2011-01-24 02:44:48 +01:00
|
|
|
/* -------------------------------------------------------------------------
|
|
|
|
|
*
|
|
|
|
|
* contrib/sepgsql/hooks.c
|
|
|
|
|
*
|
|
|
|
|
* Entrypoints of the hooks in PostgreSQL, and dispatches the callbacks.
|
|
|
|
|
*
|
2020-01-01 18:21:45 +01:00
|
|
|
* Copyright (c) 2010-2020, PostgreSQL Global Development Group
|
2011-01-24 02:44:48 +01:00
|
|
|
*
|
|
|
|
|
* -------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#include "postgres.h"
|
|
|
|
|
|
2012-03-09 21:18:45 +01:00
|
|
|
#include "catalog/dependency.h"
|
2011-01-24 02:44:48 +01:00
|
|
|
#include "catalog/objectaccess.h"
|
|
|
|
|
#include "catalog/pg_class.h"
|
2011-09-23 23:09:34 +02:00
|
|
|
#include "catalog/pg_database.h"
|
2011-01-24 02:44:48 +01:00
|
|
|
#include "catalog/pg_namespace.h"
|
|
|
|
|
#include "catalog/pg_proc.h"
|
|
|
|
|
#include "commands/seclabel.h"
|
|
|
|
|
#include "executor/executor.h"
|
|
|
|
|
#include "fmgr.h"
|
|
|
|
|
#include "miscadmin.h"
|
2019-10-23 05:56:22 +02:00
|
|
|
#include "sepgsql.h"
|
2011-01-24 02:44:48 +01:00
|
|
|
#include "tcop/utility.h"
|
|
|
|
|
#include "utils/guc.h"
|
2017-04-01 07:10:12 +02:00
|
|
|
#include "utils/queryenvironment.h"
|
2011-01-24 02:44:48 +01:00
|
|
|
|
|
|
|
|
PG_MODULE_MAGIC;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Declarations
|
|
|
|
|
*/
|
2011-04-10 17:42:00 +02:00
|
|
|
void _PG_init(void);
|
2011-01-24 02:44:48 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Saved hook entries (if stacked)
|
|
|
|
|
*/
|
2011-04-10 17:42:00 +02:00
|
|
|
static object_access_hook_type next_object_access_hook = NULL;
|
|
|
|
|
static ExecutorCheckPerms_hook_type next_exec_check_perms_hook = NULL;
|
|
|
|
|
static ProcessUtility_hook_type next_ProcessUtility_hook = NULL;
|
2011-12-21 15:12:43 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Contextual information on DDL commands
|
|
|
|
|
*/
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
|
|
|
|
NodeTag cmdtype;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Name of the template database given by users on CREATE DATABASE
|
|
|
|
|
* command. Elsewhere (including the case of default) NULL.
|
|
|
|
|
*/
|
|
|
|
|
const char *createdb_dtemplate;
|
2017-06-21 20:39:04 +02:00
|
|
|
} sepgsql_context_info_t;
|
2011-12-21 15:12:43 +01:00
|
|
|
|
2012-06-10 21:20:04 +02:00
|
|
|
static sepgsql_context_info_t sepgsql_context_info;
|
2011-01-24 02:44:48 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* GUC: sepgsql.permissive = (on|off)
|
|
|
|
|
*/
|
|
|
|
|
static bool sepgsql_permissive;
|
|
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
sepgsql_get_permissive(void)
|
|
|
|
|
{
|
|
|
|
|
return sepgsql_permissive;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* GUC: sepgsql.debug_audit = (on|off)
|
|
|
|
|
*/
|
|
|
|
|
static bool sepgsql_debug_audit;
|
|
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
sepgsql_get_debug_audit(void)
|
|
|
|
|
{
|
|
|
|
|
return sepgsql_debug_audit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* sepgsql_object_access
|
|
|
|
|
*
|
|
|
|
|
