NotificationsYou must be signed in to change notification settings
Fork5
Star27

Commitb620fda

committed

sepgql: Use getObjectIdentity rather than getObjectDescription.

KaiGai Kohei, based on a suggestion from Álvaro Herrera

1 parentbe55f3b commitb620fdaCopy full SHA for b620fda

File tree

7 files changed

+351

-330

lines changed

contrib/sepgsql
- database.c
- dml.c
- expected
  - alter.out
  - ddl.out
- proc.c
- relation.c
- schema.c

7 files changed

+351

-330

lines changed

`‎contrib/sepgsql/database.c‎`

Lines changed: 12 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`#include"catalog/indexing.h"`
`20`	`20`	`#include"commands/dbcommands.h"`
`21`	`21`	`#include"commands/seclabel.h"`
	`22`	`+#include"utils/builtins.h"`
`22`	`23`	`#include"utils/fmgroids.h"`
`23`	`24`	`#include"utils/tqual.h"`
`24`	`25`	`#include"sepgsql.h"`
`@@ -38,9 +39,9 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)`
`38`	`39`	`HeapTupletuple;`
`39`	`40`	`char*tcontext;`
`40`	`41`	`char*ncontext;`
`41`		`-charaudit_name[NAMEDATALEN+20];`
`42`	`42`	`ObjectAddressobject;`
`43`	`43`	`Form_pg_databasedatForm;`
	`44`	`+StringInfoDataaudit_name;`
`44`	`45`
`45`	`46`	`/*`
`46`	`47`	`* Oid of the source database is not saved in pg_database catalog, so we`
`@@ -61,11 +62,12 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)`
`61`	`62`	`/*`
`62`	`63`	`* check db_database:{getattr} permission`
`63`	`64`	`*/`
`64`		`-snprintf(audit_name,sizeof(audit_name),"database %s",dtemplate);`
	`65`	`+initStringInfo(&audit_name);`
	`66`	`+appendStringInfo(&audit_name,"%s",quote_identifier(dtemplate));`
`65`	`67`	`sepgsql_avc_check_perms_label(tcontext,`
`66`	`68`	`SEPG_CLASS_DB_DATABASE,`
`67`	`69`	`SEPG_DB_DATABASE__GETATTR,`
`68`		`-audit_name,`
	`70`	`+audit_name.data,`
`69`	`71`	`true);`
`70`	`72`
`71`	`73`	`/*`
`@@ -98,12 +100,13 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)`
`98`	`100`	`/*`
`99`	`101`	`* check db_database:{create} permission`
`100`	`102`	`*/`
`101`		`-snprintf(audit_name,sizeof(audit_name),`
`102`		`-"database %s",NameStr(datForm->datname));`
	`103`	`+resetStringInfo(&audit_name);`
	`104`	`+appendStringInfo(&audit_name,"%s",`
	`105`	`+quote_identifier(NameStr(datForm->datname)));`
`103`	`106`	`sepgsql_avc_check_perms_label(ncontext,`
`104`	`107`	`SEPG_CLASS_DB_DATABASE,`
`105`	`108`	`SEPG_DB_DATABASE__CREATE,`
`106`		`-audit_name,`
	`109`	`+audit_name.data,`
`107`	`110`	`true);`
`108`	`111`
`109`	`112`	`systable_endscan(sscan);`
`@@ -139,7 +142,7 @@ sepgsql_database_drop(Oid databaseId)`
`139`	`142`	`object.classId=DatabaseRelationId;`
`140`	`143`	`object.objectId=databaseId;`
`141`	`144`	`object.objectSubId=0;`
`142`		`-audit_name=getObjectDescription(&object);`
	`145`	`+audit_name=getObjectIdentity(&object);`
`143`	`146`
`144`	`147`	`sepgsql_avc_check_perms(&object,`
`145`	`148`	`SEPG_CLASS_DB_DATABASE,`
`@@ -166,7 +169,7 @@ sepgsql_database_setattr(Oid databaseId)`
`166`	`169`	`object.classId=DatabaseRelationId;`
`167`	`170`	`object.objectId=databaseId;`
`168`	`171`	`object.objectSubId=0;`
`169`		`-audit_name=getObjectDescription(&object);`
	`172`	`+audit_name=getObjectIdentity(&object);`
`170`	`173`
`171`	`174`	`sepgsql_avc_check_perms(&object,`
`172`	`175`	`SEPG_CLASS_DB_DATABASE,`
`@@ -190,7 +193,7 @@ sepgsql_database_relabel(Oid databaseId, const char *seclabel)`
`190`	`193`	`object.classId=DatabaseRelationId;`
`191`	`194`	`object.objectId=databaseId;`
`192`	`195`	`object.objectSubId=0;`
`193`		`-audit_name=getObjectDescription(&object);`
	`196`	`+audit_name=getObjectIdentity(&object);`
`194`	`197`
`195`	`198`	`/*`
`196`	`199`	`* check db_database:{setattr relabelfrom} permission`

