mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-07-23 22:59:39 +02:00
a61b1f7482
Currently, information about the permissions to be checked on relations mentioned in a query is stored in their range table entries. So the executor must scan the entire range table looking for relations that need to have permissions checked. This can make the permission checking part of the executor initialization needlessly expensive when many inheritance children are present in the range range. While the permissions need not be checked on the individual child relations, the executor still must visit every range table entry to filter them out. This commit moves the permission checking information out of the range table entries into a new plan node called RTEPermissionInfo. Every top-level (inheritance "root") RTE_RELATION entry in the range table gets one and a list of those is maintained alongside the range table. This new list is initialized by the parser when initializing the range table. The rewriter can add more entries to it as rules/views are expanded. Finally, the planner combines the lists of the individual subqueries into one flat list that is passed to the executor for checking. To make it quick to find the RTEPermissionInfo entry belonging to a given relation, RangeTblEntry gets a new Index field 'perminfoindex' that stores the corresponding RTEPermissionInfo's index in the query's list of the latter. ExecutorCheckPerms_hook has gained another List * argument; the signature is now: typedef bool (*ExecutorCheckPerms_hook_type) (List *rangeTable, List *rtePermInfos, bool ereport_on_violation); The first argument is no longer used by any in-core uses of the hook, but we leave it in place because there may be other implementations that do. Implementations should likely scan the rtePermInfos list to determine which operations to allow or deny. Author: Amit Langote <amitlangote09@gmail.com> Discussion: https://postgr.es/m/CA+HiwqGjJDmUhDSfv-U2qhKJjt9ST7Xh9JXC_irsAQ1TAUsJYg@mail.gmail.com
359 lines
9.2 KiB
C
359 lines
9.2 KiB
C
/* -------------------------------------------------------------------------
|
|
*
|
|
* contrib/sepgsql/dml.c
|
|
*
|
|
* Routines to handle DML permission checks
|
|
*
|
|
* Copyright (c) 2010-2022, PostgreSQL Global Development Group
|
|
*
|
|
* -------------------------------------------------------------------------
|
|
*/
|
|
#include "postgres.h"
|
|
|
|
#include "access/htup_details.h"
|
|
#include "access/sysattr.h"
|
|
#include "access/tupdesc.h"
|
|
#include "catalog/catalog.h"
|
|
#include "catalog/dependency.h"
|
|
#include "catalog/heap.h"
|
|
#include "catalog/pg_attribute.h"
|
|
#include "catalog/pg_class.h"
|
|
#include "catalog/pg_inherits.h"
|
|
#include "commands/seclabel.h"
|
|
#include "commands/tablecmds.h"
|
|
#include "executor/executor.h"
|
|
#include "nodes/bitmapset.h"
|
|
#include "parser/parsetree.h"
|
|
#include "sepgsql.h"
|
|
#include "utils/lsyscache.h"
|
|
#include "utils/syscache.h"
|
|
|
|
/*
|
|
* fixup_whole_row_references
|
|
*
|
|
* When user references a whole-row Var, it is equivalent to referencing
|
|
* all the user columns (not system columns). So, we need to fix up the
|
|
* given bitmapset, if it contains a whole-row reference.
|
|
*/
|
|
static Bitmapset *
|
|
fixup_whole_row_references(Oid relOid, Bitmapset *columns)
|
|
{
|
|
Bitmapset *result;
|
|
HeapTuple tuple;
|
|
AttrNumber natts;
|
|
AttrNumber attno;
|
|
int index;
|
|
|
|
/* if no whole-row references, nothing to do */
|
|
index = InvalidAttrNumber - FirstLowInvalidHeapAttributeNumber;
|
|
if (!bms_is_member(index, columns))
|
|
return columns;
|
|
|
|
/* obtain number of attributes */
|
|
tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relOid));
|
|
if (!HeapTupleIsValid(tuple))
|
|
elog(ERROR, "cache lookup failed for relation %u", relOid);
|
|
natts = ((Form_pg_class) GETSTRUCT(tuple))->relnatts;
|
|
ReleaseSysCache(tuple);
|
|
|
|
/* remove bit 0 from column set, add in all the non-dropped columns */
|
|
result = bms_copy(columns);
|
|
result = bms_del_member(result, index);
|
|
|
|
for (attno = 1; attno <= natts; attno++)
|
|
{
|
|
tuple = SearchSysCache2(ATTNUM,
|
|
ObjectIdGetDatum(relOid),
|
|
Int16GetDatum(attno));
|
|
if (!HeapTupleIsValid(tuple))
|
|
continue; /* unexpected case, should we error? */
|
|
|
|
if (!((Form_pg_attribute) GETSTRUCT(tuple))->attisdropped)
|
|
{
|
|
index = attno - FirstLowInvalidHeapAttributeNumber;
|
|
result = bms_add_member(result, index);
|
|
}
|
|
|
|
ReleaseSysCache(tuple);
|
|
}
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* fixup_inherited_columns
|
|
*
|
|
* When user is querying on a table with children, it implicitly accesses
|
|
* child tables also. So, we also need to check security label of child
|
|
* tables and columns, but there is no guarantee attribute numbers are
|
|
* same between the parent and children.
