2011-01-24 09:44:48 +08:00
|
|
|
/* -------------------------------------------------------------------------
|
|
|
|
*
|
|
|
|
* contrib/sepgsql/label.c
|
|
|
|
*
|
|
|
|
* Routines to support SELinux labels (security context)
|
|
|
|
*
|
2018-01-03 12:30:12 +08:00
|
|
|
* Copyright (c) 2010-2018, PostgreSQL Global Development Group
|
2011-01-24 09:44:48 +08:00
|
|
|
*
|
|
|
|
* -------------------------------------------------------------------------
|
|
|
|
*/
|
|
|
|
#include "postgres.h"
|
|
|
|
|
2017-04-07 05:21:25 +08:00
|
|
|
#include <selinux/label.h>
|
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "access/heapam.h"
|
2012-09-06 02:01:15 +08:00
|
|
|
#include "access/htup_details.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "access/genam.h"
|
2012-03-16 04:08:40 +08:00
|
|
|
#include "access/xact.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "catalog/catalog.h"
|
|
|
|
#include "catalog/dependency.h"
|
|
|
|
#include "catalog/indexing.h"
|
|
|
|
#include "catalog/pg_attribute.h"
|
|
|
|
#include "catalog/pg_class.h"
|
2011-09-24 05:09:34 +08:00
|
|
|
#include "catalog/pg_database.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "catalog/pg_namespace.h"
|
|
|
|
#include "catalog/pg_proc.h"
|
|
|
|
#include "commands/dbcommands.h"
|
|
|
|
#include "commands/seclabel.h"
|
2012-02-16 02:54:26 +08:00
|
|
|
#include "libpq/auth.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "libpq/libpq-be.h"
|
|
|
|
#include "miscadmin.h"
|
|
|
|
#include "utils/builtins.h"
|
|
|
|
#include "utils/fmgroids.h"
|
2012-03-16 04:08:40 +08:00
|
|
|
#include "utils/guc.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "utils/lsyscache.h"
|
2012-03-16 04:08:40 +08:00
|
|
|
#include "utils/memutils.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "utils/rel.h"
|
|
|
|
#include "utils/tqual.h"
|
|
|
|
|
|
|
|
#include "sepgsql.h"
|
|
|
|
|
2012-02-16 02:54:26 +08:00
|
|
|
/*
|
|
|
|
* Saved hook entries (if stacked)
|
|
|
|
*/
|
|
|
|
static ClientAuthentication_hook_type next_client_auth_hook = NULL;
|
|
|
|
static needs_fmgr_hook_type next_needs_fmgr_hook = NULL;
|
|
|
|
static fmgr_hook_type next_fmgr_hook = NULL;
|
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
/*
|
2012-03-16 04:08:40 +08:00
|
|
|
* client_label_*
|
2011-01-24 09:44:48 +08:00
|
|
|
*
|
2012-03-16 04:08:40 +08:00
|
|
|
* security label of the database client. Initially the client security label
|
|
|
|
* is equal to client_label_peer, and can be changed by one or more calls to
|
|
|
|
* sepgsql_setcon(), and also be temporarily overridden during execution of a
|
|
|
|
* trusted-procedure.
|
|
|
|
*
|
|
|
|
* sepgsql_setcon() is a transaction-aware operation; a (sub-)transaction
|
|
|
|
* rollback should also rollback the current client security label. Therefore
|
|
|
|
* we use the list client_label_pending of pending_label to keep track of which
|
|
|
|
* labels were set during the (sub-)transactions.
|
2011-01-24 09:44:48 +08:00
|
|
|
*/
|
2012-06-11 03:20:04 +08:00
|
|
|
static char *client_label_peer = NULL; /* set by getpeercon(3) */
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-22 03:18:54 +08:00
|
|
|
static List *client_label_pending = NIL; /* pending list being set by
|
|
|
|
* sepgsql_setcon() */
|
|
|
|
static char *client_label_committed = NULL; /* set by sepgsql_setcon(), and
|
|
|
|
* already committed */
|
2012-06-11 03:20:04 +08:00
|
|
|
static char *client_label_func = NULL; /* set by trusted procedure */
|
|
|
|
|
|
|
|
typedef struct
|
|
|
|
{
|
|
|
|
SubTransactionId subid;
|
|
|
|
char *label;
|
2017-06-22 02:39:04 +08:00
|
|
|
} pending_label;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
2012-03-16 04:08:40 +08:00
|
|
|
/*
|
|
|
|
* sepgsql_get_client_label
|
|
|
|
*
|
|
|
|
* Returns the current security label of the client. All code should use this
|
2012-04-24 10:43:09 +08:00
|
|
|
* routine to get the current label, instead of referring to the client_label_*
|
2012-03-16 04:08:40 +08:00
|
|
|
* variables above.
|
|
|
|
*/
|
2011-01-24 09:44:48 +08:00
|
|
|
char *
|
|
|
|
sepgsql_get_client_label(void)
|
|
|
|
{
|
2012-03-16 04:08:40 +08:00
|
|
|
/* trusted procedure client label override */
|
|
|
|
if (client_label_func)
|
|
|
|
return client_label_func;
|
|
|
|
|
|
|
|
/* uncommitted sepgsql_setcon() value */
|
|
|
|
if (client_label_pending)
|
|
|
|
{
|
2012-06-11 03:20:04 +08:00
|
|
|
pending_label *plabel = llast(client_label_pending);
|
2012-03-16 04:08:40 +08:00
|
|
|
|
|
|
|
if (plabel->label)
|
|
|
|
return plabel->label;
|
|
|
|
}
|
|
|
|
else if (client_label_committed)
|
|
|
|
return client_label_committed; /* set by sepgsql_setcon() committed */
|
|
|
|
|
|
|
|
/* default label */
|
|
|
|
Assert(client_label_peer != NULL);
|
|
|
|
return client_label_peer;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_set_client_label
|
|
|
|
*
|
|
|
|
* This routine tries to switch the current security label of the client, and
|
2014-05-07 00:12:18 +08:00
|
|
|
* checks related permissions. The supplied new label shall be added to the
|
2012-03-16 04:08:40 +08:00
|
|
|
* client_label_pending list, then saved at transaction-commit time to ensure
|
|
|
|
* transaction-awareness.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
sepgsql_set_client_label(const char *new_label)
|
|
|
|
{
|
2012-06-11 03:20:04 +08:00
|
|
|
const char *tcontext;
|
|
|
|
MemoryContext oldcxt;
|
|
|
|
pending_label *plabel;
|
2012-03-16 04:08:40 +08:00
|
|
|
|
|
|
|
/* Reset to the initial client label, if NULL */
|
|
|
|
if (!new_label)
|
|
|
|
tcontext = client_label_peer;
|
|
|
|
else
|
|
|
|
{
|
|
|
|
if (security_check_context_raw((security_context_t) new_label) < 0)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INVALID_NAME),
|
|
|
|
errmsg("SELinux: invalid security label: \"%s\"",
|
|
|
|
new_label)));
|
|
|
|
tcontext = new_label;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check process:{setcurrent} permission. */
|
|
|
|
sepgsql_avc_check_perms_label(sepgsql_get_client_label(),
|
|
|
|
SEPG_CLASS_PROCESS,
|
|
|
|
SEPG_PROCESS__SETCURRENT,
|
|
|
|
NULL,
|
|
|
|
true);
|
|
|
|
/* Check process:{dyntransition} permission. */
|
|
|
|
sepgsql_avc_check_perms_label(tcontext,
|
|
|
|
SEPG_CLASS_PROCESS,
|
|
|
|
SEPG_PROCESS__DYNTRANSITION,
|
|
|
|
NULL,
|
|
|
|
true);
|
2012-06-11 03:20:04 +08:00
|
|
|
|
2012-03-16 04:08:40 +08:00
|
|
|
/*
|
2012-06-11 03:20:04 +08:00
|
|
|
* Append the supplied new_label on the pending list until the current
|
|
|
|
* transaction is committed.