* Entrypoint of the object_access_hook. This routine performs as
|
|
|
|
|
* a dispatcher of invocation based on access type and object classes.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
|
|
|
|
sepgsql_object_access(ObjectAccessType access,
|
2011-04-10 17:42:00 +02:00
|
|
|
Oid classId,
|
|
|
|
|
Oid objectId,
|
2012-03-09 21:18:45 +01:00
|
|
|
int subId,
|
|
|
|
|
void *arg)
|
2011-01-24 02:44:48 +01:00
|
|
|
{
|
|
|
|
|
if (next_object_access_hook)
|
2012-03-09 21:18:45 +01:00
|
|
|
(*next_object_access_hook) (access, classId, objectId, subId, arg);
|
2011-01-24 02:44:48 +01:00
|
|
|
|
|
|
|
|
switch (access)
|
|
|
|
|
{
|
|
|
|
|
case OAT_POST_CREATE:
|
|
|
|
|
{
|
2012-10-23 23:07:26 +02:00
|
|
|
ObjectAccessPostCreate *pc_arg = arg;
|
2013-05-29 22:58:43 +02:00
|
|
|
bool is_internal;
|
2011-09-23 23:09:34 +02:00
|
|
|
|
2012-10-23 23:07:26 +02:00
|
|
|
is_internal = pc_arg ? pc_arg->is_internal : false;
|
2011-01-24 02:44:48 +01:00
|
|
|
|
2012-10-23 23:07:26 +02:00
|
|
|
switch (classId)
|
|
|
|
|
{
|
|
|
|
|
case DatabaseRelationId:
|
|
|
|
|
Assert(!is_internal);
|
|
|
|
|
sepgsql_database_post_create(objectId,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
sepgsql_context_info.createdb_dtemplate);
|
2012-10-23 23:07:26 +02:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case NamespaceRelationId:
|
|
|
|
|
Assert(!is_internal);
|
|
|
|
|
sepgsql_schema_post_create(objectId);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case RelationRelationId:
|
|
|
|
|
if (subId == 0)
|
2011-12-21 15:12:43 +01:00
|
|
|
{
|
2012-10-23 23:07:26 +02:00
|
|
|
/*
|
|
|
|
|
* The cases in which we want to apply permission
|
|
|
|
|
* checks on creation of a new relation correspond
|
|
|
|
|
* to direct user invocation. For internal uses,
|
|
|
|
|
* that is creation of toast tables, index rebuild
|
|
|
|
|
* or ALTER TABLE commands, we need neither
|
|
|
|
|
* assignment of security labels nor permission
|
|
|
|
|
* checks.
|
|
|
|
|
*/
|
|
|
|
|
if (is_internal)
|
2011-12-21 15:12:43 +01:00
|
|
|
break;
|
2012-10-23 23:07:26 +02:00
|
|
|
|
|
|
|
|
sepgsql_relation_post_create(objectId);
|
2011-12-21 15:12:43 +01:00
|
|
|
}
|
2012-10-23 23:07:26 +02:00
|
|
|
else
|
|
|
|
|
sepgsql_attribute_post_create(objectId, subId);
|
|
|
|
|
break;
|
2011-01-24 02:44:48 +01:00
|
|
|
|
2012-10-23 23:07:26 +02:00
|
|
|
case ProcedureRelationId:
|
|
|
|
|
Assert(!is_internal);
|
|
|
|
|
sepgsql_proc_post_create(objectId);
|
|
|
|
|
break;
|
2011-01-24 02:44:48 +01:00
|
|
|
|
2012-10-23 23:07:26 +02:00
|
|
|
default:
|
|
|
|
|
/* Ignore unsupported object classes */
|
|
|
|
|
break;
|
|
|
|
|
}
|
2011-01-24 02:44:48 +01:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2012-03-09 21:18:45 +01:00
|
|
|
case OAT_DROP:
|
|
|
|
|
{
|
2012-06-10 21:20:04 +02:00
|
|
|
ObjectAccessDrop *drop_arg = (ObjectAccessDrop *) arg;
|
2012-03-09 21:18:45 +01:00
|
|
|
|
|
|
|
|
/*
|
2012-06-10 21:20:04 +02:00
|
|
|
* No need to apply permission checks on object deletion due
|
|
|
|
|
* to internal cleanups; such as removal of temporary database
|
|
|
|
|
* object on session closed.
