PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
sepgsql.h
Go to the documentation of this file.
1/* -------------------------------------------------------------------------
2 *
3 * contrib/sepgsql/sepgsql.h
4 *
5 * Definitions corresponding to SE-PostgreSQL
6 *
7 * Copyright (c) 2010-2025, PostgreSQL Global Development Group
8 *
9 * -------------------------------------------------------------------------
10 */
11#ifndef SEPGSQL_H
12#define SEPGSQL_H
13
14#include "catalog/objectaddress.h"
15#include "fmgr.h"
16
17#include <selinux/selinux.h>
18#include <selinux/avc.h>
19
20/*
21 * SE-PostgreSQL Label Tag
22 */
23#define SEPGSQL_LABEL_TAG "selinux"
24
25/*
26 * SE-PostgreSQL performing mode
27 */
28#define SEPGSQL_MODE_DEFAULT 1
29#define SEPGSQL_MODE_PERMISSIVE 2
30#define SEPGSQL_MODE_INTERNAL 3
31#define SEPGSQL_MODE_DISABLED 4
32
33/*
34 * Internally used code of object classes
35 */
36#define SEPG_CLASS_PROCESS 0
37#define SEPG_CLASS_FILE 1
38#define SEPG_CLASS_DIR 2
39#define SEPG_CLASS_LNK_FILE 3
40#define SEPG_CLASS_CHR_FILE 4
41#define SEPG_CLASS_BLK_FILE 5
42#define SEPG_CLASS_SOCK_FILE 6
43#define SEPG_CLASS_FIFO_FILE 7
44#define SEPG_CLASS_DB_DATABASE 8
45#define SEPG_CLASS_DB_SCHEMA 9
46#define SEPG_CLASS_DB_TABLE 10
47#define SEPG_CLASS_DB_SEQUENCE 11
48#define SEPG_CLASS_DB_PROCEDURE 12
49#define SEPG_CLASS_DB_COLUMN 13
50#define SEPG_CLASS_DB_TUPLE 14
51#define SEPG_CLASS_DB_BLOB 15
52#define SEPG_CLASS_DB_LANGUAGE 16
53#define SEPG_CLASS_DB_VIEW 17
54#define SEPG_CLASS_MAX 18
55
56/*
57 * Internally used code of access vectors
58 */
59#define SEPG_PROCESS__TRANSITION (1<<0)
60#define SEPG_PROCESS__DYNTRANSITION (1<<1)
61#define SEPG_PROCESS__SETCURRENT (1<<2)
62
63#define SEPG_FILE__READ (1<<0)
64#define SEPG_FILE__WRITE (1<<1)
65#define SEPG_FILE__CREATE (1<<2)
66#define SEPG_FILE__GETATTR (1<<3)
67#define SEPG_FILE__UNLINK (1<<4)
68#define SEPG_FILE__RENAME (1<<5)
69#define SEPG_FILE__APPEND (1<<6)
70
71#define SEPG_DIR__READ (SEPG_FILE__READ)
72#define SEPG_DIR__WRITE (SEPG_FILE__WRITE)
73#define SEPG_DIR__CREATE (SEPG_FILE__CREATE)
74#define SEPG_DIR__GETATTR (SEPG_FILE__GETATTR)
75#define SEPG_DIR__UNLINK (SEPG_FILE__UNLINK)
76#define SEPG_DIR__RENAME (SEPG_FILE__RENAME)
77#define SEPG_DIR__SEARCH (1<<6)
78#define SEPG_DIR__ADD_NAME (1<<7)
79#define SEPG_DIR__REMOVE_NAME (1<<8)
80#define SEPG_DIR__RMDIR (1<<9)
81#define SEPG_DIR__REPARENT (1<<10)
82
83#define SEPG_LNK_FILE__READ (SEPG_FILE__READ)
84#define SEPG_LNK_FILE__WRITE (SEPG_FILE__WRITE)
85#define SEPG_LNK_FILE__CREATE (SEPG_FILE__CREATE)
86#define SEPG_LNK_FILE__GETATTR (SEPG_FILE__GETATTR)
87#define SEPG_LNK_FILE__UNLINK (SEPG_FILE__UNLINK)
88#define SEPG_LNK_FILE__RENAME (SEPG_FILE__RENAME)
89
90#define SEPG_CHR_FILE__READ (SEPG_FILE__READ)
91#define SEPG_CHR_FILE__WRITE (SEPG_FILE__WRITE)
92#define SEPG_CHR_FILE__CREATE (SEPG_FILE__CREATE)
93#define SEPG_CHR_FILE__GETATTR (SEPG_FILE__GETATTR)