|
|
* It returns a bitmapset which contains attribute number of the child
|
|
* table based on the given bitmapset of the parent.
|
|
*/
|
|
static Bitmapset *
|
|
fixup_inherited_columns(Oid parentId, Oid childId, Bitmapset *columns)
|
|
{
|
|
Bitmapset *result = NULL;
|
|
int index;
|
|
|
|
/*
|
|
* obviously, no need to do anything here
|
|
*/
|
|
if (parentId == childId)
|
|
return columns;
|
|
|
|
index = -1;
|
|
while ((index = bms_next_member(columns, index)) >= 0)
|
|
{
|
|
/* bit numbers are offset by FirstLowInvalidHeapAttributeNumber */
|
|
AttrNumber attno = index + FirstLowInvalidHeapAttributeNumber;
|
|
char *attname;
|
|
|
|
/*
|
|
* whole-row-reference shall be fixed-up later
|
|
*/
|
|
if (attno == InvalidAttrNumber)
|
|
{
|
|
result = bms_add_member(result, index);
|
|
continue;
|
|
}
|
|
|
|
attname = get_attname(parentId, attno, false);
|
|
attno = get_attnum(childId, attname);
|
|
if (attno == InvalidAttrNumber)
|
|
elog(ERROR, "cache lookup failed for attribute %s of relation %u",
|
|
attname, childId);
|
|
|
|
result = bms_add_member(result,
|
|
attno - FirstLowInvalidHeapAttributeNumber);
|
|
|
|
pfree(attname);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* check_relation_privileges
|
|
*
|
|
* It actually checks required permissions on a certain relation
|
|
* and its columns.
|
|
*/
|
|
static bool
|
|
check_relation_privileges(Oid relOid,
|
|
Bitmapset *selected,
|
|
Bitmapset *inserted,
|
|
Bitmapset *updated,
|
|
uint32 required,
|
|
bool abort_on_violation)
|
|
{
|
|
ObjectAddress object;
|
|
char *audit_name;
|
|
Bitmapset *columns;
|
|
int index;
|
|
char relkind = get_rel_relkind(relOid);
|
|
bool result = true;
|
|
|
|
/*
|
|
* Hardwired Policies: SE-PostgreSQL enforces - clients cannot modify
|
|
* system catalogs using DMLs - clients cannot reference/modify toast
|
|
* relations using DMLs
|
|
*/
|
|
if (sepgsql_getenforce() > 0)
|
|
{
|
|
if ((required & (SEPG_DB_TABLE__UPDATE |
|
|
SEPG_DB_TABLE__INSERT |
|
|
SEPG_DB_TABLE__DELETE)) != 0 &&
|
|
IsCatalogRelationOid(relOid))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
errmsg("SELinux: hardwired security policy violation")));
|
|
|
|
if (relkind == RELKIND_TOASTVALUE)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
errmsg("SELinux: hardwired security policy violation")));
|
|
}
|
|
|
|
/*
|
|
* Check permissions on the relation
|
|
*/
|
|
object.classId = RelationRelationId;
|
|
object.objectId = relOid;
|
|
object.objectSubId = 0;
|
|
audit_name = getObjectIdentity(&object, false);
|
|
switch (relkind)
|
|
{
|
|
case RELKIND_RELATION:
|
|
case RELKIND_PARTITIONED_TABLE:
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_TABLE,
|
|
required,
|
|
audit_name,
|
|
abort_on_violation);
|
|
break;
|
|
|
|
case RELKIND_SEQUENCE:
|
|
Assert((required & ~SEPG_DB_TABLE__SELECT) == 0);
|
|
|
|
if (required & SEPG_DB_TABLE__SELECT)
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_SEQUENCE,
|
|
SEPG_DB_SEQUENCE__GET_VALUE,
|
|
audit_name,
|
|
abort_on_violation);
|
|
break;
|
|
|
|
case RELKIND_VIEW:
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_VIEW,
|
|
SEPG_DB_VIEW__EXPAND,
|
|
audit_name,
|
|
abort_on_violation);
|
|
break;
|
|
|
|
default:
|
|
/* nothing to be checked */
|
|
break;
|
|
}
|
|
pfree(audit_name);
|
|
|
|
/*
|
|
* Only columns owned by relations shall be checked
|
|
*/
|
|
if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
|
|
return true;
|
|
|
|
/*
|
|
* Check permissions on the columns
|
|
*/
|
|
