Header And Logo
|
#include "postgres.h"#include "access/genam.h"#include "access/heapam.h"#include "access/htup_details.h"#include "access/sysattr.h"#include "catalog/dependency.h"#include "catalog/pg_database.h"#include "catalog/indexing.h"#include "commands/dbcommands.h"#include "commands/seclabel.h"#include "utils/builtins.h"#include "utils/fmgroids.h"#include "utils/tqual.h"#include "sepgsql.h"
Go to the source code of this file.
Functions | |
| void | sepgsql_database_post_create (Oid databaseId, const char *dtemplate) |
| void | sepgsql_database_drop (Oid databaseId) |
| void | sepgsql_database_setattr (Oid databaseId) |
| void | sepgsql_database_relabel (Oid databaseId, const char *seclabel) |
| void sepgsql_database_drop | ( | Oid | databaseId | ) |
Definition at line 134 of file database.c.
References getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__DROP, and sepgsql_avc_check_perms().
Referenced by sepgsql_object_access().
{
ObjectAddress object;
char *audit_name;
/*
* check db_database:{drop} permission
*/
object.classId = DatabaseRelationId;
object.objectId = databaseId;
object.objectSubId = 0;
audit_name = getObjectIdentity(&object);
sepgsql_avc_check_perms(&object,
SEPG_CLASS_DB_DATABASE,
SEPG_DB_DATABASE__DROP,
audit_name,
true);
pfree(audit_name);
}
| void sepgsql_database_post_create | ( | Oid | databaseId, | |
| const char * | dtemplate | |||
| ) |
Definition at line 34 of file database.c.
References AccessShareLock, appendStringInfo(), BTEqualStrategyNumber, StringInfoData::data, DatabaseOidIndexId, DatabaseRelationId, elog, ERROR, get_database_oid(), GETSTRUCT, heap_close, heap_open(), HeapTupleIsValid, initStringInfo(), NameStr, ObjectIdAttributeNumber, ObjectIdGetDatum, pfree(), quote_identifier(), resetStringInfo(), ScanKeyInit(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__CREATE, SEPG_DB_DATABASE__GETATTR, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), and systable_getnext().
Referenced by sepgsql_object_access().
{
Relation rel;
ScanKeyData skey;
SysScanDesc sscan;
HeapTuple tuple;
char *tcontext;
char *ncontext;
ObjectAddress object;
Form_pg_database datForm;
StringInfoData audit_name;
/*
* Oid of the source database is not saved in pg_database catalog, so we
* collect its identifier using contextual information. If NULL, its
* default is "template1" according to createdb().
*/
if (!dtemplate)
dtemplate = "template1";
object.classId = DatabaseRelationId;
object.objectId = get_database_oid(dtemplate, false);
object.objectSubId = 0;
tcontext = sepgsql_get_label(object.classId,
object.objectId,
object.objectSubId);
/*
* check db_database:{getattr} permission
*/
initStringInfo(&audit_name);
appendStringInfo(&audit_name, "%s", quote_identifier(dtemplate));
sepgsql_avc_check_perms_label(tcontext,
SEPG_CLASS_DB_DATABASE,
SEPG_DB_DATABASE__GETATTR,
audit_name.data,
true);
/*
* Compute a default security label of the newly created database based on
* a pair of security label of client and source database.
*
* XXX - uncoming version of libselinux supports to take object name to
* handle special treatment on default security label.
*/
rel = heap_open(DatabaseRelationId, AccessShareLock);
ScanKeyInit(&skey,
ObjectIdAttributeNumber,
BTEqualStrategyNumber, F_OIDEQ,
ObjectIdGetDatum(databaseId));
sscan = systable_beginscan(rel, DatabaseOidIndexId, true,
SnapshotSelf, 1, &skey);
tuple = systable_getnext(sscan);
if (!HeapTupleIsValid(tuple))
elog(ERROR, "catalog lookup failed for database %u", databaseId);
datForm = (Form_pg_database) GETSTRUCT(tuple);
ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext,
SEPG_CLASS_DB_DATABASE,
NameStr(datForm->datname));
/*
* check db_database:{create} permission
*/
resetStringInfo(&audit_name);
appendStringInfo(&audit_name, "%s",
quote_identifier(NameStr(datForm->datname)));
sepgsql_avc_check_perms_label(ncontext,
SEPG_CLASS_DB_DATABASE,
SEPG_DB_DATABASE__CREATE,
audit_name.data,
true);
systable_endscan(sscan);
heap_close(rel, AccessShareLock);
/*
* Assign the default security label on the new database
*/
object.classId = DatabaseRelationId;
object.objectId = databaseId;
object.objectSubId = 0;
SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);
pfree(ncontext);
pfree(tcontext);
}
| void sepgsql_database_relabel | ( | Oid | databaseId, | |
| const char * | seclabel | |||
| ) |
Definition at line 188 of file database.c.
References getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__RELABELFROM, SEPG_DB_DATABASE__RELABELTO, SEPG_DB_DATABASE__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().
Referenced by sepgsql_object_relabel().
{
ObjectAddress object;
char *audit_name;
object.classId = DatabaseRelationId;
object.objectId = databaseId;
object.objectSubId = 0;
audit_name = getObjectIdentity(&object);
/*
* check db_database:{setattr relabelfrom} permission
*/
sepgsql_avc_check_perms(&object,
SEPG_CLASS_DB_DATABASE,
SEPG_DB_DATABASE__SETATTR |
SEPG_DB_DATABASE__RELABELFROM,
audit_name,
true);
/*
* check db_database:{relabelto} permission
*/
sepgsql_avc_check_perms_label(seclabel,
SEPG_CLASS_DB_DATABASE,
SEPG_DB_DATABASE__RELABELTO,
audit_name,
true);
pfree(audit_name);
}
| void sepgsql_database_setattr | ( | Oid | databaseId | ) |
Definition at line 161 of file database.c.
References getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__SETATTR, and sepgsql_avc_check_perms().
Referenced by sepgsql_object_access().
{
ObjectAddress object;
char *audit_name;
/*
* check db_database:{setattr} permission
*/
object.classId = DatabaseRelationId;
object.objectId = databaseId;
object.objectSubId = 0;
audit_name = getObjectIdentity(&object);
sepgsql_avc_check_perms(&object,
SEPG_CLASS_DB_DATABASE,
SEPG_DB_DATABASE__SETATTR,
audit_name,
true);
pfree(audit_name);
}
1.7.1