NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit291873c

committed

Teach sepgsql about database labels.

This is still a bit of a hack, but it's better than the old way, for sure.KaiGai Kohei, with one change by me to make it compile

1 parenta5e94ea commit291873cCopy full SHA for 291873c

File tree

6 files changed

+128

-13

lines changed

contrib/sepgsql

6 files changed

+128

-13

lines changed

`‎contrib/sepgsql/Makefile`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`
`3`	`3`	`MODULE_big = sepgsql`
`4`	`4`	`OBJS = hooks.o selinux.o uavc.o label.o dml.o\`
`5`		`-schema.o relation.o proc.o`
	`5`	`+database.oschema.o relation.o proc.o`
`6`	`6`	`DATA_built = sepgsql.sql`
`7`	`7`
`8`	`8`	`REGRESS = label dml misc`

`‎contrib/sepgsql/database.c`

Lines changed: 88 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,88 @@`
	`1`	`+/* -------------------------------------------------------------------------`
	`2`	`+ *`
	`3`	`+ * contrib/sepgsql/database.c`
	`4`	`+ *`
	`5`	`+ * Routines corresponding to database objects`
	`6`	`+ *`
	`7`	`+ * Copyright (c) 2010-2011, PostgreSQL Global Development Group`
	`8`	`+ *`
	`9`	`+ * -------------------------------------------------------------------------`
	`10`	`+ */`
	`11`	`+#include"postgres.h"`
	`12`	`+`
	`13`	`+#include"catalog/dependency.h"`
	`14`	`+#include"catalog/pg_database.h"`
	`15`	`+#include"commands/seclabel.h"`
	`16`	`+#include"sepgsql.h"`
	`17`	`+`
	`18`	`+void`
	`19`	`+sepgsql_database_post_create(OiddatabaseId)`
	`20`	`+{`
	`21`	`+char*scontext=sepgsql_get_client_label();`
	`22`	`+char*tcontext;`
	`23`	`+char*ncontext;`
	`24`	`+ObjectAddressobject;`
	`25`	`+`
	`26`	`+/*`
	`27`	`+ * Compute a default security label of the newly created database`
	`28`	`+ * based on a pair of security label of client and source database.`
	`29`	`+ *`
	`30`	`+ * XXX - Right now, this logic uses "template1" as its source, because`
	`31`	`+ * here is no way to know the Oid of source database.`
	`32`	`+ */`
	`33`	`+object.classId=DatabaseRelationId;`
	`34`	`+object.objectId=TemplateDbOid;`
	`35`	`+object.objectSubId=0;`
	`36`	`+tcontext=GetSecurityLabel(&object,SEPGSQL_LABEL_TAG);`
	`37`	`+`
	`38`	`+ncontext=sepgsql_compute_create(scontext,tcontext,`
	`39`	`+SEPG_CLASS_DB_DATABASE);`
	`40`	`+`
	`41`	`+/*`
	`42`	`+ * Assign the default security label on the new database`
	`43`	`+ */`
	`44`	`+object.classId=DatabaseRelationId;`
	`45`	`+object.objectId=databaseId;`
	`46`	`+object.objectSubId=0;`
	`47`	`+`
	`48`	`+SetSecurityLabel(&object,SEPGSQL_LABEL_TAG,ncontext);`
	`49`	`+`
	`50`	`+pfree(ncontext);`
	`51`	`+pfree(tcontext);`
	`52`	`+}`
	`53`	`+`
	`54`	`+/*`
	`55`	`+ * sepgsql_database_relabel`
	`56`	`+ *`
	`57`	+ * It checks privileges to relabel the supplied database with the `seclabel'
	`58`	`+ */`
	`59`	`+void`
	`60`	`+sepgsql_database_relabel(OiddatabaseId,constchar*seclabel)`
	`61`	`+{`
	`62`	`+ObjectAddressobject;`
	`63`	`+char*audit_name;`
	`64`	`+`
	`65`	`+object.classId=DatabaseRelationId;`
	`66`	`+object.objectId=databaseId;`
	`67`	`+object.objectSubId=0;`
	`68`	`+audit_name=getObjectDescription(&object);`
	`69`	`+`
	`70`	`+/*`
	`71`	`+ * check db_database:{setattr relabelfrom} permission`
	`72`	`+ */`
	`73`	`+sepgsql_avc_check_perms(&object,`
	`74`	`+SEPG_CLASS_DB_DATABASE,`
	`75`	`+SEPG_DB_DATABASE__SETATTR \|`
	`76`	`+SEPG_DB_DATABASE__RELABELFROM,`
	`77`	`+audit_name,`
	`78`	`+true);`
	`79`	`+/*`
	`80`	`+ * check db_database:{relabelto} permission`
	`81`	`+ */`
	`82`	`+sepgsql_avc_check_perms_label(seclabel,`
	`83`	`+SEPG_CLASS_DB_DATABASE,`
	`84`	`+SEPG_DB_DATABASE__RELABELTO,`
	`85`	`+audit_name,`
	`86`	`+ true);`
	`87`	`+pfree(audit_name);`
	`88`	`+}`

