seclabel.c File Reference
#include "postgres.h"
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/relation.h"
#include "access/table.h"
#include "catalog/catalog.h"
#include "catalog/indexing.h"
#include "catalog/pg_seclabel.h"
#include "catalog/pg_shseclabel.h"
#include "commands/seclabel.h"
#include "miscadmin.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/memutils.h"
#include "utils/rel.h"


Data Structures

struct  LabelProvider
 

Functions

static bool SecLabelSupportsObjectType (ObjectType objtype)
 
ObjectAddress ExecSecLabelStmt (SecLabelStmt *stmt)
 
static char * GetSharedSecurityLabel (const ObjectAddress *object, const char *provider)
 
char * GetSecurityLabel (const ObjectAddress *object, const char *provider)
 
static void SetSharedSecurityLabel (const ObjectAddress *object, const char *provider, const char *label)
 
void SetSecurityLabel (const ObjectAddress *object, const char *provider, const char *label)
 
void DeleteSharedSecurityLabel (Oid objectId, Oid classId)
 
void DeleteSecurityLabel (const ObjectAddress *object)
 
void register_label_provider (const char *provider_name, check_object_relabel_type hook)
 

Variables

static List * label_provider_list = NIL
 

Function Documentation

◆ DeleteSecurityLabel()

/*
 * DeleteSecurityLabel
 *
 * Remove every security label, from every provider, attached to the given
 * object.  Used while the object itself is being dropped (see
 * deleteOneObject()).
 *
 * Shared objects are stored in pg_shseclabel and are handed off to
 * DeleteSharedSecurityLabel(); everything else lives in pg_seclabel.
 * A non-zero objectSubId restricts the deletion to that sub-object (for
 * example one column).  An objectSubId of zero omits the sub-id scan key,
 * so labels of the whole object AND of all its sub-objects are removed.
 *
 * Defined at line 523 of seclabel.c.
 */
void
DeleteSecurityLabel(const ObjectAddress *object)
{
    ScanKeyData key[3];
    int         nkeys = 2;
    Relation    catalog;
    SysScanDesc scan;
    HeapTuple   victim;

    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
    {
        /* Shared catalogs carry no sub-objects, so a sub-id would be a bug. */
        Assert(object->objectSubId == 0);
        DeleteSharedSecurityLabel(object->objectId, object->classId);
        return;
    }

    ScanKeyInit(&key[0], Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&key[1], Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));

    /* Only constrain the sub-id when the caller named a specific sub-object. */
    if (object->objectSubId != 0)
    {
        ScanKeyInit(&key[nkeys], Anum_pg_seclabel_objsubid,
                    BTEqualStrategyNumber, F_INT4EQ,
                    Int32GetDatum(object->objectSubId));
        nkeys++;
    }

    catalog = table_open(SecLabelRelationId, RowExclusiveLock);
    scan = systable_beginscan(catalog, SecLabelObjectIndexId, true,
                              NULL, nkeys, key);

    /*
     * Delete every matching row: there may be several, since the provider
     * is part of the row key (see SetSecurityLabel) and is not constrained
     * here.
     */
    while (HeapTupleIsValid(victim = systable_getnext(scan)))
        CatalogTupleDelete(catalog, &victim->t_self);

    systable_endscan(scan);
    table_close(catalog, RowExclusiveLock);
}
bool IsSharedRelation(Oid relationId)
Definition: catalog.c:245
void systable_endscan(SysScanDesc sysscan)
Definition: genam.c:599
HeapTuple systable_getnext(SysScanDesc sysscan)
Definition: genam.c:506
SysScanDesc systable_beginscan(Relation heapRelation, Oid indexId, bool indexOK, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:387
#define HeapTupleIsValid(tuple)
Definition: htup.h:78
void CatalogTupleDelete(Relation heapRel, ItemPointer tid)
Definition: indexing.c:350
Assert(fmt[strlen(fmt) - 1] !='\n')
#define RowExclusiveLock
Definition: lockdefs.h:38
static Datum ObjectIdGetDatum(Oid X)
Definition: postgres.h:600
static Datum Int32GetDatum(int32 X)
Definition: postgres.h:560
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
void DeleteSharedSecurityLabel(Oid objectId, Oid classId)
Definition: seclabel.c:491
#define BTEqualStrategyNumber
Definition: stratnum.h:31
ItemPointerData t_self
Definition: htup.h:65
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40

References Assert(), BTEqualStrategyNumber, CatalogTupleDelete(), ObjectAddress::classId, DeleteSharedSecurityLabel(), HeapTupleIsValid, Int32GetDatum(), IsSharedRelation(), ObjectAddress::objectId, ObjectIdGetDatum(), ObjectAddress::objectSubId, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), and table_open().

