2010-09-28 02:55:27 +02:00
|
|
|
/* -------------------------------------------------------------------------
|
|
|
|
|
*
|
|
|
|
|
* seclabel.c
|
2011-04-10 17:42:00 +02:00
|
|
|
* routines to support security label feature.
|
2010-09-28 02:55:27 +02:00
|
|
|
*
|
2019-01-02 18:44:25 +01:00
|
|
|
* Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
|
2010-09-28 02:55:27 +02:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
|
|
|
*
|
|
|
|
|
* -------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#include "postgres.h"
|
|
|
|
|
|
|
|
|
|
#include "access/genam.h"
|
2012-08-30 22:15:44 +02:00
|
|
|
#include "access/htup_details.h"
|
2019-01-21 19:18:20 +01:00
|
|
|
#include "access/relation.h"
|
|
|
|
|
#include "access/table.h"
|
2010-09-28 02:55:27 +02:00
|
|
|
#include "catalog/catalog.h"
|
|
|
|
|
#include "catalog/indexing.h"
|
|
|
|
|
#include "catalog/pg_seclabel.h"
|
2011-07-20 19:18:24 +02:00
|
|
|
#include "catalog/pg_shseclabel.h"
|
2010-09-28 02:55:27 +02:00
|
|
|
#include "commands/seclabel.h"
|
|
|
|
|
#include "miscadmin.h"
|
|
|
|
|
#include "utils/builtins.h"
|
|
|
|
|
#include "utils/fmgroids.h"
|
|
|
|
|
#include "utils/memutils.h"
|
2011-03-26 04:10:07 +01:00
|
|
|
#include "utils/rel.h"
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
|
|
|
|
const char *provider_name;
|
2011-04-10 17:42:00 +02:00
|
|
|
check_object_relabel_type hook;
|
2010-09-28 02:55:27 +02:00
|
|
|
} LabelProvider;
|
|
|
|
|
|
|
|
|
|
static List *label_provider_list = NIL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* ExecSecLabelStmt --
|
|
|
|
|
*
|
|
|
|
|
* Apply a security label to a database object.
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
*
|
|
|
|
|
* Returns the ObjectAddress of the object to which the policy was applied.
|
2010-09-28 02:55:27 +02:00
|
|
|
*/
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
ObjectAddress
|
2010-09-28 02:55:27 +02:00
|
|
|
ExecSecLabelStmt(SecLabelStmt *stmt)
|
|
|
|
|
{
|
|
|
|
|
LabelProvider *provider = NULL;
|
2011-04-10 17:42:00 +02:00
|
|
|
ObjectAddress address;
|
|
|
|
|
Relation relation;
|
|
|
|
|
ListCell *lc;
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find the named label provider, or if none specified, check whether
|
|
|
|
|
* there's exactly one, and if so use it.
|
|
|
|
|
*/
|
|
|
|
|
if (stmt->provider == NULL)
|
|
|
|
|
{
|
|
|
|
|
if (label_provider_list == NIL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
2011-04-10 17:42:00 +02:00
|
|
|
errmsg("no security label providers have been loaded")));
|
2010-09-28 02:55:27 +02:00
|
|
|
if (lnext(list_head(label_provider_list)) != NULL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
2011-04-10 17:42:00 +02:00
|
|
|
errmsg("must specify provider when multiple security label providers have been loaded")));
|
2010-09-28 02:55:27 +02:00
|
|
|
provider = (LabelProvider *) linitial(label_provider_list);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2011-04-10 17:42:00 +02:00
|
|
|
foreach(lc, label_provider_list)
|
2010-09-28 02:55:27 +02:00
|
|
|
{
|
|
|
|
|
LabelProvider *lp = lfirst(lc);
|
|
|
|
|
|
|
|
|
|
if (strcmp(stmt->provider, lp->provider_name) == 0)
|
|
|
|
|
{
|
|
|
|
|
provider = lp;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (provider == NULL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
|
|
|
|
|
errmsg("security label provider \"%s\" is not loaded",
|
|
|
|
|
stmt->provider)));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Translate the parser representation which identifies this object into
|
|
|
|
|
* an ObjectAddress. get_object_address() will throw an error if the
|
|
|
|
|
* object does not exist, and will also acquire a lock on the target to
|
|
|
|
|
* guard against concurrent modifications.