|
2012-03-09 21:18:45 +01:00
|
|
|
*/
|
|
|
|
|
if ((drop_arg->dropflags & PERFORM_DELETION_INTERNAL) != 0)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
switch (classId)
|
|
|
|
|
{
|
|
|
|
|
case DatabaseRelationId:
|
|
|
|
|
sepgsql_database_drop(objectId);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case NamespaceRelationId:
|
|
|
|
|
sepgsql_schema_drop(objectId);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case RelationRelationId:
|
|
|
|
|
if (subId == 0)
|
|
|
|
|
sepgsql_relation_drop(objectId);
|
|
|
|
|
else
|
|
|
|
|
sepgsql_attribute_drop(objectId, subId);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ProcedureRelationId:
|
|
|
|
|
sepgsql_proc_drop(objectId);
|
|
|
|
|
break;
|
2013-03-27 13:10:14 +01:00
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
/* Ignore unsupported object classes */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2019-11-23 16:41:52 +01:00
|
|
|
case OAT_TRUNCATE:
|
|
|
|
|
{
|
|
|
|
|
switch (classId)
|
|
|
|
|
{
|
|
|
|
|
case RelationRelationId:
|
|
|
|
|
sepgsql_relation_truncate(objectId);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
/* Ignore unsupported object classes */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2013-03-27 13:10:14 +01:00
|
|
|
case OAT_POST_ALTER:
|
|
|
|
|
{
|
2013-05-29 22:58:43 +02:00
|
|
|
ObjectAccessPostAlter *pa_arg = arg;
|
|
|
|
|
bool is_internal = pa_arg->is_internal;
|
2013-03-27 13:10:14 +01:00
|
|
|
|
|
|
|
|
switch (classId)
|
|
|
|
|
{
|
|
|
|
|
case DatabaseRelationId:
|
|
|
|
|
Assert(!is_internal);
|
|
|
|
|
sepgsql_database_setattr(objectId);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case NamespaceRelationId:
|
|
|
|
|
Assert(!is_internal);
|
|
|
|
|
sepgsql_schema_setattr(objectId);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case RelationRelationId:
|
|
|
|
|
if (subId == 0)
|
2013-05-29 22:58:43 +02:00
|
|
|
{
|
2013-03-27 13:10:14 +01:00
|
|
|
/*
|
|
|
|
|
* A case when we don't want to apply permission
|
|
|
|
|
* check is that relation is internally altered
|
2013-05-29 22:58:43 +02:00
|
|
|
* without user's intention. E.g, no need to check
|
|
|
|
|
* on toast table/index to be renamed at end of
|
|
|
|
|
* the table rewrites.
|
2013-03-27 13:10:14 +01:00
|
|
|
*/
|
|
|
|
|
if (is_internal)
|
2013-05-29 22:58:43 +02:00
|
|
|
break;
|
2013-03-27 13:10:14 +01:00
|
|
|
|
|
|
|
|
sepgsql_relation_setattr(objectId);
|
2013-05-29 22:58:43 +02:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
sepgsql_attribute_setattr(objectId, subId);
|
2013-03-27 13:10:14 +01:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ProcedureRelationId:
|
|
|
|
|
Assert(!is_internal);
|
|
|
|
|
sepgsql_proc_setattr(objectId);
|
|
|
|
|
break;
|
2012-03-09 21:18:45 +01:00
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
/* Ignore unsupported object classes */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2013-04-05 14:51:31 +02:00
|
|
|
case OAT_NAMESPACE_SEARCH:
|
|
|
|
|
{
|
2013-05-29 22:58:43 +02:00
|
|
|
ObjectAccessNamespaceSearch *ns_arg = arg;
|
2013-04-05 14:51:31 +02:00
|
|
|
|
|
|
|
|
/*
|
2013-05-29 22:58:43 +02:00
|
|
|
* If stacked extension already decided not to allow users to
|
|
|
|
|
* search this schema, we just stick with that decision.
|
2013-04-05 14:51:31 +02:00
|
|
|
*/
|
|
|
|
|
if (!ns_arg->result)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
Assert(classId == NamespaceRelationId);
|
|
|
|
|
Assert(ns_arg->result);
|
|
|
|
|
ns_arg->result
|
|
|
|
|
= sepgsql_schema_search(objectId,
|
|
|
|
|
ns_arg->ereport_on_violation);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2013-04-12 14:55:56 +02:00
|
|
|
case OAT_FUNCTION_EXECUTE:
|
|
|
|
|
{
|
|
|
|
|
Assert(classId == ProcedureRelationId);
|
|
|
|
|
sepgsql_proc_execute(objectId);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
2011-01-24 02:44:48 +01:00
|
|
|
default:
|
2011-04-10 17:42:00 +02:00
|
|
|
elog(ERROR, "unexpected object access type: %d", (int) access);
|
2011-01-24 02:44:48 +01:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* sepgsql_exec_check_perms
|
|
|
|
|
*
|
|
|
|
|
* Entrypoint of DML permissions
|
|
|
|
|
*/
|
|
|
|
|
static bool
|
|
|
|
|
sepgsql_exec_check_perms(List *rangeTabls, bool abort)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* If security provider is stacking and one of them replied 'false' at
|
|
|
|
|
* least, we don't need to check any more.
|
2011-01-24 02:44:48 +01:00
|
|
|
*/
|
|
|
|
|
if (next_exec_check_perms_hook &&
|
2011-04-10 17:42:00 +02:00
|
|
|
!(*next_exec_check_perms_hook) (rangeTabls, abort))
|
2011-01-24 02:44:48 +01:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (!sepgsql_dml_privileges(rangeTabls, abort))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* sepgsql_utility_command
|
|
|
|
|
*
|
|
|
|
|
* It tries to rough-grained control on utility commands; some of them can
|
|
|
|
|
* break whole of the things if nefarious user would use.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
Change representation of statement lists, and add statement location info.