|
2012-03-16 04:08:40 +08:00
|
|
|
*/
|
|
|
|
oldcxt = MemoryContextSwitchTo(CurTransactionContext);
|
|
|
|
|
|
|
|
plabel = palloc0(sizeof(pending_label));
|
|
|
|
plabel->subid = GetCurrentSubTransactionId();
|
|
|
|
if (new_label)
|
|
|
|
plabel->label = pstrdup(new_label);
|
|
|
|
client_label_pending = lappend(client_label_pending, plabel);
|
|
|
|
|
|
|
|
MemoryContextSwitchTo(oldcxt);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_xact_callback
|
|
|
|
*
|
2016-03-16 06:06:11 +08:00
|
|
|
* A callback routine of transaction commit/abort/prepare. Commit or abort
|
2012-03-16 04:08:40 +08:00
|
|
|
* changes in the client_label_pending list.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
sepgsql_xact_callback(XactEvent event, void *arg)
|
|
|
|
{
|
|
|
|
if (event == XACT_EVENT_COMMIT)
|
|
|
|
{
|
|
|
|
if (client_label_pending != NIL)
|
|
|
|
{
|
2012-06-11 03:20:04 +08:00
|
|
|
pending_label *plabel = llast(client_label_pending);
|
|
|
|
char *new_label;
|
2012-03-16 04:08:40 +08:00
|
|
|
|
|
|
|
if (plabel->label)
|
|
|
|
new_label = MemoryContextStrdup(TopMemoryContext,
|
|
|
|
plabel->label);
|
|
|
|
else
|
|
|
|
new_label = NULL;
|
|
|
|
|
|
|
|
if (client_label_committed)
|
|
|
|
pfree(client_label_committed);
|
|
|
|
|
|
|
|
client_label_committed = new_label;
|
2012-06-11 03:20:04 +08:00
|
|
|
|
2012-03-16 04:08:40 +08:00
|
|
|
/*
|
2012-06-11 03:20:04 +08:00
|
|
|
* XXX - Note that items of client_label_pending are allocated on
|
|
|
|
* CurTransactionContext, thus, all acquired memory region shall
|
|
|
|
* be released implicitly.
|
2012-03-16 04:08:40 +08:00
|
|
|
*/
|
|
|
|
client_label_pending = NIL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else if (event == XACT_EVENT_ABORT)
|
|
|
|
client_label_pending = NIL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_subxact_callback
|
|
|
|
*
|
|
|
|
* A callback routine of sub-transaction start/abort/commit. Releases all
|
|
|
|
* security labels that are set within the sub-transaction that is aborted.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
sepgsql_subxact_callback(SubXactEvent event, SubTransactionId mySubid,
|
|
|
|
SubTransactionId parentSubid, void *arg)
|
|
|
|
{
|
|
|
|
ListCell *cell;
|
|
|
|
ListCell *prev;
|
|
|
|
ListCell *next;
|
|
|
|
|
|
|
|
if (event == SUBXACT_EVENT_ABORT_SUB)
|
|
|
|
{
|
|
|
|
prev = NULL;
|
|
|
|
for (cell = list_head(client_label_pending); cell; cell = next)
|
|
|
|
{
|
2012-06-11 03:20:04 +08:00
|
|
|
pending_label *plabel = lfirst(cell);
|
|
|
|
|
2012-03-16 04:08:40 +08:00
|
|
|
next = lnext(cell);
|
|
|
|
|
|
|
|
if (plabel->subid == mySubid)
|
|
|
|
client_label_pending
|
|
|
|
= list_delete_cell(client_label_pending, cell, prev);
|
|
|
|
else
|
|
|
|
prev = cell;
|
|
|
|
}
|
|
|
|
}
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
|
|
|
|
2012-02-16 02:54:26 +08:00
|
|
|
/*
|
|
|
|
* sepgsql_client_auth
|
|
|
|
*
|
|
|
|
* Entrypoint of the client authentication hook.
|
|
|
|
* It switches the client label according to getpeercon(), and the current
|
|
|
|
* performing mode according to the GUC setting.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
sepgsql_client_auth(Port *port, int status)
|
|
|
|
{
|
|
|
|
if (next_client_auth_hook)
|
|
|
|
(*next_client_auth_hook) (port, status);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* In the case when authentication failed, the supplied socket shall be
|
|
|
|
* closed soon, so we don't need to do anything here.
|
|
|
|
*/
|
|
|
|
if (status != STATUS_OK)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Getting security label of the peer process using API of libselinux.
|
|
|
|
*/
|
2012-03-16 04:08:40 +08:00
|
|
|
if (getpeercon_raw(port->sock, &client_label_peer) < 0)
|
2012-02-16 02:54:26 +08:00
|
|
|
ereport(FATAL,
|
|
|
|
(errcode(ERRCODE_INTERNAL_ERROR),
|
|
|
|
errmsg("SELinux: unable to get peer label: %m")));
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Switch the current performing mode from INTERNAL to either DEFAULT or
|
|
|
|
* PERMISSIVE.
|
|
|
|
*/
|
|
|
|
if (sepgsql_get_permissive())
|
|
|
|
sepgsql_set_mode(SEPGSQL_MODE_PERMISSIVE);
|
|
|
|
else
|
|
|
|
sepgsql_set_mode(SEPGSQL_MODE_DEFAULT);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_needs_fmgr_hook
|
|
|
|
*
|
|
|
|
* It informs the core whether the supplied function is trusted procedure,
|
|
|
|
* or not. If true, sepgsql_fmgr_hook shall be invoked at start, end, and
|
|
|
|
* abort time of function invocation.
|
|
|
|
*/
|
|
|
|
static bool
|
|
|
|
sepgsql_needs_fmgr_hook(Oid functionId)
|
|
|
|
{
|
2012-06-11 03:20:04 +08:00
|
|
|
ObjectAddress object;
|
2012-02-16 02:54:26 +08:00
|
|
|
|
|
|
|
if (next_needs_fmgr_hook &&
|
|
|
|
(*next_needs_fmgr_hook) (functionId))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* SELinux needs the function to be called via security_definer wrapper,
|
|
|
|
* if this invocation will take a domain-transition. We call these
|
|
|
|
* functions as trusted-procedure, if the security policy has a rule that
|
|
|
|
* switches security label of the client on execution.
|
|
|
|
*/
|
|
|
|
if (sepgsql_avc_trusted_proc(functionId) != NULL)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Even if not a trusted-procedure, this function should not be inlined
|
|
|
|
* unless the client has db_procedure:{execute} permission. Please note
|
|
|
|
* that it shall be actually failed later because of same reason with
|
|
|
|
* ACL_EXECUTE.
