PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
schema.c File Reference
#include "postgres.h"
#include "access/genam.h"
#include "access/heapam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "catalog/dependency.h"
#include "catalog/indexing.h"
#include "catalog/pg_database.h"
#include "catalog/pg_namespace.h"
#include "commands/seclabel.h"
#include "lib/stringinfo.h"
#include "miscadmin.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
#include "utils/tqual.h"
#include "sepgsql.h"
Include dependency graph for schema.c:

Go to the source code of this file.

Functions

void sepgsql_schema_post_create (Oid namespaceId)
 
void sepgsql_schema_drop (Oid namespaceId)
 
void sepgsql_schema_relabel (Oid namespaceId, const char *seclabel)
 
static bool check_schema_perms (Oid namespaceId, uint32 required, bool abort_on_violation)
 
void sepgsql_schema_setattr (Oid namespaceId)
 
bool sepgsql_schema_search (Oid namespaceId, bool abort_on_violation)
 
void sepgsql_schema_add_name (Oid namespaceId)
 
void sepgsql_schema_remove_name (Oid namespaceId)
 
void sepgsql_schema_rename (Oid namespaceId)
 

Function Documentation

static bool check_schema_perms ( Oid  namespaceId,
uint32  required,
bool  abort_on_violation 
)
static

Definition at line 181 of file schema.c.

References getObjectIdentity(), NamespaceRelationId, pfree(), result, SEPG_CLASS_DB_SCHEMA, and sepgsql_avc_check_perms().

Referenced by sepgsql_schema_add_name(), sepgsql_schema_remove_name(), sepgsql_schema_rename(), sepgsql_schema_search(), and sepgsql_schema_setattr().

182 {
183  ObjectAddress object;
184  char *audit_name;
185  bool result;
186 
187  object.classId = NamespaceRelationId;
188  object.objectId = namespaceId;
189  object.objectSubId = 0;
190  audit_name = getObjectIdentity(&object);
191 
192  result = sepgsql_avc_check_perms(&object,
194  required,
195  audit_name,
196  abort_on_violation);
197  pfree(audit_name);
198 
199  return result;
200 }
#define NamespaceRelationId
Definition: pg_namespace.h:34
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:428
return result
Definition: formatting.c:1632
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
void pfree(void *pointer)
Definition: mcxt.c:950
char * getObjectIdentity(const ObjectAddress *object)
void sepgsql_schema_add_name ( Oid  namespaceId)

Definition at line 219 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__ADD_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

220 {
221  check_schema_perms(namespaceId, SEPG_DB_SCHEMA__ADD_NAME, true);
222 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:181
#define SEPG_DB_SCHEMA__ADD_NAME
Definition: sepgsql.h:134
void sepgsql_schema_drop ( Oid  namespaceId)

Definition at line 116 of file schema.c.

References ObjectAddress::classId, getObjectIdentity(), NamespaceRelationId, pfree(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__DROP, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

117 {
118  ObjectAddress object;
119  char *audit_name;
120 
121  /*
122  * check db_schema:{drop} permission
123  */
124  object.classId = NamespaceRelationId;
125  object.objectId = namespaceId;
126  object.objectSubId = 0;
127  audit_name = getObjectIdentity(&object);
128 
129  sepgsql_avc_check_perms(&object,
132  audit_name,
133  true);
134  pfree(audit_name);
135 }
#define SEPG_DB_SCHEMA__DROP
Definition: sepgsql.h:128
#define NamespaceRelationId
Definition: pg_namespace.h:34
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:428
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
void pfree(void *pointer)
Definition: mcxt.c:950
char * getObjectIdentity(const ObjectAddress *object)
void sepgsql_schema_post_create ( Oid  namespaceId)

Definition at line 38 of file schema.c.

References AccessShareLock, appendStringInfo(), BTEqualStrategyNumber, StringInfoData::data, DatabaseRelationId, elog, ERROR, GETSTRUCT, heap_close, heap_open(), HeapTupleIsValid, initStringInfo(), MyDatabaseId, NamespaceOidIndexId, NamespaceRelationId, NameStr, ObjectIdAttributeNumber, ObjectIdGetDatum, pfree(), quote_identifier(), ScanKeyInit(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__CREATE, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), and systable_getnext().

Referenced by sepgsql_object_access().

