seclabel.c File Reference

#include "postgres.h"
#include "access/genam.h"
#include "access/htup_details.h"
#include "access/relation.h"
#include "access/table.h"
#include "catalog/catalog.h"
#include "catalog/indexing.h"
#include "catalog/pg_seclabel.h"
#include "catalog/pg_shseclabel.h"
#include "commands/seclabel.h"
#include "miscadmin.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/memutils.h"
#include "utils/rel.h"

Include dependency graph for seclabel.c:

Go to the source code of this file.

Data Structures
struct	LabelProvider

Functions
static bool	SecLabelSupportsObjectType (ObjectType objtype)
ObjectAddress	ExecSecLabelStmt (SecLabelStmt *stmt)
static char *	GetSharedSecurityLabel (const ObjectAddress *object, const char *provider)
char *	GetSecurityLabel (const ObjectAddress *object, const char *provider)
static void	SetSharedSecurityLabel (const ObjectAddress *object, const char *provider, const char *label)
void	SetSecurityLabel (const ObjectAddress *object, const char *provider, const char *label)
void	DeleteSharedSecurityLabel (Oid objectId, Oid classId)
void	DeleteSecurityLabel (const ObjectAddress *object)
void	register_label_provider (const char *provider_name, check_object_relabel_type hook)

Variables
static List *	label_provider_list = NIL

Function Documentation

DeleteSecurityLabel()

void DeleteSecurityLabel

(

const ObjectAddress *

object

)

Definition at line 534 of file seclabel.c.

{
    Relation    pg_seclabel;
    ScanKeyData skey[3];
    SysScanDesc scan;
    HeapTuple   oldtup;
    int         nkeys;
 
    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
    {
        Assert(object->objectSubId == 0);
        DeleteSharedSecurityLabel(object->objectId, object->classId);
        return;
    }
 
    ScanKeyInit(&skey[0],
                Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&skey[1],
                Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    if (object->objectSubId != 0)
    {
        ScanKeyInit(&skey[2],
                    Anum_pg_seclabel_objsubid,
                    BTEqualStrategyNumber, F_INT4EQ,
                    Int32GetDatum(object->objectSubId));
        nkeys = 3;
    }
    else
        nkeys = 2;
 
    pg_seclabel = table_open(SecLabelRelationId, RowExclusiveLock);
 
    scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
                              NULL, nkeys, skey);
    while (HeapTupleIsValid(oldtup = systable_getnext(scan)))
        CatalogTupleDelete(pg_seclabel, &oldtup->t_self);
    systable_endscan(scan);
 
    table_close(pg_seclabel, RowExclusiveLock);
}

References Assert, BTEqualStrategyNumber, CatalogTupleDelete(), ObjectAddress::classId, DeleteSharedSecurityLabel(), fb(), HeapTupleIsValid, Int32GetDatum(), IsSharedRelation(), ObjectAddress::objectId, ObjectIdGetDatum(), ObjectAddress::objectSubId, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by deleteOneObject().

DeleteSharedSecurityLabel()

void DeleteSharedSecurityLabel	(	Oid	objectId,
		Oid	classId
	)

Definition at line 502 of file seclabel.c.

{
    Relation    pg_shseclabel;
    ScanKeyData skey[2];
    SysScanDesc scan;
    HeapTuple   oldtup;
 
    ScanKeyInit(&skey[0],
                Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(objectId));
    ScanKeyInit(&skey[1],
                Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(classId));
 
    pg_shseclabel = table_open(SharedSecLabelRelationId, RowExclusiveLock);
 
    scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
                              NULL, 2, skey);
    while (HeapTupleIsValid(oldtup = systable_getnext(scan)))
        CatalogTupleDelete(pg_shseclabel, &oldtup->t_self);
    systable_endscan(scan);
 
    table_close(pg_shseclabel, RowExclusiveLock);
}

References BTEqualStrategyNumber, CatalogTupleDelete(), fb(), HeapTupleIsValid, ObjectIdGetDatum(), RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), and table_open().