|
|
|
|
*/
|
|
|
|
object.classId = ProcedureRelationId;
|
|
|
|
object.objectId = functionId;
|
|
|
|
object.objectSubId = 0;
|
|
|
|
if (!sepgsql_avc_check_perms(&object,
|
|
|
|
SEPG_CLASS_DB_PROCEDURE,
|
2013-04-12 20:55:56 +08:00
|
|
|
SEPG_DB_PROCEDURE__EXECUTE |
|
|
|
|
SEPG_DB_PROCEDURE__ENTRYPOINT,
|
2012-02-16 02:54:26 +08:00
|
|
|
SEPGSQL_AVC_NOAUDIT, false))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_fmgr_hook
|
|
|
|
*
|
|
|
|
* It switches security label of the client on execution of trusted
|
|
|
|
* procedures.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
sepgsql_fmgr_hook(FmgrHookEventType event,
|
|
|
|
FmgrInfo *flinfo, Datum *private)
|
2011-01-24 09:44:48 +08:00
|
|
|
{
|
2012-02-16 02:54:26 +08:00
|
|
|
struct
|
|
|
|
{
|
|
|
|
char *old_label;
|
|
|
|
char *new_label;
|
|
|
|
Datum next_private;
|
|
|
|
} *stack;
|
|
|
|
|
|
|
|
switch (event)
|
|
|
|
{
|
|
|
|
case FHET_START:
|
|
|
|
stack = (void *) DatumGetPointer(*private);
|
|
|
|
if (!stack)
|
|
|
|
{
|
|
|
|
MemoryContext oldcxt;
|
|
|
|
|
|
|
|
oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
|
|
|
|
stack = palloc(sizeof(*stack));
|
|
|
|
stack->old_label = NULL;
|
|
|
|
stack->new_label = sepgsql_avc_trusted_proc(flinfo->fn_oid);
|
|
|
|
stack->next_private = 0;
|
|
|
|
|
|
|
|
MemoryContextSwitchTo(oldcxt);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* process:transition permission between old and new label,
|
2012-06-11 03:20:04 +08:00
|
|
|
* when user tries to switch security label of the client on
|
|
|
|
* execution of trusted procedure.
|
2013-04-12 20:55:56 +08:00
|
|
|
*
|
|
|
|
* Also, db_procedure:entrypoint permission should be checked
|
|
|
|
* whether this procedure can perform as an entrypoint of the
|
2013-05-30 04:58:43 +08:00
|
|
|
* trusted procedure, or not. Note that db_procedure:execute
|
|
|
|
* permission shall be checked individually.
|
2012-02-16 02:54:26 +08:00
|
|
|
*/
|
|
|
|
if (stack->new_label)
|
2013-04-12 20:55:56 +08:00
|
|
|
{
|
|
|
|
ObjectAddress object;
|
|
|
|
|
|
|
|
object.classId = ProcedureRelationId;
|
|
|
|
object.objectId = flinfo->fn_oid;
|
|
|
|
object.objectSubId = 0;
|
|
|
|
sepgsql_avc_check_perms(&object,
|
|
|
|
SEPG_CLASS_DB_PROCEDURE,
|
|
|
|
SEPG_DB_PROCEDURE__ENTRYPOINT,
|
|
|
|
getObjectDescription(&object),
|
|
|
|
true);
|
|
|
|
|
2012-02-16 02:54:26 +08:00
|
|
|
sepgsql_avc_check_perms_label(stack->new_label,
|
|
|
|
SEPG_CLASS_PROCESS,
|
|
|
|
SEPG_PROCESS__TRANSITION,
|
|
|
|
NULL, true);
|
2013-04-12 20:55:56 +08:00
|
|
|
}
|
2012-02-16 02:54:26 +08:00
|
|
|
*private = PointerGetDatum(stack);
|
|
|
|
}
|
|
|
|
Assert(!stack->old_label);
|
|
|
|
if (stack->new_label)
|
|
|
|
{
|
2012-03-16 04:08:40 +08:00
|
|
|
stack->old_label = client_label_func;
|
|
|
|
client_label_func = stack->new_label;
|
2012-02-16 02:54:26 +08:00
|
|
|
}
|
|
|
|
if (next_fmgr_hook)
|
|
|
|
(*next_fmgr_hook) (event, flinfo, &stack->next_private);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case FHET_END:
|
|
|
|
case FHET_ABORT:
|
|
|
|
stack = (void *) DatumGetPointer(*private);
|
|
|
|
|
|
|
|
if (next_fmgr_hook)
|
|
|
|
(*next_fmgr_hook) (event, flinfo, &stack->next_private);
|
|
|
|
|
|
|
|
if (stack->new_label)
|
|
|
|
{
|
2012-03-16 04:08:40 +08:00
|
|
|
client_label_func = stack->old_label;
|
2012-02-16 02:54:26 +08:00
|
|
|
stack->old_label = NULL;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
elog(ERROR, "unexpected event type: %d", (int) event);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_init_client_label
|
|
|
|
*
|
2012-03-16 04:08:40 +08:00
|
|
|
* Initializes the client security label and sets up related hooks for client
|
|
|
|
* label management.
|
2012-02-16 02:54:26 +08:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
sepgsql_init_client_label(void)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Set up dummy client label.
|
|
|
|
*
|
|
|
|
* XXX - note that PostgreSQL launches background worker process like
|
|
|
|
* autovacuum without authentication steps. So, we initialize sepgsql_mode
|
|
|
|
* with SEPGSQL_MODE_INTERNAL, and client_label with the security context
|
|
|
|
* of server process. Later, it also launches background of user session.
|
|
|
|
* In this case, the process is always hooked on post-authentication, and
|
|
|
|
* we can initialize the sepgsql_mode and client_label correctly.
|
|
|
|
*/
|
2012-03-16 04:08:40 +08:00
|
|
|
if (getcon_raw(&client_label_peer) < 0)
|
2012-02-16 02:54:26 +08:00
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INTERNAL_ERROR),
|
|
|
|
errmsg("SELinux: failed to get server security label: %m")));
|
|
|
|
|
|
|
|
/* Client authentication hook */
|
|
|
|
next_client_auth_hook = ClientAuthentication_hook;
|
|
|
|
ClientAuthentication_hook = sepgsql_client_auth;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
2012-02-16 02:54:26 +08:00
|
|
|
/* Trusted procedure hooks */
|
|
|
|
next_needs_fmgr_hook = needs_fmgr_hook;
|
|
|
|
needs_fmgr_hook = sepgsql_needs_fmgr_hook;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
2012-02-16 02:54:26 +08:00
|
|
|
next_fmgr_hook = fmgr_hook;
|
|
|
|
fmgr_hook = sepgsql_fmgr_hook;
|
2012-03-16 04:08:40 +08:00
|
|
|
|
|
|
|
/* Transaction/Sub-transaction callbacks */
|
|
|
|
RegisterXactCallback(sepgsql_xact_callback, NULL);
|
|
|
|
RegisterSubXactCallback(sepgsql_subxact_callback, NULL);
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_get_label
|
|
|
|
*
|
|
|
|
* It returns a security context of the specified database object.
|
|
|
|
* If unlabeled or incorrectly labeled, the system "unlabeled" label
|
|
|
|
* shall be returned.
