Commit 4d355a8

Add a SECURITY LABEL command.
This is intended as infrastructure to support integration with label-based mandatory access control systems such as SE-Linux. Further changes (mostly hooks) will be needed, but this is a big chunk of it.

KaiGai Kohei and Robert Haas

1 parent 2ce0039 commit 4d355a8


42 files changed: +1815 -26 lines changed

contrib/Makefile

Lines changed: 1 addition & 0 deletions
@@ -15,6 +15,7 @@ SUBDIRS = \
1515
dblink\
1616
dict_int\
1717
dict_xsyn\
18+
dummy_seclabel\
1819
earthdistance\
1920
fuzzystrmatch\
2021
hstore\
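Review bot: adding dummy_seclabel to SUBDIRS builds and installs the dummy provider alongside every other contrib module, although its own header comment (in dummy_seclabel.c in this commit) says it exists only to allow regression testing independent of SELinux and that its only privilege gate is superuser(). Consider stating in the module source or a short README that it is test-only and not a real label provider, so nobody loads it in a production server expecting enforcement.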

contrib/dummy_seclabel/Makefile

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
# contrib/dummy_seclabel/Makefile
2+
3+
MODULES = dummy_seclabel
4+
5+
ifdefUSE_PGXS
6+
PG_CONFIG = pg_config
7+
PGXS :=$(shell$(PG_CONFIG) --pgxs)
8+
include$(PGXS)
9+
else
10+
subdir = contrib/dummy_seclabel
11+
top_builddir = ../..
12+
include$(top_builddir)/src/Makefile.global
13+
include$(top_srcdir)/contrib/contrib-global.mk
14+
endif
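Review bot: the Makefile declares MODULES but no REGRESS target, so the regression-testing purpose stated in dummy_seclabel.c has no tests wired up in the module itself; if the tests live in the core regression suite instead, a one-line comment here saying so would save the next reader a search. With no DATA or DOCS entries, `make install` installs only the shared library, which is consistent with a test-only module.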
contrib/dummy_seclabel/dummy_seclabel.c

Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
/*
2+
* dummy_seclabel.c
3+
*
4+
* Dummy security label provider.
5+
*
6+
* This module does not provide anything worthwhile from a security
7+
* perspective, but allows regression testing independent of platform-specific
8+
* features like SELinux.
9+
*
10+
* Portions Copyright (c) 1996-2010, PostgreSQL Global Development Group
11+
* Portions Copyright (c) 1994, Regents of the University of California
12+
*/
13+
#include"postgres.h"
14+
15+
#include"commands/seclabel.h"
16+
#include"miscadmin.h"
17+
18+
PG_MODULE_MAGIC;
19+
20+
/* Entrypoint of the module */
21+
void_PG_init(void);
22+
23+
staticvoid
24+
dummy_object_relabel(constObjectAddress*object,constchar*seclabel)
25+
{
26+
if (seclabel==NULL||
27+
strcmp(seclabel,"unclassified")==0||
28+
strcmp(seclabel,"classified")==0)
29+
return;
30+
31+
if (strcmp(seclabel,"secret")==0||
32+
strcmp(seclabel,"top secret")==0)
33+
{
34+
if (!superuser())
35+
ereport(ERROR,
36+
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
37+
errmsg("only superuser can set '%s' label",seclabel)));
38+
return;
39+
}
40+
ereport(ERROR,
41+
(errcode(ERRCODE_INVALID_NAME),
42+
errmsg("'%s' is not a valid security label",seclabel)));
43+
}
44+
45+
void
46+
_PG_init(void)
47+
{
48+
register_label_provider("dummy",dummy_object_relabel);
49+
}
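Review bot: in dummy_object_relabel the seclabel == NULL case (label removal) returns before the superuser() check, so as far as this callback is concerned a non-superuser can clear a "secret" or "top secret" label that only a superuser could set. For a provider meant to exercise the privilege paths of the new command, either gate removal of the restricted labels the same way or add a comment stating that unrestricted removal is deliberate. The callback also never looks at its `object` argument, so every object type is accepted; a short comment that this is intentional would help, because the SELinux provider this stands in for would need to inspect the ObjectAddress. Minor style point: both errmsg() strings wrap the label in single quotes, whereas PostgreSQL messages normally use double quotes around names.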

doc/src/sgml/catalogs.sgml

Lines changed: 172 additions & 0 deletions
@@ -208,6 +208,11 @@
208208
<entry>query rewrite rules</entry>
209209
</row>
210210

211+
<row>
212+
<entry><link linkend="catalog-pg-seclabel"><structname>pg_seclabel</structname></link></entry>
213+
<entry>security labels on database objects</entry>
214+
</row>
215+
211216
<row>
212217
<entry><link linkend="catalog-pg-shdepend"><structname>pg_shdepend</structname></link></entry>
213218
<entry>dependencies on shared objects</entry>
@@ -4229,6 +4234,77 @@
42294234
</sect1>
42304235

42314236

4237+
<sect1 id="catalog-pg-seclabel">
4238+
<title><structname>pg_seclabel</structname></title>
4239+
4240+
<indexterm zone="catalog-pg-seclabel">
4241+
<primary>pg_seclabel</primary>
4242+
</indexterm>
4243+
4244+
<para>
4245+
The catalog <structname>pg_seclabel</structname> stores security
4246+
labels on database objects. See the
4247+
<xref linkend="sql-security-label"> statement.
4248+
</para>
4249+
4250+
<table>
4251+
<title><structname>pg_seclabel</structname> Columns</title>
4252+
4253+
<tgroup cols="4">
4254+
<thead>
4255+
<row>
4256+
<entry>Name</entry>
4257+
<entry>Type</entry>
4258+
<entry>References</entry>
4259+
<entry>Description</entry>
4260+
</row>
4261+
</thead>
4262+
4263+
<tbody>
4264+
<row>
4265+
<entry><structfield>objoid</structfield></entry>
4266+
<entry><type>oid</type></entry>
4267+
<entry>any OID column</entry>
4268+
<entry>The OID of the object this security label pertains to</entry>
4269+
</row>
4270+
4271+
<row>
4272+
<entry><structfield>classoid</structfield></entry>
4273+
<entry><type>oid</type></entry>
4274+
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
4275+
<entry>The OID of the system catalog this object appears in</entry>
4276+
</row>
4277+
4278+
<row>
4279+
<entry><structfield>objsubid</structfield></entry>
4280+
<entry><type>int4</type></entry>
4281+
<entry></entry>
4282+
<entry>
4283+
For a security label on a table column, this is the column number (the
4284+
<structfield>objoid</> and <structfield>classoid</> refer to
4285+
the table itself). For all other object types, this column is
4286+
zero.
4287+
</entry>
4288+
</row>
4289+
4290+
<row>
4291+
<entry><structfield>provider</structfield></entry>
4292+
<entry><type>text</type></entry>
4293+
<entry></entry>
4294+
<entry>The label provider associated with this label.</entry>
4295+
</row>
4296+
4297+
<row>
4298+
<entry><structfield>label</structfield></entry>
4299+
<entry><type>text</type></entry>
4300+
<entry></entry>
4301+
<entry>The security label applied to this object.</entry>
4302+
</row>
4303+
</tbody>
4304+
</tgroup>
4305+
</table>
4306+
</sect1>
4307+
42324308
<sect1 id="catalog-pg-shdepend">
42334309
<title><structname>pg_shdepend</structname></title>
42344310

@@ -5883,6 +5959,11 @@
58835959
<entry>rules</entry>
58845960
</row>
58855961

5962+
<row>
5963+
<entry><link linkend="view-pg-seclabels"><structname>pg_seclabels</structname></link></entry>
5964+
<entry>security labels</entry>
5965+
</row>
5966+
58865967
<row>
58875968
<entry><link linkend="view-pg-settings"><structname>pg_settings</structname></link></entry>
58885969
<entry>parameter settings</entry>
@@ -6791,6 +6872,97 @@
67916872

67926873
</sect1>
67936874

6875+
<sect1 id="view-pg-seclabels">
6876+
<title><structname>pg_seclabels</structname></title>
6877+
6878+
<indexterm zone="view-pg-seclabels">
6879+
<primary>pg_seclabels</primary>
6880+
</indexterm>
6881+
6882+
<para>
6883+
The view <structname>pg_seclabels</structname> provides information about
6884+
security labels. It as an easier-to-query version of the
6885+
<link linkend="catalog-pg-seclabel"><structname>pg_seclabel</></> catalog.
6886+
</para>
6887+
6888+
<table>
6889+
<title><structname>pg_seclabels</> Columns</title>
6890+
6891+
<tgroup cols="4">
6892+
<thead>
6893+
<row>
6894+
<entry>Name</entry>
6895+
<entry>Type</entry>
6896+
<entry>References</entry>
6897+
<entry>Description</entry>
6898+
</row>
6899+
</thead>
6900+
<tbody>
6901+
<row>
6902+
<entry><structfield>objoid</structfield></entry>
6903+
<entry><type>oid</type></entry>
6904+
<entry>any OID column</entry>
6905+
<entry>The OID of the object this security label pertains to</entry>
6906+
</row>
6907+
<row>
6908+
<entry><structfield>classoid</structfield></entry>
6909+
<entry><type>oid</type></entry>
6910+
<entry><literal><link linkend="catalog-pg-class"><structname>pg_class</structname></link>.oid</literal></entry>
6911+
<entry>The OID of the system catalog this object appears in</entry>
6912+
</row>
6913+
<row>
6914+
<entry><structfield>objsubid</structfield></entry>
6915+
<entry><type>int4</type></entry>
6916+
<entry></entry>
6917+
<entry>
6918+
For a security label on a table column, this is the column number (the
6919+
<structfield>objoid</> and <structfield>classoid</> refer to
6920+
the table itself). For all other object types, this column is
6921+
zero.
6922+
</entry>
6923+
</row>
6924+
<row>
6925+
<entry><structfield>objtype</structfield></entry>
6926+
<entry><type>text</type></entry>
6927+
<entry></entry>
6928+
<entry>
6929+
The type of object to which this label applies, as text.
6930+
</entry>
6931+
</row>
6932+
<row>
6933+
<entry><structfield>objnamespace</structfield></entry>
6934+
<entry><type>oid</type></entry>
6935+
<entry><literal><link linkend="catalog-pg-namespace"><structname>pg_namespace</structname></link>.oid</literal></entry>
6936+
<entry>
6937+
The OID of the namespace for this object, if applicable;
6938+
otherwise NULL.
6939+
</entry>
6940+
</row>
6941+
<row>
6942+
<entry><structfield>objname</structfield></entry>
6943+
<entry><type>text</type></entry>
6944+
<entry></entry>
6945+
<entry>
6946+
The name of the object to which this label applies, as text.
6947+
</entry>
6948+
</row>
6949+
<row>
6950+
<entry><structfield>provider</structfield></entry>
6951+
<entry><type>text</type></entry>
6952+
<entry><literal><link linkend="catalog-pg-seclabel"><structname>pg_seclabel</structname></link>.provider</literal></entry>
6953+
<entry>The label provider associated with this label.</entry>
6954+
</row>
6955+
<row>
6956+
<entry><structfield>label</structfield></entry>
6957+
<entry><type>text</type></entry>
6958+
<entry><literal><link linkend="catalog-pg-seclabel"><structname>pg_seclabel</structname></link>.label</literal></entry>
6959+
<entry>The security label applied to this object.</entry>
6960+
</row>
6961+
</tbody>
6962+
</tgroup>
6963+
</table>
6964+
</sect1>
6965+
67946966
<sect1 id="view-pg-settings">
67956967
<title><structname>pg_settings</structname></title>
67966968

doc/src/sgml/ref/allfiles.sgml

Lines changed: 1 addition & 0 deletions
@@ -132,6 +132,7 @@ Complete list of usable sgml source files in this directory.
132132
<!entity rollbackPrepared system "rollback_prepared.sgml">
133133
<!entity rollbackTo system "rollback_to.sgml">
134134
<!entity savepoint system "savepoint.sgml">
135+
<!entity securityLabel system "security_label.sgml">
135136
<!entity select system "select.sgml">
136137
<!entity selectInto system "select_into.sgml">
137138
<!entity set system "set.sgml">

doc/src/sgml/ref/pg_dump.sgml

Lines changed: 10 additions & 0 deletions
@@ -778,6 +778,16 @@ PostgreSQL documentation
778778
</para>
779779
</listitem>
780780
</varlistentry>
781+
782+
<varlistentry>
783+
<term><option>--security-label</option></term>
784+
<listitem>
785+
<para>
786+
With this option, it also outputs security labels of database
787+
objects to be dumped, if labeled.
788+
</para>
789+
</listitem>
790+
</varlistentry>
781791
</variablelist>
782792
</para>
783793
</refsect1>

doc/src/sgml/ref/pg_dumpall.sgml

Lines changed: 9 additions & 0 deletions
@@ -493,6 +493,15 @@ PostgreSQL documentation
493493
</para>
494494
</listitem>
495495
</varlistentry>
496+
<varlistentry>
497+
<term><option>--security-label</option></term>
498+
<listitem>
499+
<para>
500+
With this option, it also outputs security labels of database
501+
objects to be dumped, if labeled.
502+
</para>
503+
</listitem>
504+
</varlistentry>
496505
</variablelist>
497506
</para>
498507
</refsect1>

doc/src/sgml/ref/pg_restore.sgml

Lines changed: 10 additions & 0 deletions
@@ -328,6 +328,16 @@
328328
</listitem>
329329
</varlistentry>
330330

331+
<varlistentry>
332+
<term><option>--no-security-label</option></term>
333+
<listitem>
334+
<para>
335+
Do not output commands to restore security labels,
336+
even if the archive contains them.
337+
</para>
338+
</listitem>
339+
</varlistentry>
340+
331341
<varlistentry>
332342
<term><option>-P <replaceable class="parameter">function-name(argtype [, ...])</replaceable></option></term>
333343
<term><option>--function=<replaceable class="parameter">function-name(argtype [, ...])</replaceable></option></term>
