * child table has different attribute numbers, so we need to fix
             * up them.
             */
            selectedCols = fixup_inherited_columns(perminfo->relid, tableOid,
                                                   perminfo->selectedCols);
            insertedCols = fixup_inherited_columns(perminfo->relid, tableOid,
                                                   perminfo->insertedCols);
            updatedCols = fixup_inherited_columns(perminfo->relid, tableOid,
                                                  perminfo->updatedCols);
 
            /*
             * check permissions on individual tables
             */
            if (!check_relation_privileges(tableOid,
                                           selectedCols,
                                           insertedCols,
                                           updatedCols,
                                           required, abort_on_violation))
                return false;
        }
        list_free(tableIds);
    }
    return true;
}

References ACL_DELETE, ACL_INSERT, ACL_SELECT, ACL_UPDATE, bms_is_empty, check_relation_privileges(), find_all_inheritors(), fixup_inherited_columns(), RTEPermissionInfo::inh, RTEPermissionInfo::insertedCols, lfirst_node, lfirst_oid, list_free(), list_make1_oid, NoLock, RTEPermissionInfo::relid, generate_unaccent_rules::required, RTEPermissionInfo::requiredPerms, RTEPermissionInfo::selectedCols, SEPG_DB_TABLE__DELETE, SEPG_DB_TABLE__INSERT, SEPG_DB_TABLE__LOCK, SEPG_DB_TABLE__SELECT, SEPG_DB_TABLE__UPDATE, and RTEPermissionInfo::updatedCols.

Referenced by sepgsql_exec_check_perms().

Functions

Function Documentation

◆ check_relation_privileges()

◆ fixup_inherited_columns()

◆ fixup_whole_row_references()

◆ sepgsql_dml_privileges()