This patch makes several changes that improve the consistency of
representation of lists of statements. It's always been the case
that the output of parse analysis is a list of Query nodes, whatever
the types of the individual statements in the list. This patch brings
similar consistency to the outputs of raw parsing and planning steps:
* The output of raw parsing is now always a list of RawStmt nodes;
the statement-type-dependent nodes are one level down from that.
* The output of pg_plan_queries() is now always a list of PlannedStmt
nodes, even for utility statements. In the case of a utility statement,
"planning" just consists of wrapping a CMD_UTILITY PlannedStmt around
the utility node. This list representation is now used in Portal and
CachedPlan plan lists, replacing the former convention of intermixing
PlannedStmts with bare utility-statement nodes.
Now, every list of statements has a consistent head-node type depending
on how far along it is in processing. This allows changing many places
that formerly used generic "Node *" pointers to use a more specific
pointer type, thus reducing the number of IsA() tests and casts needed,
as well as improving code clarity.
Also, the post-parse-analysis representation of DECLARE CURSOR is changed
so that it looks more like EXPLAIN, PREPARE, etc. That is, the contained
SELECT remains a child of the DeclareCursorStmt rather than getting flipped
around to be the other way. It's now true for both Query and PlannedStmt
that utilityStmt is non-null if and only if commandType is CMD_UTILITY.
That allows simplifying a lot of places that were testing both fields.
(I think some of those were just defensive programming, but in many places,
it was actually necessary to avoid confusing DECLARE CURSOR with SELECT.)
Because PlannedStmt carries a canSetTag field, we're also able to get rid
of some ad-hoc rules about how to reconstruct canSetTag for a bare utility
statement; specifically, the assumption that a utility is canSetTag if and
only if it's the only one in its list. While I see no near-term need for
relaxing that restriction, it's nice to get rid of the ad-hocery.
The API of ProcessUtility() is changed so that what it's passed is the
wrapper PlannedStmt not just the bare utility statement. This will affect
all users of ProcessUtility_hook, but the changes are pretty trivial; see
the affected contrib modules for examples of the minimum change needed.
(Most compilers should give pointer-type-mismatch warnings for uncorrected
code.)
There's also a change in the API of ExplainOneQuery_hook, to pass through
cursorOptions instead of expecting hook functions to know what to pick.
This is needed because of the DECLARE CURSOR changes, but really should
have been done in 9.6; it's unlikely that any extant hook functions
know about using CURSOR_OPT_PARALLEL_OK.
Finally, teach gram.y to save statement boundary locations in RawStmt
nodes, and pass those through to Query and PlannedStmt nodes. This allows
more intelligent handling of cases where a source query string contains
multiple statements. This patch doesn't actually do anything with the
information, but a follow-on patch will. (Passing this information through
cleanly is the true motivation for these changes; while I think this is all
good cleanup, it's unlikely we'd have bothered without this end goal.)
catversion bump because addition of location fields to struct Query
affects stored rules.
This patch is by me, but it owes a good deal to Fabien Coelho who did
a lot of preliminary work on the problem, and also reviewed the patch.
Discussion: https://postgr.es/m/alpine.DEB.2.20.1612200926310.29821@lancre
2017-01-14 22:02:35 +01:00
|
|
|
sepgsql_utility_command(PlannedStmt *pstmt,
|
2011-01-24 02:44:48 +01:00
|
|
|
const char *queryString,
|
2013-04-28 06:18:45 +02:00
|
|
|
ProcessUtilityContext context,
|
2011-01-24 02:44:48 +01:00
|
|
|
ParamListInfo params,
|
2017-04-01 07:10:12 +02:00
|
|
|
QueryEnvironment *queryEnv,
|
2011-01-24 02:44:48 +01:00
|
|
|
DestReceiver *dest,
|
2013-04-28 06:18:45 +02:00
|
|
|
char *completionTag)
|
2011-01-24 02:44:48 +01:00
|
|
|
{
|
Change representation of statement lists, and add statement location info.