|
2010-09-28 02:55:27 +02:00
|
|
|
*/
|
Remove objname/objargs split for referring to objects
In simpler times, it might have worked to refer to all kinds of objects
by a list of name components and an optional argument list. But this
doesn't work for all objects, which has resulted in a collection of
hacks to place various other nodes types into these fields, which have
to be unpacked at the other end. This makes it also weird to represent
lists of such things in the grammar, because they would have to be lists
of singleton lists, to make the unpacking work consistently. The other
problem is that keeping separate name and args fields makes it awkward
to deal with lists of functions.
Change that by dropping the objargs field and have objname, renamed to
object, be a generic Node, which can then be flexibly assigned and
managed using the normal Node mechanisms. In many cases it will still
be a List of names, in some cases it will be a string Value, for types
it will be the existing Typename, for functions it will now use the
existing ObjectWithArgs node type. Some of the more obscure object
types still use somewhat arbitrary nested lists.
Reviewed-by: Jim Nasby <Jim.Nasby@BlueTreble.com>
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
2016-11-12 18:00:00 +01:00
|
|
|
address = get_object_address(stmt->objtype, stmt->object,
|
2011-06-28 03:17:25 +02:00
|
|
|
&relation, ShareUpdateExclusiveLock, false);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2011-03-04 23:26:37 +01:00
|
|
|
/* Require ownership of the target object. */
|
|
|
|
|
check_object_ownership(GetUserId(), stmt->objtype, address,
|
Remove objname/objargs split for referring to objects
In simpler times, it might have worked to refer to all kinds of objects
by a list of name components and an optional argument list. But this
doesn't work for all objects, which has resulted in a collection of
hacks to place various other nodes types into these fields, which have
to be unpacked at the other end. This makes it also weird to represent
lists of such things in the grammar, because they would have to be lists
of singleton lists, to make the unpacking work consistently. The other
problem is that keeping separate name and args fields makes it awkward
to deal with lists of functions.
Change that by dropping the objargs field and have objname, renamed to
object, be a generic Node, which can then be flexibly assigned and
managed using the normal Node mechanisms. In many cases it will still
be a List of names, in some cases it will be a string Value, for types
it will be the existing Typename, for functions it will now use the
existing ObjectWithArgs node type. Some of the more obscure object
types still use somewhat arbitrary nested lists.
Reviewed-by: Jim Nasby <Jim.Nasby@BlueTreble.com>
Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
2016-11-12 18:00:00 +01:00
|
|
|
stmt->object, relation);
|
2011-03-04 23:26:37 +01:00
|
|
|
|
|
|
|
|
/* Perform other integrity checks as needed. */
|
2010-09-28 02:55:27 +02:00
|
|
|
switch (stmt->objtype)
|
|
|
|
|
{
|
|
|
|
|
case OBJECT_COLUMN:
|
2011-04-10 17:42:00 +02:00
|
|
|
|
2011-03-04 23:26:37 +01:00
|
|
|
/*
|
|
|
|
|
* Allow security labels only on columns of tables, views,
|
2013-03-04 01:23:31 +01:00
|
|
|
* materialized views, composite types, and foreign tables (which
|
|
|
|
|
* are the only relkinds for which pg_dump will dump labels).
|
2011-03-04 23:26:37 +01:00
|
|
|
*/
|
|
|
|
|
if (relation->rd_rel->relkind != RELKIND_RELATION &&
|
|
|
|
|
relation->rd_rel->relkind != RELKIND_VIEW &&
|
2013-03-04 01:23:31 +01:00
|
|
|
relation->rd_rel->relkind != RELKIND_MATVIEW &&
|
2011-03-04 23:26:37 +01:00
|
|
|
relation->rd_rel->relkind != RELKIND_COMPOSITE_TYPE &&
|
Implement table partitioning.