`‎contrib/sepgsql/dml.c‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -187,7 +187,7 @@ check_relation_privileges(Oid relOid,`
`187`	`187`	`object.classId=RelationRelationId;`
`188`	`188`	`object.objectId=relOid;`
`189`	`189`	`object.objectSubId=0;`
`190`		`-audit_name=getObjectDescription(&object);`
	`190`	`+audit_name=getObjectIdentity(&object);`
`191`	`191`	`switch (relkind)`
`192`	`192`	`{`
`193`	`193`	`caseRELKIND_RELATION:`

`‎contrib/sepgsql/expected/alter.out‎`

Lines changed: 84 additions & 84 deletions

Large diffs are not rendered by default.

`‎contrib/sepgsql/expected/ddl.out‎`

Lines changed: 195 additions & 195 deletions

Large diffs are not rendered by default.

`‎contrib/sepgsql/proc.c‎`

Lines changed: 15 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`#include"catalog/indexing.h"`
`19`	`19`	`#include"catalog/pg_namespace.h"`
`20`	`20`	`#include"catalog/pg_proc.h"`
	`21`	`+#include"catalog/pg_type.h"`
`21`	`22`	`#include"commands/seclabel.h"`
`22`	`23`	`#include"lib/stringinfo.h"`
`23`	`24`	`#include"utils/builtins.h"`
`@@ -41,6 +42,7 @@ sepgsql_proc_post_create(Oid functionId)`
`41`	`42`	`ScanKeyDataskey;`
`42`	`43`	`SysScanDescsscan;`
`43`	`44`	`HeapTupletuple;`
	`45`	`+char*nsp_name;`
`44`	`46`	`char*scontext;`
`45`	`47`	`char*tcontext;`
`46`	`48`	`char*ncontext;`
`@@ -79,7 +81,7 @@ sepgsql_proc_post_create(Oid functionId)`
`79`	`81`	`sepgsql_avc_check_perms(&object,`
`80`	`82`	`SEPG_CLASS_DB_SCHEMA,`
`81`	`83`	`SEPG_DB_SCHEMA__ADD_NAME,`
`82`		`-getObjectDescription(&object),`
	`84`	`+getObjectIdentity(&object),`
`83`	`85`	`true);`
`84`	`86`
`85`	`87`	`/*`
`@@ -102,14 +104,18 @@ sepgsql_proc_post_create(Oid functionId)`
`102`	`104`	`* check db_procedure:{create (install)} permission`
`103`	`105`	`*/`
`104`	`106`	`initStringInfo(&audit_name);`
`105`		`-appendStringInfo(&audit_name,"function %s(",NameStr(proForm->proname));`
	`107`	`+nsp_name=get_namespace_name(proForm->pronamespace);`
	`108`	`+appendStringInfo(&audit_name,"%s(",`
	`109`	`+quote_qualified_identifier(nsp_name,NameStr(proForm->proname)));`
`106`	`110`	`for (i=0;i<proForm->pronargs;i++)`
`107`	`111`	`{`
`108`		`-Oidtypeoid=proForm->proargtypes.values[i];`
`109`		`-`
`110`	`112`	`if (i>0)`
`111`	`113`	`appendStringInfoChar(&audit_name,',');`
`112`		`-appendStringInfoString(&audit_name,format_type_be(typeoid));`
	`114`	`+`
	`115`	`+object.classId=TypeRelationId;`
	`116`	`+object.objectId=proForm->proargtypes.values[i];`
	`117`	`+object.objectSubId=0;`
	`118`	`+appendStringInfoString(&audit_name,getObjectIdentity(&object));`
`113`	`119`	`}`
`114`	`120`	`appendStringInfoChar(&audit_name,')');`
`115`	`121`
`@@ -159,7 +165,7 @@ sepgsql_proc_drop(Oid functionId)`
`159`	`165`	`object.classId=NamespaceRelationId;`
`160`	`166`	`object.objectId=get_func_namespace(functionId);`
`161`	`167`	`object.objectSubId=0;`
`162`		`-audit_name=getObjectDescription(&object);`
	`168`	`+audit_name=getObjectIdentity(&object);`
`163`	`169`
`164`	`170`	`sepgsql_avc_check_perms(&object,`
`165`	`171`	`SEPG_CLASS_DB_SCHEMA,`
`@@ -174,7 +180,7 @@ sepgsql_proc_drop(Oid functionId)`
`174`	`180`	`object.classId=ProcedureRelationId;`
`175`	`181`	`object.objectId=functionId;`
`176`	`182`	`object.objectSubId=0;`
`177`		`-audit_name=getObjectDescription(&object);`
	`183`	`+audit_name=getObjectIdentity(&object);`
`178`	`184`
`179`	`185`	`sepgsql_avc_check_perms(&object,`
`180`	`186`	`SEPG_CLASS_DB_PROCEDURE,`
`@@ -199,7 +205,7 @@ sepgsql_proc_relabel(Oid functionId, const char *seclabel)`
`199`	`205`	`object.classId=ProcedureRelationId;`
`200`	`206`	`object.objectId=functionId;`
`201`	`207`	`object.objectSubId=0;`
`202`		`-audit_name=getObjectDescription(&object);`
	`208`	`+audit_name=getObjectIdentity(&object);`
`203`	`209`
`204`	`210`	`/*`
`205`	`211`	`* check db_procedure:{setattr relabelfrom} permission`
`@@ -287,7 +293,7 @@ sepgsql_proc_setattr(Oid functionId)`
`287`	`293`	`object.classId=ProcedureRelationId;`
`288`	`294`	`object.objectId=functionId;`
`289`	`295`	`object.objectSubId=0;`
`290`		`-audit_name=getObjectDescription(&object);`
	`296`	`+audit_name=getObjectIdentity(&object);`
`291`	`297`
`292`	`298`	`sepgsql_avc_check_perms(&object,`
`293`	`299`	`SEPG_CLASS_DB_PROCEDURE,`

