NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitf4c4335

committed

Add context info to OAT_POST_CREATE security hook

... and have sepgsql use it to determine whether to check permissionsduring certain operations. Indexes that are being created as a resultof REINDEX, for instance, do not need to have their permissions checked;they were already checked when the index was created.Author: KaiGai Kohei, slightly revised by me

1 parent4c9d090 commitf4c4335Copy full SHA for f4c4335

File tree

16 files changed

+336

-116

lines changed

contrib/sepgsql
- expected
  - ddl.out
- hooks.c
- relation.c
- sepgsql.h
- sql
  - ddl.sql
doc/src/sgml
- sepgsql.sgml
src
- backend
  - bootstrap
    - bootparse.y
  - catalog
  - commands
- include/catalog

16 files changed

+336

-116

lines changed

`‎contrib/sepgsql/expected/ddl.out`

Lines changed: 53 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_`
`34`	`34`	`LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column ctid"`
`35`	`35`	`LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column x"`
`36`	`36`	`LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column y"`
	`37`	`+LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`38`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table"`
`37`	`39`	`ALTER TABLE regtest_table ADD COLUMN z int;`
`38`	`40`	`LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column z"`
`39`	`41`	`CREATE TABLE regtest_table_2 (a int) WITH OIDS;`
`@@ -93,6 +95,55 @@ LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfine`
`93`	`95`	`LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="function regtest_func_2(integer)"`
`94`	`96`	`RESET SESSION AUTHORIZATION;`
`95`	`97`	`--`
	`98`	`+-- ALTER and CREATE/DROP extra attribute permissions`
	`99`	`+--`
	`100`	`+CREATE TABLE regtest_table_4 (x int primary key, y int, z int);`
	`101`	`+LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`102`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`103`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column tableoid"`
	`104`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column cmax"`
	`105`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column xmax"`
	`106`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column cmin"`
	`107`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column xmin"`
	`108`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column ctid"`
	`109`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column x"`
	`110`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column y"`
	`111`	`+LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column z"`
	`112`	`+LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`113`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`114`	`+CREATE INDEX regtest_index_tbl4_y ON regtest_table_4(y);`
	`115`	`+LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`116`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`117`	`+CREATE INDEX regtest_index_tbl4_z ON regtest_table_4(z);`
	`118`	`+LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`119`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`120`	`+ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float;`
	`121`	`+DROP INDEX regtest_index_tbl4_y;`
	`122`	`+LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`123`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`124`	`+ALTER TABLE regtest_table_4`
	`125`	`+ ADD CONSTRAINT regtest_tbl4_con EXCLUDE USING btree (z WITH =);`
	`126`	`+LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`127`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`128`	`+DROP TABLE regtest_table_4 CASCADE;`
	`129`	`+LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`130`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`131`	`+LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`132`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`133`	`+LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`134`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`135`	`+LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`136`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table_4"`
	`137`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column tableoid"`
	`138`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column cmax"`
	`139`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column xmax"`
	`140`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column cmin"`
	`141`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column xmin"`
	`142`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column ctid"`
	`143`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column x"`
	`144`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column y"`
	`145`	`+LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_4 column z"`
	`146`	`+--`
`96`	`147`	`-- DROP Permission checks (with clean-up)`
`97`	`148`	`--`
`98`	`149`	`DROP FUNCTION regtest_func(text,int[]);`
`@@ -115,6 +166,8 @@ DROP TABLE regtest_table;`
`115`	`166`	`LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
`116`	`167`	`LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="sequence regtest_table_x_seq"`
`117`	`168`	`LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
	`169`	`+LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table"`
	`170`	`+LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="schema regtest_schema"`
`118`	`171`	`LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="table regtest_table"`
`119`	`172`	`LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column tableoid"`
`120`	`173`	`LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column cmax"`