Table partitioning is like table inheritance and reuses much of the
existing infrastructure, but there are some important differences.
The parent is called a partitioned table and is always empty; it may
not have indexes or non-inherited constraints, since those make no
sense for a relation with no data of its own. The children are called
partitions and contain all of the actual data. Each partition has an
implicit partitioning constraint. Multiple inheritance is not
allowed, and partitioning and inheritance can't be mixed. Partitions
can't have extra columns and may not allow nulls unless the parent
does. Tuples inserted into the parent are automatically routed to the
correct partition, so tuple-routing ON INSERT triggers are not needed.
Tuple routing isn't yet supported for partitions which are foreign
tables, and it doesn't handle updates that cross partition boundaries.
Currently, tables can be range-partitioned or list-partitioned. List
partitioning is limited to a single column, but range partitioning can
involve multiple columns. A partitioning "column" can be an
expression.
Because table partitioning is less general than table inheritance, it
is hoped that it will be easier to reason about properties of
partitions, and therefore that this will serve as a better foundation
for a variety of possible optimizations, including query planner
optimizations. The tuple routing based which this patch does based on
the implicit partitioning constraints is an example of this, but it
seems likely that many other useful optimizations are also possible.
Amit Langote, reviewed and tested by Robert Haas, Ashutosh Bapat,
Amit Kapila, Rajkumar Raghuwanshi, Corey Huinker, Jaime Casanova,
Rushabh Lathia, Erik Rijkers, among others. Minor revisions by me.
2016-12-07 19:17:43 +01:00
|
|
|
relation->rd_rel->relkind != RELKIND_FOREIGN_TABLE &&
|
|
|
|
|
relation->rd_rel->relkind != RELKIND_PARTITIONED_TABLE)
|
2010-09-28 02:55:27 +02:00
|
|
|
ereport(ERROR,
|
2011-03-04 23:26:37 +01:00
|
|
|
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
|
2013-07-05 21:25:51 +02:00
|
|
|
errmsg("\"%s\" is not a table, view, materialized view, composite type, or foreign table",
|
2011-03-04 23:26:37 +01:00
|
|
|
RelationGetRelationName(relation))));
|
2010-09-28 02:55:27 +02:00
|
|
|
break;
|
|
|
|
|
default:
|
2011-03-04 23:26:37 +01:00
|
|
|
break;
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Provider gets control here, may throw ERROR to veto new label. */
|
2017-09-07 18:06:23 +02:00
|
|
|
provider->hook(&address, stmt->label);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
/* Apply new label. */
|
|
|
|
|
SetSecurityLabel(&address, provider->provider_name, stmt->label);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If get_object_address() opened the relation for us, we close it to keep
|
|
|
|
|
* the reference count correct - but we retain any locks acquired by
|
|
|
|
|
* get_object_address() until commit time, to guard against concurrent
|
|
|
|
|
* activity.
|
|
|
|
|
*/
|
|
|
|
|
if (relation != NULL)
|
|
|
|
|
relation_close(relation, NoLock);
|
2012-12-29 13:55:37 +01:00
|
|
|
|
Change many routines to return ObjectAddress rather than OID
The changed routines are mostly those that can be directly called by
ProcessUtilitySlow; the intention is to make the affected object
information more precise, in support for future event trigger changes.
Originally it was envisioned that the OID of the affected object would
be enough, and in most cases that is correct, but upon actually
implementing the event trigger changes it turned out that ObjectAddress
is more widely useful.
Additionally, some command execution routines grew an output argument
that's an object address which provides further info about the executed
command. To wit:
* for ALTER DOMAIN / ADD CONSTRAINT, it corresponds to the address of
the new constraint
* for ALTER OBJECT / SET SCHEMA, it corresponds to the address of the
schema that originally contained the object.
* for ALTER EXTENSION {ADD, DROP} OBJECT, it corresponds to the address
of the object added to or dropped from the extension.