|
|
|
|
*/
|
|
|
|
char *
|
|
|
|
sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
|
|
|
|
{
|
2011-04-10 23:42:00 +08:00
|
|
|
ObjectAddress object;
|
|
|
|
char *label;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
2011-04-10 23:42:00 +08:00
|
|
|
object.classId = classId;
|
|
|
|
object.objectId = objectId;
|
|
|
|
object.objectSubId = subId;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
label = GetSecurityLabel(&object, SEPGSQL_LABEL_TAG);
|
2011-04-10 23:42:00 +08:00
|
|
|
if (!label || security_check_context_raw((security_context_t) label))
|
2011-01-24 09:44:48 +08:00
|
|
|
{
|
2011-04-10 23:42:00 +08:00
|
|
|
security_context_t unlabeled;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INTERNAL_ERROR),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-22 03:35:54 +08:00
|
|
|
errmsg("SELinux: failed to get initial security label: %m")));
|
2011-01-24 09:44:48 +08:00
|
|
|
PG_TRY();
|
|
|
|
{
|
|
|
|
label = pstrdup(unlabeled);
|
|
|
|
}
|
|
|
|
PG_CATCH();
|
|
|
|
{
|
|
|
|
freecon(unlabeled);
|
|
|
|
PG_RE_THROW();
|
|
|
|
}
|
|
|
|
PG_END_TRY();
|
|
|
|
|
|
|
|
freecon(unlabeled);
|
|
|
|
}
|
|
|
|
return label;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_object_relabel
|
|
|
|
*
|
|
|
|
* An entrypoint of SECURITY LABEL statement
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
|
|
|
|
{
|
|
|
|
/*
|
2011-04-10 23:42:00 +08:00
|
|
|
* validate format of the supplied security label, if it is security
|
|
|
|
* context of selinux.
|
2011-01-24 09:44:48 +08:00
|
|
|
*/
|
|
|
|
if (seclabel &&
|
|
|
|
security_check_context_raw((security_context_t) seclabel) < 0)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INVALID_NAME),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-22 03:35:54 +08:00
|
|
|
errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
|
2011-04-10 23:42:00 +08:00
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
/*
|
|
|
|
* Do actual permission checks for each object classes
|
|
|
|
*/
|
|
|
|
switch (object->classId)
|
|
|
|
{
|
2011-09-24 05:09:34 +08:00
|
|
|
case DatabaseRelationId:
|
|
|
|
sepgsql_database_relabel(object->objectId, seclabel);
|
|
|
|
break;
|
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
case NamespaceRelationId:
|
2011-04-10 23:42:00 +08:00
|
|
|
sepgsql_schema_relabel(object->objectId, seclabel);
|
2011-01-24 09:44:48 +08:00
|
|
|
break;
|
2011-09-24 05:09:34 +08:00
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
case RelationRelationId:
|
|
|
|
if (object->objectSubId == 0)
|
|
|
|
sepgsql_relation_relabel(object->objectId,
|
|
|
|
seclabel);
|
|
|
|
else
|
|
|
|
sepgsql_attribute_relabel(object->objectId,
|
|
|
|
object->objectSubId,
|
|
|
|
seclabel);
|
|
|
|
break;
|
2011-09-24 05:09:34 +08:00
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
case ProcedureRelationId:
|
|
|
|
sepgsql_proc_relabel(object->objectId, seclabel);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2015-03-12 00:12:10 +08:00
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
errmsg("sepgsql provider does not support labels on %s",
|
|
|
|
getObjectTypeDescription(object))));
|
2011-01-24 09:44:48 +08:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* TEXT sepgsql_getcon(VOID)
|
|
|
|
*
|
|
|
|
* It returns the security label of the client.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(sepgsql_getcon);
|
|
|
|
Datum
|
|
|
|
sepgsql_getcon(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2011-04-10 23:42:00 +08:00
|
|
|
char *client_label;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
if (!sepgsql_is_enabled())
|
2011-01-24 11:47:16 +08:00
|
|
|
PG_RETURN_NULL();
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
client_label = sepgsql_get_client_label();
|
|
|
|
|
2011-01-24 11:47:16 +08:00
|
|
|
PG_RETURN_TEXT_P(cstring_to_text(client_label));
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
|
|
|
|
2012-03-16 04:08:40 +08:00
|
|
|
/*
|
|
|
|
* BOOL sepgsql_setcon(TEXT)
|
|
|
|
*
|
|
|
|
* It switches the security label of the client.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(sepgsql_setcon);
|
|
|
|
Datum
|
|
|
|
sepgsql_setcon(PG_FUNCTION_ARGS)
|
|
|
|
{
|
|
|
|
const char *new_label;
|
|
|
|
|
|
|
|
if (PG_ARGISNULL(0))
|
|
|
|
new_label = NULL;
|
|
|
|
else
|
|
|
|
new_label = TextDatumGetCString(PG_GETARG_DATUM(0));
|
|
|
|
|
|
|
|
sepgsql_set_client_label(new_label);
|
|
|
|
|
|
|
|
PG_RETURN_BOOL(true);
|
|
|
|
}
|
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
/*
|
|
|
|
* TEXT sepgsql_mcstrans_in(TEXT)
|
|
|
|
*
|
|
|
|
* It translate the given qualified MLS/MCS range into raw format
|
|
|
|
* when mcstrans daemon is working.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(sepgsql_mcstrans_in);
|
|
|
|
Datum
|
|
|
|
sepgsql_mcstrans_in(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2017-03-13 07:35:34 +08:00
|
|
|
text *label = PG_GETARG_TEXT_PP(0);
|
2011-04-10 23:42:00 +08:00
|
|
|
char *raw_label;
|
|
|
|
char *result;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
if (!sepgsql_is_enabled())
|
|
|
|
ereport(ERROR,
|
2011-01-24 11:47:16 +08:00
|
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
|
|
errmsg("sepgsql is not enabled")));
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
if (selinux_trans_to_raw_context(text_to_cstring(label),
|
|
|
|
&raw_label) < 0)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INTERNAL_ERROR),
|
2011-02-03 12:39:43 +08:00
|
|
|
errmsg("SELinux: could not translate security label: %m")));
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
PG_TRY();
|
|
|
|
{
|
|
|
|
result = pstrdup(raw_label);
|
|
|
|
}
|
|
|
|
PG_CATCH();
|
|
|
|
{
|
|
|
|
freecon(raw_label);
|
|
|
|
PG_RE_THROW();
|
|
|
|
}
|
|
|
|
PG_END_TRY();
|
|
|
|
freecon(raw_label);
|
|
|
|
|
2011-01-24 11:47:16 +08:00
|
|
|
PG_RETURN_TEXT_P(cstring_to_text(result));
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* TEXT sepgsql_mcstrans_out(TEXT)
|
|
|
|
*
|
|
|
|
* It translate the given raw MLS/MCS range into qualified format
|
|
|
|
* when mcstrans daemon is working.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(sepgsql_mcstrans_out);
|
|
|
|
Datum
|
|
|
|
sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2017-03-13 07:35:34 +08:00
|
|
|
text *label = PG_GETARG_TEXT_PP(0);
|
2011-04-10 23:42:00 +08:00
|
|
|
char *qual_label;
|
|
|
|
char *result;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
if (!sepgsql_is_enabled())
|
|
|
|
ereport(ERROR,
|
2011-01-24 11:47:16 +08:00
|
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
|
|
errmsg("sepgsql is not currently enabled")));
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
if (selinux_raw_to_trans_context(text_to_cstring(label),
|
|
|
|
&qual_label) < 0)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INTERNAL_ERROR),
|
2011-02-03 12:39:43 +08:00
|
|
|
errmsg("SELinux: could not translate security label: %m")));
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
PG_TRY();
|
|
|
|
{
|
|
|
|
result = pstrdup(qual_label);
|
|
|
|
}
|
|
|
|
PG_CATCH();
|
|
|
|
{
|
|
|
|
freecon(qual_label);
|
|
|
|
PG_RE_THROW();
|
|
|
|
}
|
|
|
|
PG_END_TRY();
|
|
|
|
freecon(qual_label);
|
|
|
|
|
2011-01-24 11:47:16 +08:00
|
|
|
PG_RETURN_TEXT_P(cstring_to_text(result));
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
|
|
|
|
2011-02-03 12:39:43 +08:00
|
|
|
/*
|
|
|
|
* quote_object_names
|
|
|
|
*
|
|
|
|
* It tries to quote the supplied identifiers
|
|
|
|
*/
|
|
|
|
static char *
|
|
|
|
quote_object_name(const char *src1, const char *src2,
|
|
|
|
const char *src3, const char *src4)
|
|
|
|
{
|
2011-04-10 23:42:00 +08:00
|
|
|
StringInfoData result;
|
|
|
|
const char *temp;
|
2011-02-03 12:39:43 +08:00
|
|
|
|
|
|
|
initStringInfo(&result);
|
|
|
|
|
|
|
|
if (src1)
|
|
|
|
{
|
|
|
|
temp = quote_identifier(src1);
|
|
|
|
appendStringInfo(&result, "%s", temp);
|
|
|
|
if (src1 != temp)
|
2011-04-10 23:42:00 +08:00
|
|
|
pfree((void *) temp);
|
2011-02-03 12:39:43 +08:00
|
|
|
}
|
|
|
|
if (src2)
|
|
|
|
{
|
|
|
|
temp = quote_identifier(src2);
|
|
|
|
appendStringInfo(&result, ".%s", temp);
|
|
|
|
if (src2 != temp)
|
2011-04-10 23:42:00 +08:00
|
|
|
pfree((void *) temp);
|
2011-02-03 12:39:43 +08:00
|
|
|
}
|
|
|
|
if (src3)
|
|
|
|
{
|
|
|
|
temp = quote_identifier(src3);
|
|
|
|
appendStringInfo(&result, ".%s", temp);
|
|
|
|
if (src3 != temp)
|
2011-04-10 23:42:00 +08:00
|
|
|
pfree((void *) temp);
|
2011-02-03 12:39:43 +08:00
|
|
|
}
|
|
|
|
if (src4)
|
|
|
|
{
|
|
|
|
temp = quote_identifier(src4);
|
|
|
|
appendStringInfo(&result, ".%s", temp);
|
|
|
|
if (src4 != temp)
|
2011-04-10 23:42:00 +08:00
|
|
|
pfree((void *) temp);
|
2011-02-03 12:39:43 +08:00
|
|
|
}
|
|
|
|
return result.data;
|
|
|
|
}
|
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
/*
|
|
|
|
* exec_object_restorecon
|
|
|
|
*
|
|
|
|
* This routine is a helper called by sepgsql_restorecon; it set up
|
|
|
|
* initial security labels of database objects within the supplied
|
|
|
|
* catalog OID.
|
|
|
|
*/
|
|
|
|
static void
|
2017-06-22 02:39:04 +08:00
|
|
|
exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
|
2011-01-24 09:44:48 +08:00
|
|
|
{
|
2011-04-10 23:42:00 +08:00
|
|
|
Relation rel;
|
|
|
|
SysScanDesc sscan;
|
|
|
|
HeapTuple tuple;
|
|
|
|
char *database_name = get_database_name(MyDatabaseId);
|
|
|
|
char *namespace_name;
|
|
|
|
Oid namespace_id;
|
|
|
|
char *relation_name;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
/*
|
2011-04-10 23:42:00 +08:00
|
|
|
* Open the target catalog. We don't want to allow writable accesses by
|
|
|
|
* other session during initial labeling.
|
2011-01-24 09:44:48 +08:00
|
|
|
*/
|
|
|
|
rel = heap_open(catalogId, AccessShareLock);
|
|
|
|
|
|
|
|
sscan = systable_beginscan(rel, InvalidOid, false,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 21:47:01 +08:00
|
|
|
NULL, 0, NULL);
|
2011-01-24 09:44:48 +08:00
|
|
|
while (HeapTupleIsValid(tuple = systable_getnext(sscan)))
|
|
|
|
{
|
2011-09-24 05:09:34 +08:00
|
|
|
Form_pg_database datForm;
|
2011-04-10 23:42:00 +08:00
|
|
|
Form_pg_namespace nspForm;
|
|
|
|
Form_pg_class relForm;
|
|
|
|
Form_pg_attribute attForm;
|
|
|
|
Form_pg_proc proForm;
|
|
|
|
char *objname;
|
|
|
|
int objtype = 1234;
|
|
|
|
ObjectAddress object;
|
|
|
|
security_context_t context;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
/*
|
2011-04-10 23:42:00 +08:00
|
|
|
* The way to determine object name depends on object classes. So, any
|
|
|
|
* branches set up `objtype', `objname' and `object' here.
|
2011-01-24 09:44:48 +08:00
|
|
|
*/
|
|
|
|
switch (catalogId)
|
|
|
|
{
|
2011-09-24 05:09:34 +08:00
|
|
|
case DatabaseRelationId:
|
|
|
|
datForm = (Form_pg_database) GETSTRUCT(tuple);
|
|
|
|
|
|
|
|
objtype = SELABEL_DB_DATABASE;
|
|
|
|
|
|
|
|
objname = quote_object_name(NameStr(datForm->datname),
|
|
|
|
NULL, NULL, NULL);
|
|
|
|
|
|
|
|
object.classId = DatabaseRelationId;
|
Remove WITH OIDS support, change oid catalog column visibility.
Previously tables declared WITH OIDS, including a significant fraction
of the catalog tables, stored the oid column not as a normal column,
but as part of the tuple header.
This special column was not shown by default, which was somewhat odd,
as it's often (consider e.g. pg_class.oid) one of the more important
parts of a row. Neither pg_dump nor COPY included the contents of the
oid column by default.
The fact that the oid column was not an ordinary column necessitated a
significant amount of special case code to support oid columns. That
already was painful for the existing, but upcoming work aiming to make
table storage pluggable, would have required expanding and duplicating
that "specialness" significantly.
WITH OIDS has been deprecated since 2005 (commit ff02d0a05280e0).
Remove it.
Removing includes:
- CREATE TABLE and ALTER TABLE syntax for declaring the table to be
WITH OIDS has been removed (WITH (oids[ = true]) will error out)
- pg_dump does not support dumping tables declared WITH OIDS and will
issue a warning when dumping one (and ignore the oid column).
- restoring an pg_dump archive with pg_restore will warn when
restoring a table with oid contents (and ignore the oid column)
- COPY will refuse to load binary dump that includes oids.
- pg_upgrade will error out when encountering tables declared WITH
OIDS, they have to be altered to remove the oid column first.