`‎contrib/sepgsql/relation.c‎`

Lines changed: 35 additions & 26 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@`
`20`	`20`	`#include"catalog/pg_class.h"`
`21`	`21`	`#include"catalog/pg_namespace.h"`
`22`	`22`	`#include"commands/seclabel.h"`
	`23`	`+#include"lib/stringinfo.h"`
	`24`	`+#include"utils/builtins.h"`
`23`	`25`	`#include"utils/fmgroids.h"`
`24`	`26`	`#include"utils/catcache.h"`
`25`	`27`	`#include"utils/lsyscache.h"`
`@@ -49,9 +51,9 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)`
`49`	`51`	`char*scontext;`
`50`	`52`	`char*tcontext;`
`51`	`53`	`char*ncontext;`
`52`		`-charaudit_name[2*NAMEDATALEN+20];`
`53`	`54`	`ObjectAddressobject;`
`54`	`55`	`Form_pg_attributeattForm;`
	`56`	`+StringInfoDataaudit_name;`
`55`	`57`
`56`	`58`	`/*`
`57`	`59`	`* Only attributes within regular relation have individual security`
`@@ -94,12 +96,18 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)`
`94`	`96`	`/*`
`95`	`97`	`* check db_column:{create} permission`
`96`	`98`	`*/`
`97`		`-snprintf(audit_name,sizeof(audit_name),"table %s column %s",`
`98`		`-get_rel_name(relOid),NameStr(attForm->attname));`
	`99`	`+object.classId=RelationRelationId;`
	`100`	`+object.objectId=relOid;`
	`101`	`+object.objectSubId=0;`
	`102`	`+`
	`103`	`+initStringInfo(&audit_name);`
	`104`	`+appendStringInfo(&audit_name,"%s.%s",`
	`105`	`+getObjectIdentity(&object),`
	`106`	`+quote_identifier(NameStr(attForm->attname)));`
`99`	`107`	`sepgsql_avc_check_perms_label(ncontext,`
`100`	`108`	`SEPG_CLASS_DB_COLUMN,`
`101`	`109`	`SEPG_DB_COLUMN__CREATE,`
`102`		`-audit_name,`
	`110`	`+audit_name.data,`
`103`	`111`	`true);`
`104`	`112`
`105`	`113`	`/*`
`@@ -137,7 +145,7 @@ sepgsql_attribute_drop(Oid relOid, AttrNumber attnum)`
`137`	`145`	`object.classId=RelationRelationId;`
`138`	`146`	`object.objectId=relOid;`
`139`	`147`	`object.objectSubId=attnum;`
`140`		`-audit_name=getObjectDescription(&object);`
	`148`	`+audit_name=getObjectIdentity(&object);`
`141`	`149`
`142`	`150`	`sepgsql_avc_check_perms(&object,`
`143`	`151`	`SEPG_CLASS_DB_COLUMN,`
`@@ -168,7 +176,7 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,`
`168`	`176`	`object.classId=RelationRelationId;`
`169`	`177`	`object.objectId=relOid;`
`170`	`178`	`object.objectSubId=attnum;`
`171`		`-audit_name=getObjectDescription(&object);`
	`179`	`+audit_name=getObjectIdentity(&object);`
`172`	`180`
`173`	`181`	`/*`
`174`	`182`	`* check db_column:{setattr relabelfrom} permission`
`@@ -211,7 +219,7 @@ sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum)`
`211`	`219`	`object.classId=RelationRelationId;`
`212`	`220`	`object.objectId=relOid;`
`213`	`221`	`object.objectSubId=attnum;`
`214`		`-audit_name=getObjectDescription(&object);`
