PostgreSQL Source Code  git master
schema.c File Reference
#include "postgres.h"
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "access/table.h"
#include "catalog/dependency.h"
#include "catalog/indexing.h"
#include "catalog/pg_database.h"
#include "catalog/pg_namespace.h"
#include "commands/seclabel.h"
#include "lib/stringinfo.h"
#include "miscadmin.h"
#include "sepgsql.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
#include "utils/snapmgr.h"
Include dependency graph for schema.c:

Go to the source code of this file.

Functions

void sepgsql_schema_post_create (Oid namespaceId)
 
void sepgsql_schema_drop (Oid namespaceId)
 
void sepgsql_schema_relabel (Oid namespaceId, const char *seclabel)
 
static bool check_schema_perms (Oid namespaceId, uint32 required, bool abort_on_violation)
 
void sepgsql_schema_setattr (Oid namespaceId)
 
bool sepgsql_schema_search (Oid namespaceId, bool abort_on_violation)
 
void sepgsql_schema_add_name (Oid namespaceId)
 
void sepgsql_schema_remove_name (Oid namespaceId)
 
void sepgsql_schema_rename (Oid namespaceId)
 

Function Documentation

◆ check_schema_perms()

static bool check_schema_perms ( Oid  namespaceId,
uint32  required,
bool  abort_on_violation 
)
static

Definition at line 180 of file schema.c.

References ObjectAddress::classId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_SCHEMA, and sepgsql_avc_check_perms().

Referenced by sepgsql_schema_add_name(), sepgsql_schema_remove_name(), sepgsql_schema_rename(), sepgsql_schema_search(), and sepgsql_schema_setattr().

181 {
182  ObjectAddress object;
183  char *audit_name;
184  bool result;
185 
186  object.classId = NamespaceRelationId;
187  object.objectId = namespaceId;
188  object.objectSubId = 0;
189  audit_name = getObjectIdentity(&object);
190 
191  result = sepgsql_avc_check_perms(&object,
193  required,
194  audit_name,
195  abort_on_violation);
196  pfree(audit_name);
197 
198  return result;
199 }
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:419
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
void pfree(void *pointer)
Definition: mcxt.c:1056
char * getObjectIdentity(const ObjectAddress *object)

◆ sepgsql_schema_add_name()

void sepgsql_schema_add_name ( Oid  namespaceId)

Definition at line 218 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__ADD_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

219 {
220  check_schema_perms(namespaceId, SEPG_DB_SCHEMA__ADD_NAME, true);
221 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:180
#define SEPG_DB_SCHEMA__ADD_NAME
Definition: sepgsql.h:134

◆ sepgsql_schema_drop()

void sepgsql_schema_drop ( Oid  namespaceId)

Definition at line 115 of file schema.c.

References ObjectAddress::classId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__DROP, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

116 {
117  ObjectAddress object;
118  char *audit_name;
119 
120  /*
121  * check db_schema:{drop} permission
122  */
123  object.classId = NamespaceRelationId;
124  object.objectId = namespaceId;
125  object.objectSubId = 0;
126  audit_name = getObjectIdentity(&object);
127 
128  sepgsql_avc_check_perms(&object,
131  audit_name,
132  true);
133  pfree(audit_name);
134 }
#define SEPG_DB_SCHEMA__DROP
Definition: sepgsql.h:128
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:419
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
void pfree(void *pointer)
Definition: mcxt.c:1056
char * getObjectIdentity(const ObjectAddress *object)

◆ sepgsql_schema_post_create()

void sepgsql_schema_post_create ( Oid  namespaceId)

Definition at line 37 of file schema.c.

References AccessShareLock, appendStringInfo(), BTEqualStrategyNumber, StringInfoData::data, elog, ERROR, GETSTRUCT, HeapTupleIsValid, initStringInfo(), MyDatabaseId, NamespaceOidIndexId, NameStr, ObjectIdGetDatum, pfree(), quote_identifier(), ScanKeyInit(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__CREATE, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by sepgsql_object_access().

