postgresql/contrib/sepgsql/sepgsql.h

330 lines
12 KiB
C
Raw Normal View History

/* -------------------------------------------------------------------------
*
* contrib/sepgsql/sepgsql.h
*
* Definitions corresponding to SE-PostgreSQL
*
* Copyright (c) 2010-2021, PostgreSQL Global Development Group
*
* -------------------------------------------------------------------------
*/
#ifndef SEPGSQL_H
#define SEPGSQL_H
#include "catalog/objectaddress.h"
2011-03-26 11:09:17 +08:00
#include "fmgr.h"
#include <selinux/selinux.h>
#include <selinux/avc.h>
/*
* SE-PostgreSQL Label Tag
*/
#define SEPGSQL_LABEL_TAG "selinux"
/*
* SE-PostgreSQL performing mode
*/
#define SEPGSQL_MODE_DEFAULT 1
#define SEPGSQL_MODE_PERMISSIVE 2
#define SEPGSQL_MODE_INTERNAL 3
#define SEPGSQL_MODE_DISABLED 4
/*
* Internally used code of object classes
*/
#define SEPG_CLASS_PROCESS 0
#define SEPG_CLASS_FILE 1
#define SEPG_CLASS_DIR 2
#define SEPG_CLASS_LNK_FILE 3
#define SEPG_CLASS_CHR_FILE 4
#define SEPG_CLASS_BLK_FILE 5
#define SEPG_CLASS_SOCK_FILE 6
#define SEPG_CLASS_FIFO_FILE 7
#define SEPG_CLASS_DB_DATABASE 8
#define SEPG_CLASS_DB_SCHEMA 9
#define SEPG_CLASS_DB_TABLE 10
#define SEPG_CLASS_DB_SEQUENCE 11
#define SEPG_CLASS_DB_PROCEDURE 12
#define SEPG_CLASS_DB_COLUMN 13
#define SEPG_CLASS_DB_TUPLE 14
#define SEPG_CLASS_DB_BLOB 15
#define SEPG_CLASS_DB_LANGUAGE 16
#define SEPG_CLASS_DB_VIEW 17
#define SEPG_CLASS_MAX 18
/*
* Internally used code of access vectors
*/
#define SEPG_PROCESS__TRANSITION (1<<0)
#define SEPG_PROCESS__DYNTRANSITION (1<<1)
#define SEPG_PROCESS__SETCURRENT (1<<2)
#define SEPG_FILE__READ (1<<0)
#define SEPG_FILE__WRITE (1<<1)
#define SEPG_FILE__CREATE (1<<2)
#define SEPG_FILE__GETATTR (1<<3)
#define SEPG_FILE__UNLINK (1<<4)
#define SEPG_FILE__RENAME (1<<5)
#define SEPG_FILE__APPEND (1<<6)
#define SEPG_DIR__READ (SEPG_FILE__READ)
#define SEPG_DIR__WRITE (SEPG_FILE__WRITE)
#define SEPG_DIR__CREATE (SEPG_FILE__CREATE)
#define SEPG_DIR__GETATTR (SEPG_FILE__GETATTR)
#define SEPG_DIR__UNLINK (SEPG_FILE__UNLINK)
#define SEPG_DIR__RENAME (SEPG_FILE__RENAME)
#define SEPG_DIR__SEARCH (1<<6)
#define SEPG_DIR__ADD_NAME (1<<7)
#define SEPG_DIR__REMOVE_NAME (1<<8)
#define SEPG_DIR__RMDIR (1<<9)
#define SEPG_DIR__REPARENT (1<<10)
#define SEPG_LNK_FILE__READ (SEPG_FILE__READ)
#define SEPG_LNK_FILE__WRITE (SEPG_FILE__WRITE)
#define SEPG_LNK_FILE__CREATE (SEPG_FILE__CREATE)
#define SEPG_LNK_FILE__GETATTR (SEPG_FILE__GETATTR)
#define SEPG_LNK_FILE__UNLINK (SEPG_FILE__UNLINK)
#define SEPG_LNK_FILE__RENAME (SEPG_FILE__RENAME)
#define SEPG_CHR_FILE__READ (SEPG_FILE__READ)
#define SEPG_CHR_FILE__WRITE (SEPG_FILE__WRITE)
#define SEPG_CHR_FILE__CREATE (SEPG_FILE__CREATE)
#define SEPG_CHR_FILE__GETATTR (SEPG_FILE__GETATTR)
#define SEPG_CHR_FILE__UNLINK (SEPG_FILE__UNLINK)
#define SEPG_CHR_FILE__RENAME (SEPG_FILE__RENAME)
#define SEPG_BLK_FILE__READ (SEPG_FILE__READ)
#define SEPG_BLK_FILE__WRITE (SEPG_FILE__WRITE)
#define SEPG_BLK_FILE__CREATE (SEPG_FILE__CREATE)
#define SEPG_BLK_FILE__GETATTR (SEPG_FILE__GETATTR)
#define SEPG_BLK_FILE__UNLINK (SEPG_FILE__UNLINK)
#define SEPG_BLK_FILE__RENAME (SEPG_FILE__RENAME)
#define SEPG_SOCK_FILE__READ (SEPG_FILE__READ)
#define SEPG_SOCK_FILE__WRITE (SEPG_FILE__WRITE)
#define SEPG_SOCK_FILE__CREATE (SEPG_FILE__CREATE)
#define SEPG_SOCK_FILE__GETATTR (SEPG_FILE__GETATTR)
#define SEPG_SOCK_FILE__UNLINK (SEPG_FILE__UNLINK)