	`222`	`+audit_name=getObjectIdentity(&object);`
`215`	`223`
`216`	`224`	`sepgsql_avc_check_perms(&object,`
`217`	`225`	`SEPG_CLASS_DB_COLUMN,`
`@@ -236,12 +244,12 @@ sepgsql_relation_post_create(Oid relOid)`
`236`	`244`	`Form_pg_classclassForm;`
`237`	`245`	`ObjectAddressobject;`
`238`	`246`	`uint16tclass;`
`239`		`-constchar*tclass_text;`
`240`	`247`	`charscontext;/ subject */`
`241`	`248`	`chartcontext;/ schema */`
`242`	`249`	`charrcontext;/ relation */`
`243`	`250`	`charccontext;/ column */`
`244`		`-charaudit_name[2*NAMEDATALEN+20];`
	`251`	`+char*nsp_name;`
	`252`	`+StringInfoDataaudit_name;`
`245`	`253`
`246`	`254`	`/*`
`247`	`255`	`* Fetch catalog record of the new relation. Because pg_class entry is not`
`@@ -277,22 +285,19 @@ sepgsql_relation_post_create(Oid relOid)`
`277`	`285`	`sepgsql_avc_check_perms(&object,`
`278`	`286`	`SEPG_CLASS_DB_SCHEMA,`
`279`	`287`	`SEPG_DB_SCHEMA__ADD_NAME,`
`280`		`-getObjectDescription(&object),`
	`288`	`+getObjectIdentity(&object),`
`281`	`289`	`true);`
`282`	`290`
`283`	`291`	`switch (classForm->relkind)`
`284`	`292`	`{`
`285`	`293`	`caseRELKIND_RELATION:`
`286`	`294`	`tclass=SEPG_CLASS_DB_TABLE;`
`287`		`-tclass_text="table";`
`288`	`295`	`break;`
`289`	`296`	`caseRELKIND_SEQUENCE:`
`290`	`297`	`tclass=SEPG_CLASS_DB_SEQUENCE;`
`291`		`-tclass_text="sequence";`
`292`	`298`	`break;`
`293`	`299`	`caseRELKIND_VIEW:`
`294`	`300`	`tclass=SEPG_CLASS_DB_VIEW;`
`295`		`-tclass_text="view";`
`296`	`301`	`break;`
`297`	`302`	`caseRELKIND_INDEX:`
`298`	`303`	`/* deal with indexes specially; no need for tclass */`
`@@ -316,12 +321,15 @@ sepgsql_relation_post_create(Oid relOid)`
`316`	`321`	`/*`
`317`	`322`	`* check db_xxx:{create} permission`
`318`	`323`	`*/`
`319`		`-snprintf(audit_name,sizeof(audit_name),"%s %s",`
`320`		`-tclass_text,NameStr(classForm->relname));`
	`324`	`+nsp_name=get_namespace_name(classForm->relnamespace);`
	`325`	`+initStringInfo(&audit_name);`
	`326`	`+appendStringInfo(&audit_name,"%s.%s",`
	`327`	`+quote_identifier(nsp_name),`
	`328`	`+quote_identifier(NameStr(classForm->relname)));`
`321`	`329`	`sepgsql_avc_check_perms_label(rcontext,`
`322`	`330`	`tclass,`
`323`	`331`	`SEPG_DB_DATABASE__CREATE,`
`324`		`-audit_name,`
	`332`	`+audit_name.data,`
`325`	`333`	`true);`
`326`	`334`
`327`	`335`	`/*`
`@@ -358,10 +366,11 @@ sepgsql_relation_post_create(Oid relOid)`
`358`	`366`	`{`
`359`	`367`	`attForm= (Form_pg_attribute)GETSTRUCT(atup);`
`360`	`368`
`361`		`-snprintf(audit_name,sizeof(audit_name),"%s %s column %s",`
`362`		`-tclass_text,`
`363`		`-NameStr(classForm->relname),`
`364`		`-NameStr(attForm->attname));`
	`369`	`+resetStringInfo(&audit_name);`
	`370`	`+appendStringInfo(&audit_name,"%s.%s.%s",`
	`371`	`+quote_identifier(nsp_name),`
