#include "postgres.h"
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/table.h"
#include "catalog/dependency.h"
#include "catalog/pg_database.h"
#include "catalog/pg_namespace.h"
#include "commands/seclabel.h"
#include "lib/stringinfo.h"
#include "miscadmin.h"
#include "sepgsql.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
#include "utils/snapmgr.h"

Include dependency graph for schema.c:

Function Documentation

◆ check_schema_perms()

static bool check_schema_perms	(	Oid	namespaceId,
		uint32	required,
		bool	abort_on_violation
	)

static

Definition at line 179 of file schema.c.

{
    ObjectAddress object;
    char       *audit_name;
    bool        result;
 
    object.classId = NamespaceRelationId;
    object.objectId = namespaceId;
    object.objectSubId = 0;
    audit_name = getObjectIdentity(&object, false);
 
    result = sepgsql_avc_check_perms(&object,
                                     SEPG_CLASS_DB_SCHEMA,
                                     required,
                                     audit_name,
                                     abort_on_violation);
    pfree(audit_name);
 
    return result;
}

References ObjectAddress::classId, fb(), getObjectIdentity(), pfree(), SEPG_CLASS_DB_SCHEMA, and sepgsql_avc_check_perms().

Referenced by sepgsql_schema_add_name(), sepgsql_schema_remove_name(), sepgsql_schema_rename(), sepgsql_schema_search(), and sepgsql_schema_setattr().

◆ sepgsql_schema_add_name()

void sepgsql_schema_add_name ( Oid namespaceId )

Definition at line 217 of file schema.c.

{
    check_schema_perms(namespaceId, SEPG_DB_SCHEMA__ADD_NAME, true);
}

References check_schema_perms(), fb(), and SEPG_DB_SCHEMA__ADD_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

◆ sepgsql_schema_drop()

void sepgsql_schema_drop ( Oid namespaceId )

Definition at line 114 of file schema.c.

{
    ObjectAddress object;
    char       *audit_name;
 
    /*
     * check db_schema:{drop} permission
     */
    object.classId = NamespaceRelationId;
    object.objectId = namespaceId;
    object.objectSubId = 0;
    audit_name = getObjectIdentity(&object, false);
 
    sepgsql_avc_check_perms(&object,
                            SEPG_CLASS_DB_SCHEMA,
                            SEPG_DB_SCHEMA__DROP,
                            audit_name,
                            true);
    pfree(audit_name);
}

References ObjectAddress::classId, fb(), getObjectIdentity(), pfree(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__DROP, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

◆ sepgsql_schema_post_create()

void sepgsql_schema_post_create ( Oid namespaceId )

Definition at line 36 of file schema.c.

{
    Relation    rel;
    ScanKeyData skey;
    SysScanDesc sscan;
    HeapTuple   tuple;
    char       *tcontext;
    char       *ncontext;
    const char *nsp_name;
    ObjectAddress object;
    Form_pg_namespace nspForm;
    StringInfoData audit_name;
 
    /*
     * Compute a default security label when we create a new schema object
     * under the working database.
     *
     * XXX - upcoming version of libselinux supports to take object name to
     * handle special treatment on default security label; such as special
     * label on "pg_temp" schema.
     */
    rel = table_open(NamespaceRelationId, AccessShareLock);
 
    ScanKeyInit(&skey,
                Anum_pg_namespace_oid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(namespaceId));
 
    sscan = systable_beginscan(rel, NamespaceOidIndexId, true,
                               SnapshotSelf, 1, &skey);
    tuple = systable_getnext(sscan);
    if (!HeapTupleIsValid(tuple))
        elog(ERROR, "could not find tuple for namespace %u", namespaceId);
 
    nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
    nsp_name = NameStr(nspForm->nspname);
    if (strncmp(nsp_name, "pg_temp_", 8) == 0)
        nsp_name = "pg_temp";
    else if (strncmp(nsp_name, "pg_toast_temp_", 14) == 0)
        nsp_name = "pg_toast_temp";
 
    tcontext = sepgsql_get_label(DatabaseRelationId, MyDatabaseId, 0);
    ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
                                      tcontext,
                                      SEPG_CLASS_DB_SCHEMA,
                                      nsp_name);
 
    /*
     * check db_schema:{create}
     */
    initStringInfo(&audit_name);
    appendStringInfoString(&audit_name, quote_identifier(nsp_name));
    sepgsql_avc_check_perms_label(ncontext,
                                  SEPG_CLASS_DB_SCHEMA,
                                  SEPG_DB_SCHEMA__CREATE,
                                  audit_name.data,
                                  true);
    systable_endscan(sscan);
    table_close(rel, AccessShareLock);
 
    /*
     * Assign the default security label on a new procedure
     */
    object.classId = NamespaceRelationId;
    object.objectId = namespaceId;
    object.objectSubId = 0;
    SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
 
    pfree(ncontext);
    pfree(tcontext);
}

References AccessShareLock, appendStringInfoString(), BTEqualStrategyNumber, elog, ERROR, fb(), GETSTRUCT(), HeapTupleIsValid, initStringInfo(), MyDatabaseId, NameStr, ObjectIdGetDatum(), pfree(), quote_identifier(), ScanKeyInit(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__CREATE, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by sepgsql_object_access().