selected = fixup_whole_row_references(relOid, selected);
|
|
inserted = fixup_whole_row_references(relOid, inserted);
|
|
updated = fixup_whole_row_references(relOid, updated);
|
|
columns = bms_union(selected, bms_union(inserted, updated));
|
|
|
|
while ((index = bms_first_member(columns)) >= 0)
|
|
{
|
|
AttrNumber attnum;
|
|
uint32 column_perms = 0;
|
|
|
|
if (bms_is_member(index, selected))
|
|
column_perms |= SEPG_DB_COLUMN__SELECT;
|
|
if (bms_is_member(index, inserted))
|
|
{
|
|
if (required & SEPG_DB_TABLE__INSERT)
|
|
column_perms |= SEPG_DB_COLUMN__INSERT;
|
|
}
|
|
if (bms_is_member(index, updated))
|
|
{
|
|
if (required & SEPG_DB_TABLE__UPDATE)
|
|
column_perms |= SEPG_DB_COLUMN__UPDATE;
|
|
}
|
|
if (column_perms == 0)
|
|
continue;
|
|
|
|
/* obtain column's permission */
|
|
attnum = index + FirstLowInvalidHeapAttributeNumber;
|
|
|
|
object.classId = RelationRelationId;
|
|
object.objectId = relOid;
|
|
object.objectSubId = attnum;
|
|
audit_name = getObjectDescription(&object, false);
|
|
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_COLUMN,
|
|
column_perms,
|
|
audit_name,
|
|
abort_on_violation);
|
|
pfree(audit_name);
|
|
|
|
if (!result)
|
|
return result;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* sepgsql_dml_privileges
|
|
*
|
|
* Entrypoint of the DML permission checks
|
|
*/
|
|
bool
|
|
sepgsql_dml_privileges(List *rangeTbls, List *rteperminfos,
|
|
bool abort_on_violation)
|
|
{
|
|
ListCell *lr;
|
|
|
|
foreach(lr, rteperminfos)
|
|
{
|
|
RTEPermissionInfo *perminfo = lfirst_node(RTEPermissionInfo, lr);
|
|
uint32 required = 0;
|
|
List *tableIds;
|
|
ListCell *li;
|
|
|
|
/*
|
|
* Find out required permissions
|
|
*/
|
|
if (perminfo->requiredPerms & ACL_SELECT)
|
|
required |= SEPG_DB_TABLE__SELECT;
|
|
if (perminfo->requiredPerms & ACL_INSERT)
|
|
required |= SEPG_DB_TABLE__INSERT;
|
|
if (perminfo->requiredPerms & ACL_UPDATE)
|
|
{
|
|
if (!bms_is_empty(perminfo->updatedCols))
|
|
required |= SEPG_DB_TABLE__UPDATE;
|
|
else
|
|
required |= SEPG_DB_TABLE__LOCK;
|
|
}
|
|
if (perminfo->requiredPerms & ACL_DELETE)
|
|
required |= SEPG_DB_TABLE__DELETE;
|
|
|
|
/*
|
|
* Skip, if nothing to be checked
|
|
*/
|
|
if (required == 0)
|
|
continue;
|
|
|
|
/*
|
|
* If this RangeTblEntry is also supposed to reference inherited
|
|
* tables, we need to check security label of the child tables. So, we
|
|
* expand rte->relid into list of OIDs of inheritance hierarchy, then
|
|
* checker routine will be invoked for each relations.
|
|
*/
|
|
if (!perminfo->inh)
|
|
tableIds = list_make1_oid(perminfo->relid);
|
|
else
|
|
tableIds = find_all_inheritors(perminfo->relid, NoLock, NULL);
|
|
|
|
foreach(li, tableIds)
|
|
{
|
|
Oid tableOid = lfirst_oid(li);
|
|
Bitmapset *selectedCols;
|
|
Bitmapset *insertedCols;
|
|
Bitmapset *updatedCols;
|
|
|
|
/*
|
|
* child table has different attribute numbers, so we need to fix
|
|
* up them.
|
|
*/
|
|
selectedCols = fixup_inherited_columns(perminfo->relid, tableOid,
|
|
perminfo->selectedCols);
|
|
insertedCols = fixup_inherited_columns(perminfo->relid, tableOid,
|
|
perminfo->insertedCols);
|
|
updatedCols = fixup_inherited_columns(perminfo->relid, tableOid,
|
|
perminfo->updatedCols);
|
|
|
|
/*
|
|
* check permissions on individual tables
|
|
*/
|
|
if (!check_relation_privileges(tableOid,
|
|
selectedCols,
|
|
insertedCols,
|
|
updatedCols,
|
|
required, abort_on_violation))
|
|
return false;
|
|
}
|
|
list_free(tableIds);
|
|
}
|
|
return true;
|
|
}
|