`‎contrib/sepgsql/hooks.c`

Lines changed: 41 additions & 84 deletions

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,6 @@ void_PG_init(void);`
`38`	`38`	`staticobject_access_hook_typenext_object_access_hook=NULL;`
`39`	`39`	`staticExecutorCheckPerms_hook_typenext_exec_check_perms_hook=NULL;`
`40`	`40`	`staticProcessUtility_hook_typenext_ProcessUtility_hook=NULL;`
`41`		`-staticExecutorStart_hook_typenext_ExecutorStart_hook=NULL;`
`42`	`41`
`43`	`42`	`/*`
`44`	`43`	`* Contextual information on DDL commands`
`@@ -97,53 +96,55 @@ sepgsql_object_access(ObjectAccessType access,`
`97`	`96`	`switch (access)`
`98`	`97`	`{`
`99`	`98`	`caseOAT_POST_CREATE:`
`100`		`-switch (classId)`
`101`	`99`	`{`
`102`		`-caseDatabaseRelationId:`
`103`		`-sepgsql_database_post_create(objectId,`
`104`		`-sepgsql_context_info.createdb_dtemplate);`
`105`		`-break;`
	`100`	`+ObjectAccessPostCreate*pc_arg=arg;`
	`101`	`+boolis_internal;`
`106`	`102`
`107`		`-caseNamespaceRelationId:`
`108`		`-sepgsql_schema_post_create(objectId);`
`109`		`-break;`
	`103`	`+is_internal=pc_arg ?pc_arg->is_internal : false;`
`110`	`104`
`111`		`-caseRelationRelationId:`
`112`		`-if (subId==0)`
`113`		`-{`
`114`		`-/*`
`115`		`- * All cases we want to apply permission checks on`
`116`		`- * creation of a new relation are invocation of the`
`117`		`- * heap_create_with_catalog via DefineRelation or`
`118`		`- * OpenIntoRel. Elsewhere, we need neither assignment`
`119`		`- * of security label nor permission checks.`
`120`		`- */`
`121`		`-switch (sepgsql_context_info.cmdtype)`
	`105`	`+switch (classId)`
	`106`	`+{`
	`107`	`+caseDatabaseRelationId:`
	`108`	`+Assert(!is_internal);`
	`109`	`+sepgsql_database_post_create(objectId,`
	`110`	`+sepgsql_context_info.createdb_dtemplate);`
	`111`	`+break;`
	`112`	`+`
	`113`	`+caseNamespaceRelationId:`
	`114`	`+Assert(!is_internal);`
	`115`	`+sepgsql_schema_post_create(objectId);`
	`116`	`+break;`
	`117`	`+`
	`118`	`+caseRelationRelationId:`
	`119`	`+if (subId==0)`
`122`	`120`	`{`
`123`		`-caseT_CreateStmt:`
`124`		`-caseT_ViewStmt:`
`125`		`-caseT_CreateSeqStmt:`
`126`		`-caseT_CompositeTypeStmt:`
`127`		`-caseT_CreateForeignTableStmt:`
`128`		`-caseT_SelectStmt:`
`129`		`-sepgsql_relation_post_create(objectId);`
`130`		`-break;`
`131`		`-default:`
`132`		`-/* via make_new_heap() */`
	`121`	`+/*`
	`122`	`+ * The cases in which we want to apply permission`
	`123`	`+ * checks on creation of a new relation correspond`
	`124`	`+ * to direct user invocation. For internal uses,`
	`125`	`+ * that is creation of toast tables, index rebuild`
	`126`	`+ * or ALTER TABLE commands, we need neither`
	`127`	`+ * assignment of security labels nor permission`
	`128`	`+ * checks.`
	`129`	`+ */`
	`130`	`+if (is_internal)`
`133`	`131`	`break;`
	`132`	`+`
	`133`	`+sepgsql_relation_post_create(objectId);`
`134`	`134`	`}`
`135`		`-}`
`136`		`-else`