94#define SEPG_CHR_FILE__UNLINK (SEPG_FILE__UNLINK)
95#define SEPG_CHR_FILE__RENAME (SEPG_FILE__RENAME)
96
97#define SEPG_BLK_FILE__READ (SEPG_FILE__READ)
98#define SEPG_BLK_FILE__WRITE (SEPG_FILE__WRITE)
99#define SEPG_BLK_FILE__CREATE (SEPG_FILE__CREATE)
100#define SEPG_BLK_FILE__GETATTR (SEPG_FILE__GETATTR)
101#define SEPG_BLK_FILE__UNLINK (SEPG_FILE__UNLINK)
102#define SEPG_BLK_FILE__RENAME (SEPG_FILE__RENAME)
103
104#define SEPG_SOCK_FILE__READ (SEPG_FILE__READ)
105#define SEPG_SOCK_FILE__WRITE (SEPG_FILE__WRITE)
106#define SEPG_SOCK_FILE__CREATE (SEPG_FILE__CREATE)
107#define SEPG_SOCK_FILE__GETATTR (SEPG_FILE__GETATTR)
108#define SEPG_SOCK_FILE__UNLINK (SEPG_FILE__UNLINK)
109#define SEPG_SOCK_FILE__RENAME (SEPG_FILE__RENAME)
110
111#define SEPG_FIFO_FILE__READ (SEPG_FILE__READ)
112#define SEPG_FIFO_FILE__WRITE (SEPG_FILE__WRITE)
113#define SEPG_FIFO_FILE__CREATE (SEPG_FILE__CREATE)
114#define SEPG_FIFO_FILE__GETATTR (SEPG_FILE__GETATTR)
115#define SEPG_FIFO_FILE__UNLINK (SEPG_FILE__UNLINK)
116#define SEPG_FIFO_FILE__RENAME (SEPG_FILE__RENAME)
117
118#define SEPG_DB_DATABASE__CREATE (1<<0)
119#define SEPG_DB_DATABASE__DROP (1<<1)
120#define SEPG_DB_DATABASE__GETATTR (1<<2)
121#define SEPG_DB_DATABASE__SETATTR (1<<3)
122#define SEPG_DB_DATABASE__RELABELFROM (1<<4)
123#define SEPG_DB_DATABASE__RELABELTO (1<<5)
124#define SEPG_DB_DATABASE__ACCESS (1<<6)
125#define SEPG_DB_DATABASE__LOAD_MODULE (1<<7)
126
127#define SEPG_DB_SCHEMA__CREATE (SEPG_DB_DATABASE__CREATE)
128#define SEPG_DB_SCHEMA__DROP (SEPG_DB_DATABASE__DROP)
129#define SEPG_DB_SCHEMA__GETATTR (SEPG_DB_DATABASE__GETATTR)
130#define SEPG_DB_SCHEMA__SETATTR (SEPG_DB_DATABASE__SETATTR)
131#define SEPG_DB_SCHEMA__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
132#define SEPG_DB_SCHEMA__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
133#define SEPG_DB_SCHEMA__SEARCH (1<<6)
134#define SEPG_DB_SCHEMA__ADD_NAME (1<<7)
135#define SEPG_DB_SCHEMA__REMOVE_NAME (1<<8)
136
137#define SEPG_DB_TABLE__CREATE (SEPG_DB_DATABASE__CREATE)
138#define SEPG_DB_TABLE__DROP (SEPG_DB_DATABASE__DROP)
139#define SEPG_DB_TABLE__GETATTR (SEPG_DB_DATABASE__GETATTR)
140#define SEPG_DB_TABLE__SETATTR (SEPG_DB_DATABASE__SETATTR)
141#define SEPG_DB_TABLE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
142#define SEPG_DB_TABLE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
143#define SEPG_DB_TABLE__SELECT (1<<6)
144#define SEPG_DB_TABLE__UPDATE (1<<7)
145#define SEPG_DB_TABLE__INSERT (1<<8)
146#define SEPG_DB_TABLE__DELETE (1<<9)
147#define SEPG_DB_TABLE__LOCK (1<<10)
148#define SEPG_DB_TABLE__TRUNCATE (1<<11)
149
150#define SEPG_DB_SEQUENCE__CREATE (SEPG_DB_DATABASE__CREATE)
151#define SEPG_DB_SEQUENCE__DROP (SEPG_DB_DATABASE__DROP)
152#define SEPG_DB_SEQUENCE__GETATTR (SEPG_DB_DATABASE__GETATTR)
153#define SEPG_DB_SEQUENCE__SETATTR (SEPG_DB_DATABASE__SETATTR)
154#define SEPG_DB_SEQUENCE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
