diff options
Diffstat (limited to 'contrib/sepgsql/database.c')
| -rw-r--r-- | contrib/sepgsql/database.c | 52 |
1 files changed, 42 insertions, 10 deletions
diff --git a/contrib/sepgsql/database.c b/contrib/sepgsql/database.c index 5a4246752a..cc8b31eb74 100644 --- a/contrib/sepgsql/database.c +++ b/contrib/sepgsql/database.c @@ -4,7 +4,7 @@ * * Routines corresponding to database objects * - * Copyright (c) 2010-2012, PostgreSQL Global Development Group + * Copyright (c) 2010-2014, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ @@ -12,12 +12,14 @@ #include "access/genam.h" #include "access/heapam.h" +#include "access/htup_details.h" #include "access/sysattr.h" #include "catalog/dependency.h" #include "catalog/pg_database.h" #include "catalog/indexing.h" #include "commands/dbcommands.h" #include "commands/seclabel.h" +#include "utils/builtins.h" #include "utils/fmgroids.h" #include "utils/tqual.h" #include "sepgsql.h" @@ -37,9 +39,9 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate) HeapTuple tuple; char *tcontext; char *ncontext; - char audit_name[NAMEDATALEN + 20]; ObjectAddress object; Form_pg_database datForm; + StringInfoData audit_name; /* * Oid of the source database is not saved in pg_database catalog, so we @@ -60,11 +62,12 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate) /* * check db_database:{getattr} permission */ - snprintf(audit_name, sizeof(audit_name), "database %s", dtemplate); + initStringInfo(&audit_name); + appendStringInfo(&audit_name, "%s", quote_identifier(dtemplate)); sepgsql_avc_check_perms_label(tcontext, SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__GETATTR, - audit_name, + audit_name.data, true); /* @@ -91,17 +94,19 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate) ncontext = sepgsql_compute_create(sepgsql_get_client_label(), tcontext, - SEPG_CLASS_DB_DATABASE); + SEPG_CLASS_DB_DATABASE, + NameStr(datForm->datname)); /* * check db_database:{create} permission */ - snprintf(audit_name, sizeof(audit_name), - "database %s", NameStr(datForm->datname)); + resetStringInfo(&audit_name); + appendStringInfo(&audit_name, "%s", + quote_identifier(NameStr(datForm->datname))); sepgsql_avc_check_perms_label(ncontext, SEPG_CLASS_DB_DATABASE, SEPG_DB_DATABASE__CREATE, - audit_name, + audit_name.data, true); systable_endscan(sscan); @@ -137,7 +142,7 @@ sepgsql_database_drop(Oid databaseId) object.classId = DatabaseRelationId; object.objectId = databaseId; object.objectSubId = 0; - audit_name = getObjectDescription(&object); + audit_name = getObjectIdentity(&object); sepgsql_avc_check_perms(&object, SEPG_CLASS_DB_DATABASE, @@ -148,6 +153,33 @@ sepgsql_database_drop(Oid databaseId) } /* + * sepgsql_database_post_alter + * + * It checks privileges to alter the supplied database + */ +void +sepgsql_database_setattr(Oid databaseId) +{ + ObjectAddress object; + char *audit_name; + + /* + * check db_database:{setattr} permission + */ + object.classId = DatabaseRelationId; + object.objectId = databaseId; + object.objectSubId = 0; + audit_name = getObjectIdentity(&object); + + sepgsql_avc_check_perms(&object, + SEPG_CLASS_DB_DATABASE, + SEPG_DB_DATABASE__SETATTR, + audit_name, + true); + pfree(audit_name); +} + +/* * sepgsql_database_relabel * * It checks privileges to relabel the supplied database with the `seclabel' @@ -161,7 +193,7 @@ sepgsql_database_relabel(Oid databaseId, const char *seclabel) object.classId = DatabaseRelationId; object.objectId = databaseId; object.objectSubId = 0; - audit_name = getObjectDescription(&object); + audit_name = getObjectIdentity(&object); /* * check db_database:{setattr relabelfrom} permission |