This patch makes several changes that improve the consistency of
representation of lists of statements. It's always been the case
that the output of parse analysis is a list of Query nodes, whatever
the types of the individual statements in the list. This patch brings
similar consistency to the outputs of raw parsing and planning steps:
* The output of raw parsing is now always a list of RawStmt nodes;
the statement-type-dependent nodes are one level down from that.
* The output of pg_plan_queries() is now always a list of PlannedStmt
nodes, even for utility statements. In the case of a utility statement,
"planning" just consists of wrapping a CMD_UTILITY PlannedStmt around
the utility node. This list representation is now used in Portal and
CachedPlan plan lists, replacing the former convention of intermixing
PlannedStmts with bare utility-statement nodes.
Now, every list of statements has a consistent head-node type depending
on how far along it is in processing. This allows changing many places
that formerly used generic "Node *" pointers to use a more specific
pointer type, thus reducing the number of IsA() tests and casts needed,
as well as improving code clarity.
Also, the post-parse-analysis representation of DECLARE CURSOR is changed
so that it looks more like EXPLAIN, PREPARE, etc. That is, the contained
SELECT remains a child of the DeclareCursorStmt rather than getting flipped
around to be the other way. It's now true for both Query and PlannedStmt
that utilityStmt is non-null if and only if commandType is CMD_UTILITY.
That allows simplifying a lot of places that were testing both fields.
(I think some of those were just defensive programming, but in many places,
it was actually necessary to avoid confusing DECLARE CURSOR with SELECT.)
Because PlannedStmt carries a canSetTag field, we're also able to get rid
of some ad-hoc rules about how to reconstruct canSetTag for a bare utility
statement; specifically, the assumption that a utility is canSetTag if and
only if it's the only one in its list. While I see no near-term need for
relaxing that restriction, it's nice to get rid of the ad-hocery.
The API of ProcessUtility() is changed so that what it's passed is the
wrapper PlannedStmt not just the bare utility statement. This will affect
all users of ProcessUtility_hook, but the changes are pretty trivial; see
the affected contrib modules for examples of the minimum change needed.
(Most compilers should give pointer-type-mismatch warnings for uncorrected
code.)
There's also a change in the API of ExplainOneQuery_hook, to pass through
cursorOptions instead of expecting hook functions to know what to pick.
This is needed because of the DECLARE CURSOR changes, but really should
have been done in 9.6; it's unlikely that any extant hook functions
know about using CURSOR_OPT_PARALLEL_OK.
Finally, teach gram.y to save statement boundary locations in RawStmt
nodes, and pass those through to Query and PlannedStmt nodes. This allows
more intelligent handling of cases where a source query string contains
multiple statements. This patch doesn't actually do anything with the
information, but a follow-on patch will. (Passing this information through
cleanly is the true motivation for these changes; while I think this is all
good cleanup, it's unlikely we'd have bothered without this end goal.)
catversion bump because addition of location fields to struct Query
affects stored rules.
This patch is by me, but it owes a good deal to Fabien Coelho who did
a lot of preliminary work on the problem, and also reviewed the patch.
Discussion: https://postgr.es/m/alpine.DEB.2.20.1612200926310.29821@lancre
2017-01-14 22:02:35 +01:00
|
|
|
Node *parsetree = pstmt->utilityStmt;
|
2012-06-10 21:20:04 +02:00
|
|
|
sepgsql_context_info_t saved_context_info = sepgsql_context_info;
|
|
|
|
|
ListCell *cell;
|
2011-01-24 02:44:48 +01:00
|
|
|
|
2011-12-21 15:12:43 +01:00
|
|
|
PG_TRY();
|
2011-01-24 02:44:48 +01:00
|
|
|
{
|
2011-12-21 15:12:43 +01:00
|
|
|
/*
|
|
|
|
|
* Check command tag to avoid nefarious operations, and save the
|
2012-06-10 21:20:04 +02:00
|
|
|
* current contextual information to determine whether we should apply
|
|
|
|
|
* permission checks here, or not.
|
2011-12-21 15:12:43 +01:00
|
|
|
*/
|
|
|
|
|
sepgsql_context_info.cmdtype = nodeTag(parsetree);
|
|
|
|
|
|
|
|
|
|
switch (nodeTag(parsetree))
|
|
|
|
|
{
|
|
|
|
|
case T_CreatedbStmt:
|
2012-06-10 21:20:04 +02:00
|
|
|
|
2011-12-21 15:12:43 +01:00
|
|
|
/*
|
|
|
|
|
* We hope to reference name of the source database, but it
|
|
|
|
|
* does not appear in system catalog. So, we save it here.