`137`		`-sepgsql_attribute_post_create(objectId,subId);`
`138`		`-break;`
	`135`	`+else`
	`136`	`+sepgsql_attribute_post_create(objectId,subId);`
	`137`	`+break;`
`139`	`138`
`140`		`-caseProcedureRelationId:`
`141`		`-sepgsql_proc_post_create(objectId);`
`142`		`-break;`
	`139`	`+caseProcedureRelationId:`
	`140`	`+Assert(!is_internal);`
	`141`	`+sepgsql_proc_post_create(objectId);`
	`142`	`+break;`
`143`	`143`
`144`		`-default:`
`145`		`-/* Ignore unsupported object classes */`
`146`		`-break;`
	`144`	`+default:`
	`145`	`+/* Ignore unsupported object classes */`
	`146`	`+break;`
	`147`	`+}`
`147`	`148`	`}`
`148`	`149`	`break;`
`149`	`150`
`@@ -215,46 +216,6 @@ sepgsql_exec_check_perms(List *rangeTabls, bool abort)`
`215`	`216`	`return true;`
`216`	`217`	`}`
`217`	`218`
`218`		`-/*`
`219`		`- * sepgsql_executor_start`
`220`		`- *`
`221`		`- * It saves contextual information during ExecutorStart to distinguish`
`222`		`- * a case with/without permission checks later.`
`223`		`- */`
`224`		`-staticvoid`
`225`		`-sepgsql_executor_start(QueryDesc*queryDesc,inteflags)`
`226`		`-{`
`227`		`-sepgsql_context_info_tsaved_context_info=sepgsql_context_info;`
`228`		`-`
`229`		`-PG_TRY();`
`230`		`-{`
`231`		`-if (queryDesc->operation==CMD_SELECT)`
`232`		`-sepgsql_context_info.cmdtype=T_SelectStmt;`
`233`		`-elseif (queryDesc->operation==CMD_INSERT)`
`234`		`-sepgsql_context_info.cmdtype=T_InsertStmt;`
`235`		`-elseif (queryDesc->operation==CMD_DELETE)`
`236`		`-sepgsql_context_info.cmdtype=T_DeleteStmt;`
`237`		`-elseif (queryDesc->operation==CMD_UPDATE)`
`238`		`-sepgsql_context_info.cmdtype=T_UpdateStmt;`
`239`		`-`
`240`		`-/*`
`241`		`- * XXX - If queryDesc->operation is not above four cases, an error`
`242`		`- * shall be raised on the following executor stage soon.`
`243`		`- */`
`244`		`-if (next_ExecutorStart_hook)`
`245`		`-(*next_ExecutorStart_hook) (queryDesc,eflags);`
`246`		`-else`
`247`		`-standard_ExecutorStart(queryDesc,eflags);`
`248`		`-}`
`249`		`-PG_CATCH();`
`250`		`-{`
`251`		`-sepgsql_context_info=saved_context_info;`
`252`		`-PG_RE_THROW();`
`253`		`-}`
`254`		`-PG_END_TRY();`
`255`		`-sepgsql_context_info=saved_context_info;`
`256`		`-}`
`257`		`-`
`258`	`219`	`/*`
`259`	`220`	`* sepgsql_utility_command`
`260`	`221`	`*`
`@@ -425,10 +386,6 @@ _PG_init(void)`
`425`	`386`	`next_ProcessUtility_hook=ProcessUtility_hook;`
`426`	`387`	`ProcessUtility_hook=sepgsql_utility_command;`
`427`	`388`
`428`		`-/* ExecutorStart hook */`
`429`		`-next_ExecutorStart_hook=ExecutorStart_hook;`
`430`		`-ExecutorStart_hook=sepgsql_executor_start;`
`431`		`-`
`432`	`389`	`/* init contextual info */`
`433`	`390`	`memset(&sepgsql_context_info,0,sizeof(sepgsql_context_info));`
`434`	`391`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf4c4335

File tree

16 files changed

16 files changed

`‎contrib/sepgsql/expected/ddl.out`

`‎contrib/sepgsql/hooks.c`

0 commit comments