Userspace access vector cache for contrib/sepgsql.

KaiGai Kohei
2025-07-27 12:41:57 +03:00 · 2011-09-01 08:37:33 -04:00
parent 3d14bd2563
commit 4232c4b406
12 changed files with 661 additions and 211 deletions
--- a/contrib/sepgsql/proc.c
+++ b/contrib/sepgsql/proc.c
@ -96,64 +96,30 @@ sepgsql_proc_post_create(Oid functionId)
 void
 sepgsql_proc_relabel(Oid functionId, const char *seclabel)
 {
-	char	   *scontext = sepgsql_get_client_label();
-	char	   *tcontext;
-	char	   *audit_name;
+	ObjectAddress	object;
+	char		   *audit_name;

-	audit_name = getObjectDescriptionOids(ProcedureRelationId, functionId);
+	object.classId = ProcedureRelationId;
+	object.objectId = functionId;
+	object.objectSubId = 0;
+	audit_name = getObjectDescription(&object);

 	/*
 	 * check db_procedure:{setattr relabelfrom} permission
 	 */
-	tcontext = sepgsql_get_label(ProcedureRelationId, functionId, 0);
-	sepgsql_check_perms(scontext,
-						tcontext,
-						SEPG_CLASS_DB_PROCEDURE,
-						SEPG_DB_PROCEDURE__SETATTR |
-						SEPG_DB_PROCEDURE__RELABELFROM,
-						audit_name,
-						true);
-	pfree(tcontext);
-
+	sepgsql_avc_check_perms(&object,
+							SEPG_CLASS_DB_PROCEDURE,
+							SEPG_DB_PROCEDURE__SETATTR |
+							SEPG_DB_PROCEDURE__RELABELFROM,
+							audit_name,
+							true);
 	/*
 	 * check db_procedure:{relabelto} permission
 	 */
-	sepgsql_check_perms(scontext,
-						seclabel,
-						SEPG_CLASS_DB_PROCEDURE,
-						SEPG_DB_PROCEDURE__RELABELTO,
-						audit_name,
-						true);
+	sepgsql_avc_check_perms_label(seclabel,
+								  SEPG_CLASS_DB_PROCEDURE,
+								  SEPG_DB_PROCEDURE__RELABELTO,
+								  audit_name,
+								  true);
 	pfree(audit_name);
 }
-
-/*
- * sepgsql_proc_get_domtrans
- *
- * It computes security label of the client that shall be applied when
- * the current client invokes the supplied function.
- * This computed label is either same or different from the current one.
- * If security policy informed the function is a trusted-procedure,
- * we need to switch security label of the client during execution of
- * the function.
- *
- * Also note that the translated label shall be allocated using palloc().
- * So, need to switch memory context, if you want to hold the string in
- * someone except for CurrentMemoryContext.
- */
-char *
-sepgsql_proc_get_domtrans(Oid functionId)
-{
-	char	   *scontext = sepgsql_get_client_label();
-	char	   *tcontext;
-	char	   *ncontext;
-
-	tcontext = sepgsql_get_label(ProcedureRelationId, functionId, 0);
-
-	ncontext = sepgsql_compute_create(scontext,
-									  tcontext,
-									  SEPG_CLASS_PROCESS);
-	pfree(tcontext);
-
-	return ncontext;
-}