|
|
|
|
|
*/
|
2012-06-10 21:20:04 +02:00
|
|
|
foreach(cell, ((CreatedbStmt *) parsetree)->options)
|
2011-12-21 15:12:43 +01:00
|
|
|
{
|
2012-06-10 21:20:04 +02:00
|
|
|
DefElem *defel = (DefElem *) lfirst(cell);
|
2011-12-21 15:12:43 +01:00
|
|
|
|
|
|
|
|
if (strcmp(defel->defname, "template") == 0)
|
|
|
|
|
{
|
|
|
|
|
sepgsql_context_info.createdb_dtemplate
|
|
|
|
|
= strVal(defel->arg);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case T_LoadStmt:
|
2012-06-10 21:20:04 +02:00
|
|
|
|
2011-12-21 15:12:43 +01:00
|
|
|
/*
|
|
|
|
|
* We reject LOAD command across the board on enforcing mode,
|
|
|
|
|
* because a binary module can arbitrarily override hooks.
|
|
|
|
|
*/
|
|
|
|
|
if (sepgsql_getenforce())
|
|
|
|
|
{
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
|
|
|
errmsg("SELinux: LOAD is not permitted")));
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2012-06-10 21:20:04 +02:00
|
|
|
|
2011-12-21 15:12:43 +01:00
|
|
|
/*
|
|
|
|
|
* Right now we don't check any other utility commands,
|
|
|
|
|
* because it needs more detailed information to make access
|
|
|
|
|
* control decision here, but we don't want to have two parse
|
|
|
|
|
* and analyze routines individually.
|
|
|
|
|
*/
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (next_ProcessUtility_hook)
|
Change representation of statement lists, and add statement location info.
This patch makes several changes that improve the consistency of
representation of lists of statements. It's always been the case
that the output of parse analysis is a list of Query nodes, whatever
the types of the individual statements in the list. This patch brings
similar consistency to the outputs of raw parsing and planning steps:
* The output of raw parsing is now always a list of RawStmt nodes;
the statement-type-dependent nodes are one level down from that.
* The output of pg_plan_queries() is now always a list of PlannedStmt
nodes, even for utility statements. In the case of a utility statement,
"planning" just consists of wrapping a CMD_UTILITY PlannedStmt around
the utility node. This list representation is now used in Portal and
CachedPlan plan lists, replacing the former convention of intermixing
PlannedStmts with bare utility-statement nodes.
Now, every list of statements has a consistent head-node type depending
on how far along it is in processing. This allows changing many places
that formerly used generic "Node *" pointers to use a more specific
pointer type, thus reducing the number of IsA() tests and casts needed,
as well as improving code clarity.
Also, the post-parse-analysis representation of DECLARE CURSOR is changed
so that it looks more like EXPLAIN, PREPARE, etc. That is, the contained
SELECT remains a child of the DeclareCursorStmt rather than getting flipped
around to be the other way. It's now true for both Query and PlannedStmt
that utilityStmt is non-null if and only if commandType is CMD_UTILITY.
That allows simplifying a lot of places that were testing both fields.
(I think some of those were just defensive programming, but in many places,
it was actually necessary to avoid confusing DECLARE CURSOR with SELECT.)
Because PlannedStmt carries a canSetTag field, we're also able to get rid
of some ad-hoc rules about how to reconstruct canSetTag for a bare utility
statement; specifically, the assumption that a utility is canSetTag if and
only if it's the only one in its list. While I see no near-term need for
relaxing that restriction, it's nice to get rid of the ad-hocery.
The API of ProcessUtility() is changed so that what it's passed is the
wrapper PlannedStmt not just the bare utility statement. This will affect
all users of ProcessUtility_hook, but the changes are pretty trivial; see
the affected contrib modules for examples of the minimum change needed.
(Most compilers should give pointer-type-mismatch warnings for uncorrected
code.)
There's also a change in the API of ExplainOneQuery_hook, to pass through
cursorOptions instead of expecting hook functions to know what to pick.
This is needed because of the DECLARE CURSOR changes, but really should
have been done in 9.6; it's unlikely that any extant hook functions
know about using CURSOR_OPT_PARALLEL_OK.
Finally, teach gram.y to save statement boundary locations in RawStmt
nodes, and pass those through to Query and PlannedStmt nodes. This allows
more intelligent handling of cases where a source query string contains
multiple statements. This patch doesn't actually do anything with the
information, but a follow-on patch will. (Passing this information through
cleanly is the true motivation for these changes; while I think this is all
good cleanup, it's unlikely we'd have bothered without this end goal.)
catversion bump because addition of location fields to struct Query
affects stored rules.