#define SEPG_SOCK_FILE__RENAME (SEPG_FILE__RENAME)
#define SEPG_FIFO_FILE__READ (SEPG_FILE__READ)
#define SEPG_FIFO_FILE__WRITE (SEPG_FILE__WRITE)
#define SEPG_FIFO_FILE__CREATE (SEPG_FILE__CREATE)
#define SEPG_FIFO_FILE__GETATTR (SEPG_FILE__GETATTR)
#define SEPG_FIFO_FILE__UNLINK (SEPG_FILE__UNLINK)
#define SEPG_FIFO_FILE__RENAME (SEPG_FILE__RENAME)
#define SEPG_DB_DATABASE__CREATE (1<<0)
#define SEPG_DB_DATABASE__DROP (1<<1)
#define SEPG_DB_DATABASE__GETATTR (1<<2)
#define SEPG_DB_DATABASE__SETATTR (1<<3)
#define SEPG_DB_DATABASE__RELABELFROM (1<<4)
#define SEPG_DB_DATABASE__RELABELTO (1<<5)
#define SEPG_DB_DATABASE__ACCESS (1<<6)
#define SEPG_DB_DATABASE__LOAD_MODULE (1<<7)
#define SEPG_DB_SCHEMA__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_SCHEMA__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_SCHEMA__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_SCHEMA__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_SCHEMA__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_SCHEMA__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_SCHEMA__SEARCH (1<<6)
#define SEPG_DB_SCHEMA__ADD_NAME (1<<7)
#define SEPG_DB_SCHEMA__REMOVE_NAME (1<<8)
#define SEPG_DB_TABLE__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_TABLE__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_TABLE__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_TABLE__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_TABLE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_TABLE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_TABLE__SELECT (1<<6)
#define SEPG_DB_TABLE__UPDATE (1<<7)
#define SEPG_DB_TABLE__INSERT (1<<8)
#define SEPG_DB_TABLE__DELETE (1<<9)
#define SEPG_DB_TABLE__LOCK (1<<10)
#define SEPG_DB_TABLE__TRUNCATE (1<<11)
#define SEPG_DB_SEQUENCE__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_SEQUENCE__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_SEQUENCE__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_SEQUENCE__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_SEQUENCE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_SEQUENCE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_SEQUENCE__GET_VALUE (1<<6)
#define SEPG_DB_SEQUENCE__NEXT_VALUE (1<<7)
#define SEPG_DB_SEQUENCE__SET_VALUE (1<<8)
#define SEPG_DB_PROCEDURE__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_PROCEDURE__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_PROCEDURE__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_PROCEDURE__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_PROCEDURE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_PROCEDURE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_PROCEDURE__EXECUTE (1<<6)
#define SEPG_DB_PROCEDURE__ENTRYPOINT (1<<7)
#define SEPG_DB_PROCEDURE__INSTALL (1<<8)
#define SEPG_DB_COLUMN__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_COLUMN__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_COLUMN__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_COLUMN__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_COLUMN__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_COLUMN__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_COLUMN__SELECT (1<<6)
#define SEPG_DB_COLUMN__UPDATE (1<<7)
#define SEPG_DB_COLUMN__INSERT (1<<8)
