mirror of
https://github.com/postgres/postgres.git
synced 2025-07-27 12:41:57 +03:00
Update sepgsql to add mandatory access control for TRUNCATE
Use SELinux "db_table: { truncate }" to check if permission is granted to TRUNCATE. Update example SELinux policy to grant needed permission for TRUNCATE. Add new regression test to demonstrate a positive and negative cases. Test will only be run if the loaded SELinux policy has the "db_table: { truncate }" permission. Makes use of recent commit which added object TRUNCATE hook. Patch by Yuli Khodorkovskiy with minor editorialization by me. Not back-patched because the object TRUNCATE hook was not. Author: Yuli Khodorkovskiy Reviewed-by: Joe Conway Discussion: https://postgr.es/m/CAFL5wJcomybj1Xdw7qWmPJRpGuFukKgNrDb6uVBaCMgYS9dkaA%40mail.gmail.com
This commit is contained in:
@ -188,6 +188,20 @@ sepgsql_object_access(ObjectAccessType access,
|
||||
}
|
||||
break;
|
||||
|
||||
case OAT_TRUNCATE:
|
||||
{
|
||||
switch (classId)
|
||||
{
|
||||
case RelationRelationId:
|
||||
sepgsql_relation_truncate(objectId);
|
||||
break;
|
||||
default:
|
||||
/* Ignore unsupported object classes */
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
case OAT_POST_ALTER:
|
||||
{
|
||||
ObjectAccessPostAlter *pa_arg = arg;
|
||||
|
Reference in New Issue
Block a user