Referenced by deleteOneObject().

◆ DeleteSharedSecurityLabel()

/*
 * DeleteSharedSecurityLabel
 *
 * Remove every security label, from every provider, attached to a shared
 * object identified by (classId, objectId).  Shared objects (databases,
 * roles, tablespaces; see the callers dropdb(), DropRole() and
 * DropTableSpace()) keep their labels in pg_shseclabel rather than
 * pg_seclabel.  Non-shared callers should go through DeleteSecurityLabel(),
 * which dispatches here when appropriate.
 *
 * Defined at line 491 of seclabel.c.
 */
void
DeleteSharedSecurityLabel(Oid objectId, Oid classId)
{
    ScanKeyData key[2];
    Relation    catalog;
    SysScanDesc scan;
    HeapTuple   victim;

    ScanKeyInit(&key[0], Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(objectId));
    ScanKeyInit(&key[1], Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(classId));

    catalog = table_open(SharedSecLabelRelationId, RowExclusiveLock);
    scan = systable_beginscan(catalog, SharedSecLabelObjectIndexId, true,
                              NULL, 2, key);

    /* The provider is not part of the key, so this removes all providers' rows. */
    while (HeapTupleIsValid(victim = systable_getnext(scan)))
        CatalogTupleDelete(catalog, &victim->t_self);

    systable_endscan(scan);
    table_close(catalog, RowExclusiveLock);
}

References BTEqualStrategyNumber, CatalogTupleDelete(), HeapTupleIsValid, ObjectIdGetDatum(), RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), and table_open().

Referenced by DeleteSecurityLabel(), dropdb(), DropRole(), and DropTableSpace().

◆ ExecSecLabelStmt()

/*
 * find_label_provider
 *
 * Resolve the provider a SECURITY LABEL statement applies to.  A NULL name
 * means "the one that is loaded", which is only unambiguous when exactly one
 * provider has registered.  Every failure is reported with ereport(ERROR),
 * so a NULL return never actually happens.
 */
static LabelProvider *
find_label_provider(const char *name)
{
    ListCell   *cell;

    if (name == NULL)
    {
        if (label_provider_list == NIL)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("no security label providers have been loaded")));
        if (list_length(label_provider_list) != 1)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("must specify provider when multiple security label providers have been loaded")));
        return (LabelProvider *) linitial(label_provider_list);
    }

    /* First registration with a matching name wins. */
    foreach(cell, label_provider_list)
    {
        LabelProvider *candidate = lfirst(cell);

        if (strcmp(name, candidate->provider_name) == 0)
            return candidate;
    }

    ereport(ERROR,
            (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
             errmsg("security label provider \"%s\" is not loaded", name)));
    return NULL;                /* not reached; ereport(ERROR) does not return */
}

/*
 * column_relkind_labelable
 *
 * Security labels on columns are only allowed for relkinds whose column
 * labels pg_dump knows how to dump: tables, views, materialized views,
 * composite types, foreign tables and partitioned tables.
 */
static bool
column_relkind_labelable(char relkind)
{
    switch (relkind)
    {
        case RELKIND_RELATION:
        case RELKIND_VIEW:
        case RELKIND_MATVIEW:
        case RELKIND_COMPOSITE_TYPE:
        case RELKIND_FOREIGN_TABLE:
        case RELKIND_PARTITIONED_TABLE:
            return true;
        default:
            return false;
    }
}

/*
 * ExecSecLabelStmt
 *
 * Execute a SECURITY LABEL statement.
 *
 * Order of checks, which determines which error the user sees first:
 *   1. the provider is resolved (explicit name, or the single loaded one);
 *   2. the object type must be one that supports labels;
 *   3. the object is looked up and locked (ShareUpdateExclusiveLock), which
 *      also errors out if it does not exist;
 *   4. the current user must own the object;
 *   5. for columns, the owning relation must be of a labelable relkind;
 *   6. the provider's hook may veto the label by throwing an ERROR;
 *   7. the label is written (stmt->label == NULL removes it).
 *
 * Returns the address of the labeled object.  A relation opened by
 * get_object_address() is closed here, but the lock it took is kept until
 * transaction end to fend off concurrent changes.
 *
 * Defined at line 115 of seclabel.c.
 */
ObjectAddress
ExecSecLabelStmt(SecLabelStmt *stmt)
{
    LabelProvider *provider = find_label_provider(stmt->provider);
    ObjectAddress address;
    Relation    relation;

    if (!SecLabelSupportsObjectType(stmt->objtype))
        ereport(ERROR,
                (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                 errmsg("security labels are not supported for this type of object")));