#define SEPG_DB_TUPLE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_TUPLE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_TUPLE__SELECT (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_TUPLE__UPDATE (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_TUPLE__INSERT (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_TUPLE__DELETE (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_BLOB__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_BLOB__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_BLOB__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_BLOB__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_BLOB__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_BLOB__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_BLOB__READ (1<<6)
#define SEPG_DB_BLOB__WRITE (1<<7)
#define SEPG_DB_BLOB__IMPORT (1<<8)
#define SEPG_DB_BLOB__EXPORT (1<<9)
#define SEPG_DB_LANGUAGE__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_LANGUAGE__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_LANGUAGE__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_LANGUAGE__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_LANGUAGE__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_LANGUAGE__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_LANGUAGE__IMPLEMENT (1<<6)
#define SEPG_DB_LANGUAGE__EXECUTE (1<<7)
#define SEPG_DB_VIEW__CREATE (SEPG_DB_DATABASE__CREATE)
#define SEPG_DB_VIEW__DROP (SEPG_DB_DATABASE__DROP)
#define SEPG_DB_VIEW__GETATTR (SEPG_DB_DATABASE__GETATTR)
#define SEPG_DB_VIEW__SETATTR (SEPG_DB_DATABASE__SETATTR)
#define SEPG_DB_VIEW__RELABELFROM (SEPG_DB_DATABASE__RELABELFROM)
#define SEPG_DB_VIEW__RELABELTO (SEPG_DB_DATABASE__RELABELTO)
#define SEPG_DB_VIEW__EXPAND (1<<6)
/*
* hooks.c
*/
extern bool sepgsql_get_permissive(void);
extern bool sepgsql_get_debug_audit(void);
/*
* selinux.c
*/
2011-04-10 23:42:00 +08:00
extern bool sepgsql_is_enabled(void);
extern int sepgsql_get_mode(void);
extern int sepgsql_set_mode(int new_mode);
extern bool sepgsql_getenforce(void);
extern void sepgsql_audit_log(bool denied,
const char *scontext,
const char *tcontext,
uint16 tclass,
uint32 audited,
const char *audit_name);
extern void sepgsql_compute_avd(const char *scontext,
const char *tcontext,
uint16 tclass,
struct av_decision *avd);
extern char *sepgsql_compute_create(const char *scontext,
const char *tcontext,
uint16 tclass,
const char *objname);
extern bool sepgsql_check_perms(const char *scontext,
const char *tcontext,
uint16 tclass,
uint32 required,
const char *audit_name,
bool abort_on_violation);
/*
* uavc.c
*/
#define SEPGSQL_AVC_NOAUDIT ((void *)(-1))
extern bool sepgsql_avc_check_perms_label(const char *tcontext,
uint16 tclass,
uint32 required,
const char *audit_name,
bool abort_on_violation);
extern bool sepgsql_avc_check_perms(const ObjectAddress *tobject,
uint16 tclass,
uint32 required,
const char *audit_name,
bool abort_on_violation);
extern char *sepgsql_avc_trusted_proc(Oid functionId);
extern void sepgsql_avc_init(void);
2011-04-10 23:42:00 +08:00
/*
* label.c
*/
extern char *sepgsql_get_client_label(void);
extern void sepgsql_init_client_label(void);
extern char *sepgsql_get_label(Oid classId, Oid objectId, int32 subId);
2011-04-10 23:42:00 +08:00
extern void sepgsql_object_relabel(const ObjectAddress *object,
const char *seclabel);
/*
* dml.c
*/
extern bool sepgsql_dml_privileges(List *rangeTabls, bool abort_on_violation);