38 {
39  Relation rel;
40  ScanKeyData skey;
41  SysScanDesc sscan;
42  HeapTuple tuple;
43  char *tcontext;
44  char *ncontext;
45  const char *nsp_name;
46  ObjectAddress object;
47  Form_pg_namespace nspForm;
48  StringInfoData audit_name;
49 
50  /*
51  * Compute a default security label when we create a new schema object
52  * under the working database.
53  *
54  * XXX - upcoming version of libselinux supports to take object name to
55  * handle special treatment on default security label; such as special
56  * label on "pg_temp" schema.
57  */
58  rel = table_open(NamespaceRelationId, AccessShareLock);
59 
60  ScanKeyInit(&skey,
61  Anum_pg_namespace_oid,
62  BTEqualStrategyNumber, F_OIDEQ,
63  ObjectIdGetDatum(namespaceId));
64 
65  sscan = systable_beginscan(rel, NamespaceOidIndexId, true,
66  SnapshotSelf, 1, &skey);
67  tuple = systable_getnext(sscan);
68  if (!HeapTupleIsValid(tuple))
69  elog(ERROR, "could not find tuple for namespace %u", namespaceId);
70 
71  nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
72  nsp_name = NameStr(nspForm->nspname);
73  if (strncmp(nsp_name, "pg_temp_", 8) == 0)
74  nsp_name = "pg_temp";
75  else if (strncmp(nsp_name, "pg_toast_temp_", 14) == 0)
76  nsp_name = "pg_toast_temp";
77 
78  tcontext = sepgsql_get_label(DatabaseRelationId, MyDatabaseId, 0);
80  tcontext,
82  nsp_name);
83 
84  /*
85  * check db_schema:{create}
86  */
87  initStringInfo(&audit_name);
88  appendStringInfo(&audit_name, "%s", quote_identifier(nsp_name));
92  audit_name.data,
93  true);
94  systable_endscan(sscan);
96 
97  /*
98  * Assign the default security label on a new procedure
99  */
100  object.classId = NamespaceRelationId;
101  object.objectId = namespaceId;
102  object.objectSubId = 0;
103  SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
104 
105  pfree(ncontext);
106  pfree(tcontext);
107 }
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:337
#define NamespaceOidIndexId
Definition: indexing.h:192
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:133
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:525
#define GETSTRUCT(TUP)
Definition: htup_details.h:655
FormData_pg_namespace * Form_pg_namespace
Definition: pg_namespace.h:51
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:327
const char * quote_identifier(const char *ident)
Definition: ruleutils.c:10772
char * sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
Definition: label.c:446
#define AccessShareLock
Definition: lockdefs.h:36
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:352
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:444
void pfree(void *pointer)
Definition: mcxt.c:1056
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:91
#define ObjectIdGetDatum(X)
Definition: postgres.h:507
#define ERROR
Definition: elog.h:43
#define SnapshotSelf
Definition: snapmgr.h:68
#define SEPGSQL_LABEL_TAG
Definition: sepgsql.h:23
void initStringInfo(StringInfo str)
Definition: stringinfo.c:59
Oid MyDatabaseId
Definition: globals.c:85
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
#define SEPG_DB_SCHEMA__CREATE
Definition: sepgsql.h:127
char * sepgsql_get_client_label(void)
Definition: label.c:81
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
Definition: selinux.c:836
#define elog(elevel,...)
Definition: elog.h:228
#define NameStr(name)
Definition: c.h:616
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:39
#define BTEqualStrategyNumber
Definition: stratnum.h:31

◆ sepgsql_schema_relabel()

void sepgsql_schema_relabel ( Oid  namespaceId,
const char *  seclabel 
)

Definition at line 143 of file schema.c.

References ObjectAddress::classId, getObjectIdentity(), pfree(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__RELABELFROM, SEPG_DB_SCHEMA__RELABELTO, SEPG_DB_SCHEMA__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().

Referenced by sepgsql_object_relabel().

144 {
145  ObjectAddress object;
146  char *audit_name;
147 
148  object.classId = NamespaceRelationId;
149  object.objectId = namespaceId;
150  object.objectSubId = 0;
151  audit_name = getObjectIdentity(&object);
152 
153  /*
154  * check db_schema:{setattr relabelfrom} permission
155  */
156  sepgsql_avc_check_perms(&object,
160  audit_name,
161  true);
162 
163  /*
164  * check db_schema:{relabelto} permission
165  */
169  audit_name,
170  true);
171  pfree(audit_name);
172 }
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:337
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:419
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
#define SEPG_DB_SCHEMA__RELABELFROM
Definition: sepgsql.h:131
void pfree(void *pointer)
Definition: mcxt.c:1056
char * getObjectIdentity(const ObjectAddress *object)
#define SEPG_DB_SCHEMA__SETATTR
Definition: sepgsql.h:130
#define SEPG_DB_SCHEMA__RELABELTO
Definition: sepgsql.h:132

◆ sepgsql_schema_remove_name()

void sepgsql_schema_remove_name ( Oid  namespaceId)

Definition at line 224 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__REMOVE_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

225 {
227 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:180
#define SEPG_DB_SCHEMA__REMOVE_NAME
Definition: sepgsql.h:135

◆ sepgsql_schema_rename()

void sepgsql_schema_rename ( Oid  namespaceId)

Definition at line 230 of file schema.c.

References check_schema_perms(), SEPG_DB_SCHEMA__ADD_NAME, and SEPG_DB_SCHEMA__REMOVE_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

231 {
232  check_schema_perms(namespaceId,
235  true);
236 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:180
#define SEPG_DB_SCHEMA__ADD_NAME
Definition: sepgsql.h:134
#define SEPG_DB_SCHEMA__REMOVE_NAME
Definition: sepgsql.h:135

◆ sepgsql_schema_search()

bool sepgsql_schema_search ( Oid  namespaceId,
bool  abort_on_violation 
)

Definition at line 210 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__SEARCH.

Referenced by sepgsql_object_access().

211 {
212  return check_schema_perms(namespaceId,
214  abort_on_violation);
215 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:180
#define SEPG_DB_SCHEMA__SEARCH
Definition: sepgsql.h:133

◆ sepgsql_schema_setattr()

void sepgsql_schema_setattr ( Oid  namespaceId)

Definition at line 203 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__SETATTR.

Referenced by sepgsql_object_access().

204 {
205  check_schema_perms(namespaceId, SEPG_DB_SCHEMA__SETATTR, true);
206 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:180
#define SEPG_DB_SCHEMA__SETATTR
Definition: sepgsql.h:130