    /*
     * Translate the parser representation of the target into an
     * ObjectAddress.  get_object_address() errors out when the object does
     * not exist and locks the target against concurrent modification.
     */
    address = get_object_address(stmt->objtype, stmt->object,
                                 &relation, ShareUpdateExclusiveLock, false);

    /* Only the owner may label an object. */
    check_object_ownership(GetUserId(), stmt->objtype, address,
                           stmt->object, relation);

    /* Column labels are restricted to relkinds pg_dump can reproduce. */
    if (stmt->objtype == OBJECT_COLUMN &&
        !column_relkind_labelable(relation->rd_rel->relkind))
        ereport(ERROR,
                (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                 errmsg("cannot set security label on relation \"%s\"",
                        RelationGetRelationName(relation)),
                 errdetail_relkind_not_supported(relation->rd_rel->relkind)));

    /* The provider gets control here and may throw ERROR to veto the label. */
    provider->hook(&address, stmt->label);

    /* Persist the new label (NULL means: drop the existing one). */
    SetSecurityLabel(&address, provider->provider_name, stmt->label);

    /*
     * Release the relcache reference taken by get_object_address(), but keep
     * its lock (NoLock) until commit.
     */
    if (relation != NULL)
        relation_close(relation, NoLock);

    return address;
}
int errcode(int sqlerrcode)
Definition: elog.c:695
int errmsg(const char *fmt,...)
Definition: elog.c:906
#define ERROR
Definition: elog.h:35
#define ereport(elevel,...)
Definition: elog.h:145
static JitProviderCallbacks provider
Definition: jit.c:43
#define NoLock
Definition: lockdefs.h:34
#define ShareUpdateExclusiveLock
Definition: lockdefs.h:39
Oid GetUserId(void)
Definition: miscinit.c:497
void check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address, Node *object, Relation relation)
ObjectAddress get_object_address(ObjectType objtype, Node *object, Relation *relp, LOCKMODE lockmode, bool missing_ok)
@ OBJECT_COLUMN
Definition: parsenodes.h:1894
int errdetail_relkind_not_supported(char relkind)
Definition: pg_class.c:24
#define lfirst(lc)
Definition: pg_list.h:170
static int list_length(const List *l)
Definition: pg_list.h:150
#define NIL
Definition: pg_list.h:66
#define linitial(l)
Definition: pg_list.h:176
#define RelationGetRelationName(relation)
Definition: rel.h:535
void SetSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:404
static List * label_provider_list
Definition: seclabel.c:34
static bool SecLabelSupportsObjectType(ObjectType objtype)
Definition: seclabel.c:37
void relation_close(Relation relation, LOCKMODE lockmode)
Definition: relation.c:206
const char * provider_name
Definition: seclabel.c:30
Form_pg_class rd_rel
Definition: rel.h:110
ObjectType objtype
Definition: parsenodes.h:2910
Node * object
Definition: parsenodes.h:2911
char * provider
Definition: parsenodes.h:2912
char * label
Definition: parsenodes.h:2913

References check_object_ownership(), ereport, errcode(), errdetail_relkind_not_supported(), errmsg(), ERROR, get_object_address(), GetUserId(), SecLabelStmt::label, label_provider_list, lfirst, linitial, list_length(), NIL, NoLock, SecLabelStmt::object, OBJECT_COLUMN, SecLabelStmt::objtype, provider, SecLabelStmt::provider, LabelProvider::provider_name, RelationData::rd_rel, relation_close(), RelationGetRelationName, SecLabelSupportsObjectType(), SetSecurityLabel(), and ShareUpdateExclusiveLock.

Referenced by ProcessUtilitySlow(), and standard_ProcessUtility().