- Functionality to access the oid of the last inserted row (like
plpgsql's RESULT_OID, spi's SPI_lastoid, ...) has been removed.
The syntax for declaring a table WITHOUT OIDS (or WITH (oids = false)
for CREATE TABLE) is still supported. While that requires a bit of
support code, it seems unnecessary to break applications / dumps that
do not use oids, and are explicit about not using them.
The biggest user of WITH OID columns was postgres' catalog. This
commit changes all 'magic' oid columns to be columns that are normally
declared and stored. To reduce unnecessary query breakage all the
newly added columns are still named 'oid', even if a table's column
naming scheme would indicate 'reloid' or such. This obviously
requires adapting a lot code, mostly replacing oid access via
HeapTupleGetOid() with access to the underlying Form_pg_*->oid column.
The bootstrap process now assigns oids for all oid columns in
genbki.pl that do not have an explicit value (starting at the largest
oid previously used), only oids assigned later by oids will be above
FirstBootstrapObjectId. As the oid column now is a normal column the
special bootstrap syntax for oids has been removed.
Oids are not automatically assigned during insertion anymore, all
backend code explicitly assigns oids with GetNewOidWithIndex(). For
the rare case that insertions into the catalog via SQL are called for
the new pg_nextoid() function can be used (which only works on catalog
tables).
The fact that oid columns on system tables are now normal columns
means that they will be included in the set of columns expanded
by * (i.e. SELECT * FROM pg_class will now include the table's oid,
previously it did not). It'd not technically be hard to hide oid
column by default, but that'd mean confusing behavior would either
have to be carried forward forever, or it'd cause breakage down the
line.
While it's not unlikely that further adjustments are needed, the
scope/invasiveness of the patch makes it worthwhile to get merge this
now. It's painful to maintain externally, too complicated to commit
after the code code freeze, and a dependency of a number of other
patches.
Catversion bump, for obvious reasons.
Author: Andres Freund, with contributions by John Naylor
Discussion: https://postgr.es/m/20180930034810.ywp2c7awz7opzcfr@alap3.anarazel.de
2018-11-21 07:36:57 +08:00
|
|
|
object.objectId = datForm->oid;
|
2011-09-24 05:09:34 +08:00
|
|
|
object.objectSubId = 0;
|
|
|
|
break;
|
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
case NamespaceRelationId:
|
|
|
|
nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
|
|
|
|
|
|
|
|
objtype = SELABEL_DB_SCHEMA;
|
2011-02-03 12:39:43 +08:00
|
|
|
|
|
|
|
objname = quote_object_name(database_name,
|
|
|
|
NameStr(nspForm->nspname),
|
|
|
|
NULL, NULL);
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
object.classId = NamespaceRelationId;
|
Remove WITH OIDS support, change oid catalog column visibility.
Previously tables declared WITH OIDS, including a significant fraction
of the catalog tables, stored the oid column not as a normal column,
but as part of the tuple header.
This special column was not shown by default, which was somewhat odd,
as it's often (consider e.g. pg_class.oid) one of the more important
parts of a row. Neither pg_dump nor COPY included the contents of the
oid column by default.
The fact that the oid column was not an ordinary column necessitated a
significant amount of special case code to support oid columns. That
already was painful for the existing, but upcoming work aiming to make
table storage pluggable, would have required expanding and duplicating
that "specialness" significantly.
WITH OIDS has been deprecated since 2005 (commit ff02d0a05280e0).
Remove it.
Removing includes:
- CREATE TABLE and ALTER TABLE syntax for declaring the table to be
WITH OIDS has been removed (WITH (oids[ = true]) will error out)
- pg_dump does not support dumping tables declared WITH OIDS and will
issue a warning when dumping one (and ignore the oid column).
- restoring an pg_dump archive with pg_restore will warn when
restoring a table with oid contents (and ignore the oid column)
- COPY will refuse to load binary dump that includes oids.
- pg_upgrade will error out when encountering tables declared WITH
OIDS, they have to be altered to remove the oid column first.
- Functionality to access the oid of the last inserted row (like
plpgsql's RESULT_OID, spi's SPI_lastoid, ...) has been removed.
The syntax for declaring a table WITHOUT OIDS (or WITH (oids = false)
for CREATE TABLE) is still supported. While that requires a bit of
support code, it seems unnecessary to break applications / dumps that
do not use oids, and are explicit about not using them.
The biggest user of WITH OID columns was postgres' catalog. This
commit changes all 'magic' oid columns to be columns that are normally
declared and stored. To reduce unnecessary query breakage all the
newly added columns are still named 'oid', even if a table's column
naming scheme would indicate 'reloid' or such. This obviously
requires adapting a lot code, mostly replacing oid access via
HeapTupleGetOid() with access to the underlying Form_pg_*->oid column.
The bootstrap process now assigns oids for all oid columns in
genbki.pl that do not have an explicit value (starting at the largest
oid previously used), only oids assigned later by oids will be above
FirstBootstrapObjectId. As the oid column now is a normal column the
special bootstrap syntax for oids has been removed.
Oids are not automatically assigned during insertion anymore, all
backend code explicitly assigns oids with GetNewOidWithIndex(). For
the rare case that insertions into the catalog via SQL are called for
the new pg_nextoid() function can be used (which only works on catalog
tables).
The fact that oid columns on system tables are now normal columns
means that they will be included in the set of columns expanded
by * (i.e. SELECT * FROM pg_class will now include the table's oid,
previously it did not). It'd not technically be hard to hide oid
column by default, but that'd mean confusing behavior would either
have to be carried forward forever, or it'd cause breakage down the
line.
While it's not unlikely that further adjustments are needed, the
scope/invasiveness of the patch makes it worthwhile to get merge this
now. It's painful to maintain externally, too complicated to commit
after the code code freeze, and a dependency of a number of other
patches.
Catversion bump, for obvious reasons.
Author: Andres Freund, with contributions by John Naylor
Discussion: https://postgr.es/m/20180930034810.ywp2c7awz7opzcfr@alap3.anarazel.de
2018-11-21 07:36:57 +08:00
|
|
|
object.objectId = nspForm->oid;
|
2011-01-24 09:44:48 +08:00
|
|
|
object.objectSubId = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case RelationRelationId:
|
|
|
|
relForm = (Form_pg_class) GETSTRUCT(tuple);
|
|
|
|
|
2017-04-10 05:01:58 +08:00
|
|
|
if (relForm->relkind == RELKIND_RELATION ||
|
|
|
|
relForm->relkind == RELKIND_PARTITIONED_TABLE)
|
2011-01-24 09:44:48 +08:00
|
|
|
objtype = SELABEL_DB_TABLE;
|
|
|
|
else if (relForm->relkind == RELKIND_SEQUENCE)
|
|
|
|
objtype = SELABEL_DB_SEQUENCE;
|
|
|
|
else if (relForm->relkind == RELKIND_VIEW)
|
|
|
|
objtype = SELABEL_DB_VIEW;
|
|
|
|
else
|
|
|
|
continue; /* no need to assign security label */
|
|
|
|
|
|
|
|
namespace_name = get_namespace_name(relForm->relnamespace);
|
2011-02-03 12:39:43 +08:00
|
|
|
objname = quote_object_name(database_name,
|
|
|
|
namespace_name,
|
|
|
|
NameStr(relForm->relname),
|
|
|
|
NULL);
|
2011-01-24 09:44:48 +08:00
|
|
|
pfree(namespace_name);
|
|
|
|
|
|
|
|
object.classId = RelationRelationId;
|
Remove WITH OIDS support, change oid catalog column visibility.