Referenced by DeleteSecurityLabel(), dropdb(), DropRole(), and DropTableSpace().

ExecSecLabelStmt()

ObjectAddress ExecSecLabelStmt

(

SecLabelStmt *

stmt

)

Definition at line 116 of file seclabel.c.

{
    LabelProvider *provider = NULL;
    ObjectAddress address;
    Relation    relation;
    ListCell   *lc;
    bool        missing_ok;
 
    /*
     * Find the named label provider, or if none specified, check whether
     * there's exactly one, and if so use it.
     */
    if (stmt->provider == NULL)
    {
        if (label_provider_list == NIL)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("no security label providers have been loaded")));
        if (list_length(label_provider_list) != 1)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("must specify provider when multiple security label providers have been loaded")));
        provider = (LabelProvider *) linitial(label_provider_list);
    }
    else
    {
        foreach(lc, label_provider_list)
        {
            LabelProvider *lp = lfirst(lc);
 
            if (strcmp(stmt->provider, lp->provider_name) == 0)
            {
                provider = lp;
                break;
            }
        }
        if (provider == NULL)
            ereport(ERROR,
                    (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
                     errmsg("security label provider \"%s\" is not loaded",
                            stmt->provider)));
    }
 
    if (!SecLabelSupportsObjectType(stmt->objtype))
        ereport(ERROR,
                (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                 errmsg("security labels are not supported for this type of object")));
 
    /*
     * During binary upgrade, allow nonexistent large objects so that we don't
     * have to create them during schema restoration.  pg_upgrade will
     * transfer the contents of pg_largeobject_metadata via COPY or by
     * copying/linking its files from the old cluster later on.
     */
    missing_ok = IsBinaryUpgrade && stmt->objtype == OBJECT_LARGEOBJECT;
 
    /*
     * Translate the parser representation which identifies this object into
     * an ObjectAddress. get_object_address() will throw an error if the
     * object does not exist, and will also acquire a lock on the target to
     * guard against concurrent modifications.
     */
    address = get_object_address(stmt->objtype, stmt->object,
                                 &relation, ShareUpdateExclusiveLock,
                                 missing_ok);
 
    /* Require ownership of the target object. */
    check_object_ownership(GetUserId(), stmt->objtype, address,
                           stmt->object, relation);
 
    /* Perform other integrity checks as needed. */
    switch (stmt->objtype)
    {
        case OBJECT_COLUMN:
 
            /*
             * Allow security labels only on columns of tables, views,
             * materialized views, composite types, and foreign tables (which
             * are the only relkinds for which pg_dump will dump labels).
             */
            if (relation->rd_rel->relkind != RELKIND_RELATION &&
                relation->rd_rel->relkind != RELKIND_VIEW &&
                relation->rd_rel->relkind != RELKIND_MATVIEW &&
                relation->rd_rel->relkind != RELKIND_COMPOSITE_TYPE &&
                relation->rd_rel->relkind != RELKIND_FOREIGN_TABLE &&
                relation->rd_rel->relkind != RELKIND_PARTITIONED_TABLE)
                ereport(ERROR,
                        (errcode(ERRCODE_WRONG_OBJECT_TYPE),
                         errmsg("cannot set security label on relation \"%s\"",
                                RelationGetRelationName(relation)),
                         errdetail_relkind_not_supported(relation->rd_rel->relkind)));
            break;
        default:
            break;
    }
 
    /* Provider gets control here, may throw ERROR to veto new label. */
    provider->hook(&address, stmt->label);
 
    /* Apply new label. */
    SetSecurityLabel(&address, provider->provider_name, stmt->label);
 
    /*
     * If get_object_address() opened the relation for us, we close it to keep
     * the reference count correct - but we retain any locks acquired by
     * get_object_address() until commit time, to guard against concurrent
     * activity.
     */
    if (relation != NULL)
        relation_close(relation, NoLock);
 
    return address;
}

References check_object_ownership(), ereport, errcode(), errdetail_relkind_not_supported(), errmsg, ERROR, fb(), get_object_address(), GetUserId(), IsBinaryUpgrade, label_provider_list, lfirst, linitial, list_length(), NIL, NoLock, OBJECT_COLUMN, OBJECT_LARGEOBJECT, RelationData::rd_rel, relation_close(), RelationGetRelationName, SecLabelSupportsObjectType(), SetSecurityLabel(), ShareUpdateExclusiveLock, and stmt.

