summaryrefslogtreecommitdiff
path: root/contrib/sepgsql/schema.c
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/sepgsql/schema.c')
-rw-r--r--contrib/sepgsql/schema.c90
1 files changed, 82 insertions, 8 deletions
diff --git a/contrib/sepgsql/schema.c b/contrib/sepgsql/schema.c
index 230449dc4b..fc103b0260 100644
--- a/contrib/sepgsql/schema.c
+++ b/contrib/sepgsql/schema.c
@@ -4,7 +4,7 @@
*
* Routines corresponding to schema objects
*
- * Copyright (c) 2010-2012, PostgreSQL Global Development Group
+ * Copyright (c) 2010-2014, PostgreSQL Global Development Group
*
* -------------------------------------------------------------------------
*/
@@ -12,13 +12,16 @@
#include "access/genam.h"
#include "access/heapam.h"
+#include "access/htup_details.h"
#include "access/sysattr.h"
#include "catalog/dependency.h"
#include "catalog/indexing.h"
#include "catalog/pg_database.h"
#include "catalog/pg_namespace.h"
#include "commands/seclabel.h"
+#include "lib/stringinfo.h"
#include "miscadmin.h"
+#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
#include "utils/tqual.h"
@@ -40,9 +43,10 @@ sepgsql_schema_post_create(Oid namespaceId)
HeapTuple tuple;
char *tcontext;
char *ncontext;
- char audit_name[NAMEDATALEN + 20];
+ const char *nsp_name;
ObjectAddress object;
Form_pg_namespace nspForm;
+ StringInfoData audit_name;
/*
* Compute a default security label when we create a new schema object
@@ -66,21 +70,27 @@ sepgsql_schema_post_create(Oid namespaceId)
elog(ERROR, "catalog lookup failed for namespace %u", namespaceId);
nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
+ nsp_name = NameStr(nspForm->nspname);
+ if (strncmp(nsp_name, "pg_temp_", 8) == 0)
+ nsp_name = "pg_temp";
+ else if (strncmp(nsp_name, "pg_toast_temp_", 14) == 0)
+ nsp_name = "pg_toast_temp";
tcontext = sepgsql_get_label(DatabaseRelationId, MyDatabaseId, 0);
ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext,
- SEPG_CLASS_DB_SCHEMA);
+ SEPG_CLASS_DB_SCHEMA,
+ nsp_name);
/*
* check db_schema:{create}
*/
- snprintf(audit_name, sizeof(audit_name),
- "schema %s", NameStr(nspForm->nspname));
+ initStringInfo(&audit_name);
+ appendStringInfo(&audit_name, "%s", quote_identifier(nsp_name));
sepgsql_avc_check_perms_label(ncontext,
SEPG_CLASS_DB_SCHEMA,
SEPG_DB_SCHEMA__CREATE,
- audit_name,
+ audit_name.data,
true);
systable_endscan(sscan);
heap_close(rel, AccessShareLock);
@@ -114,7 +124,7 @@ sepgsql_schema_drop(Oid namespaceId)
object.classId = NamespaceRelationId;
object.objectId = namespaceId;
object.objectSubId = 0;
- audit_name = getObjectDescription(&object);
+ audit_name = getObjectIdentity(&object);
sepgsql_avc_check_perms(&object,
SEPG_CLASS_DB_SCHEMA,
@@ -139,7 +149,7 @@ sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
object.classId = NamespaceRelationId;
object.objectId = namespaceId;
object.objectSubId = 0;
- audit_name = getObjectDescription(&object);
+ audit_name = getObjectIdentity(&object);
/*
* check db_schema:{setattr relabelfrom} permission
@@ -161,3 +171,67 @@ sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
true);
pfree(audit_name);
}
+
+/*
+ * sepgsql_schema_check_perms
+ *
+ * utility routine to check db_schema:{xxx} permissions
+ */
+static bool
+check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation)
+{
+ ObjectAddress object;
+ char *audit_name;
+ bool result;
+
+ object.classId = NamespaceRelationId;
+ object.objectId = namespaceId;
+ object.objectSubId = 0;
+ audit_name = getObjectIdentity(&object);
+
+ result = sepgsql_avc_check_perms(&object,
+ SEPG_CLASS_DB_SCHEMA,
+ required,
+ audit_name,
+ abort_on_violation);
+ pfree(audit_name);
+
+ return result;
+}
+
+/* db_schema:{setattr} permission */
+void
+sepgsql_schema_setattr(Oid namespaceId)
+{
+ check_schema_perms(namespaceId, SEPG_DB_SCHEMA__SETATTR, true);
+}
+
+/* db_schema:{search} permission */
+bool
+sepgsql_schema_search(Oid namespaceId, bool abort_on_violation)
+{
+ return check_schema_perms(namespaceId,
+ SEPG_DB_SCHEMA__SEARCH,
+ abort_on_violation);
+}
+
+void
+sepgsql_schema_add_name(Oid namespaceId)
+{
+ check_schema_perms(namespaceId, SEPG_DB_SCHEMA__ADD_NAME, true);
+}
+
+void
+sepgsql_schema_remove_name(Oid namespaceId)
+{
+ check_schema_perms(namespaceId, SEPG_DB_SCHEMA__REMOVE_NAME, true);
+}
+
+void
+sepgsql_schema_rename(Oid namespaceId)
+{
+ check_schema_perms(namespaceId,
+ SEPG_DB_SCHEMA__ADD_NAME |
+ SEPG_DB_SCHEMA__REMOVE_NAME,
+ true);
+}