There's no user-visible change in this commit, and no functional change
either.
Discussion: 20150218213255.GC6717@tamriel.snowman.net
Reviewed-By: Stephen Frost, Andres Freund
2015-03-03 18:10:50 +01:00
|
|
|
return address;
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2011-07-20 19:18:24 +02:00
|
|
|
* GetSharedSecurityLabel returns the security label for a shared object for
|
|
|
|
|
* a given provider, or NULL if there is no such label.
|
|
|
|
|
*/
|
|
|
|
|
static char *
|
|
|
|
|
GetSharedSecurityLabel(const ObjectAddress *object, const char *provider)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_shseclabel;
|
|
|
|
|
ScanKeyData keys[3];
|
|
|
|
|
SysScanDesc scan;
|
|
|
|
|
HeapTuple tuple;
|
|
|
|
|
Datum datum;
|
|
|
|
|
bool isnull;
|
|
|
|
|
char *seclabel = NULL;
|
|
|
|
|
|
|
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_shseclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_shseclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_shseclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2011-07-20 19:18:24 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_shseclabel = table_open(SharedSecLabelRelationId, AccessShareLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 3, keys);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
tuple = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(tuple))
|
|
|
|
|
{
|
|
|
|
|
datum = heap_getattr(tuple, Anum_pg_shseclabel_label,
|
|
|
|
|
RelationGetDescr(pg_shseclabel), &isnull);
|
|
|
|
|
if (!isnull)
|
|
|
|
|
seclabel = TextDatumGetCString(datum);
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_shseclabel, AccessShareLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
return seclabel;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* GetSecurityLabel returns the security label for a shared or database object
|
|
|
|
|
* for a given provider, or NULL if there is no such label.
|
2010-09-28 02:55:27 +02:00
|
|
|
*/
|
|
|
|
|
char *
|
|
|
|
|
GetSecurityLabel(const ObjectAddress *object, const char *provider)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_seclabel;
|
2011-04-10 17:42:00 +02:00
|
|
|
ScanKeyData keys[4];
|
|
|
|
|
SysScanDesc scan;
|
2010-09-28 02:55:27 +02:00
|
|
|
HeapTuple tuple;
|
|
|
|
|
Datum datum;
|
|
|
|
|
bool isnull;
|
|
|
|
|
char *seclabel = NULL;
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Shared objects have their own security label catalog. */
|
|
|
|
|
if (IsSharedRelation(object->classId))
|
|
|
|
|
return GetSharedSecurityLabel(object, provider);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Must be an unshared object, so examine pg_seclabel. */
|
2010-09-28 02:55:27 +02:00
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_seclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_seclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_seclabel_objsubid,
|
|
|
|
|
BTEqualStrategyNumber, F_INT4EQ,
|
|
|
|
|
Int32GetDatum(object->objectSubId));
|
|
|
|
|
ScanKeyInit(&keys[3],
|
|
|
|
|
Anum_pg_seclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_seclabel = table_open(SecLabelRelationId, AccessShareLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 4, keys);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
tuple = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(tuple))
|
|
|
|
|
{
|
|
|
|
|
datum = heap_getattr(tuple, Anum_pg_seclabel_label,
|
|
|
|
|
RelationGetDescr(pg_seclabel), &isnull);
|
|
|
|
|
if (!isnull)
|
|
|
|
|
seclabel = TextDatumGetCString(datum);
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_seclabel, AccessShareLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
return seclabel;
|
|
|
|
|
}
|
|
|
|
|
|
2012-06-10 21:20:04 +02:00
|
|
|
/*
|
2011-07-20 19:18:24 +02:00
|
|
|
* SetSharedSecurityLabel is a helper function of SetSecurityLabel to
|
|
|
|
|
* handle shared database objects.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
SetSharedSecurityLabel(const ObjectAddress *object,