◆ GetSecurityLabel()

/*
 * GetSecurityLabel
 *
 * Fetch the security label that the named provider has attached to the
 * given object, or NULL when there is none (no row, or a NULL label column).
 *
 * Shared objects are redirected to pg_shseclabel via GetSharedSecurityLabel();
 * all others are looked up in pg_seclabel by (objoid, classoid, objsubid,
 * provider).  The returned string is a fresh copy produced by
 * TextDatumGetCString, not a pointer into the catalog.
 *
 * Defined at line 272 of seclabel.c.
 */
char *
GetSecurityLabel(const ObjectAddress *object, const char *provider)
{
    ScanKeyData key[4];
    Relation    catalog;
    SysScanDesc scan;
    HeapTuple   row;
    char       *result = NULL;

    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
        return GetSharedSecurityLabel(object, provider);

    /* Unshared object: the full four-column key identifies one row. */
    ScanKeyInit(&key[0], Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&key[1], Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&key[2], Anum_pg_seclabel_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(object->objectSubId));
    ScanKeyInit(&key[3], Anum_pg_seclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    catalog = table_open(SecLabelRelationId, AccessShareLock);
    scan = systable_beginscan(catalog, SecLabelObjectIndexId, true,
                              NULL, 4, key);

    /* At most one row can match the complete key, so no loop is needed. */
    row = systable_getnext(scan);
    if (HeapTupleIsValid(row))
    {
        bool        isnull;
        Datum       labeldatum = heap_getattr(row, Anum_pg_seclabel_label,
                                              RelationGetDescr(catalog),
                                              &isnull);

        if (!isnull)
            result = TextDatumGetCString(labeldatum);
    }

    systable_endscan(scan);
    table_close(catalog, AccessShareLock);

    return result;
}
#define CStringGetTextDatum(s)
Definition: builtins.h:85
#define TextDatumGetCString(d)
Definition: builtins.h:86
static Datum heap_getattr(HeapTuple tup, int attnum, TupleDesc tupleDesc, bool *isnull)
Definition: htup_details.h:788
#define AccessShareLock
Definition: lockdefs.h:36
uintptr_t Datum
Definition: postgres.h:412
#define RelationGetDescr(relation)
Definition: rel.h:527
static char * GetSharedSecurityLabel(const ObjectAddress *object, const char *provider)
Definition: seclabel.c:224

References AccessShareLock, BTEqualStrategyNumber, ObjectAddress::classId, CStringGetTextDatum, GetSharedSecurityLabel(), heap_getattr(), HeapTupleIsValid, Int32GetDatum(), IsSharedRelation(), ObjectAddress::objectId, ObjectIdGetDatum(), ObjectAddress::objectSubId, provider, RelationGetDescr, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and TextDatumGetCString.

Referenced by sepgsql_avc_check_perms(), sepgsql_avc_trusted_proc(), and sepgsql_get_label().

◆ GetSharedSecurityLabel()

/*
 * GetSharedSecurityLabel
 *
 * pg_shseclabel counterpart of GetSecurityLabel(): return the label the
 * named provider attached to a shared object, or NULL when there is none.
 * Only reached through GetSecurityLabel() for objects whose classId is a
 * shared relation.
 *
 * The indexOK argument of systable_beginscan() is tied to
 * criticalSharedRelcachesBuilt: until the critical shared relcache entries
 * exist the scan must not depend on the index, so early in backend startup
 * this degrades to a heap scan.
 *
 * Defined at line 224 of seclabel.c.
 */
static char *
GetSharedSecurityLabel(const ObjectAddress *object, const char *provider)
{
    ScanKeyData key[3];
    Relation    catalog;
    SysScanDesc scan;
    HeapTuple   row;
    char       *result = NULL;

    /* Shared objects have no sub-id, so the key is (objoid, classoid, provider). */
    ScanKeyInit(&key[0], Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&key[1], Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&key[2], Anum_pg_shseclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    catalog = table_open(SharedSecLabelRelationId, AccessShareLock);
    scan = systable_beginscan(catalog, SharedSecLabelObjectIndexId,
                              criticalSharedRelcachesBuilt, NULL, 3, key);

    row = systable_getnext(scan);
    if (HeapTupleIsValid(row))
    {
        bool        isnull;
        Datum       labeldatum = heap_getattr(row, Anum_pg_shseclabel_label,
                                              RelationGetDescr(catalog),
                                              &isnull);

        if (!isnull)
            result = TextDatumGetCString(labeldatum);
    }

    systable_endscan(scan);
    table_close(catalog, AccessShareLock);

    return result;
}
bool criticalSharedRelcachesBuilt
Definition: relcache.c:146

References AccessShareLock, BTEqualStrategyNumber, ObjectAddress::classId, criticalSharedRelcachesBuilt, CStringGetTextDatum, heap_getattr(), HeapTupleIsValid, ObjectAddress::objectId, ObjectIdGetDatum(), provider, RelationGetDescr, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and TextDatumGetCString.

Referenced by GetSecurityLabel().

