Header And Logo

PostgreSQL
| The world's most advanced open source database.

Functions

database.c File Reference

#include "postgres.h"
#include "access/genam.h"
#include "access/heapam.h"
#include "access/htup_details.h"
#include "access/sysattr.h"
#include "catalog/dependency.h"
#include "catalog/pg_database.h"
#include "catalog/indexing.h"
#include "commands/dbcommands.h"
#include "commands/seclabel.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/tqual.h"
#include "sepgsql.h"
Include dependency graph for database.c:

Go to the source code of this file.

Functions

void sepgsql_database_post_create (Oid databaseId, const char *dtemplate)
void sepgsql_database_drop (Oid databaseId)
void sepgsql_database_setattr (Oid databaseId)
void sepgsql_database_relabel (Oid databaseId, const char *seclabel)

Function Documentation

void sepgsql_database_drop ( Oid  databaseId  ) 

Definition at line 134 of file database.c.

References getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__DROP, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

{
    ObjectAddress object;
    char       *audit_name;

    /*
     * check db_database:{drop} permission
     */
    object.classId = DatabaseRelationId;
    object.objectId = databaseId;
    object.objectSubId = 0;
    audit_name = getObjectIdentity(&object);

    sepgsql_avc_check_perms(&object,
                            SEPG_CLASS_DB_DATABASE,
                            SEPG_DB_DATABASE__DROP,
                            audit_name,
                            true);
    pfree(audit_name);
}

void sepgsql_database_post_create ( Oid  databaseId,
const char *  dtemplate 
)

Definition at line 34 of file database.c.

References AccessShareLock, appendStringInfo(), BTEqualStrategyNumber, StringInfoData::data, DatabaseOidIndexId, DatabaseRelationId, elog, ERROR, get_database_oid(), GETSTRUCT, heap_close, heap_open(), HeapTupleIsValid, initStringInfo(), NameStr, ObjectIdAttributeNumber, ObjectIdGetDatum, pfree(), quote_identifier(), resetStringInfo(), ScanKeyInit(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__CREATE, SEPG_DB_DATABASE__GETATTR, sepgsql_avc_check_perms_label(), sepgsql_compute_create(), sepgsql_get_client_label(), sepgsql_get_label(), SEPGSQL_LABEL_TAG, SetSecurityLabel(), SnapshotSelf, systable_beginscan(), systable_endscan(), and systable_getnext().

Referenced by sepgsql_object_access().

{
    Relation    rel;
    ScanKeyData skey;
    SysScanDesc sscan;
    HeapTuple   tuple;
    char       *tcontext;
    char       *ncontext;
    ObjectAddress object;
    Form_pg_database datForm;
    StringInfoData audit_name;

    /*
     * Oid of the source database is not saved in pg_database catalog, so we
     * collect its identifier using contextual information. If NULL, its
     * default is "template1" according to createdb().
     */
    if (!dtemplate)
        dtemplate = "template1";

    object.classId = DatabaseRelationId;
    object.objectId = get_database_oid(dtemplate, false);
    object.objectSubId = 0;

    tcontext = sepgsql_get_label(object.classId,
                                 object.objectId,
                                 object.objectSubId);

    /*
     * check db_database:{getattr} permission
     */
    initStringInfo(&audit_name);
    appendStringInfo(&audit_name, "%s", quote_identifier(dtemplate));
    sepgsql_avc_check_perms_label(tcontext,
                                  SEPG_CLASS_DB_DATABASE,
                                  SEPG_DB_DATABASE__GETATTR,
                                  audit_name.data,
                                  true);

    /*
     * Compute a default security label of the newly created database based on
     * a pair of security label of client and source database.
     *
     * XXX - uncoming version of libselinux supports to take object name to
     * handle special treatment on default security label.
     */
    rel = heap_open(DatabaseRelationId, AccessShareLock);

    ScanKeyInit(&skey,
                ObjectIdAttributeNumber,
                BTEqualStrategyNumber, F_OIDEQ,
                ObjectIdGetDatum(databaseId));

    sscan = systable_beginscan(rel, DatabaseOidIndexId, true,
                               SnapshotSelf, 1, &skey);
    tuple = systable_getnext(sscan);
    if (!HeapTupleIsValid(tuple))
        elog(ERROR, "catalog lookup failed for database %u", databaseId);

    datForm = (Form_pg_database) GETSTRUCT(tuple);

    ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
                                      tcontext,
                                      SEPG_CLASS_DB_DATABASE,
                                      NameStr(datForm->datname));

    /*
     * check db_database:{create} permission
     */
    resetStringInfo(&audit_name);
    appendStringInfo(&audit_name, "%s",
                     quote_identifier(NameStr(datForm->datname)));
    sepgsql_avc_check_perms_label(ncontext,
                                  SEPG_CLASS_DB_DATABASE,
                                  SEPG_DB_DATABASE__CREATE,
                                  audit_name.data,
                                  true);

    systable_endscan(sscan);
    heap_close(rel, AccessShareLock);

    /*
     * Assign the default security label on the new database
     */
    object.classId = DatabaseRelationId;
    object.objectId = databaseId;
    object.objectSubId = 0;

    SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, ncontext);

    pfree(ncontext);
    pfree(tcontext);
}

void sepgsql_database_relabel ( Oid  databaseId,
const char *  seclabel 
)

Definition at line 188 of file database.c.

References getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__RELABELFROM, SEPG_DB_DATABASE__RELABELTO, SEPG_DB_DATABASE__SETATTR, sepgsql_avc_check_perms(), and sepgsql_avc_check_perms_label().

Referenced by sepgsql_object_relabel().

{
    ObjectAddress object;
    char       *audit_name;

    object.classId = DatabaseRelationId;
    object.objectId = databaseId;
    object.objectSubId = 0;
    audit_name = getObjectIdentity(&object);

    /*
     * check db_database:{setattr relabelfrom} permission
     */
    sepgsql_avc_check_perms(&object,
                            SEPG_CLASS_DB_DATABASE,
                            SEPG_DB_DATABASE__SETATTR |
                            SEPG_DB_DATABASE__RELABELFROM,
                            audit_name,
                            true);

    /*
     * check db_database:{relabelto} permission
     */
    sepgsql_avc_check_perms_label(seclabel,
                                  SEPG_CLASS_DB_DATABASE,
                                  SEPG_DB_DATABASE__RELABELTO,
                                  audit_name,
                                  true);
    pfree(audit_name);
}

void sepgsql_database_setattr ( Oid  databaseId  ) 

Definition at line 161 of file database.c.

References getObjectIdentity(), pfree(), SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__SETATTR, and sepgsql_avc_check_perms().

Referenced by sepgsql_object_access().

{
    ObjectAddress object;
    char       *audit_name;

    /*
     * check db_database:{setattr} permission
     */
    object.classId = DatabaseRelationId;
    object.objectId = databaseId;
    object.objectSubId = 0;
    audit_name = getObjectIdentity(&object);

    sepgsql_avc_check_perms(&object,
                            SEPG_CLASS_DB_DATABASE,
                            SEPG_DB_DATABASE__SETATTR,
                            audit_name,
                            true);
    pfree(audit_name);
}