|
|
|
|
|
const char *provider, const char *label)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_shseclabel;
|
2012-06-10 21:20:04 +02:00
|
|
|
ScanKeyData keys[4];
|
|
|
|
|
SysScanDesc scan;
|
2011-07-20 19:18:24 +02:00
|
|
|
HeapTuple oldtup;
|
|
|
|
|
HeapTuple newtup = NULL;
|
|
|
|
|
Datum values[Natts_pg_shseclabel];
|
|
|
|
|
bool nulls[Natts_pg_shseclabel];
|
|
|
|
|
bool replaces[Natts_pg_shseclabel];
|
|
|
|
|
|
|
|
|
|
/* Prepare to form or update a tuple, if necessary. */
|
|
|
|
|
memset(nulls, false, sizeof(nulls));
|
|
|
|
|
memset(replaces, false, sizeof(replaces));
|
|
|
|
|
values[Anum_pg_shseclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
|
|
|
|
|
values[Anum_pg_shseclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
|
2015-05-19 16:40:04 +02:00
|
|
|
values[Anum_pg_shseclabel_provider - 1] = CStringGetTextDatum(provider);
|
2011-07-20 19:18:24 +02:00
|
|
|
if (label != NULL)
|
|
|
|
|
values[Anum_pg_shseclabel_label - 1] = CStringGetTextDatum(label);
|
|
|
|
|
|
|
|
|
|
/* Use the index to search for a matching old tuple */
|
|
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_shseclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_shseclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_shseclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2011-07-20 19:18:24 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_shseclabel = table_open(SharedSecLabelRelationId, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 3, keys);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
oldtup = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(oldtup))
|
|
|
|
|
{
|
|
|
|
|
if (label == NULL)
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_shseclabel, &oldtup->t_self);
|
2011-07-20 19:18:24 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
replaces[Anum_pg_shseclabel_label - 1] = true;
|
|
|
|
|
newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_shseclabel),
|
|
|
|
|
values, nulls, replaces);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleUpdate(pg_shseclabel, &oldtup->t_self, newtup);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
|
|
|
|
/* If we didn't find an old tuple, insert a new one */
|
|
|
|
|
if (newtup == NULL && label != NULL)
|
|
|
|
|
{
|
|
|
|
|
newtup = heap_form_tuple(RelationGetDescr(pg_shseclabel),
|
|
|
|
|
values, nulls);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleInsert(pg_shseclabel, newtup);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (newtup != NULL)
|
|
|
|
|
heap_freetuple(newtup);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_shseclabel, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
|
2010-09-28 02:55:27 +02:00
|
|
|
/*
|
|
|
|
|
* SetSecurityLabel attempts to set the security label for the specified
|
|
|
|
|
* provider on the specified object to the given value. NULL means that any
|
2018-09-08 21:24:19 +02:00
|
|
|
* existing label should be deleted.
|
2010-09-28 02:55:27 +02:00
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
SetSecurityLabel(const ObjectAddress *object,
|
|
|
|
|
const char *provider, const char *label)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_seclabel;
|
2011-04-10 17:42:00 +02:00
|
|
|
ScanKeyData keys[4];
|
|
|
|
|
SysScanDesc scan;
|
2010-09-28 02:55:27 +02:00
|
|
|
HeapTuple oldtup;
|
|
|
|
|
HeapTuple newtup = NULL;
|
|
|
|
|
Datum values[Natts_pg_seclabel];
|
|
|
|
|
bool nulls[Natts_pg_seclabel];
|
|
|
|
|
bool replaces[Natts_pg_seclabel];
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Shared objects have their own security label catalog. */
|
|
|
|
|
if (IsSharedRelation(object->classId))
|
|
|
|
|
{
|
|
|
|
|
SetSharedSecurityLabel(object, provider, label);
|
|
|
|
|
return;
|
|
|
|
|
}
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
/* Prepare to form or update a tuple, if necessary. */
|
|
|
|
|
memset(nulls, false, sizeof(nulls));
|
|
|
|
|