Referenced by ProcessUtilitySlow(), and standard_ProcessUtility().

GetSecurityLabel()

char * GetSecurityLabel	(	const ObjectAddress *	object,
		const char *	provider
	)

Definition at line 283 of file seclabel.c.

{
    Relation    pg_seclabel;
    ScanKeyData keys[4];
    SysScanDesc scan;
    HeapTuple   tuple;
    Datum       datum;
    bool        isnull;
    char       *seclabel = NULL;
 
    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
        return GetSharedSecurityLabel(object, provider);
 
    /* Must be an unshared object, so examine pg_seclabel. */
    ScanKeyInit(&keys[0],
                Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&keys[2],
                Anum_pg_seclabel_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(object->objectSubId));
    ScanKeyInit(&keys[3],
                Anum_pg_seclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));
 
    pg_seclabel = table_open(SecLabelRelationId, AccessShareLock);
 
    scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
                              NULL, 4, keys);
 
    tuple = systable_getnext(scan);
    if (HeapTupleIsValid(tuple))
    {
        datum = heap_getattr(tuple, Anum_pg_seclabel_label,
                             RelationGetDescr(pg_seclabel), &isnull);
        if (!isnull)
            seclabel = TextDatumGetCString(datum);
    }
    systable_endscan(scan);
 
    table_close(pg_seclabel, AccessShareLock);
 
    return seclabel;
}

References AccessShareLock, BTEqualStrategyNumber, ObjectAddress::classId, CStringGetTextDatum, fb(), GetSharedSecurityLabel(), heap_getattr(), HeapTupleIsValid, Int32GetDatum(), IsSharedRelation(), ObjectAddress::objectId, ObjectIdGetDatum(), ObjectAddress::objectSubId, RelationGetDescr, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and TextDatumGetCString.

Referenced by sepgsql_avc_check_perms(), sepgsql_avc_trusted_proc(), and sepgsql_get_label().

GetSharedSecurityLabel()

static char * GetSharedSecurityLabel ( const ObjectAddress *  object, const char *  provider  )

static

Definition at line 235 of file seclabel.c.

{
    Relation    pg_shseclabel;
    ScanKeyData keys[3];
    SysScanDesc scan;
    HeapTuple   tuple;
    Datum       datum;
    bool        isnull;
    char       *seclabel = NULL;
 
    ScanKeyInit(&keys[0],
                Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&keys[2],
                Anum_pg_shseclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));
 
    pg_shseclabel = table_open(SharedSecLabelRelationId, AccessShareLock);
 
    scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId,
                              criticalSharedRelcachesBuilt, NULL, 3, keys);
 
    tuple = systable_getnext(scan);
    if (HeapTupleIsValid(tuple))
    {
        datum = heap_getattr(tuple, Anum_pg_shseclabel_label,
                             RelationGetDescr(pg_shseclabel), &isnull);
        if (!isnull)
            seclabel = TextDatumGetCString(datum);
    }
    systable_endscan(scan);
 
    table_close(pg_shseclabel, AccessShareLock);
 
    return seclabel;
}

References AccessShareLock, BTEqualStrategyNumber, ObjectAddress::classId, criticalSharedRelcachesBuilt, CStringGetTextDatum, fb(), heap_getattr(), HeapTupleIsValid, ObjectAddress::objectId, ObjectIdGetDatum(), RelationGetDescr, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and TextDatumGetCString.

Referenced by GetSecurityLabel().

register_label_provider()

void register_label_provider	(	const char *	provider_name,
		check_object_relabel_type	hook
	)

Definition at line 581 of file seclabel.c.

