diff options
| author | Robert Haas | 2013-04-12 12:55:56 +0000 |
|---|---|---|
| committer | Robert Haas | 2013-04-12 12:58:01 +0000 |
| commit | f8a54e936bdf4c31b395a2ab7d7bc98eefa6dbad (patch) | |
| tree | 957024396b9375191802c4b9eb5a2ed8e80809fb /contrib/sepgsql/proc.c | |
| parent | d017bf41a32d08885f00a274603ed2e50816fe7f (diff) | |
sepgsql: Enforce db_procedure:{execute} permission.
To do this, we add an additional object access hook type,
OAT_FUNCTION_EXECUTE.
KaiGai Kohei
Diffstat (limited to 'contrib/sepgsql/proc.c')
| -rw-r--r-- | contrib/sepgsql/proc.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/contrib/sepgsql/proc.c b/contrib/sepgsql/proc.c index c0b0f6aeeb..fe33119118 100644 --- a/contrib/sepgsql/proc.c +++ b/contrib/sepgsql/proc.c @@ -307,3 +307,29 @@ sepgsql_proc_setattr(Oid functionId) systable_endscan(sscan); heap_close(rel, AccessShareLock); } + +/* + * sepgsql_proc_execute + * + * It checks privileges to execute the supplied function + */ +void +sepgsql_proc_execute(Oid functionId) +{ + ObjectAddress object; + char *audit_name; + + /* + * check db_procedure:{execute} permission + */ + object.classId = ProcedureRelationId; + object.objectId = functionId; + object.objectSubId = 0; + audit_name = getObjectDescription(&object); + sepgsql_avc_check_perms(&object, + SEPG_CLASS_DB_PROCEDURE, + SEPG_DB_PROCEDURE__EXECUTE, + audit_name, + true); + pfree(audit_name); +} |