memset(replaces, false, sizeof(replaces));
|
|
|
|
|
values[Anum_pg_seclabel_objoid - 1] = ObjectIdGetDatum(object->objectId);
|
|
|
|
|
values[Anum_pg_seclabel_classoid - 1] = ObjectIdGetDatum(object->classId);
|
|
|
|
|
values[Anum_pg_seclabel_objsubid - 1] = Int32GetDatum(object->objectSubId);
|
2015-05-19 16:40:04 +02:00
|
|
|
values[Anum_pg_seclabel_provider - 1] = CStringGetTextDatum(provider);
|
2010-09-28 02:55:27 +02:00
|
|
|
if (label != NULL)
|
|
|
|
|
values[Anum_pg_seclabel_label - 1] = CStringGetTextDatum(label);
|
|
|
|
|
|
|
|
|
|
/* Use the index to search for a matching old tuple */
|
|
|
|
|
ScanKeyInit(&keys[0],
|
|
|
|
|
Anum_pg_seclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&keys[1],
|
|
|
|
|
Anum_pg_seclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
ScanKeyInit(&keys[2],
|
|
|
|
|
Anum_pg_seclabel_objsubid,
|
|
|
|
|
BTEqualStrategyNumber, F_INT4EQ,
|
|
|
|
|
Int32GetDatum(object->objectSubId));
|
|
|
|
|
ScanKeyInit(&keys[3],
|
|
|
|
|
Anum_pg_seclabel_provider,
|
2015-05-19 16:40:04 +02:00
|
|
|
BTEqualStrategyNumber, F_TEXTEQ,
|
|
|
|
|
CStringGetTextDatum(provider));
|
2010-09-28 02:55:27 +02:00
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_seclabel = table_open(SecLabelRelationId, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 4, keys);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
oldtup = systable_getnext(scan);
|
|
|
|
|
if (HeapTupleIsValid(oldtup))
|
|
|
|
|
{
|
|
|
|
|
if (label == NULL)
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_seclabel, &oldtup->t_self);
|
2010-09-28 02:55:27 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
replaces[Anum_pg_seclabel_label - 1] = true;
|
|
|
|
|
newtup = heap_modify_tuple(oldtup, RelationGetDescr(pg_seclabel),
|
|
|
|
|
values, nulls, replaces);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleUpdate(pg_seclabel, &oldtup->t_self, newtup);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
|
|
|
|
/* If we didn't find an old tuple, insert a new one */
|
|
|
|
|
if (newtup == NULL && label != NULL)
|
|
|
|
|
{
|
|
|
|
|
newtup = heap_form_tuple(RelationGetDescr(pg_seclabel),
|
|
|
|
|
values, nulls);
|
2017-01-31 22:42:24 +01:00
|
|
|
CatalogTupleInsert(pg_seclabel, newtup);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Update indexes, if necessary */
|
|
|
|
|
if (newtup != NULL)
|
|
|
|
|
heap_freetuple(newtup);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_seclabel, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/*
|
|
|
|
|
* DeleteSharedSecurityLabel is a helper function of DeleteSecurityLabel
|
|
|
|
|
* to handle shared database objects.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
DeleteSharedSecurityLabel(Oid objectId, Oid classId)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_shseclabel;
|
2012-06-10 21:20:04 +02:00
|
|
|
ScanKeyData skey[2];
|
|
|
|
|
SysScanDesc scan;
|
2011-07-20 19:18:24 +02:00
|
|
|
HeapTuple oldtup;
|
|
|
|
|
|
|
|
|
|
ScanKeyInit(&skey[0],
|
|
|
|
|
Anum_pg_shseclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(objectId));
|
|
|
|
|
ScanKeyInit(&skey[1],
|
|
|
|
|
Anum_pg_shseclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(classId));
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_shseclabel = table_open(SharedSecLabelRelationId, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_shseclabel, SharedSecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, 2, skey);
|
2011-07-20 19:18:24 +02:00
|
|
|
while (HeapTupleIsValid(oldtup = systable_getnext(scan)))
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_shseclabel, &oldtup->t_self);
|
2011-07-20 19:18:24 +02:00
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_shseclabel, RowExclusiveLock);
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
|
|
|
|
|
2010-09-28 02:55:27 +02:00
|
|
|
/*
|
|
|
|
|
* DeleteSecurityLabel removes all security labels for an object (and any
|
|
|
|
|
* sub-objects, if applicable).
