Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit291873c

Browse files
committed
Teach sepgsql about database labels.
This is still a bit of a hack, but it's better than the old way, for sure.KaiGai Kohei, with one change by me to make it compile
1 parenta5e94ea commit291873c

File tree

6 files changed

+128
-13
lines changed

6 files changed

+128
-13
lines changed

‎contrib/sepgsql/Makefile‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
MODULE_big = sepgsql
44
OBJS = hooks.o selinux.o uavc.o label.o dml.o\
5-
schema.o relation.o proc.o
5+
database.oschema.o relation.o proc.o
66
DATA_built = sepgsql.sql
77

88
REGRESS = label dml misc

‎contrib/sepgsql/database.c‎

Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,88 @@
1+
/* -------------------------------------------------------------------------
2+
*
3+
* contrib/sepgsql/database.c
4+
*
5+
* Routines corresponding to database objects
6+
*
7+
* Copyright (c) 2010-2011, PostgreSQL Global Development Group
8+
*
9+
* -------------------------------------------------------------------------
10+
*/
11+
#include"postgres.h"
12+
13+
#include"catalog/dependency.h"
14+
#include"catalog/pg_database.h"
15+
#include"commands/seclabel.h"
16+
#include"sepgsql.h"
17+
18+
void
19+
sepgsql_database_post_create(OiddatabaseId)
20+
{
21+
char*scontext=sepgsql_get_client_label();
22+
char*tcontext;
23+
char*ncontext;
24+
ObjectAddressobject;
25+
26+
/*
27+
* Compute a default security label of the newly created database
28+
* based on a pair of security label of client and source database.
29+
*
30+
* XXX - Right now, this logic uses "template1" as its source, because
31+
* here is no way to know the Oid of source database.
32+
*/
33+
object.classId=DatabaseRelationId;
34+
object.objectId=TemplateDbOid;
35+
object.objectSubId=0;
36+
tcontext=GetSecurityLabel(&object,SEPGSQL_LABEL_TAG);
37+
38+
ncontext=sepgsql_compute_create(scontext,tcontext,
39+
SEPG_CLASS_DB_DATABASE);
40+
41+
/*
42+
* Assign the default security label on the new database
43+
*/
44+
object.classId=DatabaseRelationId;
45+
object.objectId=databaseId;
46+
object.objectSubId=0;
47+
48+
SetSecurityLabel(&object,SEPGSQL_LABEL_TAG,ncontext);
49+
50+
pfree(ncontext);
51+
pfree(tcontext);
52+
}
53+
54+
/*
55+
* sepgsql_database_relabel
56+
*
57+
* It checks privileges to relabel the supplied database with the `seclabel'
58+
*/
59+
void
60+
sepgsql_database_relabel(OiddatabaseId,constchar*seclabel)
61+
{
62+
ObjectAddressobject;
63+
char*audit_name;
64+
65+
object.classId=DatabaseRelationId;
66+
object.objectId=databaseId;
67+
object.objectSubId=0;
68+
audit_name=getObjectDescription(&object);
69+
70+
/*
71+
* check db_database:{setattr relabelfrom} permission
72+
*/
73+
sepgsql_avc_check_perms(&object,
74+
SEPG_CLASS_DB_DATABASE,
75+
SEPG_DB_DATABASE__SETATTR |
76+
SEPG_DB_DATABASE__RELABELFROM,
77+
audit_name,
78+
true);
79+
/*
80+
* check db_database:{relabelto} permission
81+
*/
82+
sepgsql_avc_check_perms_label(seclabel,
83+
SEPG_CLASS_DB_DATABASE,
84+
SEPG_DB_DATABASE__RELABELTO,
85+
audit_name,
86+
true);
87+
pfree(audit_name);
88+
}

‎contrib/sepgsql/hooks.c‎

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@
1212

1313
#include"catalog/objectaccess.h"
1414
#include"catalog/pg_class.h"
15+
#include"catalog/pg_database.h"
1516
#include"catalog/pg_namespace.h"
1617
#include"catalog/pg_proc.h"
1718
#include"commands/seclabel.h"
@@ -125,6 +126,10 @@ sepgsql_object_access(ObjectAccessType access,
125126
caseOAT_POST_CREATE:
126127
switch (classId)
127128
{
129+
caseDatabaseRelationId:
130+
sepgsql_database_post_create(objectId);
131+
break;
132+
128133
caseNamespaceRelationId:
129134
sepgsql_schema_post_create(objectId);
130135
break;