39 {
40  Relation rel;
41  ScanKeyData skey;
42  SysScanDesc sscan;
43  HeapTuple tuple;
44  char *tcontext;
45  char *ncontext;
46  const char *nsp_name;
47  ObjectAddress object;
48  Form_pg_namespace nspForm;
49  StringInfoData audit_name;
50 
51  /*
52  * Compute a default security label when we create a new schema object
53  * under the working database.
54  *
55  * XXX - uncoming version of libselinux supports to take object name to
56  * handle special treatment on default security label; such as special
57  * label on "pg_temp" schema.
58  */
60 
61  ScanKeyInit(&skey,
63  BTEqualStrategyNumber, F_OIDEQ,
64  ObjectIdGetDatum(namespaceId));
65 
66  sscan = systable_beginscan(rel, NamespaceOidIndexId, true,
67  SnapshotSelf, 1, &skey);
68  tuple = systable_getnext(sscan);
69  if (!HeapTupleIsValid(tuple))
70  elog(ERROR, "catalog lookup failed for namespace %u", namespaceId);
71 
72  nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
73  nsp_name = NameStr(nspForm->nspname);
74  if (strncmp(nsp_name, "pg_temp_", 8) == 0)
75  nsp_name = "pg_temp";
76  else if (strncmp(nsp_name, "pg_toast_temp_", 14) == 0)
77  nsp_name = "pg_toast_temp";
78 
81  tcontext,
83  nsp_name);
84 
85  /*
86  * check db_schema:{create}
87  */
88  initStringInfo(&audit_name);
89  appendStringInfo(&audit_name, "%s", quote_identifier(nsp_name));
93  audit_name.data,
94  true);
95  systable_endscan(sscan);
97 
98  /*
99  * Assign the default security label on a new procedure
100  */
101  object.classId = NamespaceRelationId;
102  object.objectId = namespaceId;
103  object.objectSubId = 0;
104  SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
105 
106  pfree(ncontext);
107  pfree(tcontext);
108 }
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:346
#define NamespaceOidIndexId
Definition: indexing.h:195
#define NamespaceRelationId
Definition: pg_namespace.h:34
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:499
#define GETSTRUCT(TUP)
Definition: htup_details.h:656
FormData_pg_namespace * Form_pg_namespace
Definition: pg_namespace.h:51
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:327
const char * quote_identifier(const char *ident)
Definition: ruleutils.c:10284
#define ObjectIdAttributeNumber
Definition: sysattr.h:22
#define DatabaseRelationId
Definition: pg_database.h:29
char * sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
Definition: label.c:463
#define AccessShareLock
Definition: lockdefs.h:36
#define heap_close(r, l)
Definition: heapam.h:97
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:328
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:416
void pfree(void *pointer)
Definition: mcxt.c:950
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:78
#define ObjectIdGetDatum(X)
Definition: postgres.h:513
#define ERROR
Definition: elog.h:43
#define SEPGSQL_LABEL_TAG
Definition: sepgsql.h:23
#define SnapshotSelf
Definition: tqual.h:27
void initStringInfo(StringInfo str)
Definition: stringinfo.c:46
Oid MyDatabaseId
Definition: globals.c:76
Relation heap_open(Oid relationId, LOCKMODE lockmode)
Definition: heapam.c:1284
#define HeapTupleIsValid(tuple)
Definition: htup.h:77
#define SEPG_DB_SCHEMA__CREATE
Definition: sepgsql.h:127
char * sepgsql_get_client_label(void)
Definition: label.c:91
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
Definition: selinux.c:837
#define NameStr(name)
Definition: c.h:499
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
#define elog
Definition: elog.h:219
#define BTEqualStrategyNumber
Definition: stratnum.h:31
void sepgsql_schema_relabel ( Oid  namespaceId,
const char *  seclabel 
)

Definition at line 144 of file schema.c.

References ObjectAddress::classId, getObjectIdentity(), NamespaceRelationId, pfree(), SEPG_CLASS_DB_SCHEMA, SEPG_DB_SCHEMA__RELABELFROM, SEPG_DB_SCHEMA__RELABELTO, SEPG_DB_SCHEMA__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().

Referenced by sepgsql_object_relabel().

145 {
146  ObjectAddress object;
147  char *audit_name;
148 
149  object.classId = NamespaceRelationId;
150  object.objectId = namespaceId;
151  object.objectSubId = 0;
152  audit_name = getObjectIdentity(&object);
153 
154  /*
155  * check db_schema:{setattr relabelfrom} permission
156  */
157  sepgsql_avc_check_perms(&object,
161  audit_name,
162  true);
163 
164  /*
165  * check db_schema:{relabelto} permission
166  */
170  audit_name,
171  true);
172  pfree(audit_name);
173 }
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:346
#define NamespaceRelationId
Definition: pg_namespace.h:34
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:428
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45
#define SEPG_DB_SCHEMA__RELABELFROM
Definition: sepgsql.h:131
void pfree(void *pointer)
Definition: mcxt.c:950
char * getObjectIdentity(const ObjectAddress *object)
#define SEPG_DB_SCHEMA__SETATTR
Definition: sepgsql.h:130
#define SEPG_DB_SCHEMA__RELABELTO
Definition: sepgsql.h:132
void sepgsql_schema_remove_name ( Oid  namespaceId)

Definition at line 225 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__REMOVE_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

226 {
228 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:181
#define SEPG_DB_SCHEMA__REMOVE_NAME
Definition: sepgsql.h:135
void sepgsql_schema_rename ( Oid  namespaceId)

Definition at line 231 of file schema.c.

References check_schema_perms(), SEPG_DB_SCHEMA__ADD_NAME, and SEPG_DB_SCHEMA__REMOVE_NAME.

Referenced by sepgsql_proc_setattr(), and sepgsql_relation_setattr().

232 {
233  check_schema_perms(namespaceId,
236  true);
237 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:181
#define SEPG_DB_SCHEMA__ADD_NAME
Definition: sepgsql.h:134
#define SEPG_DB_SCHEMA__REMOVE_NAME
Definition: sepgsql.h:135
bool sepgsql_schema_search ( Oid  namespaceId,
bool  abort_on_violation 
)

Definition at line 211 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__SEARCH.

Referenced by sepgsql_object_access().

212 {
213  return check_schema_perms(namespaceId,
215  abort_on_violation);
216 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:181
#define SEPG_DB_SCHEMA__SEARCH
Definition: sepgsql.h:133
void sepgsql_schema_setattr ( Oid  namespaceId)

Definition at line 204 of file schema.c.

References check_schema_perms(), and SEPG_DB_SCHEMA__SETATTR.

Referenced by sepgsql_object_access().

205 {
206  check_schema_perms(namespaceId, SEPG_DB_SCHEMA__SETATTR, true);
207 }
static bool check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
Definition: schema.c:181
#define SEPG_DB_SCHEMA__SETATTR
Definition: sepgsql.h:130