sepgsql DROP support.

KaiGai Kohei

sepgsql DROP support.
KaiGai Kohei
e914a144 · Robert Haas · 07d1edb9 · e914a144 · e914a144 · e914a144
Commit e914a144 authored Mar 09, 2012 by Robert Haas
10 changed files
--- a/contrib/sepgsql/database.c
+++ b/contrib/sepgsql/database.c
@@ -118,6 +118,33 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
 	pfree(tcontext);
 }

+/*
+ * sepgsql_database_drop
+ *
+ * It checks privileges to drop the supplied database
+ */
+void
+sepgsql_database_drop(Oid databaseId)
+{
+	ObjectAddress	object;
+	char		   *audit_name;
+
+	/*
+	 * check db_database:{drop} permission
+	 */
+	object.classId = DatabaseRelationId;
+	object.objectId = databaseId;
+	object.objectSubId = 0;
+	audit_name = getObjectDescription(&object);
+
+	sepgsql_avc_check_perms(&object,
+							SEPG_CLASS_DB_DATABASE,
+							SEPG_DB_DATABASE__DROP,
+							audit_name,
+							true);
+	pfree(audit_name);
+}
+
 /*
 * sepgsql_database_relabel
 *

--- a/contrib/sepgsql/expected/create.out
+++ b/contrib/sepgsql/expected/create.out
--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -10,6 +10,7 @@
 */
 #include "postgres.h"

+#include "catalog/dependency.h"
 #include "catalog/objectaccess.h"
 #include "catalog/pg_class.h"
 #include "catalog/pg_database.h"
@@ -87,10 +88,11 @@ static void
 sepgsql_object_access(ObjectAccessType access,
 					  Oid classId,
 					  Oid objectId,
-					  int subId)
+					  int subId,
+					  void *arg)
 {
 	if (next_object_access_hook)
-		(*next_object_access_hook) (access, classId, objectId, subId);
+		(*next_object_access_hook) (access, classId, objectId, subId, arg);

 	switch (access)
 	{
@@ -146,6 +148,46 @@ sepgsql_object_access(ObjectAccessType access,
 			}
 			break;

+		case OAT_DROP:
+			{
+				ObjectAccessDrop *drop_arg = (ObjectAccessDrop *)arg;
+
+				/*
+				 * No need to apply permission checks on object deletion
+				 * due to internal cleanups; such as removal of temporary
+				 * database object on session closed.
+				 */
+				if ((drop_arg->dropflags & PERFORM_DELETION_INTERNAL) != 0)
+					break;
+
+				switch (classId)
+				{
+					case DatabaseRelationId:
+						sepgsql_database_drop(objectId);
+						break;
+
+					case NamespaceRelationId:
+						sepgsql_schema_drop(objectId);
+						break;
+
+					case RelationRelationId:
+						if (subId == 0)
+							sepgsql_relation_drop(objectId);
+						else
+							sepgsql_attribute_drop(objectId, subId);
+						break;
+
+					case ProcedureRelationId:
+						sepgsql_proc_drop(objectId);
+						break;
+
+					default:
+						/* Ignore unsupported object classes */
+						break;
+				}
+			}
+			break;
+
 		default:
 			elog(ERROR, "unexpected object access type: %d", (int) access);
 			break;

--- a/contrib/sepgsql/proc.c
+++ b/contrib/sepgsql/proc.c
@@ -130,6 +130,48 @@ sepgsql_proc_post_create(Oid functionId)
 	pfree(ncontext);
 }

+/*
+ * sepgsql_proc_drop
+ *
+ * It checks privileges to drop the supplied function.
+ */
+void
+sepgsql_proc_drop(Oid functionId)
+{
+	ObjectAddress	object;
+	char		   *audit_name;
+
+	/*
+	 * check db_schema:{remove_name} permission
+	 */
+	object.classId = NamespaceRelationId;
+	object.objectId = get_func_namespace(functionId);
+	object.objectSubId = 0;
+	audit_name = getObjectDescription(&object);
+
+	sepgsql_avc_check_perms(&object,
+							SEPG_CLASS_DB_SCHEMA,
+							SEPG_DB_SCHEMA__REMOVE_NAME,
+							audit_name,
+							true);
+	pfree(audit_name);
+
+    /*
+     * check db_procedure:{drop} permission
+     */
+	object.classId = ProcedureRelationId;
+	object.objectId = functionId;
+	object.objectSubId = 0;
+	audit_name = getObjectDescription(&object);
+
+    sepgsql_avc_check_perms(&object,
+                            SEPG_CLASS_DB_PROCEDURE,
+                            SEPG_DB_PROCEDURE__DROP,
+                            audit_name,
+                            true);
+	pfree(audit_name);
+}
+
 /*
 * sepgsql_proc_relabel
 *

--- a/contrib/sepgsql/relation.c
+++ b/contrib/sepgsql/relation.c
@@ -21,6 +21,7 @@
 #include "commands/seclabel.h"
 #include "utils/fmgroids.h"
 #include "utils/lsyscache.h"
+#include "utils/syscache.h"
 #include "utils/tqual.h"