Previously tables declared WITH OIDS, including a significant fraction
of the catalog tables, stored the oid column not as a normal column,
but as part of the tuple header.
This special column was not shown by default, which was somewhat odd,
as it's often (consider e.g. pg_class.oid) one of the more important
parts of a row. Neither pg_dump nor COPY included the contents of the
oid column by default.
The fact that the oid column was not an ordinary column necessitated a
significant amount of special case code to support oid columns. That
already was painful for the existing, but upcoming work aiming to make
table storage pluggable, would have required expanding and duplicating
that "specialness" significantly.
WITH OIDS has been deprecated since 2005 (commit ff02d0a05280e0).
Remove it.
Removing includes:
- CREATE TABLE and ALTER TABLE syntax for declaring the table to be
WITH OIDS has been removed (WITH (oids[ = true]) will error out)
- pg_dump does not support dumping tables declared WITH OIDS and will
issue a warning when dumping one (and ignore the oid column).
- restoring an pg_dump archive with pg_restore will warn when
restoring a table with oid contents (and ignore the oid column)
- COPY will refuse to load binary dump that includes oids.
- pg_upgrade will error out when encountering tables declared WITH
OIDS, they have to be altered to remove the oid column first.
- Functionality to access the oid of the last inserted row (like
plpgsql's RESULT_OID, spi's SPI_lastoid, ...) has been removed.
The syntax for declaring a table WITHOUT OIDS (or WITH (oids = false)
for CREATE TABLE) is still supported. While that requires a bit of
support code, it seems unnecessary to break applications / dumps that
do not use oids, and are explicit about not using them.
The biggest user of WITH OID columns was postgres' catalog. This
commit changes all 'magic' oid columns to be columns that are normally
declared and stored. To reduce unnecessary query breakage all the
newly added columns are still named 'oid', even if a table's column
naming scheme would indicate 'reloid' or such. This obviously
requires adapting a lot code, mostly replacing oid access via
HeapTupleGetOid() with access to the underlying Form_pg_*->oid column.
The bootstrap process now assigns oids for all oid columns in
genbki.pl that do not have an explicit value (starting at the largest
oid previously used), only oids assigned later by oids will be above
FirstBootstrapObjectId. As the oid column now is a normal column the
special bootstrap syntax for oids has been removed.
Oids are not automatically assigned during insertion anymore, all
backend code explicitly assigns oids with GetNewOidWithIndex(). For
the rare case that insertions into the catalog via SQL are called for
the new pg_nextoid() function can be used (which only works on catalog
tables).
The fact that oid columns on system tables are now normal columns
means that they will be included in the set of columns expanded
by * (i.e. SELECT * FROM pg_class will now include the table's oid,
previously it did not). It'd not technically be hard to hide oid
column by default, but that'd mean confusing behavior would either
have to be carried forward forever, or it'd cause breakage down the
line.
While it's not unlikely that further adjustments are needed, the
scope/invasiveness of the patch makes it worthwhile to get merge this
now. It's painful to maintain externally, too complicated to commit
after the code code freeze, and a dependency of a number of other
patches.
Catversion bump, for obvious reasons.
Author: Andres Freund, with contributions by John Naylor
Discussion: https://postgr.es/m/20180930034810.ywp2c7awz7opzcfr@alap3.anarazel.de
2018-11-21 07:36:57 +08:00
|
|
|
object.objectId = relForm->oid;
|
2011-01-24 09:44:48 +08:00
|
|
|
object.objectSubId = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case AttributeRelationId:
|
|
|
|
attForm = (Form_pg_attribute) GETSTRUCT(tuple);
|
|
|
|
|
2017-04-10 05:01:58 +08:00
|
|
|
if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION &&
|
|
|
|
get_rel_relkind(attForm->attrelid) != RELKIND_PARTITIONED_TABLE)
|
2011-01-24 09:44:48 +08:00
|
|
|
continue; /* no need to assign security label */
|
|
|
|
|
|
|
|
objtype = SELABEL_DB_COLUMN;
|
|
|
|
|
|
|
|
namespace_id = get_rel_namespace(attForm->attrelid);
|
|
|
|
namespace_name = get_namespace_name(namespace_id);
|
|
|
|
relation_name = get_rel_name(attForm->attrelid);
|
2011-02-03 12:39:43 +08:00
|
|
|
objname = quote_object_name(database_name,
|
|
|
|
namespace_name,
|
|
|
|
relation_name,
|
|
|
|
NameStr(attForm->attname));
|
2011-01-24 09:44:48 +08:00
|
|
|
pfree(namespace_name);
|
2011-02-03 12:39:43 +08:00
|
|
|
pfree(relation_name);
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
object.classId = RelationRelationId;
|
|
|
|
object.objectId = attForm->attrelid;
|
|
|
|
object.objectSubId = attForm->attnum;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case ProcedureRelationId:
|
|
|
|
proForm = (Form_pg_proc) GETSTRUCT(tuple);
|
|
|
|
|
|
|
|
objtype = SELABEL_DB_PROCEDURE;
|
|
|
|
|
|
|
|
namespace_name = get_namespace_name(proForm->pronamespace);
|
2011-02-03 12:39:43 +08:00
|
|
|
objname = quote_object_name(database_name,
|
|
|
|
namespace_name,
|
|
|
|
NameStr(proForm->proname),
|
|
|
|
NULL);
|
2011-01-24 09:44:48 +08:00
|
|
|
pfree(namespace_name);
|
|
|
|
|
|
|
|
object.classId = ProcedureRelationId;
|
Remove WITH OIDS support, change oid catalog column visibility.
Previously tables declared WITH OIDS, including a significant fraction
of the catalog tables, stored the oid column not as a normal column,
but as part of the tuple header.
This special column was not shown by default, which was somewhat odd,
as it's often (consider e.g. pg_class.oid) one of the more important
parts of a row. Neither pg_dump nor COPY included the contents of the
oid column by default.
The fact that the oid column was not an ordinary column necessitated a
significant amount of special case code to support oid columns. That
already was painful for the existing, but upcoming work aiming to make
table storage pluggable, would have required expanding and duplicating
that "specialness" significantly.
WITH OIDS has been deprecated since 2005 (commit ff02d0a05280e0).
Remove it.
Removing includes:
- CREATE TABLE and ALTER TABLE syntax for declaring the table to be
WITH OIDS has been removed (WITH (oids[ = true]) will error out)
- pg_dump does not support dumping tables declared WITH OIDS and will
issue a warning when dumping one (and ignore the oid column).
- restoring an pg_dump archive with pg_restore will warn when
restoring a table with oid contents (and ignore the oid column)
- COPY will refuse to load binary dump that includes oids.
- pg_upgrade will error out when encountering tables declared WITH
OIDS, they have to be altered to remove the oid column first.
- Functionality to access the oid of the last inserted row (like
plpgsql's RESULT_OID, spi's SPI_lastoid, ...) has been removed.
The syntax for declaring a table WITHOUT OIDS (or WITH (oids = false)
for CREATE TABLE) is still supported. While that requires a bit of
support code, it seems unnecessary to break applications / dumps that
do not use oids, and are explicit about not using them.