155#define SEPG_DB_SEQUENCE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
156#define SEPG_DB_SEQUENCE__GET_VALUE (1<<6)
157#define SEPG_DB_SEQUENCE__NEXT_VALUE (1<<7)
158#define SEPG_DB_SEQUENCE__SET_VALUE (1<<8)
159
160#define SEPG_DB_PROCEDURE__CREATE (SEPG_DB_DATABASE__CREATE)
161#define SEPG_DB_PROCEDURE__DROP (SEPG_DB_DATABASE__DROP)
162#define SEPG_DB_PROCEDURE__GETATTR (SEPG_DB_DATABASE__GETATTR)
163#define SEPG_DB_PROCEDURE__SETATTR (SEPG_DB_DATABASE__SETATTR)
164#define SEPG_DB_PROCEDURE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
165#define SEPG_DB_PROCEDURE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
166#define SEPG_DB_PROCEDURE__EXECUTE (1<<6)
167#define SEPG_DB_PROCEDURE__ENTRYPOINT (1<<7)
168#define SEPG_DB_PROCEDURE__INSTALL (1<<8)
169
170#define SEPG_DB_COLUMN__CREATE (SEPG_DB_DATABASE__CREATE)
171#define SEPG_DB_COLUMN__DROP (SEPG_DB_DATABASE__DROP)
172#define SEPG_DB_COLUMN__GETATTR (SEPG_DB_DATABASE__GETATTR)
173#define SEPG_DB_COLUMN__SETATTR (SEPG_DB_DATABASE__SETATTR)
174#define SEPG_DB_COLUMN__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
175#define SEPG_DB_COLUMN__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
176#define SEPG_DB_COLUMN__SELECT (1<<6)
177#define SEPG_DB_COLUMN__UPDATE (1<<7)
178#define SEPG_DB_COLUMN__INSERT (1<<8)
179
180#define SEPG_DB_TUPLE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
181#define SEPG_DB_TUPLE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
182#define SEPG_DB_TUPLE__SELECT (SEPG_DB_DATABASE__GETATTR)
183#define SEPG_DB_TUPLE__UPDATE (SEPG_DB_DATABASE__SETATTR)
184#define SEPG_DB_TUPLE__INSERT (SEPG_DB_DATABASE__CREATE)
185#define SEPG_DB_TUPLE__DELETE (SEPG_DB_DATABASE__DROP)
186
187#define SEPG_DB_BLOB__CREATE (SEPG_DB_DATABASE__CREATE)
188#define SEPG_DB_BLOB__DROP (SEPG_DB_DATABASE__DROP)
189#define SEPG_DB_BLOB__GETATTR (SEPG_DB_DATABASE__GETATTR)
190#define SEPG_DB_BLOB__SETATTR (SEPG_DB_DATABASE__SETATTR)
191#define SEPG_DB_BLOB__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
192#define SEPG_DB_BLOB__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
193#define SEPG_DB_BLOB__READ (1<<6)
194#define SEPG_DB_BLOB__WRITE (1<<7)
195#define SEPG_DB_BLOB__IMPORT (1<<8)
196#define SEPG_DB_BLOB__EXPORT (1<<9)
197
198#define SEPG_DB_LANGUAGE__CREATE (SEPG_DB_DATABASE__CREATE)
199#define SEPG_DB_LANGUAGE__DROP (SEPG_DB_DATABASE__DROP)
200#define SEPG_DB_LANGUAGE__GETATTR (SEPG_DB_DATABASE__GETATTR)
201#define SEPG_DB_LANGUAGE__SETATTR (SEPG_DB_DATABASE__SETATTR)
202#define SEPG_DB_LANGUAGE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
203#define SEPG_DB_LANGUAGE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
204#define SEPG_DB_LANGUAGE__IMPLEMENT (1<<6)
205#define SEPG_DB_LANGUAGE__EXECUTE (1<<7)
206
207#define SEPG_DB_VIEW__CREATE (SEPG_DB_DATABASE__CREATE)
208#define SEPG_DB_VIEW__DROP (SEPG_DB_DATABASE__DROP)