{
    LabelProvider *provider;
    MemoryContext oldcxt;
 
    oldcxt = MemoryContextSwitchTo(TopMemoryContext);
    provider = palloc_object(LabelProvider);
    provider->provider_name = pstrdup(provider_name);
    provider->hook = hook;
    label_provider_list = lappend(label_provider_list, provider);
    MemoryContextSwitchTo(oldcxt);
}

References fb(), label_provider_list, lappend(), MemoryContextSwitchTo(), palloc_object, pstrdup(), and TopMemoryContext.

Referenced by _PG_init().

SecLabelSupportsObjectType()

static bool SecLabelSupportsObjectType ( ObjectType  objtype )

static

Definition at line 37 of file seclabel.c.

{
    switch (objtype)
    {
        case OBJECT_AGGREGATE:
        case OBJECT_COLUMN:
        case OBJECT_DATABASE:
        case OBJECT_DOMAIN:
        case OBJECT_EVENT_TRIGGER:
        case OBJECT_FOREIGN_TABLE:
        case OBJECT_FUNCTION:
        case OBJECT_LANGUAGE:
        case OBJECT_LARGEOBJECT:
        case OBJECT_MATVIEW:
        case OBJECT_PROCEDURE:
        case OBJECT_PUBLICATION:
        case OBJECT_ROLE:
        case OBJECT_ROUTINE:
        case OBJECT_SCHEMA:
        case OBJECT_SEQUENCE:
        case OBJECT_SUBSCRIPTION:
        case OBJECT_TABLE:
        case OBJECT_TABLESPACE:
        case OBJECT_TYPE:
        case OBJECT_VIEW:
            return true;
 
        case OBJECT_ACCESS_METHOD:
        case OBJECT_AMOP:
        case OBJECT_AMPROC:
        case OBJECT_ATTRIBUTE:
        case OBJECT_CAST:
        case OBJECT_COLLATION:
        case OBJECT_CONVERSION:
        case OBJECT_DEFAULT:
        case OBJECT_DEFACL:
        case OBJECT_DOMCONSTRAINT:
        case OBJECT_EXTENSION:
        case OBJECT_FDW:
        case OBJECT_FOREIGN_SERVER:
        case OBJECT_INDEX:
        case OBJECT_OPCLASS:
        case OBJECT_OPERATOR:
        case OBJECT_OPFAMILY:
        case OBJECT_PARAMETER_ACL:
        case OBJECT_POLICY:
        case OBJECT_PROPGRAPH:
        case OBJECT_PUBLICATION_NAMESPACE:
        case OBJECT_PUBLICATION_REL:
        case OBJECT_RULE:
        case OBJECT_STATISTIC_EXT:
        case OBJECT_TABCONSTRAINT:
        case OBJECT_TRANSFORM:
        case OBJECT_TRIGGER:
        case OBJECT_TSCONFIGURATION:
        case OBJECT_TSDICTIONARY:
        case OBJECT_TSPARSER:
        case OBJECT_TSTEMPLATE:
        case OBJECT_USER_MAPPING:
            return false;
 
            /*
             * There's intentionally no default: case here; we want the
             * compiler to warn if a new ObjectType hasn't been handled above.
             */
    }
 