◆ sepgsql_schema_relabel()

void sepgsql_schema_relabel	(	Oid	namespaceId,
		const char *	seclabel
	)

Definition at line 142 of file schema.c.

{
    ObjectAddress object;
    char       *audit_name;
 
    object.classId = NamespaceRelationId;
    object.objectId = namespaceId;
    object.objectSubId = 0;
    audit_name = getObjectIdentity(&object, false);
 
    /*
     * check db_schema:{setattr relabelfrom} permission
     */
    sepgsql_avc_check_perms(&object,
                            SEPG_CLASS_DB_SCHEMA,
                            SEPG_DB_SCHEMA__SETATTR |
                            SEPG_DB_SCHEMA__RELABELFROM,
                            audit_name,
                            true);
 
    /*
     * check db_schema:{relabelto} permission
     */
    sepgsql_avc_check_perms_label(seclabel,
                                  SEPG_CLASS_DB_SCHEMA,
                                  SEPG_DB_SCHEMA__RELABELTO,
                                  audit_name,
                                  true);
    pfree(audit_name);
}

References ObjectAddress::classId, fb(), getObjectIdentity(), pfree(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__RELABELFROM, SEPG_DB_SCHEMA__RELABELTO, SEPG_DB_SCHEMA__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().

Referenced by sepgsql_object_relabel().

◆ sepgsql_schema_remove_name()

void sepgsql_schema_remove_name ( Oid namespaceId )

Definition at line 223 of file schema.c.

{
    check_schema_perms(namespaceId, SEPG_DB_SCHEMA__REMOVE_NAME, true);
}

References check_schema_perms(), fb(), and SEPG_DB_SCHEMA__REMOVE_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

◆ sepgsql_schema_rename()

void sepgsql_schema_rename ( Oid namespaceId )

Definition at line 229 of file schema.c.

{
    check_schema_perms(namespaceId,
                       SEPG_DB_SCHEMA__ADD_NAME |
                       SEPG_DB_SCHEMA__REMOVE_NAME,
                       true);
}

References check_schema_perms(), fb(), SEPG_DB_SCHEMA__ADD_NAME, and SEPG_DB_SCHEMA__REMOVE_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

◆ sepgsql_schema_search()

bool sepgsql_schema_search	(	Oid	namespaceId,
		bool	abort_on_violation
	)

Definition at line 209 of file schema.c.

{
    return check_schema_perms(namespaceId,
                              SEPG_DB_SCHEMA__SEARCH,
                              abort_on_violation);
}

References check_schema_perms(), fb(), and SEPG_DB_SCHEMA__SEARCH.

Referenced by sepgsql_object_access().

◆ sepgsql_schema_setattr()

void sepgsql_schema_setattr ( Oid namespaceId )

Definition at line 202 of file schema.c.

{
    check_schema_perms(namespaceId, SEPG_DB_SCHEMA__SETATTR, true);
}

References check_schema_perms(), fb(), and SEPG_DB_SCHEMA__SETATTR.

Referenced by sepgsql_object_access().

Functions
void	sepgsql_schema_post_create (Oid namespaceId)

void	sepgsql_schema_drop (Oid namespaceId)

void	sepgsql_schema_relabel (Oid namespaceId, const char *seclabel)

static bool	check_schema_perms (Oid namespaceId, uint32 required, bool abort_on_violation)

void	sepgsql_schema_setattr (Oid namespaceId)

bool	sepgsql_schema_search (Oid namespaceId, bool abort_on_violation)

void	sepgsql_schema_add_name (Oid namespaceId)

void	sepgsql_schema_remove_name (Oid namespaceId)

void	sepgsql_schema_rename (Oid namespaceId)

Functions

Function Documentation

◆ check_schema_perms()

◆ sepgsql_schema_add_name()

◆ sepgsql_schema_drop()

◆ sepgsql_schema_post_create()

◆ sepgsql_schema_relabel()

◆ sepgsql_schema_remove_name()

◆ sepgsql_schema_rename()

◆ sepgsql_schema_search()

◆ sepgsql_schema_setattr()