209#define SEPG_DB_VIEW__GETATTR (SEPG_DB_DATABASE__GETATTR)
210#define SEPG_DB_VIEW__SETATTR (SEPG_DB_DATABASE__SETATTR)
211#define SEPG_DB_VIEW__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
212#define SEPG_DB_VIEW__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
213#define SEPG_DB_VIEW__EXPAND (1<<6)
214
215/*
216 * hooks.c
217 */
218extern bool sepgsql_get_permissive(void);
219extern bool sepgsql_get_debug_audit(void);
220
221/*
222 * selinux.c
223 */
224extern bool sepgsql_is_enabled(void);
225extern int sepgsql_get_mode(void);
226extern int sepgsql_set_mode(int new_mode);
227extern bool sepgsql_getenforce(void);
228
229extern void sepgsql_audit_log(bool denied,
230 bool enforcing,
231 const char *scontext,
232 const char *tcontext,
233 uint16 tclass,
234 uint32 audited,
235 const char *audit_name);
236
237extern void sepgsql_compute_avd(const char *scontext,
238 const char *tcontext,
239 uint16 tclass,
240 struct av_decision *avd);
241
242extern char *sepgsql_compute_create(const char *scontext,
243 const char *tcontext,
244 uint16 tclass,
245 const char *objname);
246
247/*
248 * uavc.c
249 */
250#define SEPGSQL_AVC_NOAUDIT ((void *)(-1))
251extern bool sepgsql_avc_check_perms_label(const char *tcontext,
252 uint16 tclass,
253 uint32 required,
254 const char *audit_name,
255 bool abort_on_violation);
256extern bool sepgsql_avc_check_perms(const ObjectAddress *tobject,
257 uint16 tclass,
258 uint32 required,
259 const char *audit_name,
260 bool abort_on_violation);
261extern char *sepgsql_avc_trusted_proc(Oid functionId);
262extern void sepgsql_avc_init(void);
263
264/*
265 * label.c
266 */
267extern char *sepgsql_get_client_label(void);
268extern void sepgsql_init_client_label(void);
269extern char *sepgsql_get_label(Oid classId, Oid objectId, int32 subId);
270
271extern void sepgsql_object_relabel(const ObjectAddress *object,
272 const char *seclabel);
273
274/*
275 * dml.c
276 */
277extern bool sepgsql_dml_privileges(List *rangeTabls, List *rteperminfos,
278 bool abort_on_violation);
279
280/*
281 * database.c
282 */
283extern void sepgsql_database_post_create(Oid databaseId,
284 const char *dtemplate);
285extern void sepgsql_database_drop(Oid databaseId);
286extern void sepgsql_database_relabel(Oid databaseId, const char *seclabel);
287extern void sepgsql_database_setattr(Oid databaseId);
288
289/*
290 * schema.c
291 */
292extern void sepgsql_schema_post_create(Oid namespaceId);
293extern void sepgsql_schema_drop(Oid namespaceId);
294extern void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel);
295extern void sepgsql_schema_setattr(Oid namespaceId);
296extern bool sepgsql_schema_search(Oid namespaceId, bool abort_on_violation);
297extern void sepgsql_schema_add_name(Oid namespaceId);
298extern void sepgsql_schema_remove_name(Oid namespaceId);
299extern void sepgsql_schema_rename(Oid namespaceId);
300
301/*
302 * relation.c
303 */
304extern void sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum);