◆ register_label_provider()

/*
 * register_label_provider
 *
 * Register a security label provider under provider_name.  Intended to be
 * called from an extension's _PG_init(); the hook is invoked by
 * ExecSecLabelStmt() before a label is stored and may throw ERROR to veto it.
 *
 * The provider record and its copy of the name are allocated in
 * TopMemoryContext so they outlive the calling context for the rest of the
 * backend's life.  No uniqueness check is made on the name: registering the
 * same name twice appends a second entry, and ExecSecLabelStmt() will keep
 * using the first one it finds.
 *
 * Defined at line 570 of seclabel.c.
 */
void
register_label_provider(const char *provider_name, check_object_relabel_type hook)
{
    MemoryContext oldcxt = MemoryContextSwitchTo(TopMemoryContext);
    LabelProvider *entry = palloc(sizeof *entry);

    entry->provider_name = pstrdup(provider_name);
    entry->hook = hook;
    label_provider_list = lappend(label_provider_list, entry);

    MemoryContextSwitchTo(oldcxt);
}
List * lappend(List *list, void *datum)
Definition: list.c:338
char * pstrdup(const char *in)
Definition: mcxt.c:1483
MemoryContext TopMemoryContext
Definition: mcxt.c:130
void * palloc(Size size)
Definition: mcxt.c:1199
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:135

References label_provider_list, lappend(), MemoryContextSwitchTo(), palloc(), provider, pstrdup(), and TopMemoryContext.

Referenced by _PG_init().

◆ SecLabelSupportsObjectType()

/*
 * SecLabelSupportsObjectType
 *
 * Report whether SECURITY LABEL may be applied to objects of the given type.
 * ExecSecLabelStmt() rejects unsupported types before touching the object.
 *
 * There is deliberately no default: label, so that adding a new ObjectType
 * without deciding its label support produces a compiler warning here.
 *
 * Defined at line 37 of seclabel.c.
 */
static bool
SecLabelSupportsObjectType(ObjectType objtype)
{
    switch (objtype)
    {
            /* Types that carry no security labels. */
        case OBJECT_ACCESS_METHOD:
        case OBJECT_AMOP:
        case OBJECT_AMPROC:
        case OBJECT_ATTRIBUTE:
        case OBJECT_CAST:
        case OBJECT_COLLATION:
        case OBJECT_CONVERSION:
        case OBJECT_DEFAULT:
        case OBJECT_DEFACL:
        case OBJECT_DOMCONSTRAINT:
        case OBJECT_EXTENSION:
        case OBJECT_FDW:
        case OBJECT_FOREIGN_SERVER:
        case OBJECT_INDEX:
        case OBJECT_OPCLASS:
        case OBJECT_OPERATOR:
        case OBJECT_OPFAMILY:
        case OBJECT_PARAMETER_ACL:
        case OBJECT_POLICY:
        case OBJECT_PUBLICATION_NAMESPACE:
        case OBJECT_PUBLICATION_REL:
        case OBJECT_RULE:
        case OBJECT_STATISTIC_EXT:
        case OBJECT_TABCONSTRAINT:
        case OBJECT_TRANSFORM:
        case OBJECT_TRIGGER:
        case OBJECT_TSCONFIGURATION:
        case OBJECT_TSDICTIONARY:
        case OBJECT_TSPARSER:
        case OBJECT_TSTEMPLATE:
        case OBJECT_USER_MAPPING:
            return false;

            /* Types whose labels are stored in pg_seclabel / pg_shseclabel. */
        case OBJECT_AGGREGATE:
        case OBJECT_COLUMN:
        case OBJECT_DATABASE:
        case OBJECT_DOMAIN:
        case OBJECT_EVENT_TRIGGER:
        case OBJECT_FOREIGN_TABLE:
        case OBJECT_FUNCTION:
        case OBJECT_LANGUAGE:
        case OBJECT_LARGEOBJECT:
        case OBJECT_MATVIEW:
        case OBJECT_PROCEDURE:
        case OBJECT_PUBLICATION:
        case OBJECT_ROLE:
        case OBJECT_ROUTINE:
        case OBJECT_SCHEMA:
        case OBJECT_SEQUENCE:
        case OBJECT_SUBSCRIPTION:
        case OBJECT_TABLE:
        case OBJECT_TABLESPACE:
        case OBJECT_TYPE:
        case OBJECT_VIEW:
            return true;
    }