 #include "sepgsql.h"
@@ -109,6 +110,36 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
 	pfree(ncontext);
 }

+/*
+ * sepgsql_attribute_drop
+ *
+ * It checks privileges to drop the supplied column.
+ */
+void
+sepgsql_attribute_drop(Oid relOid, AttrNumber attnum)
+{
+	ObjectAddress	object;
+	char		   *audit_name;
+
+	if (get_rel_relkind(relOid) != RELKIND_RELATION)
+		return;
+
+	/*
+	 * check db_column:{drop} permission
+	 */
+	object.classId = RelationRelationId;
+	object.objectId = relOid;
+	object.objectSubId = attnum;
+	audit_name = getObjectDescription(&object);
+
+	sepgsql_avc_check_perms(&object,
+							SEPG_CLASS_DB_COLUMN,
+							SEPG_DB_COLUMN__DROP,
+							audit_name,
+							true);
+	pfree(audit_name);
+}
+
 /*
 * sepgsql_attribute_relabel
 *
@@ -309,6 +340,94 @@ out:
 	heap_close(rel, AccessShareLock);
 }

+/*
+ * sepgsql_relation_drop
+ *
+ * It checks privileges to drop the supplied relation.
+ */
+void
+sepgsql_relation_drop(Oid relOid)
+{
+	ObjectAddress	object;
+	char		   *audit_name;
+	uint16_t		tclass = 0;
+	char			relkind;
+
+	relkind = get_rel_relkind(relOid);
+	if (relkind == RELKIND_RELATION)
+		tclass = SEPG_CLASS_DB_TABLE;
+	else if (relkind == RELKIND_SEQUENCE)
+		tclass = SEPG_CLASS_DB_SEQUENCE;
+	else if (relkind == RELKIND_VIEW)
+		tclass = SEPG_CLASS_DB_VIEW;
+	else
+		return;
+
+	/*
+	 * check db_schema:{remove_name} permission
+	 */
+	object.classId = NamespaceRelationId;
+	object.objectId = get_rel_namespace(relOid);
+	object.objectSubId = 0;
+	audit_name = getObjectDescription(&object);
+
+	sepgsql_avc_check_perms(&object,
+							SEPG_CLASS_DB_SCHEMA,
+							SEPG_DB_SCHEMA__REMOVE_NAME,
+							audit_name,
+							true);
+	pfree(audit_name);
+
+	/*
+	 * check db_table/sequence/view:{drop} permission
+	 */
+	object.classId = RelationRelationId;
+	object.objectId = relOid;
+	object.objectSubId = 0;
+	audit_name = getObjectDescription(&object);
+
+	sepgsql_avc_check_perms(&object,
+							tclass,
+							SEPG_DB_TABLE__DROP,
+							audit_name,
+							true);
+	pfree(audit_name);
+
+	/*
+	 * check db_column:{drop} permission
+	 */
+	if (relkind == RELKIND_RELATION)
+	{
+		Form_pg_attribute	attForm;
+		CatCList   *attrList;
+		HeapTuple	atttup;
+		int			i;
+
+		attrList = SearchSysCacheList1(ATTNUM, ObjectIdGetDatum(relOid));
+		for (i=0; i < attrList->n_members; i++)
+		{
+			atttup = &attrList->members[i]->tuple;
+			attForm = (Form_pg_attribute) GETSTRUCT(atttup);
+
+			if (attForm->attisdropped)
+				continue;
+
+			object.classId = RelationRelationId;
+			object.objectId = relOid;
+			object.objectSubId = attForm->attnum;
+			audit_name = getObjectDescription(&object);
+
+			sepgsql_avc_check_perms(&object,
+									SEPG_CLASS_DB_COLUMN,
+									SEPG_DB_COLUMN__DROP,
+									audit_name,
+									true);
+			pfree(audit_name);
+		}
+		ReleaseCatCacheList(attrList);
+	}
+}
+
 /*
 * sepgsql_relation_relabel
 *

--- a/contrib/sepgsql/schema.c
+++ b/contrib/sepgsql/schema.c
@@ -96,6 +96,33 @@ sepgsql_schema_post_create(Oid namespaceId)
 	pfree(tcontext);
 }

+/*
+ * sepgsql_schema_drop
+ *
+ * It checks privileges to drop the supplied schema object.
+ */
+void
+sepgsql_schema_drop(Oid namespaceId)
+{
+	ObjectAddress	object;
+	char		   *audit_name;
+
+	/*
+	 * check db_schema:{drop} permission
+	 */
+	object.classId = NamespaceRelationId;
+	object.objectId = namespaceId;
+	object.objectSubId = 0;
+	audit_name = getObjectDescription(&object);
+
+	sepgsql_avc_check_perms(&object,
+                            SEPG_CLASS_DB_SCHEMA,
+							SEPG_DB_SCHEMA__DROP,
+							audit_name,
+							true);
+	pfree(audit_name);
+}
+
 /*
 * sepgsql_schema_relabel
 *