`‎contrib/sepgsql/hooks.c`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`
`13`	`13`	`#include"catalog/objectaccess.h"`
`14`	`14`	`#include"catalog/pg_class.h"`
	`15`	`+#include"catalog/pg_database.h"`
`15`	`16`	`#include"catalog/pg_namespace.h"`
`16`	`17`	`#include"catalog/pg_proc.h"`
`17`	`18`	`#include"commands/seclabel.h"`
`@@ -125,6 +126,10 @@ sepgsql_object_access(ObjectAccessType access,`
`125`	`126`	`caseOAT_POST_CREATE:`
`126`	`127`	`switch (classId)`
`127`	`128`	`{`
	`129`	`+caseDatabaseRelationId:`
	`130`	`+sepgsql_database_post_create(objectId);`
	`131`	`+break;`
	`132`	`+`
`128`	`133`	`caseNamespaceRelationId:`
`129`	`134`	`sepgsql_schema_post_create(objectId);`
`130`	`135`	`break;`

`‎contrib/sepgsql/label.c`

Lines changed: 22 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@`
`17`	`17`	`#include"catalog/indexing.h"`
`18`	`18`	`#include"catalog/pg_attribute.h"`
`19`	`19`	`#include"catalog/pg_class.h"`
	`20`	`+#include"catalog/pg_database.h"`
`20`	`21`	`#include"catalog/pg_namespace.h"`
`21`	`22`	`#include"catalog/pg_proc.h"`
`22`	`23`	`#include"commands/dbcommands.h"`
`@@ -121,9 +122,14 @@ sepgsql_object_relabel(const ObjectAddress object, const char seclabel)`
`121`	`122`	`*/`
`122`	`123`	`switch (object->classId)`
`123`	`124`	`{`
	`125`	`+caseDatabaseRelationId:`
	`126`	`+sepgsql_database_relabel(object->objectId,seclabel);`
	`127`	`+break;`
	`128`	`+`
`124`	`129`	`caseNamespaceRelationId:`
`125`	`130`	`sepgsql_schema_relabel(object->objectId,seclabel);`
`126`	`131`	`break;`
	`132`	`+`
`127`	`133`	`caseRelationRelationId:`
`128`	`134`	`if (object->objectSubId==0)`
`129`	`135`	`sepgsql_relation_relabel(object->objectId,`
`@@ -133,6 +139,7 @@ sepgsql_object_relabel(const ObjectAddress object, const char seclabel)`
`133`	`139`	`object->objectSubId,`
`134`	`140`	`seclabel);`
`135`	`141`	`break;`
	`142`	`+`
`136`	`143`	`caseProcedureRelationId:`
`137`	`144`	`sepgsql_proc_relabel(object->objectId,seclabel);`
`138`	`145`	`break;`
`@@ -315,6 +322,7 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId)`
`315`	`322`	`SnapshotNow,0,NULL);`
`316`	`323`	`while (HeapTupleIsValid(tuple=systable_getnext(sscan)))`
`317`	`324`	`{`
	`325`	`+Form_pg_databasedatForm;`
`318`	`326`	`Form_pg_namespacenspForm;`
`319`	`327`	`Form_pg_classrelForm;`
`320`	`328`	`Form_pg_attributeattForm;`
`@@ -330,6 +338,19 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId)`
`330`	`338`	`*/`
`331`	`339`	`switch (catalogId)`
`332`	`340`	`{`
	`341`	`+caseDatabaseRelationId:`
	`342`	`+datForm= (Form_pg_database)GETSTRUCT(tuple);`
	`343`	`+`
	`344`	`+objtype=SELABEL_DB_DATABASE;`
	`345`	`+`
	`346`	`+objname=quote_object_name(NameStr(datForm->datname),`
	`347`	`+NULL,NULL,NULL);`
	`348`	`+`
	`349`	`+object.classId=DatabaseRelationId;`
	`350`	`+object.objectId=HeapTupleGetOid(tuple);`
	`351`	`+object.objectSubId=0;`
	`352`	`+break;`
	`353`	`+`
`333`	`354`	`caseNamespaceRelationId:`
`334`	`355`	`nspForm= (Form_pg_namespace)GETSTRUCT(tuple);`
`335`	`356`
`@@ -506,10 +527,7 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)`
`506`	`527`	`errmsg("SELinux: failed to initialize labeling handle: %m")));`
`507`	`528`	`PG_TRY();`
`508`	`529`	`{`
`509`		`-/*`
`510`		`- * Right now, we have no support labeling on the shared database`
`511`		`- * objects, such as database, role, or tablespace.`
`512`		`- */`
	`530`	`+exec_object_restorecon(sehnd,DatabaseRelationId);`
`513`	`531`	`exec_object_restorecon(sehnd,NamespaceRelationId);`
`514`	`532`	`exec_object_restorecon(sehnd,RelationRelationId);`
`515`	`533`	`exec_object_restorecon(sehnd,AttributeRelationId);`