‎contrib/sepgsql/label.c‎

Lines changed: 22 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@
1717
#include"catalog/indexing.h"
1818
#include"catalog/pg_attribute.h"
1919
#include"catalog/pg_class.h"
20+
#include"catalog/pg_database.h"
2021
#include"catalog/pg_namespace.h"
2122
#include"catalog/pg_proc.h"
2223
#include"commands/dbcommands.h"
@@ -121,9 +122,14 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
121122
*/
122123
switch (object->classId)
123124
{
125+
caseDatabaseRelationId:
126+
sepgsql_database_relabel(object->objectId,seclabel);
127+
break;
128+
124129
caseNamespaceRelationId:
125130
sepgsql_schema_relabel(object->objectId,seclabel);
126131
break;
132+
127133
caseRelationRelationId:
128134
if (object->objectSubId==0)
129135
sepgsql_relation_relabel(object->objectId,
@@ -133,6 +139,7 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
133139
object->objectSubId,
134140
seclabel);
135141
break;
142+
136143
caseProcedureRelationId:
137144
sepgsql_proc_relabel(object->objectId,seclabel);
138145
break;
@@ -315,6 +322,7 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId)
315322
SnapshotNow,0,NULL);
316323
while (HeapTupleIsValid(tuple=systable_getnext(sscan)))
317324
{
325+
Form_pg_databasedatForm;
318326
Form_pg_namespacenspForm;
319327
Form_pg_classrelForm;
320328
Form_pg_attributeattForm;
@@ -330,6 +338,19 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId)
330338
*/
331339
switch (catalogId)
332340
{
341+
caseDatabaseRelationId:
342+
datForm= (Form_pg_database)GETSTRUCT(tuple);
343+
344+
objtype=SELABEL_DB_DATABASE;
345+
346+
objname=quote_object_name(NameStr(datForm->datname),
347+
NULL,NULL,NULL);
348+
349+
object.classId=DatabaseRelationId;
350+
object.objectId=HeapTupleGetOid(tuple);
351+
object.objectSubId=0;
352+
break;
353+
333354
caseNamespaceRelationId:
334355
nspForm= (Form_pg_namespace)GETSTRUCT(tuple);
335356

@@ -506,10 +527,7 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)
506527
errmsg("SELinux: failed to initialize labeling handle: %m")));
507528
PG_TRY();
508529
{
509-
/*
510-
* Right now, we have no support labeling on the shared database
511-
* objects, such as database, role, or tablespace.
512-
*/
530+
exec_object_restorecon(sehnd,DatabaseRelationId);
513531
exec_object_restorecon(sehnd,NamespaceRelationId);
514532
exec_object_restorecon(sehnd,RelationRelationId);
515533
exec_object_restorecon(sehnd,AttributeRelationId);

‎contrib/sepgsql/schema.c‎

Lines changed: 6 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,10 @@
1111
#include"postgres.h"
1212

1313
#include"catalog/dependency.h"
14+
#include"catalog/pg_database.h"
1415
#include"catalog/pg_namespace.h"
1516
#include"commands/seclabel.h"
17+
#include"miscadmin.h"
1618
#include"utils/lsyscache.h"
1719

1820
#include"sepgsql.h"
@@ -26,22 +28,17 @@
2628
void
2729
sepgsql_schema_post_create(OidnamespaceId)
2830
{
29-
char*scontext=sepgsql_get_client_label();
31+
char*scontext;
3032
char*tcontext;
3133
char*ncontext;
3234
ObjectAddressobject;
3335

34-
/*
35-
* FIXME: Right now, we assume pg_database object has a fixed security
36-
* label, because pg_seclabel does not support to store label of shared
37-
* database objects.
38-
*/
39-
tcontext="system_u:object_r:sepgsql_db_t:s0";
40-
4136
/*
4237
* Compute a default security label when we create a new schema object
4338
* under the working database.
4439
*/
40+
scontext=sepgsql_get_client_label();
41+
tcontext=sepgsql_get_label(DatabaseRelationId,MyDatabaseId,0);
4542
ncontext=sepgsql_compute_create(scontext,tcontext,
4643
SEPG_CLASS_DB_SCHEMA);
4744

@@ -54,6 +51,7 @@ sepgsql_schema_post_create(Oid namespaceId)
5451
SetSecurityLabel(&object,SEPGSQL_LABEL_TAG,ncontext);
5552

5653
pfree(ncontext);
54+
pfree(tcontext);
5755
}
5856

5957
/*

‎contrib/sepgsql/sepgsql.h‎

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -283,6 +283,12 @@ extern Datum sepgsql_restorecon(PG_FUNCTION_ARGS);
283283
*/
284284
externboolsepgsql_dml_privileges(List*rangeTabls,boolabort);
285285

286+
/*
287+
* database.c
288+
*/
289+
externvoidsepgsql_database_post_create(OiddatabaseId);
290+
externvoidsepgsql_database_relabel(OiddatabaseId,constchar*seclabel);
291+
286292
/*
287293
* schema.c
288294
*/

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp