2011-01-24 09:44:48 +08:00
|
|
|
/* -------------------------------------------------------------------------
|
|
|
|
*
|
|
|
|
* contrib/sepgsql/dml.c
|
|
|
|
*
|
|
|
|
* Routines to handle DML permission checks
|
|
|
|
*
|
2022-01-08 08:04:57 +08:00
|
|
|
* Copyright (c) 2010-2022, PostgreSQL Global Development Group
|
2011-01-24 09:44:48 +08:00
|
|
|
*
|
|
|
|
* -------------------------------------------------------------------------
|
|
|
|
*/
|
|
|
|
#include "postgres.h"
|
|
|
|
|
2012-09-06 02:01:15 +08:00
|
|
|
#include "access/htup_details.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "access/sysattr.h"
|
|
|
|
#include "access/tupdesc.h"
|
|
|
|
#include "catalog/catalog.h"
|
2011-02-03 12:39:43 +08:00
|
|
|
#include "catalog/dependency.h"
|
2019-10-23 11:56:22 +08:00
|
|
|
#include "catalog/heap.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "catalog/pg_attribute.h"
|
|
|
|
#include "catalog/pg_class.h"
|
2018-04-09 02:35:29 +08:00
|
|
|
#include "catalog/pg_inherits.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "commands/seclabel.h"
|
|
|
|
#include "commands/tablecmds.h"
|
|
|
|
#include "executor/executor.h"
|
|
|
|
#include "nodes/bitmapset.h"
|
2019-10-23 11:56:22 +08:00
|
|
|
#include "sepgsql.h"
|
2011-01-24 09:44:48 +08:00
|
|
|
#include "utils/lsyscache.h"
|
|
|
|
#include "utils/syscache.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* fixup_whole_row_references
|
|
|
|
*
|
2020-04-17 02:45:54 +08:00
|
|
|
* When user references a whole-row Var, it is equivalent to referencing
|
2011-01-24 09:44:48 +08:00
|
|
|
* all the user columns (not system columns). So, we need to fix up the
|
2020-04-17 02:45:54 +08:00
|
|
|
* given bitmapset, if it contains a whole-row reference.
|
2011-01-24 09:44:48 +08:00
|
|
|
*/
|
|
|
|
static Bitmapset *
|
|
|
|
fixup_whole_row_references(Oid relOid, Bitmapset *columns)
|
|
|
|
{
|
|
|
|
Bitmapset *result;
|
|
|
|
HeapTuple tuple;
|
|
|
|
AttrNumber natts;
|
|
|
|
AttrNumber attno;
|
|
|
|
int index;
|
|
|
|
|
2020-04-17 02:45:54 +08:00
|
|
|
/* if no whole-row references, nothing to do */
|
2011-01-24 09:44:48 +08:00
|
|
|
index = InvalidAttrNumber - FirstLowInvalidHeapAttributeNumber;
|
|
|
|
if (!bms_is_member(index, columns))
|
|
|
|
return columns;
|
|
|
|
|
|
|
|
/* obtain number of attributes */
|
|
|
|
tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relOid));
|
|
|
|
if (!HeapTupleIsValid(tuple))
|
|
|
|
elog(ERROR, "cache lookup failed for relation %u", relOid);
|
|
|
|
natts = ((Form_pg_class) GETSTRUCT(tuple))->relnatts;
|
|
|
|
ReleaseSysCache(tuple);
|
|
|
|
|
2020-04-17 02:45:54 +08:00
|
|
|
/* remove bit 0 from column set, add in all the non-dropped columns */
|
2011-01-24 09:44:48 +08:00
|
|
|
result = bms_copy(columns);
|
|
|
|
result = bms_del_member(result, index);
|
|
|
|
|
|
|
|
for (attno = 1; attno <= natts; attno++)
|
|
|
|
{
|
|
|
|
tuple = SearchSysCache2(ATTNUM,
|
|
|
|
ObjectIdGetDatum(relOid),
|
|
|
|
Int16GetDatum(attno));
|
|
|
|
if (!HeapTupleIsValid(tuple))
|
2020-04-17 02:45:54 +08:00
|
|
|
continue; /* unexpected case, should we error? */
|
2011-01-24 09:44:48 +08:00
|
|
|
|
2020-04-17 02:45:54 +08:00
|
|
|
if (!((Form_pg_attribute) GETSTRUCT(tuple))->attisdropped)
|
|
|
|
{
|
|
|
|
index = attno - FirstLowInvalidHeapAttributeNumber;
|
|
|
|
result = bms_add_member(result, index);
|
|
|
|
}
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
ReleaseSysCache(tuple);
|
|
|
|
}
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* fixup_inherited_columns
|
|
|
|
*
|
|
|
|
* When user is querying on a table with children, it implicitly accesses
|
|
|
|
* child tables also. So, we also need to check security label of child
|
|
|
|
* tables and columns, but here is no guarantee attribute numbers are
|
2019-10-30 09:03:00 +08:00
|
|
|
* same between the parent and children.
|
2011-01-24 09:44:48 +08:00
|
|
|
* It returns a bitmapset which contains attribute number of the child
|
|
|
|
* table based on the given bitmapset of the parent.
|
|
|
|
*/
|
|
|
|
static Bitmapset *
|
|
|
|
fixup_inherited_columns(Oid parentId, Oid childId, Bitmapset *columns)
|
|
|
|
{
|
|
|
|
Bitmapset *result = NULL;
|
|
|
|
int index;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* obviously, no need to do anything here
|
|
|
|
*/
|
|
|
|
if (parentId == childId)
|
|
|
|
return columns;
|
|
|
|
|
2014-11-29 02:37:25 +08:00
|
|
|
index = -1;
|
|
|
|
while ((index = bms_next_member(columns, index)) >= 0)
|
2011-01-24 09:44:48 +08:00
|
|
|
{
|
2014-11-29 02:37:25 +08:00
|
|
|
/* bit numbers are offset by FirstLowInvalidHeapAttributeNumber */
|
|
|
|
AttrNumber attno = index + FirstLowInvalidHeapAttributeNumber;
|
|
|
|
char *attname;
|
2011-04-10 23:42:00 +08:00
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
/*
|
|
|
|
* whole-row-reference shall be fixed-up later
|
|
|
|
*/
|
|
|
|
if (attno == InvalidAttrNumber)
|
|
|
|
{
|
|
|
|
result = bms_add_member(result, index);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2018-02-13 06:30:30 +08:00
|
|
|
attname = get_attname(parentId, attno, false);
|
2011-01-24 09:44:48 +08:00
|
|
|
attno = get_attnum(childId, attname);
|
|
|
|
if (attno == InvalidAttrNumber)
|
|
|
|
elog(ERROR, "cache lookup failed for attribute %s of relation %u",
|
|
|
|
attname, childId);
|
|
|
|
|
2014-11-29 02:37:25 +08:00
|
|
|
result = bms_add_member(result,
|
|
|
|
attno - FirstLowInvalidHeapAttributeNumber);
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
pfree(attname);
|
|
|
|
}
|
|
|
|
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* check_relation_privileges
|
|
|
|
*
|
|
|
|
* It actually checks required permissions on a certain relation
|
|
|
|
* and its columns.
|
|
|
|
*/
|
|
|
|
static bool
|
|
|
|
check_relation_privileges(Oid relOid,
|
|
|
|
Bitmapset *selected,
|
2015-05-08 06:20:46 +08:00
|
|
|
Bitmapset *inserted,
|
|
|
|
Bitmapset *updated,
|
2011-01-24 09:44:48 +08:00
|
|
|
uint32 required,
|
2012-09-06 02:01:15 +08:00
|
|
|
bool abort_on_violation)
|
2011-01-24 09:44:48 +08:00
|
|
|
{
|
2011-09-01 20:37:33 +08:00
|
|
|
ObjectAddress object;
|
2011-02-03 12:39:43 +08:00
|
|
|
char *audit_name;
|
2011-01-24 09:44:48 +08:00
|
|
|
Bitmapset *columns;
|
|
|
|
int index;
|
2011-09-01 20:37:33 +08:00
|
|
|
char relkind = get_rel_relkind(relOid);
|
2011-01-24 09:44:48 +08:00
|
|
|
bool result = true;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Hardwired Policies: SE-PostgreSQL enforces - clients cannot modify
|
|
|
|
* system catalogs using DMLs - clients cannot reference/modify toast
|
|
|
|
* relations using DMLs
|
|
|
|
*/
|
|
|
|
if (sepgsql_getenforce() > 0)
|
|
|
|
{
|
Clean up the behavior and API of catalog.c's is-catalog-relation tests.
The right way for IsCatalogRelation/Class to behave is to return true
for OIDs less than FirstBootstrapObjectId (not FirstNormalObjectId),
without any of the ad-hoc fooling around with schema membership.