--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
@@ -288,27 +288,32 @@ extern bool sepgsql_dml_privileges(List *rangeTabls, bool abort);
 */
 extern void sepgsql_database_post_create(Oid databaseId,
 										 const char *dtemplate);
+extern void sepgsql_database_drop(Oid databaseId);
 extern void sepgsql_database_relabel(Oid databaseId, const char *seclabel);

 /*
 * schema.c
 */
 extern void sepgsql_schema_post_create(Oid namespaceId);
+extern void sepgsql_schema_drop(Oid namespaceId);
 extern void sepgsql_schema_relabel(Oid namespaceId, const char *seclabel);

 /*
 * relation.c
 */
 extern void sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum);
+extern void sepgsql_attribute_drop(Oid relOid, AttrNumber attnum);
 extern void sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
 						  const char *seclabel);
 extern void sepgsql_relation_post_create(Oid relOid);
+extern void sepgsql_relation_drop(Oid relOid);
 extern void sepgsql_relation_relabel(Oid relOid, const char *seclabel);

 /*
 * proc.c
 */
 extern void sepgsql_proc_post_create(Oid functionId);
+extern void sepgsql_proc_drop(Oid functionId);
 extern void sepgsql_proc_relabel(Oid functionId, const char *seclabel);

 #endif   /* SEPGSQL_H */
--- a/contrib/sepgsql/sql/create.sql
+++ b/contrib/sepgsql/sql/create.sql
 --
-- Regression Test for Creation of Object Permission Checks
+-- Regression Test for DDL of Object Permission Checks
 --

 -- confirm required permissions using audit messages
@@ -7,10 +7,17 @@
 SET sepgsql.debug_audit = true;
 SET client_min_messages = LOG;

+--
+-- CREATE Permission checks
+--
 CREATE DATABASE regtest_sepgsql_test_database;

+CREATE USER regtest_sepgsql_test_user;
+
 CREATE SCHEMA regtest_schema;

+GRANT ALL ON SCHEMA regtest_schema TO regtest_sepgsql_test_user;
+
 SET search_path = regtest_schema, public;

 CREATE TABLE regtest_table (x serial primary key, y text);
@@ -38,9 +45,37 @@ CREATE AGGREGATE regtest_agg (
           sfunc1 = int4pl, basetype = int4, stype1 = int4, initcond1 = '0'
 );

+-- CREATE objects owned by others
+SET SESSION AUTHORIZATION regtest_sepgsql_test_user;
+
+SET search_path = regtest_schema, public;
+
+CREATE TABLE regtest_table_3 (x int, y serial);
+
+CREATE VIEW regtest_view_2 AS SELECT * FROM regtest_table_3 WHERE x < y;
+
+CREATE FUNCTION regtest_func_2(int) RETURNS bool LANGUAGE plpgsql
+           AS 'BEGIN RETURN $1 * $1 < 100; END';
+
+RESET SESSION AUTHORIZATION;
+
 --
-- clean-up
+-- DROP Permission checks (with clean-up)
 --
-DROP DATABASE IF EXISTS regtest_sepgsql_test_database;

+DROP FUNCTION regtest_func(text,int[]);
+DROP AGGREGATE regtest_agg(int);
+
+DROP SEQUENCE regtest_seq;
+DROP VIEW regtest_view;
+
+ALTER TABLE regtest_table DROP COLUMN y;
+ALTER TABLE regtest_table_2 SET WITHOUT OIDS;
+
+DROP TABLE regtest_table;
+
+DROP OWNED BY regtest_sepgsql_test_user;
+
+DROP DATABASE regtest_sepgsql_test_database;
+DROP USER regtest_sepgsql_test_user;
 DROP SCHEMA IF EXISTS regtest_schema CASCADE;
--- a/contrib/sepgsql/test_sepgsql
+++ b/contrib/sepgsql/test_sepgsql
@@ -259,6 +259,6 @@ echo "found ${NUM}"
 echo
 echo "============== running sepgsql regression tests       =============="

-make REGRESS="label dml create misc" REGRESS_OPTS="--launcher ./launcher" installcheck
+make REGRESS="label dml ddl misc" REGRESS_OPTS="--launcher ./launcher" installcheck

 # exit with the exit code provided by "make"
--- a/doc/src/sgml/sepgsql.sgml
+++ b/doc/src/sgml/sepgsql.sgml
@@ -440,6 +440,20 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;
    on the schema, not only <literal>create</> on the new object itself.
   </para>

+   <para>
+    When <literal>DROP</> command is executed, <literal>drop</> will be
+    checked on the object being removed for each object types.
+    Please note that it shall not be checked on the objects removed by
+    cascaded deletion according to the standard manner in SQL.
+   </para>
+   <para>
+    A few additional checks are applied depending on object types.
+    On deletion of objects underlying a particula schema (tables, views,
+    sequences and procedures), <literal>remove_name</> shall be also checked
+    on the schema, not only <literal>drop</> on the object being removed
+    itself.
+   </para>
+
   <para>
    When <xref linkend="sql-security-label"> is executed, <literal>setattr</>
    and <literal>relabelfrom</> will be checked on the object being relabeled