    /* Unknown value (should not happen): refuse rather than guess. */
    return false;
}
@ OBJECT_EVENT_TRIGGER
Definition: parsenodes.h:1902
@ OBJECT_FDW
Definition: parsenodes.h:1904
@ OBJECT_TSPARSER
Definition: parsenodes.h:1935
@ OBJECT_COLLATION
Definition: parsenodes.h:1895
@ OBJECT_USER_MAPPING
Definition: parsenodes.h:1938
@ OBJECT_ACCESS_METHOD
Definition: parsenodes.h:1888
@ OBJECT_OPCLASS
Definition: parsenodes.h:1912
@ OBJECT_DEFACL
Definition: parsenodes.h:1899
@ OBJECT_AGGREGATE
Definition: parsenodes.h:1889
@ OBJECT_MATVIEW
Definition: parsenodes.h:1911
@ OBJECT_SCHEMA
Definition: parsenodes.h:1924
@ OBJECT_POLICY
Definition: parsenodes.h:1916
@ OBJECT_OPERATOR
Definition: parsenodes.h:1913
@ OBJECT_FOREIGN_TABLE
Definition: parsenodes.h:1906
@ OBJECT_TSCONFIGURATION
Definition: parsenodes.h:1933
@ OBJECT_OPFAMILY
Definition: parsenodes.h:1914
@ OBJECT_DOMAIN
Definition: parsenodes.h:1900
@ OBJECT_TABLESPACE
Definition: parsenodes.h:1930
@ OBJECT_ROLE
Definition: parsenodes.h:1921
@ OBJECT_ROUTINE
Definition: parsenodes.h:1922
@ OBJECT_LARGEOBJECT
Definition: parsenodes.h:1910
@ OBJECT_PUBLICATION_NAMESPACE
Definition: parsenodes.h:1919
@ OBJECT_PROCEDURE
Definition: parsenodes.h:1917
@ OBJECT_EXTENSION
Definition: parsenodes.h:1903
@ OBJECT_INDEX
Definition: parsenodes.h:1908
@ OBJECT_DEFAULT
Definition: parsenodes.h:1898
@ OBJECT_DATABASE
Definition: parsenodes.h:1897
@ OBJECT_SEQUENCE
Definition: parsenodes.h:1925
@ OBJECT_TSTEMPLATE
Definition: parsenodes.h:1936
@ OBJECT_LANGUAGE
Definition: parsenodes.h:1909
@ OBJECT_AMOP
Definition: parsenodes.h:1890
@ OBJECT_PUBLICATION_REL
Definition: parsenodes.h:1920
@ OBJECT_FOREIGN_SERVER
Definition: parsenodes.h:1905
@ OBJECT_TSDICTIONARY
Definition: parsenodes.h:1934
@ OBJECT_ATTRIBUTE
Definition: parsenodes.h:1892
@ OBJECT_PUBLICATION
Definition: parsenodes.h:1918
@ OBJECT_RULE
Definition: parsenodes.h:1923
@ OBJECT_CONVERSION
Definition: parsenodes.h:1896
@ OBJECT_AMPROC
Definition: parsenodes.h:1891
@ OBJECT_TABLE
Definition: parsenodes.h:1929
@ OBJECT_VIEW
Definition: parsenodes.h:1939
@ OBJECT_PARAMETER_ACL
Definition: parsenodes.h:1915
@ OBJECT_TYPE
Definition: parsenodes.h:1937
@ OBJECT_FUNCTION
Definition: parsenodes.h:1907
@ OBJECT_TABCONSTRAINT
Definition: parsenodes.h:1928
@ OBJECT_DOMCONSTRAINT
Definition: parsenodes.h:1901
@ OBJECT_SUBSCRIPTION
Definition: parsenodes.h:1926
@ OBJECT_STATISTIC_EXT
Definition: parsenodes.h:1927
@ OBJECT_CAST
Definition: parsenodes.h:1893
@ OBJECT_TRIGGER
Definition: parsenodes.h:1932
@ OBJECT_TRANSFORM
Definition: parsenodes.h:1931