/*
* database.c
*/
extern void sepgsql_database_post_create(Oid databaseId,
const char *dtemplate);
2012-03-10 04:18:45 +08:00
extern void sepgsql_database_drop(Oid databaseId);
extern void sepgsql_database_relabel(Oid databaseId, const char *seclabel);
extern void sepgsql_database_setattr(Oid databaseId);
/*
* schema.c
*/
extern void sepgsql_schema_post_create(Oid namespaceId);
2012-03-10 04:18:45 +08:00
extern void sepgsql_schema_drop(Oid namespaceId);
extern void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel);
extern void sepgsql_schema_setattr(Oid namespaceId);
extern bool sepgsql_schema_search(Oid namespaceId, bool abort_on_violation);
extern void sepgsql_schema_add_name(Oid namespaceId);
extern void sepgsql_schema_remove_name(Oid namespaceId);
extern void sepgsql_schema_rename(Oid namespaceId);
/*
* relation.c
*/
extern void sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum);
2012-03-10 04:18:45 +08:00
extern void sepgsql_attribute_drop(Oid relOid, AttrNumber attnum);
extern void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
const char *seclabel);
extern void sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum);
extern void sepgsql_relation_post_create(Oid relOid);
2012-03-10 04:18:45 +08:00
extern void sepgsql_relation_drop(Oid relOid);
extern void sepgsql_relation_truncate(Oid relOid);
extern void sepgsql_relation_relabel(Oid relOid, const char *seclabel);
extern void sepgsql_relation_setattr(Oid relOid);
/*
* proc.c
*/
extern void sepgsql_proc_post_create(Oid functionId);
2012-03-10 04:18:45 +08:00
extern void sepgsql_proc_drop(Oid functionId);
extern void sepgsql_proc_relabel(Oid functionId, const char *seclabel);
extern void sepgsql_proc_setattr(Oid functionId);
extern void sepgsql_proc_execute(Oid functionId);
Phase 2 of pgindent updates. Change pg_bsd_indent to follow upstream rules for placement of comments to the right of code, and remove pgindent hack that caused comments following #endif to not obey the general rule. Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using the published version of pg_bsd_indent, but a hacked-up version that tried to minimize the amount of movement of comments to the right of code. The situation of interest is where such a comment has to be moved to the right of its default placement at column 33 because there's code there. BSD indent has always moved right in units of tab stops in such cases --- but in the previous incarnation, indent was working in 8-space tab stops, while now it knows we use 4-space tabs. So the net result is that in about half the cases, such comments are placed one tab stop left of before. This is better all around: it leaves more room on the line for comment text, and it means that in such cases the comment uniformly starts at the next 4-space tab stop after the code, rather than sometimes one and sometimes two tabs after. Also, ensure that comments following #endif are indented the same as comments following other preprocessor commands such as #else. That inconsistency turns out to have been self-inflicted damage from a poorly-thought-through post-indent "fixup" in pgindent. This patch is much less interesting than the first round of indent changes, but also bulkier, so I thought it best to separate the effects. Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-22 03:18:54 +08:00
#endif /* SEPGSQL_H */