    /* Shouldn't get here, but if we do, say "no support" */
    return false;
}

References OBJECT_ACCESS_METHOD, OBJECT_AGGREGATE, OBJECT_AMOP, OBJECT_AMPROC, OBJECT_ATTRIBUTE, OBJECT_CAST, OBJECT_COLLATION, OBJECT_COLUMN, OBJECT_CONVERSION, OBJECT_DATABASE, OBJECT_DEFACL, OBJECT_DEFAULT, OBJECT_DOMAIN, OBJECT_DOMCONSTRAINT, OBJECT_EVENT_TRIGGER, OBJECT_EXTENSION, OBJECT_FDW, OBJECT_FOREIGN_SERVER, OBJECT_FOREIGN_TABLE, OBJECT_FUNCTION, OBJECT_INDEX, OBJECT_LANGUAGE, OBJECT_LARGEOBJECT, OBJECT_MATVIEW, OBJECT_OPCLASS, OBJECT_OPERATOR, OBJECT_OPFAMILY, OBJECT_PARAMETER_ACL, OBJECT_POLICY, OBJECT_PROCEDURE, OBJECT_PROPGRAPH, OBJECT_PUBLICATION, OBJECT_PUBLICATION_NAMESPACE, OBJECT_PUBLICATION_REL, OBJECT_ROLE, OBJECT_ROUTINE, OBJECT_RULE, OBJECT_SCHEMA, OBJECT_SEQUENCE, OBJECT_STATISTIC_EXT, OBJECT_SUBSCRIPTION, OBJECT_TABCONSTRAINT, OBJECT_TABLE, OBJECT_TABLESPACE, OBJECT_TRANSFORM, OBJECT_TRIGGER, OBJECT_TSCONFIGURATION, OBJECT_TSDICTIONARY, OBJECT_TSPARSER, OBJECT_TSTEMPLATE, OBJECT_TYPE, OBJECT_USER_MAPPING, and OBJECT_VIEW.

Referenced by ExecSecLabelStmt().

SetSecurityLabel()

void SetSecurityLabel	(	const ObjectAddress *	object,
		const char *	provider,
		const char *	label
	)

Definition at line 415 of file seclabel.c.

{
    Relation    pg_seclabel;
    ScanKeyData keys[4];
    SysScanDesc scan;
    HeapTuple   oldtup;
    HeapTuple   newtup = NULL;
    Datum       values[Natts_pg_seclabel];
    bool        nulls[Natts_pg_seclabel];
    bool        replaces[Natts_pg_seclabel];
 
    /* Shared objects have their own security label catalog. */
    if (IsSharedRelation(object->classId))
    {
        SetSharedSecurityLabel(object, provider, label);
        return;
    }
 
    /* Prepare to form or update a tuple, if necessary. */
    memset(nulls, false, sizeof(nulls));
    memset(replaces, false, sizeof(replaces));
    values[Anum_pg_seclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
    values[Anum_pg_seclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
    values[Anum_pg_seclabel_objsubid - 1] = Int32GetDatum(object->objectSubId);
    values[Anum_pg_seclabel_provider - 1] = CStringGetTextDatum(provider);
    if (label != NULL)
        values[Anum_pg_seclabel_label - 1] = CStringGetTextDatum(label);
 
    /* Use the index to search for a matching old tuple */
    ScanKeyInit(&keys[0],
                Anum_pg_seclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_seclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&keys[2],
                Anum_pg_seclabel_objsubid,
                BTEqualStrategyNumber, F_INT4EQ,
                Int32GetDatum(object->objectSubId));
    ScanKeyInit(&keys[3],
                Anum_pg_seclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));
 
    pg_seclabel = table_open(SecLabelRelationId, RowExclusiveLock);
 
    scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
                              NULL, 4, keys);
 
    oldtup = systable_getnext(scan);
    if (HeapTupleIsValid(oldtup))
    {
        if (label == NULL)
            CatalogTupleDelete(pg_seclabel, &oldtup->t_self);
        else
        {
            replaces[Anum_pg_seclabel_label - 1] = true;
            newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_seclabel),
                                       values, nulls, replaces);
            CatalogTupleUpdate(pg_seclabel, &oldtup->t_self, newtup);
        }
    }
    systable_endscan(scan);
 
    /* If we didn't find an old tuple, insert a new one */
    if (newtup == NULL && label != NULL)
    {
        newtup = heap_form_tuple(RelationGetDescr(pg_seclabel),
                                 values, nulls);
        CatalogTupleInsert(pg_seclabel, newtup);
    }
 
    /* Update indexes, if necessary */
    if (newtup != NULL)
        heap_freetuple(newtup);
 
    table_close(pg_seclabel, RowExclusiveLock);
}

References BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleInsert(), CatalogTupleUpdate(), ObjectAddress::classId, CStringGetTextDatum, fb(), heap_form_tuple(), heap_freetuple(), heap_modify_tuple(), HeapTupleIsValid, Int32GetDatum(), IsSharedRelation(), label, ObjectAddress::objectId, ObjectIdGetDatum(), ObjectAddress::objectSubId, RelationGetDescr, RowExclusiveLock, ScanKeyInit(), SetSharedSecurityLabel(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and values.