References OBJECT_ACCESS_METHOD, OBJECT_AGGREGATE, OBJECT_AMOP, OBJECT_AMPROC, OBJECT_ATTRIBUTE, OBJECT_CAST, OBJECT_COLLATION, OBJECT_COLUMN, OBJECT_CONVERSION, OBJECT_DATABASE, OBJECT_DEFACL, OBJECT_DEFAULT, OBJECT_DOMAIN, OBJECT_DOMCONSTRAINT, OBJECT_EVENT_TRIGGER, OBJECT_EXTENSION, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FOREIGN_TABLE, OBJECT_FUNCTION, OBJECT_INDEX, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_MATVIEW, OBJECT_OPCLASS, OBJECT_OPERATOR, OBJECT_OPFAMILY, OBJECT_PARAMETER_ACL, OBJECT_POLICY, OBJECT_PROCEDURE, OBJECT_PUBLICATION, OBJECT_PUBLICATION_NAMESPACE, OBJECT_PUBLICATION_REL, OBJECT_ROLE, OBJECT_ROUTINE, OBJECT_RULE, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_STATISTIC_EXT, OBJECT_SUBSCRIPTION, OBJECT_TABCONSTRAINT, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TRANSFORM, OBJECT_TRIGGER, OBJECT_TSCONFIGURATION, OBJECT_TSDICTIONARY, OBJECT_TSPARSER, OBJECT_TSTEMPLATE, OBJECT_TYPE, OBJECT_USER_MAPPING, and OBJECT_VIEW.

Referenced by ExecSecLabelStmt().

◆ SetSecurityLabel()

/*
 * SetSecurityLabel
 *
 * Store, replace or remove the label the named provider attaches to an
 * object.  label == NULL deletes any existing row for (object, provider);
 * otherwise the existing row's label column is updated in place, or a new
 * row is inserted when none exists.
 *
 * Shared objects are redirected to pg_shseclabel through
 * SetSharedSecurityLabel().  No permission check happens here: callers such
 * as ExecSecLabelStmt() (which verifies ownership) and the sepgsql
 * post-create hooks are responsible for that.
 *
 * Defined at line 404 of seclabel.c.
 */
void
SetSecurityLabel(const ObjectAddress *object, const char *provider,
                 const char *label)
{
    ScanKeyData key[4];
    Relation    catalog;
    SysScanDesc scan;
    HeapTuple   existing;
    HeapTuple   fresh = NULL;
    bool        found;
    Datum       values[Natts_pg_seclabel];
    bool        nulls[Natts_pg_seclabel];
    bool        replaces[Natts_pg_seclabel];

    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
    {
        SetSharedSecurityLabel(object, provider, label);
        return;
    }

    /*
     * Column values for a new or modified row.  The label slot is left
     * unset when label == NULL; in that case we only ever delete, so neither
     * heap_form_tuple nor heap_modify_tuple reads it.
     */
    memset(nulls, false, sizeof(nulls));
    memset(replaces, false, sizeof(replaces));
    values[Anum_pg_seclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
    values[Anum_pg_seclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
    values[Anum_pg_seclabel_objsubid - 1] = Int32GetDatum(object->objectSubId);
    values[Anum_pg_seclabel_provider - 1] = CStringGetTextDatum(provider);
    if (label != NULL)
        values[Anum_pg_seclabel_label - 1] = CStringGetTextDatum(label);

    /* Full key: (objoid, classoid, objsubid, provider) identifies one row. */
    ScanKeyInit(&key[0], Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&key[1], Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&key[2], Anum_pg_seclabel_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(object->objectSubId));
    ScanKeyInit(&key[3], Anum_pg_seclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    catalog = table_open(SecLabelRelationId, RowExclusiveLock);
    scan = systable_beginscan(catalog, SecLabelObjectIndexId, true,
                              NULL, 4, key);

    existing = systable_getnext(scan);
    found = HeapTupleIsValid(existing);
    if (found && label == NULL)
    {
        /* Removal request against an existing label. */
        CatalogTupleDelete(catalog, &existing->t_self);
    }
    else if (found)
    {
        /* Replace just the label column of the existing row. */
        replaces[Anum_pg_seclabel_label - 1] = true;
        fresh = heap_modify_tuple(existing, RelationGetDescr(catalog),
                                  values, nulls, replaces);
        CatalogTupleUpdate(catalog, &existing->t_self, fresh);
    }
    systable_endscan(scan);

    /* No row yet and a label to store: insert one. */
    if (!found && label != NULL)
    {
        fresh = heap_form_tuple(RelationGetDescr(catalog), values, nulls);
        CatalogTupleInsert(catalog, fresh);
    }

    /* CatalogTupleUpdate/Insert maintain the indexes; only the copy is ours. */
    if (fresh != NULL)
        heap_freetuple(fresh);

    table_close(catalog, RowExclusiveLock);
}
static Datum values[MAXATTR]
Definition: bootstrap.c:156
HeapTuple heap_form_tuple(TupleDesc tupleDescriptor, Datum *values, bool *isnull)
Definition: heaptuple.c:1020
HeapTuple heap_modify_tuple(HeapTuple tuple, TupleDesc tupleDesc, Datum *replValues, bool *replIsnull, bool *doReplace)
Definition: heaptuple.c:1113
void heap_freetuple(HeapTuple htup)
Definition: heaptuple.c:1338
void CatalogTupleUpdate(Relation heapRel, ItemPointer otid, HeapTuple tup)
Definition: indexing.c:301
void CatalogTupleInsert(Relation heapRel, HeapTuple tup)
Definition: indexing.c:221
static char * label
static void SetSharedSecurityLabel(const ObjectAddress *object, const char *provider, const char *label)
Definition: seclabel.c:329

References BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleInsert(), CatalogTupleUpdate(), ObjectAddress::classId, CStringGetTextDatum, heap_form_tuple(), heap_freetuple(), heap_modify_tuple(), HeapTupleIsValid, Int32GetDatum(), IsSharedRelation(), label, ObjectAddress::objectId, ObjectIdGetDatum(), ObjectAddress::objectSubId, provider, RelationGetDescr, RowExclusiveLock, ScanKeyInit(), SetSharedSecurityLabel(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), and values.

Referenced by exec_object_restorecon(), ExecSecLabelStmt(), sepgsql_attribute_post_create(), sepgsql_database_post_create(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), and sepgsql_schema_post_create().

◆ SetSharedSecurityLabel()

/*
 * SetSharedSecurityLabel
 *
 * pg_shseclabel counterpart of SetSecurityLabel(): store, replace or remove
 * (label == NULL) the label the named provider attaches to a shared object.
 * Reached only through SetSecurityLabel() for shared classIds; there is no
 * sub-object id in this catalog.
 *
 * Defined at line 329 of seclabel.c.
 */
static void
SetSharedSecurityLabel(const ObjectAddress *object, const char *provider,
                       const char *label)
{
    ScanKeyData key[3];
    Relation    catalog;
    SysScanDesc scan;
    HeapTuple   existing;
    HeapTuple   fresh = NULL;
    bool        found;
    Datum       values[Natts_pg_shseclabel];
    bool        nulls[Natts_pg_shseclabel];
    bool        replaces[Natts_pg_shseclabel];

    /*
     * Column values for a new or modified row.  The label slot stays unset
     * when label == NULL, which is only ever used on the delete path.
     */
    memset(nulls, false, sizeof(nulls));
    memset(replaces, false, sizeof(replaces));
    values[Anum_pg_shseclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
    values[Anum_pg_shseclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
    values[Anum_pg_shseclabel_provider - 1] = CStringGetTextDatum(provider);
    if (label != NULL)
        values[Anum_pg_shseclabel_label - 1] = CStringGetTextDatum(label);

    /* Key: (objoid, classoid, provider) identifies one row. */
    ScanKeyInit(&key[0], Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&key[1], Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&key[2], Anum_pg_shseclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));

    catalog = table_open(SharedSecLabelRelationId, RowExclusiveLock);
    scan = systable_beginscan(catalog, SharedSecLabelObjectIndexId, true,
                              NULL, 3, key);

    existing = systable_getnext(scan);
    found = HeapTupleIsValid(existing);
    if (found && label == NULL)
    {
        /* Removal request against an existing label. */
        CatalogTupleDelete(catalog, &existing->t_self);
    }
    else if (found)
    {
        /* Replace just the label column of the existing row. */
        replaces[Anum_pg_shseclabel_label - 1] = true;
        fresh = heap_modify_tuple(existing, RelationGetDescr(catalog),
                                  values, nulls, replaces);
        CatalogTupleUpdate(catalog, &existing->t_self, fresh);
    }
    systable_endscan(scan);

    /* No row yet and a label to store: insert one. */
    if (!found && label != NULL)
    {
        fresh = heap_form_tuple(RelationGetDescr(catalog), values, nulls);
        CatalogTupleInsert(catalog, fresh);
    }

    if (fresh != NULL)
        heap_freetuple(fresh);

    table_close(catalog, RowExclusiveLock);
}

References BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleInsert(), CatalogTupleUpdate(), ObjectAddress::classId, CStringGetTextDatum, heap_form_tuple(), heap_freetuple(), heap_modify_tuple(), HeapTupleIsValid, label, ObjectAddress::objectId, ObjectIdGetDatum(), provider, RelationGetDescr, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), HeapTupleData::t_self, table_close(), table_open(), and values.

Referenced by SetSecurityLabel().

Variable Documentation

◆ label_provider_list

List* label_provider_list = NIL
static

Definition at line 34 of file seclabel.c.

Referenced by ExecSecLabelStmt(), and register_label_provider().