This patch is by me, but it owes a good deal to Fabien Coelho who did
a lot of preliminary work on the problem, and also reviewed the patch.
Discussion: https://postgr.es/m/alpine.DEB.2.20.1612200926310.29821@lancre
2017-01-14 22:02:35 +01:00
|
|
|
(*next_ProcessUtility_hook) (pstmt, queryString,
|
2017-04-01 07:10:12 +02:00
|
|
|
context, params, queryEnv,
|
2013-04-28 06:18:45 +02:00
|
|
|
dest, completionTag);
|
2011-12-21 15:12:43 +01:00
|
|
|
else
|
Change representation of statement lists, and add statement location info.
This patch makes several changes that improve the consistency of
representation of lists of statements. It's always been the case
that the output of parse analysis is a list of Query nodes, whatever
the types of the individual statements in the list. This patch brings
similar consistency to the outputs of raw parsing and planning steps:
* The output of raw parsing is now always a list of RawStmt nodes;
the statement-type-dependent nodes are one level down from that.
* The output of pg_plan_queries() is now always a list of PlannedStmt
nodes, even for utility statements. In the case of a utility statement,
"planning" just consists of wrapping a CMD_UTILITY PlannedStmt around
the utility node. This list representation is now used in Portal and
CachedPlan plan lists, replacing the former convention of intermixing
PlannedStmts with bare utility-statement nodes.
Now, every list of statements has a consistent head-node type depending
on how far along it is in processing. This allows changing many places
that formerly used generic "Node *" pointers to use a more specific
pointer type, thus reducing the number of IsA() tests and casts needed,
as well as improving code clarity.
Also, the post-parse-analysis representation of DECLARE CURSOR is changed
so that it looks more like EXPLAIN, PREPARE, etc. That is, the contained
SELECT remains a child of the DeclareCursorStmt rather than getting flipped
around to be the other way. It's now true for both Query and PlannedStmt
that utilityStmt is non-null if and only if commandType is CMD_UTILITY.
That allows simplifying a lot of places that were testing both fields.
(I think some of those were just defensive programming, but in many places,
it was actually necessary to avoid confusing DECLARE CURSOR with SELECT.)
Because PlannedStmt carries a canSetTag field, we're also able to get rid
of some ad-hoc rules about how to reconstruct canSetTag for a bare utility
statement; specifically, the assumption that a utility is canSetTag if and
only if it's the only one in its list. While I see no near-term need for
relaxing that restriction, it's nice to get rid of the ad-hocery.
The API of ProcessUtility() is changed so that what it's passed is the
wrapper PlannedStmt not just the bare utility statement. This will affect
all users of ProcessUtility_hook, but the changes are pretty trivial; see
the affected contrib modules for examples of the minimum change needed.
(Most compilers should give pointer-type-mismatch warnings for uncorrected
code.)
There's also a change in the API of ExplainOneQuery_hook, to pass through
cursorOptions instead of expecting hook functions to know what to pick.
This is needed because of the DECLARE CURSOR changes, but really should
have been done in 9.6; it's unlikely that any extant hook functions
know about using CURSOR_OPT_PARALLEL_OK.
Finally, teach gram.y to save statement boundary locations in RawStmt
nodes, and pass those through to Query and PlannedStmt nodes. This allows
more intelligent handling of cases where a source query string contains
multiple statements. This patch doesn't actually do anything with the
information, but a follow-on patch will. (Passing this information through
cleanly is the true motivation for these changes; while I think this is all
good cleanup, it's unlikely we'd have bothered without this end goal.)
catversion bump because addition of location fields to struct Query
affects stored rules.
This patch is by me, but it owes a good deal to Fabien Coelho who did
a lot of preliminary work on the problem, and also reviewed the patch.
Discussion: https://postgr.es/m/alpine.DEB.2.20.1612200926310.29821@lancre
2017-01-14 22:02:35 +01:00
|
|
|
standard_ProcessUtility(pstmt, queryString,
|
2017-04-01 07:10:12 +02:00
|
|
|
context, params, queryEnv,
|
2013-04-28 06:18:45 +02:00
|
|
|
dest, completionTag);
|
2011-01-24 02:44:48 +01:00
|
|
|
}
|
2019-11-01 11:09:52 +01:00
|
|
|
PG_FINALLY();
|
2011-12-21 15:12:43 +01:00
|
|
|
{
|
|
|
|
|
sepgsql_context_info = saved_context_info;
|
|
|
|
|
}
|
|
|
|
|
PG_END_TRY();
|
2011-01-24 02:44:48 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Module load/unload callback
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
_PG_init(void)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* We allow to load the SE-PostgreSQL module on single-user-mode or
|
|
|
|
|
* shared_preload_libraries settings only.