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
DeleteSecurityLabel(const ObjectAddress *object)
|
|
|
|
|
{
|
|
|
|
|
Relation pg_seclabel;
|
2011-04-10 17:42:00 +02:00
|
|
|
ScanKeyData skey[3];
|
|
|
|
|
SysScanDesc scan;
|
2010-09-28 02:55:27 +02:00
|
|
|
HeapTuple oldtup;
|
|
|
|
|
int nkeys;
|
|
|
|
|
|
2011-07-20 19:18:24 +02:00
|
|
|
/* Shared objects have their own security label catalog. */
|
2010-09-28 02:55:27 +02:00
|
|
|
if (IsSharedRelation(object->classId))
|
2011-07-20 19:18:24 +02:00
|
|
|
{
|
|
|
|
|
Assert(object->objectSubId == 0);
|
|
|
|
|
DeleteSharedSecurityLabel(object->objectId, object->classId);
|
2010-09-28 02:55:27 +02:00
|
|
|
return;
|
2011-07-20 19:18:24 +02:00
|
|
|
}
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
ScanKeyInit(&skey[0],
|
|
|
|
|
Anum_pg_seclabel_objoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->objectId));
|
|
|
|
|
ScanKeyInit(&skey[1],
|
|
|
|
|
Anum_pg_seclabel_classoid,
|
|
|
|
|
BTEqualStrategyNumber, F_OIDEQ,
|
|
|
|
|
ObjectIdGetDatum(object->classId));
|
|
|
|
|
if (object->objectSubId != 0)
|
|
|
|
|
{
|
|
|
|
|
ScanKeyInit(&skey[2],
|
|
|
|
|
Anum_pg_seclabel_objsubid,
|
|
|
|
|
BTEqualStrategyNumber, F_INT4EQ,
|
|
|
|
|
Int32GetDatum(object->objectSubId));
|
|
|
|
|
nkeys = 3;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
nkeys = 2;
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
pg_seclabel = table_open(SecLabelRelationId, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
scan = systable_beginscan(pg_seclabel, SecLabelObjectIndexId, true,
|
Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row. In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result. This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.
The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow. However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads. To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed. The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all. Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.
Patch by me. Review by Michael Paquier and Andres Freund.
2013-07-02 15:47:01 +02:00
|
|
|
NULL, nkeys, skey);
|
2010-09-28 02:55:27 +02:00
|
|
|
while (HeapTupleIsValid(oldtup = systable_getnext(scan)))
|
2017-02-01 22:13:30 +01:00
|
|
|
CatalogTupleDelete(pg_seclabel, &oldtup->t_self);
|
2010-09-28 02:55:27 +02:00
|
|
|
systable_endscan(scan);
|
|
|
|
|
|
2019-01-21 19:32:19 +01:00
|
|
|
table_close(pg_seclabel, RowExclusiveLock);
|
2010-09-28 02:55:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
register_label_provider(const char *provider_name, check_object_relabel_type hook)
|
|
|
|
|
{
|
2011-04-10 17:42:00 +02:00
|
|
|
LabelProvider *provider;
|
|
|
|
|
MemoryContext oldcxt;
|
2010-09-28 02:55:27 +02:00
|
|
|
|
|
|
|
|
oldcxt = MemoryContextSwitchTo(TopMemoryContext);
|
|
|
|
|
provider = palloc(sizeof(LabelProvider));
|
|
|
|
|
provider->provider_name = pstrdup(provider_name);
|
|
|
|
|
provider->hook = hook;
|
|
|
|
|
label_provider_list = lappend(label_provider_list, provider);
|
|
|
|
|
MemoryContextSwitchTo(oldcxt);
|
|
|
|
|
}
|