The previous code was wrong because (1) it claimed that
information_schema tables were not catalog relations but their toast
tables were, which is silly; and (2) if you dropped and recreated
information_schema, which is a supported operation, the behavior
changed. That's even sillier. With this definition, "catalog
relations" are exactly the ones traceable to the postgres.bki data,
which seems like what we want.
With this simplification, we don't actually need access to the pg_class
tuple to identify a catalog relation; we only need its OID. Hence,
replace IsCatalogClass with "IsCatalogRelationOid(oid)". But keep
IsCatalogRelation as a convenience function.
This allows fixing some arguably-wrong semantics in contrib/sepgsql and
ReindexRelationConcurrently, which were using an IsSystemNamespace test
where what they really should be using is IsCatalogRelationOid. The
previous coding failed to protect toast tables of system catalogs, and
also was not on board with the general principle that user-created tables
do not become catalogs just by virtue of being renamed into pg_catalog.
We can also get rid of a messy hack in ReindexMultipleTables.
While we're at it, also rename IsSystemNamespace to IsCatalogNamespace,
because the previous name invited confusion with the more expansive
semantics used by IsSystemRelation/Class.
Also improve the comments in catalog.c.
There are a few remaining places in replication-related code that are
special-casing OIDs below FirstNormalObjectId. I'm inclined to think
those are wrong too, and if there should be any special case it should
just extend to FirstBootstrapObjectId. But first we need to debate
whether a FOR ALL TABLES publication should include information_schema.
Discussion: https://postgr.es/m/21697.1557092753@sss.pgh.pa.us
Discussion: https://postgr.es/m/15150.1557257111@sss.pgh.pa.us
2019-05-09 11:27:29 +08:00
|
|
|
if ((required & (SEPG_DB_TABLE__UPDATE |
|
2011-01-24 09:44:48 +08:00
|
|
|
SEPG_DB_TABLE__INSERT |
|
Clean up the behavior and API of catalog.c's is-catalog-relation tests.
The right way for IsCatalogRelation/Class to behave is to return true
for OIDs less than FirstBootstrapObjectId (not FirstNormalObjectId),
without any of the ad-hoc fooling around with schema membership.
The previous code was wrong because (1) it claimed that
information_schema tables were not catalog relations but their toast
tables were, which is silly; and (2) if you dropped and recreated
information_schema, which is a supported operation, the behavior
changed. That's even sillier. With this definition, "catalog
relations" are exactly the ones traceable to the postgres.bki data,
which seems like what we want.
With this simplification, we don't actually need access to the pg_class
tuple to identify a catalog relation; we only need its OID. Hence,
replace IsCatalogClass with "IsCatalogRelationOid(oid)". But keep
IsCatalogRelation as a convenience function.
This allows fixing some arguably-wrong semantics in contrib/sepgsql and
ReindexRelationConcurrently, which were using an IsSystemNamespace test
where what they really should be using is IsCatalogRelationOid. The
previous coding failed to protect toast tables of system catalogs, and
also was not on board with the general principle that user-created tables
do not become catalogs just by virtue of being renamed into pg_catalog.
We can also get rid of a messy hack in ReindexMultipleTables.
While we're at it, also rename IsSystemNamespace to IsCatalogNamespace,
because the previous name invited confusion with the more expansive
semantics used by IsSystemRelation/Class.
Also improve the comments in catalog.c.
There are a few remaining places in replication-related code that are
special-casing OIDs below FirstNormalObjectId. I'm inclined to think
those are wrong too, and if there should be any special case it should
just extend to FirstBootstrapObjectId. But first we need to debate
whether a FOR ALL TABLES publication should include information_schema.
Discussion: https://postgr.es/m/21697.1557092753@sss.pgh.pa.us
Discussion: https://postgr.es/m/15150.1557257111@sss.pgh.pa.us
2019-05-09 11:27:29 +08:00
|
|
|
SEPG_DB_TABLE__DELETE)) != 0 &&
|
|
|
|
IsCatalogRelationOid(relOid))
|
2011-01-24 09:44:48 +08:00
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
2011-01-24 11:47:16 +08:00
|
|
|
errmsg("SELinux: hardwired security policy violation")));
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
if (relkind == RELKIND_TOASTVALUE)
|
|
|
|
ereport(ERROR,
|
|
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
2011-01-24 11:47:16 +08:00
|
|
|
errmsg("SELinux: hardwired security policy violation")));
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check permissions on the relation
|
|
|
|
*/
|
2011-09-01 20:37:33 +08:00
|
|
|
object.classId = RelationRelationId;
|
|
|
|
object.objectId = relOid;
|
|
|
|
object.objectSubId = 0;
|
2020-07-15 08:03:10 +08:00
|
|
|
audit_name = getObjectIdentity(&object, false);
|
2011-01-24 09:44:48 +08:00
|
|
|
switch (relkind)
|
|
|
|
{
|
|
|
|
case RELKIND_RELATION:
|
2017-04-10 05:01:58 +08:00
|
|
|
case RELKIND_PARTITIONED_TABLE:
|
2011-09-01 20:37:33 +08:00
|
|
|
result = sepgsql_avc_check_perms(&object,
|
|
|
|
SEPG_CLASS_DB_TABLE,
|
|
|
|
required,
|
|
|
|
audit_name,
|
2012-09-06 02:01:15 +08:00
|
|
|
abort_on_violation);
|
2011-01-24 09:44:48 +08:00
|
|
|
break;
|
|
|
|
|
|
|
|
case RELKIND_SEQUENCE:
|
|
|
|
Assert((required & ~SEPG_DB_TABLE__SELECT) == 0);
|
|
|
|
|
|
|
|
if (required & SEPG_DB_TABLE__SELECT)
|
2011-09-01 20:37:33 +08:00
|
|
|
result = sepgsql_avc_check_perms(&object,
|
|
|
|
SEPG_CLASS_DB_SEQUENCE,
|
|
|
|
SEPG_DB_SEQUENCE__GET_VALUE,
|
|
|
|
audit_name,
|
2012-09-06 02:01:15 +08:00
|
|
|
abort_on_violation);
|
2011-02-03 12:39:43 +08:00
|
|
|
break;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
case RELKIND_VIEW:
|
2011-09-01 20:37:33 +08:00
|
|
|
result = sepgsql_avc_check_perms(&object,
|
|
|
|
SEPG_CLASS_DB_VIEW,
|
|
|
|
SEPG_DB_VIEW__EXPAND,
|
|
|
|
audit_name,
|
2012-09-06 02:01:15 +08:00
|
|
|
abort_on_violation);
|
2011-02-03 12:39:43 +08:00
|
|
|
break;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
default:
|
|
|
|
/* nothing to be checked */
|
2011-02-03 12:39:43 +08:00
|
|
|
break;
|
2011-01-24 09:44:48 +08:00
|
|
|
}
|
2011-02-03 12:39:43 +08:00
|
|
|
pfree(audit_name);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Only columns owned by relations shall be checked
|
|
|
|
*/
|
2017-04-10 05:01:58 +08:00
|
|
|
if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
|
2011-02-03 12:39:43 +08:00
|
|
|
return true;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Check permissions on the columns
|
|
|
|
*/
|
|
|
|
selected = fixup_whole_row_references(relOid, selected);
|
2015-05-08 06:20:46 +08:00
|
|
|
inserted = fixup_whole_row_references(relOid, inserted);
|
|
|
|
updated = fixup_whole_row_references(relOid, updated);
|
|
|
|
columns = bms_union(selected, bms_union(inserted, updated));
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
while ((index = bms_first_member(columns)) >= 0)
|
|
|
|
{
|
|
|
|
AttrNumber attnum;
|
|
|
|
uint32 column_perms = 0;
|
|
|
|
|
|
|
|
if (bms_is_member(index, selected))
|
|
|
|
column_perms |= SEPG_DB_COLUMN__SELECT;
|
2015-05-08 06:20:46 +08:00
|
|
|
if (bms_is_member(index, inserted))
|
2011-01-24 09:44:48 +08:00
|
|
|
{
|
|
|
|
if (required & SEPG_DB_TABLE__INSERT)
|
|
|
|
column_perms |= SEPG_DB_COLUMN__INSERT;
|
|
|
|
}
|
2015-05-08 06:20:46 +08:00
|
|
|
if (bms_is_member(index, updated))
|
|
|
|
{
|
|
|
|
if (required & SEPG_DB_TABLE__UPDATE)
|
|
|
|
column_perms |= SEPG_DB_COLUMN__UPDATE;
|
|
|
|
}
|
2011-01-24 09:44:48 +08:00
|
|
|
if (column_perms == 0)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