Referenced by exec_object_restorecon(), ExecSecLabelStmt(), sepgsql_attribute_post_create(), sepgsql_database_post_create(), sepgsql_proc_post_create(), sepgsql_relation_post_create(), and sepgsql_schema_post_create().

SetSharedSecurityLabel()

static void SetSharedSecurityLabel ( const ObjectAddress *  object, const char *  provider, const char *  label  )

static

Definition at line 340 of file seclabel.c.

{
    Relation    pg_shseclabel;
    ScanKeyData keys[4];
    SysScanDesc scan;
    HeapTuple   oldtup;
    HeapTuple   newtup = NULL;
    Datum       values[Natts_pg_shseclabel];
    bool        nulls[Natts_pg_shseclabel];
    bool        replaces[Natts_pg_shseclabel];
 
    /* Prepare to form or update a tuple, if necessary. */
    memset(nulls, false, sizeof(nulls));
    memset(replaces, false, sizeof(replaces));
    values[Anum_pg_shseclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
    values[Anum_pg_shseclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
    values[Anum_pg_shseclabel_provider - 1] = CStringGetTextDatum(provider);
    if (label != NULL)
        values[Anum_pg_shseclabel_label - 1] = CStringGetTextDatum(label);
 
    /* Use the index to search for a matching old tuple */
    ScanKeyInit(&keys[0],
                Anum_pg_shseclabel_objoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->objectId));
    ScanKeyInit(&keys[1],
                Anum_pg_shseclabel_classoid,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(object->classId));
    ScanKeyInit(&keys[2],
                Anum_pg_shseclabel_provider,
                BTEqualStrategyNumber, F_TEXTEQ,
                CStringGetTextDatum(provider));
 
    pg_shseclabel = table_open(SharedSecLabelRelationId, RowExclusiveLock);
 
    scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
                              NULL, 3, keys);
 
    oldtup = systable_getnext(scan);
    if (HeapTupleIsValid(oldtup))
    {
        if (label == NULL)
            CatalogTupleDelete(pg_shseclabel, &oldtup->t_self);
        else
        {
            replaces[Anum_pg_shseclabel_label - 1] = true;
            newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_shseclabel),
                                       values, nulls, replaces);
            CatalogTupleUpdate(pg_shseclabel, &oldtup->t_self, newtup);
        }
    }
    systable_endscan(scan);
 
    /* If we didn't find an old tuple, insert a new one */
    if (newtup == NULL && label != NULL)
    {
        newtup = heap_form_tuple(RelationGetDescr(pg_shseclabel),
                                 values, nulls);
        CatalogTupleInsert(pg_shseclabel, newtup);
    }
 
    if (newtup != NULL)
        heap_freetuple(newtup);
 
    table_close(pg_shseclabel, RowExclusiveLock);
}

References BTEqualStrategyNumber, CatalogTupleDelete(), CatalogTupleInsert(), CatalogTupleUpdate(), ObjectAddress::classId, CStringGetTextDatum, fb(), heap_form_tuple(), heap_freetuple(), heap_modify_tuple(), HeapTupleIsValid, label, ObjectAddress::objectId, ObjectIdGetDatum(), RelationGetDescr, RowExclusiveLock, ScanKeyInit(), systable_beginscan(), systable_endscan(), systable_getnext(), table_close(), table_open(), and values.

Referenced by SetSecurityLabel().

Variable Documentation

label_provider_list

List* label_provider_list = NIL

static

Definition at line 34 of file seclabel.c.

Referenced by ExecSecLabelStmt(), and register_label_provider().