PostgreSQL Source Code  git master
seclabel.c File Reference
#include "postgres.h"
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/relation.h"
#include "access/table.h"
#include "catalog/catalog.h"
#include "catalog/indexing.h"
#include "catalog/pg_seclabel.h"
#include "catalog/pg_shseclabel.h"
#include "commands/seclabel.h"
#include "miscadmin.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/memutils.h"
#include "utils/rel.h"

Data Structures

struct  LabelProvider
 

Functions

static bool SecLabelSupportsObjectType (ObjectType objtype)
 
ObjectAddress ExecSecLabelStmt (SecLabelStmt *stmt)
 
static char * GetSharedSecurityLabel (const ObjectAddress *object, const char *provider)
 
char * GetSecurityLabel (const ObjectAddress *object, const char *provider)
 
static void SetSharedSecurityLabel (const ObjectAddress *object, const char *provider, const char *label)
 
void SetSecurityLabel (const ObjectAddress *object, const char *provider, const char *label)
 
void DeleteSharedSecurityLabel (Oid objectId, Oid classId)
 
void DeleteSecurityLabel (const ObjectAddress *object)
 
void register_label_provider (const char *provider_name, check_object_relabel_type hook)
 

Variables

static List * label_provider_list = NIL
 

Function Documentation

◆ DeleteSecurityLabel()

void DeleteSecurityLabel ( const ObjectAddress * object)

Definition at line 521 of file seclabel.c.

References Assert, BTEqualStrategyNumber, CatalogTupleDelete(), ObjectAddress::classId, DeleteSharedSecurityLabel(), HeapTupleIsValid, Int32GetDatum, IsSharedRelation(), ObjectAddress::objectId, ObjectIdGetDatum, ObjectAddress::objectSubId, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), and table_open().

Referenced by deleteOneObject().

/*
 * DeleteSecurityLabel
 *
 * Remove the security labels recorded for an object.  The scan below has no
 * provider key, so rows belonging to every label provider are deleted.
 *
 * No permission check is made here; the function deletes whatever matches
 * the address it is handed.
 */
void
DeleteSecurityLabel(const ObjectAddress *object)
{
    Relation    rel;
    ScanKeyData key[3];
    SysScanDesc sscan;
    HeapTuple   tup;
    int         nkeys = 2;

    /* Labels on shared objects are kept in a separate catalog. */
    if (IsSharedRelation(object->classId))
    {
        Assert(object->objectSubId == 0);
        DeleteSharedSecurityLabel(object->objectId, object->classId);
        return;
    }

    /* Every scan is keyed on (objoid, classoid). */
    ScanKeyInit(&key[0],
                Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&key[1],
                Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));

    /*
     * A non-zero objectSubId narrows the scan to that one sub-object.  With
     * objectSubId == 0 the third key is left out, so rows with any objsubid
     * for this (objoid, classoid) pair are matched and deleted.
     */
    if (object->objectSubId != 0)
    {
        ScanKeyInit(&key[2],
                    Anum_pg_seclabel_objsubid,
                    BTEqualStrategyNumber, F_INT4EQ,
                    Int32GetDatum(object->objectSubId));
        nkeys++;
    }

    rel = table_open(SecLabelRelationId, RowExclusiveLock);

    sscan = systable_beginscan(rel, SecLabelObjectIndexId, true,
                               NULL, nkeys, key);
    for (;;)
    {
        tup = systable_getnext(sscan);
        if (!HeapTupleIsValid(tup))
            break;
        CatalogTupleDelete(rel, &tup->t_self);
    }
    systable_endscan(sscan);

    table_close(rel, RowExclusiveLock);
}

◆ DeleteSharedSecurityLabel()

void DeleteSharedSecurityLabel ( Oid  objectId,
Oid  classId 
)

Definition at line 489 of file seclabel.c.

References BTEqualStrategyNumber, CatalogTupleDelete(), HeapTupleIsValid, ObjectIdGetDatum, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), and table_open().

Referenced by DeleteSecurityLabel(), dropdb(), DropRole(), and DropTableSpace().

/*
 * DeleteSharedSecurityLabel
 *
 * Remove every pg_shseclabel row for the shared object identified by
 * (objectId, classId).  The scan has no provider key, so labels from all
 * providers are removed.  No permission check is made here.
 */
void
DeleteSharedSecurityLabel(Oid objectId, Oid classId)
{
    Relation    rel;
    ScanKeyData key[2];
    SysScanDesc sscan;
    HeapTuple   tup;

    rel = table_open(SharedSecLabelRelationId, RowExclusiveLock);

    /* Match on object OID and catalog OID only. */
    ScanKeyInit(&key[0],
                Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(objectId));
    ScanKeyInit(&key[1],
                Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(classId));

    sscan = systable_beginscan(rel, SharedSecLabelObjectIndexId, true,
                               NULL, 2, key);
    for (;;)
    {
        tup = systable_getnext(sscan);
        if (!HeapTupleIsValid(tup))
            break;
        CatalogTupleDelete(rel, &tup->t_self);
    }
    systable_endscan(sscan);

    table_close(rel, RowExclusiveLock);
}

◆ ExecSecLabelStmt()

ObjectAddress ExecSecLabelStmt ( SecLabelStmt * stmt)

Definition at line 113 of file seclabel.c.

References check_object_ownership(), ereport, errcode(), errdetail_relkind_not_supported(), errmsg(), ERROR, get_object_address(), GetUserId(), LabelProvider::hook, SecLabelStmt::label, lfirst, linitial, list_length(), NIL, NoLock, SecLabelStmt::object, OBJECT_COLUMN, SecLabelStmt::objtype, provider, SecLabelStmt::provider, LabelProvider::provider_name, RelationData::rd_rel, relation_close(), RelationGetRelationName, SecLabelSupportsObjectType(), SetSecurityLabel(), and ShareUpdateExclusiveLock.

Referenced by ProcessUtilitySlow(), and standard_ProcessUtility().

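/*
 * ExecSecLabelStmt
 *
 * Apply (or, when stmt->label is NULL, remove) a security label on a
 * database object.
 *
 * The checks run in this order, and each one raises ERROR on failure:
 *   1. resolve the label provider named in the statement, or the single
 *      loaded provider when none is named;
 *   2. reject object types that SecLabelSupportsObjectType() does not allow;
 *   3. resolve and lock the target object;
 *   4. require that the current user owns the target;
 *   5. for columns, restrict the relkind of the containing relation;
 *   6. call the provider's hook, which may veto the label.
 * The label is written only after all of them pass.
 *
 * Returns the address of the labeled object.
 */
ObjectAddress
ExecSecLabelStmt(SecLabelStmt *stmt)
{
    LabelProvider *provider = NULL;
    ObjectAddress address;
    Relation    relation;
    ListCell   *lc;

    /*
     * Find the named label provider, or if none specified, check whether
     * there's exactly one, and if so use it.
     */
    if (stmt->provider == NULL)
    {
        if (label_provider_list == NIL)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("no security label providers have been loaded")));
        if (list_length(label_provider_list) != 1)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("must specify provider when multiple security label providers have been loaded")));
        provider = (LabelProvider *) linitial(label_provider_list);
    }
    else
    {
        /* The first registered provider with a matching name wins. */
        foreach(lc, label_provider_list)
        {
            LabelProvider *lp = lfirst(lc);

            if (strcmp(stmt->provider, lp->provider_name) == 0)
            {
                provider = lp;
                break;
            }
        }
        if (provider == NULL)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("security label provider \"%s\" is not loaded",
                            stmt->provider)));
    }

    /* Refuse object types that cannot carry a label at all. */
    if (!SecLabelSupportsObjectType(stmt->objtype))
        ereport(ERROR,
                (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                 errmsg("security labels are not supported for this type of object")));

    /*
     * Translate the parser representation which identifies this object into
     * an ObjectAddress.  get_object_address() will throw an error if the
     * object does not exist, and will also acquire a lock on the target to
     * guard against concurrent modifications.
     */
    address = get_object_address(stmt->objtype, stmt->object,
                                 &relation, ShareUpdateExclusiveLock, false);

    /* Require ownership of the target object. */
    check_object_ownership(GetUserId(), stmt->objtype, address,
                           stmt->object, relation);

    /* Perform other integrity checks as needed. */
    switch (stmt->objtype)
    {
        case OBJECT_COLUMN:

            /*
             * Allow security labels only on columns of tables, views,
             * materialized views, composite types, and foreign tables (which
             * are the only relkinds for which pg_dump will dump labels).
             */
            if (relation->rd_rel->relkind != RELKIND_RELATION &&
                relation->rd_rel->relkind != RELKIND_VIEW &&
                relation->rd_rel->relkind != RELKIND_MATVIEW &&
                relation->rd_rel->relkind != RELKIND_COMPOSITE_TYPE &&
                relation->rd_rel->relkind != RELKIND_FOREIGN_TABLE &&
                relation->rd_rel->relkind != RELKIND_PARTITIONED_TABLE)
                ereport(ERROR,
                        (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                         errmsg("cannot set security label on relation \"%s\"",
                                RelationGetRelationName(relation)),
                         errdetail_relkind_not_supported(relation->rd_rel->relkind)));
            break;
        default:
            break;
    }

    /*
     * Provider gets control here, may throw ERROR to veto new label.  The
     * hook pointer is called without a NULL check, so a registered provider
     * must always supply one.
     */
    provider->hook(&address, stmt->label);

    /* Apply new label. */
    SetSecurityLabel(&address, provider->provider_name, stmt->label);

    /*
     * If get_object_address() opened the relation for us, we close it to keep
     * the reference count correct - but we retain any locks acquired by
     * get_object_address() until commit time, to guard against concurrent
     * activity.
     */
    if (relation != NULL)
        relation_close(relation, NoLock);

    return address;
}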

◆ GetSecurityLabel()

char* GetSecurityLabel ( const ObjectAddress * object,
const char *  provider 
)

Definition at line 270 of file seclabel.c.

References AccessShareLock, BTEqualStrategyNumber, ObjectAddress::classId, CStringGetTextDatum, GetSharedSecurityLabel(), heap_getattr, HeapTupleIsValid, Int32GetDatum, IsSharedRelation(), ObjectAddress::objectId, ObjectIdGetDatum, ObjectAddress::objectSubId, RelationGetDescr, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and TextDatumGetCString.

Referenced by sepgsql_avc_check_perms(), sepgsql_avc_trusted_proc(), and sepgsql_get_label().

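/*
 * GetSecurityLabel
 *
 * Look up the label that one provider has recorded for an object.
 *
 * Returns the label as a C string, or NULL when no row matches or the stored
 * label column is null.  Callers have to treat NULL as "no label recorded
 * for this provider" and decide for themselves what that means.
 *
 * No permission check is made here.
 */
char *
GetSecurityLabel(const ObjectAddress *object, const char *provider)
{
    Relation    pg_seclabel;
    ScanKeyData keys[4];
    SysScanDesc scan;
    HeapTuple   tuple;
    Datum       datum;
    bool        isnull;
    char       *seclabel = NULL;

    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
        return GetSharedSecurityLabel(object, provider);

    /* Must be an unshared object, so examine pg_seclabel. */
    ScanKeyInit(&keys[0],
                Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&keys[2],
                Anum_pg_seclabel_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(object->objectSubId));
    /* The provider name is part of the key: labels are kept per provider. */
    ScanKeyInit(&keys[3],
                Anum_pg_seclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    pg_seclabel = table_open(SecLabelRelationId, AccessShareLock);

    scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
                              NULL, 4, keys);

    /* Only the first matching row is read. */
    tuple = systable_getnext(scan);
    if (HeapTupleIsValid(tuple))
    {
        datum = heap_getattr(tuple, Anum_pg_seclabel_label,
                             RelationGetDescr(pg_seclabel), &isnull);
        if (!isnull)
            seclabel = TextDatumGetCString(datum);
    }
    systable_endscan(scan);

    table_close(pg_seclabel, AccessShareLock);

    return seclabel;
}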

◆ GetSharedSecurityLabel()

static char* GetSharedSecurityLabel ( const ObjectAddress * object,
const char *  provider 
)
static

Definition at line 222 of file seclabel.c.

References AccessShareLock, BTEqualStrategyNumber, ObjectAddress::classId, CStringGetTextDatum, heap_getattr, HeapTupleIsValid, ObjectAddress::objectId, ObjectIdGetDatum, RelationGetDescr, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and TextDatumGetCString.

Referenced by GetSecurityLabel().

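/*
 * GetSharedSecurityLabel
 *
 * Look up the label that one provider has recorded for a shared object, in
 * pg_shseclabel.  Only objectId and classId of the address are used as keys;
 * objectSubId is not consulted.
 *
 * Returns the label as a C string, or NULL when no row matches or the stored
 * label column is null.
 */
static char *
GetSharedSecurityLabel(const ObjectAddress *object, const char *provider)
{
    Relation    pg_shseclabel;
    ScanKeyData keys[3];
    SysScanDesc scan;
    HeapTuple   tuple;
    Datum       datum;
    bool        isnull;
    char       *seclabel = NULL;

    ScanKeyInit(&keys[0],
                Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    /* The provider name is part of the key: labels are kept per provider. */
    ScanKeyInit(&keys[2],
                Anum_pg_shseclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    pg_shseclabel = table_open(SharedSecLabelRelationId, AccessShareLock);

    scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
                              NULL, 3, keys);

    /* Only the first matching row is read. */
    tuple = systable_getnext(scan);
    if (HeapTupleIsValid(tuple))
    {
        datum = heap_getattr(tuple, Anum_pg_shseclabel_label,
                             RelationGetDescr(pg_shseclabel), &isnull);
        if (!isnull)
            seclabel = TextDatumGetCString(datum);
    }
    systable_endscan(scan);

    table_close(pg_shseclabel, AccessShareLock);

    return seclabel;
}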

◆ register_label_provider()

void register_label_provider ( const char *  provider_name,
check_object_relabel_type  hook 
)

Definition at line 568 of file seclabel.c.

References LabelProvider::hook, lappend(), MemoryContextSwitchTo(), palloc(), provider, LabelProvider::provider_name, pstrdup(), and TopMemoryContext.

Referenced by _PG_init().

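/*
 * register_label_provider
 *
 * Add a label provider to label_provider_list.
 *
 * provider_name is copied, so the caller's string need not outlive the call.
 * The entry and the list cell are allocated in TopMemoryContext.
 *
 * Nothing is validated here: names are not checked for uniqueness, and hook
 * is stored as given.  ExecSecLabelStmt() picks the first entry whose name
 * matches and calls its hook without a NULL check, so callers must pass a
 * valid hook and should not register the same name twice.
 */
void
register_label_provider(const char *provider_name, check_object_relabel_type hook)
{
    LabelProvider *provider;
    MemoryContext oldcxt;

    oldcxt = MemoryContextSwitchTo(TopMemoryContext);
    provider = palloc(sizeof(LabelProvider));
    provider->provider_name = pstrdup(provider_name);
    provider->hook = hook;
    label_provider_list = lappend(label_provider_list, provider);
    MemoryContextSwitchTo(oldcxt);
}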

◆ SecLabelSupportsObjectType()

static bool SecLabelSupportsObjectType ( ObjectType  objtype)
static

Definition at line 37 of file seclabel.c.

References OBJECT_ACCESS_METHOD, OBJECT_AGGREGATE, OBJECT_AMOP, OBJECT_AMPROC, OBJECT_ATTRIBUTE, OBJECT_CAST, OBJECT_COLLATION, OBJECT_COLUMN, OBJECT_CONVERSION, OBJECT_DATABASE, OBJECT_DEFACL, OBJECT_DEFAULT, OBJECT_DOMAIN, OBJECT_DOMCONSTRAINT, OBJECT_EVENT_TRIGGER, OBJECT_EXTENSION, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FOREIGN_TABLE, OBJECT_FUNCTION, OBJECT_INDEX, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_MATVIEW, OBJECT_OPCLASS, OBJECT_OPERATOR, OBJECT_OPFAMILY, OBJECT_POLICY, OBJECT_PROCEDURE, OBJECT_PUBLICATION, OBJECT_PUBLICATION_REL, OBJECT_ROLE, OBJECT_ROUTINE, OBJECT_RULE, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_STATISTIC_EXT, OBJECT_SUBSCRIPTION, OBJECT_TABCONSTRAINT, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TRANSFORM, OBJECT_TRIGGER, OBJECT_TSCONFIGURATION, OBJECT_TSDICTIONARY, OBJECT_TSPARSER, OBJECT_TSTEMPLATE, OBJECT_TYPE, OBJECT_USER_MAPPING, and OBJECT_VIEW.

Referenced by ExecSecLabelStmt().

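/*
 * SecLabelSupportsObjectType
 *
 * Report whether security labels may be attached to the given object type.
 * The first group of cases is the allow-list; every other known ObjectType
 * is listed explicitly in the second group and refused.
 */
static bool
SecLabelSupportsObjectType(ObjectType objtype)
{
    switch (objtype)
    {
        case OBJECT_AGGREGATE:
        case OBJECT_COLUMN:
        case OBJECT_DATABASE:
        case OBJECT_DOMAIN:
        case OBJECT_EVENT_TRIGGER:
        case OBJECT_FOREIGN_TABLE:
        case OBJECT_FUNCTION:
        case OBJECT_LANGUAGE:
        case OBJECT_LARGEOBJECT:
        case OBJECT_MATVIEW:
        case OBJECT_PROCEDURE:
        case OBJECT_PUBLICATION:
        case OBJECT_ROLE:
        case OBJECT_ROUTINE:
        case OBJECT_SCHEMA:
        case OBJECT_SEQUENCE:
        case OBJECT_SUBSCRIPTION:
        case OBJECT_TABLE:
        case OBJECT_TABLESPACE:
        case OBJECT_TYPE:
        case OBJECT_VIEW:
            return true;

        case OBJECT_ACCESS_METHOD:
        case OBJECT_AMOP:
        case OBJECT_AMPROC:
        case OBJECT_ATTRIBUTE:
        case OBJECT_CAST:
        case OBJECT_COLLATION:
        case OBJECT_CONVERSION:
        case OBJECT_DEFAULT:
        case OBJECT_DEFACL:
        case OBJECT_DOMCONSTRAINT:
        case OBJECT_EXTENSION:
        case OBJECT_FDW:
        case OBJECT_FOREIGN_SERVER:
        case OBJECT_INDEX:
        case OBJECT_OPCLASS:
        case OBJECT_OPERATOR:
        case OBJECT_OPFAMILY:
        case OBJECT_POLICY:
        case OBJECT_PUBLICATION_REL:
        case OBJECT_RULE:
        case OBJECT_STATISTIC_EXT:
        case OBJECT_TABCONSTRAINT:
        case OBJECT_TRANSFORM:
        case OBJECT_TRIGGER:
        case OBJECT_TSCONFIGURATION:
        case OBJECT_TSDICTIONARY:
        case OBJECT_TSPARSER:
        case OBJECT_TSTEMPLATE:
        case OBJECT_USER_MAPPING:
            return false;

            /*
             * There's intentionally no default: case here; we want the
             * compiler to warn if a new ObjectType hasn't been handled above.
             */
    }

    /* Shouldn't get here, but if we do, say "no support" */
    return false;
}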

◆ SetSecurityLabel()

void SetSecurityLabel ( const ObjectAddress * object,
const char *  provider,
const char *  label 
)

Definition at line 402 of file seclabel.c.

References BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleInsert(), CatalogTupleUpdate(), ObjectAddress::classId, CStringGetTextDatum, heap_form_tuple(), heap_freetuple(), heap_modify_tuple(), HeapTupleIsValid, Int32GetDatum, IsSharedRelation(), ObjectAddress::objectId, ObjectIdGetDatum, ObjectAddress::objectSubId, RelationGetDescr, RowExclusiveLock, ScanKeyInit(), SetSharedSecurityLabel(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), and values.

Referenced by exec_object_restorecon(), ExecSecLabelStmt(), sepgsql_attribute_post_create(), sepgsql_database_post_create(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), and sepgsql_schema_post_create().

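/*
 * SetSecurityLabel
 *
 * Set, replace or remove the label that one provider holds for an object.
 * A NULL label removes the existing row, if there is one; otherwise the
 * existing row is updated or a new row is inserted.
 *
 * No permission check is made and the provider's hook is not called here.
 * ExecSecLabelStmt() does both before calling this function; any other
 * caller is responsible for its own checks.
 */
void
SetSecurityLabel(const ObjectAddress *object,
                 const char *provider, const char *label)
{
    Relation    pg_seclabel;
    ScanKeyData keys[4];
    SysScanDesc scan;
    HeapTuple   oldtup;
    HeapTuple   newtup = NULL;
    Datum       values[Natts_pg_seclabel];
    bool        nulls[Natts_pg_seclabel];
    bool        replaces[Natts_pg_seclabel];

    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
    {
        SetSharedSecurityLabel(object, provider, label);
        return;
    }

    /*
     * Prepare to form or update a tuple, if necessary.  The label slot of
     * values[] stays unset when label is NULL; on that path the only action
     * taken below is a delete, and values[] is never turned into a tuple.
     */
    memset(nulls, false, sizeof(nulls));
    memset(replaces, false, sizeof(replaces));
    values[Anum_pg_seclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
    values[Anum_pg_seclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
    values[Anum_pg_seclabel_objsubid - 1] = Int32GetDatum(object->objectSubId);
    values[Anum_pg_seclabel_provider - 1] = CStringGetTextDatum(provider);
    if (label != NULL)
        values[Anum_pg_seclabel_label - 1] = CStringGetTextDatum(label);

    /* Use the index to search for a matching old tuple */
    ScanKeyInit(&keys[0],
                Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&keys[2],
                Anum_pg_seclabel_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(object->objectSubId));
    ScanKeyInit(&keys[3],
                Anum_pg_seclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    pg_seclabel = table_open(SecLabelRelationId, RowExclusiveLock);

    scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
                              NULL, 4, keys);

    oldtup = systable_getnext(scan);
    if (HeapTupleIsValid(oldtup))
    {
        if (label == NULL)
            CatalogTupleDelete(pg_seclabel, &oldtup->t_self);
        else
        {
            /* Only the label column is replaced in the existing row. */
            replaces[Anum_pg_seclabel_label - 1] = true;
            newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_seclabel),
                                       values, nulls, replaces);
            CatalogTupleUpdate(pg_seclabel, &oldtup->t_self, newtup);
        }
    }
    systable_endscan(scan);

    /* If we didn't find an old tuple, insert a new one */
    if (newtup == NULL && label != NULL)
    {
        newtup = heap_form_tuple(RelationGetDescr(pg_seclabel),
                                 values, nulls);
        CatalogTupleInsert(pg_seclabel, newtup);
    }

    /* Free the tuple built for the update or insert, if any */
    if (newtup != NULL)
        heap_freetuple(newtup);

    table_close(pg_seclabel, RowExclusiveLock);
}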

◆ SetSharedSecurityLabel()

static void SetSharedSecurityLabel ( const ObjectAddress * object,
const char *  provider,
const char *  label 
)
static

Definition at line 327 of file seclabel.c.

References BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleInsert(), CatalogTupleUpdate(), ObjectAddress::classId, CStringGetTextDatum, heap_form_tuple(), heap_freetuple(), heap_modify_tuple(), HeapTupleIsValid, ObjectAddress::objectId, ObjectIdGetDatum, RelationGetDescr, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), and values.

Referenced by SetSecurityLabel().

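/*
 * SetSharedSecurityLabel
 *
 * Set, replace or remove the label that one provider holds for a shared
 * object, in pg_shseclabel.  A NULL label removes the existing row, if there
 * is one; otherwise the existing row is updated or a new row is inserted.
 *
 * No permission check is made here; that is left to the caller.
 */
static void
SetSharedSecurityLabel(const ObjectAddress *object,
                       const char *provider, const char *label)
{
    Relation    pg_shseclabel;
    ScanKeyData keys[3];        /* objoid, classoid, provider */
    SysScanDesc scan;
    HeapTuple   oldtup;
    HeapTuple   newtup = NULL;
    Datum       values[Natts_pg_shseclabel];
    bool        nulls[Natts_pg_shseclabel];
    bool        replaces[Natts_pg_shseclabel];

    /*
     * Prepare to form or update a tuple, if necessary.  The label slot of
     * values[] stays unset when label is NULL; on that path the only action
     * taken below is a delete, and values[] is never turned into a tuple.
     */
    memset(nulls, false, sizeof(nulls));
    memset(replaces, false, sizeof(replaces));
    values[Anum_pg_shseclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
    values[Anum_pg_shseclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
    values[Anum_pg_shseclabel_provider - 1] = CStringGetTextDatum(provider);
    if (label != NULL)
        values[Anum_pg_shseclabel_label - 1] = CStringGetTextDatum(label);

    /* Use the index to search for a matching old tuple */
    ScanKeyInit(&keys[0],
                Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&keys[2],
                Anum_pg_shseclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    pg_shseclabel = table_open(SharedSecLabelRelationId, RowExclusiveLock);

    scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
                              NULL, 3, keys);

    oldtup = systable_getnext(scan);
    if (HeapTupleIsValid(oldtup))
    {
        if (label == NULL)
            CatalogTupleDelete(pg_shseclabel, &oldtup->t_self);
        else
        {
            /* Only the label column is replaced in the existing row. */
            replaces[Anum_pg_shseclabel_label - 1] = true;
            newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_shseclabel),
                                       values, nulls, replaces);
            CatalogTupleUpdate(pg_shseclabel, &oldtup->t_self, newtup);
        }
    }
    systable_endscan(scan);

    /* If we didn't find an old tuple, insert a new one */
    if (newtup == NULL && label != NULL)
    {
        newtup = heap_form_tuple(RelationGetDescr(pg_shseclabel),
                                 values, nulls);
        CatalogTupleInsert(pg_shseclabel, newtup);
    }

    /* Free the tuple built for the update or insert, if any */
    if (newtup != NULL)
        heap_freetuple(newtup);

    table_close(pg_shseclabel, RowExclusiveLock);
}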

Variable Documentation

◆ label_provider_list

List* label_provider_list = NIL
static

Definition at line 34 of file seclabel.c.