/* obtain column's permission */
|
|
|
|
attnum = index + FirstLowInvalidHeapAttributeNumber;
|
2011-02-03 12:39:43 +08:00
|
|
|
|
|
|
|
object.classId = RelationRelationId;
|
|
|
|
object.objectId = relOid;
|
|
|
|
object.objectSubId = attnum;
|
2020-07-15 08:03:10 +08:00
|
|
|
audit_name = getObjectDescription(&object, false);
|
2011-01-24 09:44:48 +08:00
|
|
|
|
2011-09-01 20:37:33 +08:00
|
|
|
result = sepgsql_avc_check_perms(&object,
|
|
|
|
SEPG_CLASS_DB_COLUMN,
|
|
|
|
column_perms,
|
|
|
|
audit_name,
|
2012-09-06 02:01:15 +08:00
|
|
|
abort_on_violation);
|
2011-02-03 12:39:43 +08:00
|
|
|
pfree(audit_name);
|
|
|
|
|
2011-01-24 09:44:48 +08:00
|
|
|
if (!result)
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sepgsql_dml_privileges
|
|
|
|
*
|
|
|
|
* Entrypoint of the DML permission checks
|
|
|
|
*/
|
|
|
|
bool
|
2012-09-06 02:01:15 +08:00
|
|
|
sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation)
|
2011-01-24 09:44:48 +08:00
|
|
|
{
|
|
|
|
ListCell *lr;
|
|
|
|
|
|
|
|
foreach(lr, rangeTabls)
|
|
|
|
{
|
|
|
|
RangeTblEntry *rte = lfirst(lr);
|
|
|
|
uint32 required = 0;
|
|
|
|
List *tableIds;
|
|
|
|
ListCell *li;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Only regular relations shall be checked
|
|
|
|
*/
|
|
|
|
if (rte->rtekind != RTE_RELATION)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Find out required permissions
|
|
|
|
*/
|
|
|
|
if (rte->requiredPerms & ACL_SELECT)
|
|
|
|
required |= SEPG_DB_TABLE__SELECT;
|
|
|
|
if (rte->requiredPerms & ACL_INSERT)
|
|
|
|
required |= SEPG_DB_TABLE__INSERT;
|
|
|
|
if (rte->requiredPerms & ACL_UPDATE)
|
|
|
|
{
|
2015-05-08 06:20:46 +08:00
|
|
|
if (!bms_is_empty(rte->updatedCols))
|
2011-01-24 09:44:48 +08:00
|
|
|
required |= SEPG_DB_TABLE__UPDATE;
|
|
|
|
else
|
|
|
|
required |= SEPG_DB_TABLE__LOCK;
|
|
|
|
}
|
|
|
|
if (rte->requiredPerms & ACL_DELETE)
|
|
|
|
required |= SEPG_DB_TABLE__DELETE;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Skip, if nothing to be checked
|
|
|
|
*/
|
|
|
|
if (required == 0)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If this RangeTblEntry is also supposed to reference inherited
|
|
|
|
* tables, we need to check security label of the child tables. So, we
|
|
|
|
* expand rte->relid into list of OIDs of inheritance hierarchy, then
|
|
|
|
* checker routine will be invoked for each relations.
|
|
|
|
*/
|
|
|
|
if (!rte->inh)
|
|
|
|
tableIds = list_make1_oid(rte->relid);
|
|
|
|
else
|
|
|
|
tableIds = find_all_inheritors(rte->relid, NoLock, NULL);
|
|
|
|
|
|
|
|
foreach(li, tableIds)
|
|
|
|
{
|
|
|
|
Oid tableOid = lfirst_oid(li);
|
|
|
|
Bitmapset *selectedCols;
|
2015-05-08 06:20:46 +08:00
|
|
|
Bitmapset *insertedCols;
|
|
|
|
Bitmapset *updatedCols;
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* child table has different attribute numbers, so we need to fix
|
|
|
|
* up them.
|
|
|
|
*/
|
|
|
|
selectedCols = fixup_inherited_columns(rte->relid, tableOid,
|
|
|
|
rte->selectedCols);
|
2015-05-08 06:20:46 +08:00
|
|
|
insertedCols = fixup_inherited_columns(rte->relid, tableOid,
|
|
|
|
rte->insertedCols);
|
|
|
|
updatedCols = fixup_inherited_columns(rte->relid, tableOid,
|
|
|
|
rte->updatedCols);
|
2011-01-24 09:44:48 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* check permissions on individual tables
|
|
|
|
*/
|
|
|
|
if (!check_relation_privileges(tableOid,
|
|
|
|
selectedCols,
|
2015-05-08 06:20:46 +08:00
|
|
|
insertedCols,
|
|
|
|
updatedCols,
|
2012-09-06 02:01:15 +08:00
|
|
|
required, abort_on_violation))
|
2011-01-24 09:44:48 +08:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
list_free(tableIds);
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|