|
|
|
|
|
*/
|
|
|
|
|
if (IsUnderPostmaster)
|
|
|
|
|
ereport(ERROR,
|
2011-01-24 04:47:16 +01:00
|
|
|
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
errmsg("sepgsql must be loaded via shared_preload_libraries")));
|
2011-01-24 02:44:48 +01:00
|
|
|
|
|
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Check availability of SELinux on the platform. If disabled, we cannot
|
|
|
|
|
* activate any SE-PostgreSQL features, and we have to skip rest of
|
|
|
|
|
* initialization.
|
2011-01-24 02:44:48 +01:00
|
|
|
*/
|
|
|
|
|
if (is_selinux_enabled() < 1)
|
|
|
|
|
{
|
|
|
|
|
sepgsql_set_mode(SEPGSQL_MODE_DISABLED);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* sepgsql.permissive = (on|off)
|
|
|
|
|
*
|
2011-04-10 17:42:00 +02:00
|
|
|
* This variable controls performing mode of SE-PostgreSQL on user's
|
|
|
|
|
* session.
|
2011-01-24 02:44:48 +01:00
|
|
|
*/
|
|
|
|
|
DefineCustomBoolVariable("sepgsql.permissive",
|
|
|
|
|
"Turn on/off permissive mode in SE-PostgreSQL",
|
|
|
|
|
NULL,
|
|
|
|
|
&sepgsql_permissive,
|
|
|
|
|
false,
|
|
|
|
|
PGC_SIGHUP,
|
|
|
|
|
GUC_NOT_IN_SAMPLE,
|
|
|
|
|
NULL,
|
2011-04-07 06:11:01 +02:00
|
|
|
NULL,
|
2011-01-24 02:44:48 +01:00
|
|
|
NULL);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* sepgsql.debug_audit = (on|off)
|
|
|
|
|
*
|
2011-04-10 17:42:00 +02:00
|
|
|
* This variable allows users to turn on/off audit logs on access control
|
|
|
|
|
* decisions, independent from auditallow/auditdeny setting in the
|
|
|
|
|
* security policy. We intend to use this option for debugging purpose.
|
2011-01-24 02:44:48 +01:00
|
|
|
*/
|
|
|
|
|
DefineCustomBoolVariable("sepgsql.debug_audit",
|
|
|
|
|
"Turn on/off debug audit messages",
|
|
|
|
|
NULL,
|
|
|
|
|
&sepgsql_debug_audit,
|
|
|
|
|
false,
|
|
|
|
|
PGC_USERSET,
|
|
|
|
|
GUC_NOT_IN_SAMPLE,
|
|
|
|
|
NULL,
|
2011-04-07 06:11:01 +02:00
|
|
|
NULL,
|
2011-01-24 02:44:48 +01:00
|
|
|
NULL);
|
|
|
|
|
|
2011-09-01 14:37:33 +02:00
|
|
|
/* Initialize userspace access vector cache */
|
|
|
|
|
sepgsql_avc_init();
|
|
|
|
|
|
2012-02-15 19:54:26 +01:00
|
|
|
/* Initialize security label of the client and related stuff */
|
|
|
|
|
sepgsql_init_client_label();
|
|
|
|
|
|
2011-01-24 02:44:48 +01:00
|
|
|
/* Security label provider hook */
|
|
|
|
|
register_label_provider(SEPGSQL_LABEL_TAG,
|
|
|
|
|
sepgsql_object_relabel);
|
|
|
|
|
|
|
|
|
|
/* Object access hook */
|
|
|
|
|
next_object_access_hook = object_access_hook;
|
|
|
|
|
object_access_hook = sepgsql_object_access;
|
|
|
|
|
|
|
|
|
|
/* DML permission check */
|
|
|
|
|
next_exec_check_perms_hook = ExecutorCheckPerms_hook;
|
|
|
|
|
ExecutorCheckPerms_hook = sepgsql_exec_check_perms;
|
|
|
|
|
|
|
|
|
|
/* ProcessUtility hook */
|
|
|
|
|
next_ProcessUtility_hook = ProcessUtility_hook;
|
|
|
|
|
ProcessUtility_hook = sepgsql_utility_command;
|
2011-12-21 15:12:43 +01:00
|
|
|
|
|
|
|
|
/* init contextual info */
|
|
|
|
|
memset(&sepgsql_context_info, 0, sizeof(sepgsql_context_info));
|
2011-01-24 02:44:48 +01:00
|
|
|
}
|