diff options
| author | Robert Haas | 2013-04-05 12:51:31 +0000 |
|---|---|---|
| committer | Robert Haas | 2013-04-05 12:51:31 +0000 |
| commit | e965e6344cfaff0708a032721b56f61eea777bc5 (patch) | |
| tree | 51f5e7f7c97fd7a27779407663130fcc29978022 /contrib/sepgsql/schema.c | |
| parent | 52f436b807b0d02203ea6be19bafa56e4e1381e8 (diff) | |
sepgsql: Enforce db_schema:search permission.
KaiGai Kohei, with comment and doc wordsmithing by me
Diffstat (limited to 'contrib/sepgsql/schema.c')
| -rw-r--r-- | contrib/sepgsql/schema.c | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/contrib/sepgsql/schema.c b/contrib/sepgsql/schema.c index 74e16678cb5..bafe17adcd0 100644 --- a/contrib/sepgsql/schema.c +++ b/contrib/sepgsql/schema.c @@ -173,42 +173,54 @@ sepgsql_schema_relabel(Oid namespaceId, const char *seclabel) * * utility routine to check db_schema:{xxx} permissions */ -static void -check_schema_perms(Oid namespaceId, uint32 required) +static bool +check_schema_perms(Oid namespaceId, uint32 required, bool abort_on_violation) { ObjectAddress object; char *audit_name; + bool result; object.classId = NamespaceRelationId; object.objectId = namespaceId; object.objectSubId = 0; audit_name = getObjectDescription(&object); - sepgsql_avc_check_perms(&object, - SEPG_CLASS_DB_SCHEMA, - required, - audit_name, - true); + result = sepgsql_avc_check_perms(&object, + SEPG_CLASS_DB_SCHEMA, + required, + audit_name, + abort_on_violation); pfree(audit_name); + + return result; } /* db_schema:{setattr} permission */ void sepgsql_schema_setattr(Oid namespaceId) { - check_schema_perms(namespaceId, SEPG_DB_SCHEMA__SETATTR); + check_schema_perms(namespaceId, SEPG_DB_SCHEMA__SETATTR, true); +} + +/* db_schema:{search} permission */ +bool +sepgsql_schema_search(Oid namespaceId, bool abort_on_violation) +{ + return check_schema_perms(namespaceId, + SEPG_DB_SCHEMA__SEARCH, + abort_on_violation); } void sepgsql_schema_add_name(Oid namespaceId) { - check_schema_perms(namespaceId, SEPG_DB_SCHEMA__ADD_NAME); + check_schema_perms(namespaceId, SEPG_DB_SCHEMA__ADD_NAME, true); } void sepgsql_schema_remove_name(Oid namespaceId) { - check_schema_perms(namespaceId, SEPG_DB_SCHEMA__REMOVE_NAME); + check_schema_perms(namespaceId, SEPG_DB_SCHEMA__REMOVE_NAME, true); } void @@ -216,5 +228,6 @@ sepgsql_schema_rename(Oid namespaceId) { check_schema_perms(namespaceId, SEPG_DB_SCHEMA__ADD_NAME | - SEPG_DB_SCHEMA__REMOVE_NAME); + SEPG_DB_SCHEMA__REMOVE_NAME, + true); } |