	`372`	`+quote_identifier(NameStr(classForm->relname)),`
	`373`	`+quote_identifier(NameStr(attForm->attname)));`
`365`	`374`
`366`	`375`	`ccontext=sepgsql_compute_create(scontext,`
`367`	`376`	`rcontext,`
`@@ -374,7 +383,7 @@ sepgsql_relation_post_create(Oid relOid)`
`374`	`383`	`sepgsql_avc_check_perms_label(ccontext,`
`375`	`384`	`SEPG_CLASS_DB_COLUMN,`
`376`	`385`	`SEPG_DB_COLUMN__CREATE,`
`377`		`-audit_name,`
	`386`	`+audit_name.data,`
`378`	`387`	`true);`
`379`	`388`
`380`	`389`	`object.classId=RelationRelationId;`
`@@ -436,7 +445,7 @@ sepgsql_relation_drop(Oid relOid)`
`436`	`445`	`object.classId=NamespaceRelationId;`
`437`	`446`	`object.objectId=get_rel_namespace(relOid);`
`438`	`447`	`object.objectSubId=0;`
`439`		`-audit_name=getObjectDescription(&object);`
	`448`	`+audit_name=getObjectIdentity(&object);`
`440`	`449`
`441`	`450`	`sepgsql_avc_check_perms(&object,`
`442`	`451`	`SEPG_CLASS_DB_SCHEMA,`
`@@ -458,7 +467,7 @@ sepgsql_relation_drop(Oid relOid)`
`458`	`467`	`object.classId=RelationRelationId;`
`459`	`468`	`object.objectId=relOid;`
`460`	`469`	`object.objectSubId=0;`
`461`		`-audit_name=getObjectDescription(&object);`
	`470`	`+audit_name=getObjectIdentity(&object);`
`462`	`471`
`463`	`472`	`sepgsql_avc_check_perms(&object,`
`464`	`473`	`tclass,`
`@@ -489,7 +498,7 @@ sepgsql_relation_drop(Oid relOid)`
`489`	`498`	`object.classId=RelationRelationId;`
`490`	`499`	`object.objectId=relOid;`
`491`	`500`	`object.objectSubId=attForm->attnum;`
`492`		`-audit_name=getObjectDescription(&object);`
	`501`	`+audit_name=getObjectIdentity(&object);`
`493`	`502`
`494`	`503`	`sepgsql_avc_check_perms(&object,`
`495`	`504`	`SEPG_CLASS_DB_COLUMN,`
`@@ -531,7 +540,7 @@ sepgsql_relation_relabel(Oid relOid, const char *seclabel)`
`531`	`540`	`object.classId=RelationRelationId;`
`532`	`541`	`object.objectId=relOid;`
`533`	`542`	`object.objectSubId=0;`
`534`		`-audit_name=getObjectDescription(&object);`
	`543`	`+audit_name=getObjectIdentity(&object);`
`535`	`544`
`536`	`545`	`/*`
`537`	`546`	`* check db_xxx:{setattr relabelfrom} permission`
`@@ -641,7 +650,7 @@ sepgsql_relation_setattr(Oid relOid)`
`641`	`650`	`object.classId=RelationRelationId;`
`642`	`651`	`object.objectId=relOid;`
`643`	`652`	`object.objectSubId=0;`
`644`		`-audit_name=getObjectDescription(&object);`
	`653`	`+audit_name=getObjectIdentity(&object);`
`645`	`654`
`646`	`655`	`sepgsql_avc_check_perms(&object,`
`647`	`656`	`tclass,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb620fda

File tree

7 files changed

7 files changed

`‎contrib/sepgsql/database.c‎`

`‎contrib/sepgsql/dml.c‎`

`‎contrib/sepgsql/expected/alter.out‎`

`‎contrib/sepgsql/expected/ddl.out‎`

`‎contrib/sepgsql/proc.c‎`

`‎contrib/sepgsql/relation.c‎`

0 commit comments