305extern void sepgsql_attribute_drop(Oid relOid, AttrNumber attnum);
306extern void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
307 const char *seclabel);
308extern void sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum);
309extern void sepgsql_relation_post_create(Oid relOid);
310extern void sepgsql_relation_drop(Oid relOid);
311extern void sepgsql_relation_truncate(Oid relOid);
312extern void sepgsql_relation_relabel(Oid relOid, const char *seclabel);
313extern void sepgsql_relation_setattr(Oid relOid);
314
315/*
316 * proc.c
317 */
318extern void sepgsql_proc_post_create(Oid functionId);
319extern void sepgsql_proc_drop(Oid functionId);
320extern void sepgsql_proc_relabel(Oid functionId, const char *seclabel);
321extern void sepgsql_proc_setattr(Oid functionId);
322extern void sepgsql_proc_execute(Oid functionId);
323
324#endif /* SEPGSQL_H */
AttrNumber
int16 AttrNumber
Definition: attnum.h:21
int32
int32_t int32
Definition: c.h:498
uint16
uint16_t uint16
Definition: c.h:501
uint32
uint32_t uint32
Definition: c.h:502
generate_unaccent_rules.required
required
Definition: generate_unaccent_rules.py:285
attnum
int16 attnum
Definition: pg_attribute.h:74
Oid
unsigned int Oid
Definition: postgres_ext.h:30
sepgsql_attribute_setattr
void sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum)
Definition: relation.c:209
sepgsql_attribute_post_create
void sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
Definition: relation.c:43
sepgsql_relation_post_create
void sepgsql_relation_post_create(Oid relOid)
Definition: relation.c:240
sepgsql_attribute_relabel
void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum, const char *seclabel)
Definition: relation.c:165
sepgsql_get_permissive
bool sepgsql_get_permissive(void)
Definition: hooks.c:66
sepgsql_avc_trusted_proc
char * sepgsql_avc_trusted_proc(Oid functionId)
Definition: uavc.c:445
sepgsql_database_relabel
void sepgsql_database_relabel(Oid databaseId, const char *seclabel)
Definition: database.c:187
sepgsql_avc_check_perms_label
bool sepgsql_avc_check_perms_label(const char *tcontext, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:337
sepgsql_schema_post_create
void sepgsql_schema_post_create(Oid namespaceId)
Definition: schema.c:36
sepgsql_schema_setattr
void sepgsql_schema_setattr(Oid namespaceId)
Definition: schema.c:202
sepgsql_init_client_label
void sepgsql_init_client_label(void)
Definition: label.c:404
sepgsql_schema_rename
void sepgsql_schema_rename(Oid namespaceId)
Definition: schema.c:229
sepgsql_proc_post_create
void sepgsql_proc_post_create(Oid functionId)
Definition: proc.c:37
sepgsql_compute_create
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
Definition: selinux.c:842
sepgsql_proc_relabel
void sepgsql_proc_relabel(Oid functionId, const char *seclabel)
Definition: proc.c:198
sepgsql_get_mode
int sepgsql_get_mode(void)
Definition: selinux.c:625