`‎contrib/sepgsql/schema.c`

Lines changed: 6 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,10 @@`
`11`	`11`	`#include"postgres.h"`
`12`	`12`
`13`	`13`	`#include"catalog/dependency.h"`
	`14`	`+#include"catalog/pg_database.h"`
`14`	`15`	`#include"catalog/pg_namespace.h"`
`15`	`16`	`#include"commands/seclabel.h"`
	`17`	`+#include"miscadmin.h"`
`16`	`18`	`#include"utils/lsyscache.h"`
`17`	`19`
`18`	`20`	`#include"sepgsql.h"`
`@@ -26,22 +28,17 @@`
`26`	`28`	`void`
`27`	`29`	`sepgsql_schema_post_create(OidnamespaceId)`
`28`	`30`	`{`
`29`		`-char*scontext=sepgsql_get_client_label();`
	`31`	`+char*scontext;`
`30`	`32`	`char*tcontext;`
`31`	`33`	`char*ncontext;`
`32`	`34`	`ObjectAddressobject;`
`33`	`35`
`34`		`-/*`
`35`		`- * FIXME: Right now, we assume pg_database object has a fixed security`
`36`		`- * label, because pg_seclabel does not support to store label of shared`
`37`		`- * database objects.`
`38`		`- */`
`39`		`-tcontext="system_u:object_r:sepgsql_db_t:s0";`
`40`		`-`
`41`	`36`	`/*`
`42`	`37`	`* Compute a default security label when we create a new schema object`
`43`	`38`	`* under the working database.`
`44`	`39`	`*/`
	`40`	`+scontext=sepgsql_get_client_label();`
	`41`	`+tcontext=sepgsql_get_label(DatabaseRelationId,MyDatabaseId,0);`
`45`	`42`	`ncontext=sepgsql_compute_create(scontext,tcontext,`
`46`	`43`	`SEPG_CLASS_DB_SCHEMA);`
`47`	`44`
`@@ -54,6 +51,7 @@ sepgsql_schema_post_create(Oid namespaceId)`
`54`	`51`	`SetSecurityLabel(&object,SEPGSQL_LABEL_TAG,ncontext);`
`55`	`52`
`56`	`53`	`pfree(ncontext);`
	`54`	`+pfree(tcontext);`
`57`	`55`	`}`
`58`	`56`
`59`	`57`	`/*`

`‎contrib/sepgsql/sepgsql.h`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -283,6 +283,12 @@ extern Datum sepgsql_restorecon(PG_FUNCTION_ARGS);`
`283`	`283`	`*/`
`284`	`284`	`externboolsepgsql_dml_privileges(List*rangeTabls,boolabort);`
`285`	`285`
	`286`	`+/*`
	`287`	`+ * database.c`
	`288`	`+ */`
	`289`	`+externvoidsepgsql_database_post_create(OiddatabaseId);`
	`290`	`+externvoidsepgsql_database_relabel(OiddatabaseId,constchar*seclabel);`
	`291`	`+`
`286`	`292`	`/*`
`287`	`293`	`* schema.c`
`288`	`294`	`*/`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit291873c

File tree

6 files changed

6 files changed

`‎contrib/sepgsql/Makefile`

`‎contrib/sepgsql/database.c`

`‎contrib/sepgsql/hooks.c`

`‎contrib/sepgsql/label.c`

`‎contrib/sepgsql/schema.c`

`‎contrib/sepgsql/sepgsql.h`

0 commit comments