The biggest user of WITH OID columns was postgres' catalog. This
commit changes all 'magic' oid columns to be columns that are normally
declared and stored. To reduce unnecessary query breakage all the
newly added columns are still named 'oid', even if a table's column
naming scheme would indicate 'reloid' or such. This obviously
requires adapting a lot code, mostly replacing oid access via
HeapTupleGetOid() with access to the underlying Form_pg_*->oid column.
The bootstrap process now assigns oids for all oid columns in
genbki.pl that do not have an explicit value (starting at the largest
oid previously used), only oids assigned later by oids will be above
FirstBootstrapObjectId. As the oid column now is a normal column the
special bootstrap syntax for oids has been removed.
Oids are not automatically assigned during insertion anymore, all
backend code explicitly assigns oids with GetNewOidWithIndex(). For
the rare case that insertions into the catalog via SQL are called for
the new pg_nextoid() function can be used (which only works on catalog
tables).
The fact that oid columns on system tables are now normal columns
means that they will be included in the set of columns expanded
by * (i.e. SELECT * FROM pg_class will now include the table's oid,
previously it did not). It'd not technically be hard to hide oid
column by default, but that'd mean confusing behavior would either
have to be carried forward forever, or it'd cause breakage down the
line.
While it's not unlikely that further adjustments are needed, the
scope/invasiveness of the patch makes it worthwhile to get merge this
now. It's painful to maintain externally, too complicated to commit
after the code code freeze, and a dependency of a number of other
patches.
Catversion bump, for obvious reasons.
Author: Andres Freund, with contributions by John Naylor
Discussion: https://postgr.es/m/20180930034810.ywp2c7awz7opzcfr@alap3.anarazel.de
2018-11-21 07:36:57 +08:00
|
|
|
object.objectId = proForm->oid;
|
2011-01-24 09:44:48 +08:00
|
|
|
object.objectSubId = 0;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2011-01-24 11:47:16 +08:00
|
|
|
elog(ERROR, "unexpected catalog id: %u", catalogId);
|
2011-04-10 23:42:00 +08:00
|
|
|
objname = NULL; /* for compiler quiet */
|
2011-01-24 09:44:48 +08:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (selabel_lookup_raw(sehnd, &context, objname, objtype) == 0)
|
|
|
|
{
|
|
|
|
PG_TRY();
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Check SELinux permission to relabel the fetched object,
|
|
|
|
* then do the actual relabeling.
|
|
|
|
*/
|
|
|
|
sepgsql_object_relabel(&object, context);
|
|
|
|
|
|
|
|
SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, context);
|
|
|
|
}
|
|
|
|
PG_CATCH();
|
|
|
|
{
|
|
|
|
freecon(context);
|
|
|
|
PG_RE_THROW();
|
|
|
|
}
|
|
|
|
PG_END_TRY();
|
|
|
|
freecon(context);
|
|
|
|
}
|
|
|
|
else if (errno == ENOENT)
|
|
|
|
ereport(WARNING,
|
2011-01-24 11:47:16 +08:00
|
|
|
(errmsg("SELinux: no initial label assigned for %s (type=%d), skipping",
|
2011-01-24 09:44:48 +08:00
|
|
|
objname, objtype)));
|
|
|
|
else
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INTERNAL_ERROR),
|
2011-02-03 12:39:43 +08:00
|
|
|
errmsg("SELinux: could not determine initial security label for %s (type=%d): %m", objname, objtype)));
|
|
|
|
|
|
|
|
pfree(objname);
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
|
|
|
systable_endscan(sscan);
|
|
|
|
|
|
|
|
heap_close(rel, NoLock);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* BOOL sepgsql_restorecon(TEXT specfile)
|
|
|
|
*
|
|
|
|
* This function tries to assign initial security labels on all the object
|
|
|
|
* within the current database, according to the system setting.
|
|
|
|
* It is typically invoked by sepgsql-install script just after initdb, to
|
|
|
|
* assign initial security labels.
|
|
|
|
*
|
|
|
|
* If @specfile is not NULL, it uses explicitly specified specfile, instead
|
|
|
|
* of the system default.
|
|
|
|
*/
|
|
|
|
PG_FUNCTION_INFO_V1(sepgsql_restorecon);
|
|
|
|
Datum
|
|
|
|
sepgsql_restorecon(PG_FUNCTION_ARGS)
|
|
|
|
{
|
2011-04-10 23:42:00 +08:00
|
|
|
struct selabel_handle *sehnd;
|
|
|
|
struct selinux_opt seopts;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* SELinux has to be enabled on the running platform.
|
|
|
|
*/
|
|
|
|
if (!sepgsql_is_enabled())
|
|
|
|
ereport(ERROR,
|
2011-01-24 11:47:16 +08:00
|
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
|
|
|
errmsg("sepgsql is not currently enabled")));
|
2011-04-10 23:42:00 +08:00
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
/*
|
2011-04-10 23:42:00 +08:00
|
|
|
* Check DAC permission. Only superuser can set up initial security
|
|
|
|
* labels, like root-user in filesystems
|
2011-01-24 09:44:48 +08:00
|
|
|
*/
|
|
|
|
if (!superuser())
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-22 03:35:54 +08:00
|
|
|
errmsg("SELinux: must be superuser to restore initial contexts")));
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
/*
|
2011-04-10 23:42:00 +08:00
|
|
|
* Open selabel_lookup(3) stuff. It provides a set of mapping between an
|
|
|
|
* initial security label and object class/name due to the system setting.
|
2011-01-24 09:44:48 +08:00
|
|
|
*/
|
|
|
|
if (PG_ARGISNULL(0))
|
|
|
|
{
|
|
|
|
seopts.type = SELABEL_OPT_UNUSED;
|
|
|
|
seopts.value = NULL;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
seopts.type = SELABEL_OPT_PATH;
|
|
|
|
seopts.value = TextDatumGetCString(PG_GETARG_DATUM(0));
|
|
|
|
}
|
|
|
|
sehnd = selabel_open(SELABEL_CTX_DB, &seopts, 1);
|
|
|
|
if (!sehnd)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INTERNAL_ERROR),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-22 03:35:54 +08:00
|
|
|
errmsg("SELinux: failed to initialize labeling handle: %m")));
|
2011-01-24 09:44:48 +08:00
|
|
|
PG_TRY();
|
|
|
|
{
|
2011-09-24 05:09:34 +08:00
|
|
|
exec_object_restorecon(sehnd, DatabaseRelationId);
|
2011-01-24 09:44:48 +08:00
|
|
|
exec_object_restorecon(sehnd, NamespaceRelationId);
|
|
|
|
exec_object_restorecon(sehnd, RelationRelationId);
|
|
|
|
exec_object_restorecon(sehnd, AttributeRelationId);
|
|
|
|
exec_object_restorecon(sehnd, ProcedureRelationId);
|
|
|
|
}
|
|
|
|
PG_CATCH();
|
|
|
|
{
|
|
|
|
selabel_close(sehnd);
|
|
|
|
PG_RE_THROW();
|
|
|
|
}
|
2011-04-10 23:42:00 +08:00
|
|
|
PG_END_TRY();
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
selabel_close(sehnd);
|
|
|
|
|
|
|
|
PG_RETURN_BOOL(true);
|
|
|
|
}
|