sepgsql_schema_remove_name
void sepgsql_schema_remove_name(Oid namespaceId)
Definition: schema.c:223
sepgsql_get_debug_audit
bool sepgsql_get_debug_audit(void)
Definition: hooks.c:77
sepgsql_database_post_create
void sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
Definition: database.c:33
sepgsql_compute_avd
void sepgsql_compute_avd(const char *scontext, const char *tcontext, uint16 tclass, struct av_decision *avd)
Definition: selinux.c:739
sepgsql_database_drop
void sepgsql_database_drop(Oid databaseId)
Definition: database.c:133
sepgsql_schema_add_name
void sepgsql_schema_add_name(Oid namespaceId)
Definition: schema.c:217
sepgsql_audit_log
void sepgsql_audit_log(bool denied, bool enforcing, const char *scontext, const char *tcontext, uint16 tclass, uint32 audited, const char *audit_name)
Definition: selinux.c:678
sepgsql_schema_relabel
void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
Definition: schema.c:142
sepgsql_relation_truncate
void sepgsql_relation_truncate(Oid relOid)
Definition: relation.c:524
sepgsql_proc_setattr
void sepgsql_proc_setattr(Oid functionId)
Definition: proc.c:235
sepgsql_relation_relabel
void sepgsql_relation_relabel(Oid relOid, const char *seclabel)
Definition: relation.c:564
sepgsql_dml_privileges
bool sepgsql_dml_privileges(List *rangeTabls, List *rteperminfos, bool abort_on_violation)
Definition: dml.c:282
sepgsql_get_label
char * sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
Definition: label.c:445
sepgsql_object_relabel
void sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
Definition: label.c:482
sepgsql_database_setattr
void sepgsql_database_setattr(Oid databaseId)
Definition: database.c:160
sepgsql_set_mode
int sepgsql_set_mode(int new_mode)
Definition: selinux.c:634
sepgsql_relation_setattr
void sepgsql_relation_setattr(Oid relOid)
Definition: relation.c:615
sepgsql_get_client_label
char * sepgsql_get_client_label(void)
Definition: label.c:80
sepgsql_proc_drop
void sepgsql_proc_drop(Oid functionId)
Definition: proc.c:155
sepgsql_is_enabled
bool sepgsql_is_enabled(void)
Definition: selinux.c:616
sepgsql_relation_drop
void sepgsql_relation_drop(Oid relOid)
Definition: relation.c:416
sepgsql_schema_search
bool sepgsql_schema_search(Oid namespaceId, bool abort_on_violation)
Definition: schema.c:209
sepgsql_getenforce
bool sepgsql_getenforce(void)
Definition: selinux.c:651
sepgsql_proc_execute
void sepgsql_proc_execute(Oid functionId)
Definition: proc.c:315
sepgsql_schema_drop
void sepgsql_schema_drop(Oid namespaceId)
Definition: schema.c:114
sepgsql_attribute_drop
void sepgsql_attribute_drop(Oid relOid, AttrNumber attnum)
Definition: relation.c:133
sepgsql_avc_init
void sepgsql_avc_init(void)
Definition: uavc.c:488
sepgsql_avc_check_perms
bool sepgsql_avc_check_perms(const ObjectAddress *tobject, uint16 tclass, uint32 required, const char *audit_name, bool abort_on_violation)
Definition: uavc.c:420
List
Definition: pg_list.h:54