
Run pgindent on 9.2 source tree in preparation for first 9.3 commit-fest.
Bruce Momjian
2012-06-10 15:20:04 -04:00
parent 60801944fa
commit 927d61eeff
494 changed files with 7343 additions and 7046 deletions


@ -32,19 +32,19 @@ void
sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
{
Relation rel;
ScanKeyData skey;
SysScanDesc sscan;
ScanKeyData skey;
SysScanDesc sscan;
HeapTuple tuple;
char *tcontext;
char *ncontext;
char audit_name[NAMEDATALEN + 20];
ObjectAddress object;
Form_pg_database datForm;
ObjectAddress object;
Form_pg_database datForm;
/*
* Oid of the source database is not saved in pg_database catalog,
* so we collect its identifier using contextual information.
* If NULL, its default is "template1" according to createdb().
* Oid of the source database is not saved in pg_database catalog, so we
* collect its identifier using contextual information. If NULL, its
* default is "template1" according to createdb().
*/
if (!dtemplate)
dtemplate = "template1";
@ -56,6 +56,7 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
tcontext = sepgsql_get_label(object.classId,
object.objectId,
object.objectSubId);
/*
* check db_database:{getattr} permission
*/
@ -67,11 +68,11 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
true);
/*
* Compute a default security label of the newly created database
* based on a pair of security label of client and source database.
* Compute a default security label of the newly created database based on
* a pair of security label of client and source database.
*
* XXX - uncoming version of libselinux supports to take object
* name to handle special treatment on default security label.
* XXX - uncoming version of libselinux supports to take object name to
* handle special treatment on default security label.
*/
rel = heap_open(DatabaseRelationId, AccessShareLock);
@ -91,6 +92,7 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext,
SEPG_CLASS_DB_DATABASE);
/*
* check db_database:{create} permission
*/
@ -126,8 +128,8 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
void
sepgsql_database_drop(Oid databaseId)
{
ObjectAddress object;
char *audit_name;
ObjectAddress object;
char *audit_name;
/*
* check db_database:{drop} permission
@ -153,8 +155,8 @@ sepgsql_database_drop(Oid databaseId)
void
sepgsql_database_relabel(Oid databaseId, const char *seclabel)
{
ObjectAddress object;
char *audit_name;
ObjectAddress object;
char *audit_name;
object.classId = DatabaseRelationId;
object.objectId = databaseId;
@ -170,6 +172,7 @@ sepgsql_database_relabel(Oid databaseId, const char *seclabel)
SEPG_DB_DATABASE__RELABELFROM,
audit_name,
true);
/*
* check db_database:{relabelto} permission
*/


@ -150,7 +150,7 @@ check_relation_privileges(Oid relOid,
uint32 required,
bool abort)
{
ObjectAddress object;
ObjectAddress object;
char *audit_name;
Bitmapset *columns;
int index;


@ -52,9 +52,9 @@ typedef struct
* command. Elsewhere (including the case of default) NULL.
*/
const char *createdb_dtemplate;
} sepgsql_context_info_t;
} sepgsql_context_info_t;
static sepgsql_context_info_t sepgsql_context_info;
static sepgsql_context_info_t sepgsql_context_info;
/*
* GUC: sepgsql.permissive = (on|off)
@ -101,7 +101,7 @@ sepgsql_object_access(ObjectAccessType access,
{
case DatabaseRelationId:
sepgsql_database_post_create(objectId,
sepgsql_context_info.createdb_dtemplate);
sepgsql_context_info.createdb_dtemplate);
break;
case NamespaceRelationId:
@ -115,9 +115,8 @@ sepgsql_object_access(ObjectAccessType access,
* All cases we want to apply permission checks on
* creation of a new relation are invocation of the
* heap_create_with_catalog via DefineRelation or
* OpenIntoRel.
* Elsewhere, we need neither assignment of security
* label nor permission checks.
* OpenIntoRel. Elsewhere, we need neither assignment
* of security label nor permission checks.
*/
switch (sepgsql_context_info.cmdtype)
{
@ -150,12 +149,12 @@ sepgsql_object_access(ObjectAccessType access,
case OAT_DROP:
{
ObjectAccessDrop *drop_arg = (ObjectAccessDrop *)arg;
ObjectAccessDrop *drop_arg = (ObjectAccessDrop *) arg;
/*
* No need to apply permission checks on object deletion
* due to internal cleanups; such as removal of temporary
* database object on session closed.
* No need to apply permission checks on object deletion due
* to internal cleanups; such as removal of temporary database
* object on session closed.
*/
if ((drop_arg->dropflags & PERFORM_DELETION_INTERNAL) != 0)
break;
@ -219,13 +218,13 @@ sepgsql_exec_check_perms(List *rangeTabls, bool abort)
/*
* sepgsql_executor_start
*
* It saves contextual information during ExecutorStart to distinguish
* It saves contextual information during ExecutorStart to distinguish
* a case with/without permission checks later.
*/
static void
sepgsql_executor_start(QueryDesc *queryDesc, int eflags)
{
sepgsql_context_info_t saved_context_info = sepgsql_context_info;
sepgsql_context_info_t saved_context_info = sepgsql_context_info;
PG_TRY();
{
@ -270,28 +269,29 @@ sepgsql_utility_command(Node *parsetree,
DestReceiver *dest,
char *completionTag)
{
sepgsql_context_info_t saved_context_info = sepgsql_context_info;
ListCell *cell;
sepgsql_context_info_t saved_context_info = sepgsql_context_info;
ListCell *cell;
PG_TRY();
{
/*
* Check command tag to avoid nefarious operations, and save the
* current contextual information to determine whether we should
* apply permission checks here, or not.
* current contextual information to determine whether we should apply
* permission checks here, or not.
*/
sepgsql_context_info.cmdtype = nodeTag(parsetree);
switch (nodeTag(parsetree))
{
case T_CreatedbStmt:
/*
* We hope to reference name of the source database, but it
* does not appear in system catalog. So, we save it here.
*/
foreach (cell, ((CreatedbStmt *) parsetree)->options)
foreach(cell, ((CreatedbStmt *) parsetree)->options)
{
DefElem *defel = (DefElem *) lfirst(cell);
DefElem *defel = (DefElem *) lfirst(cell);
if (strcmp(defel->defname, "template") == 0)
{
@ -303,6 +303,7 @@ sepgsql_utility_command(Node *parsetree,
break;
case T_LoadStmt:
/*
* We reject LOAD command across the board on enforcing mode,
* because a binary module can arbitrarily override hooks.
@ -315,6 +316,7 @@ sepgsql_utility_command(Node *parsetree,
}
break;
default:
/*
* Right now we don't check any other utility commands,
* because it needs more detailed information to make access


@ -58,17 +58,18 @@ static fmgr_hook_type next_fmgr_hook = NULL;
* we use the list client_label_pending of pending_label to keep track of which
* labels were set during the (sub-)transactions.
*/
static char *client_label_peer = NULL; /* set by getpeercon(3) */
static List *client_label_pending = NIL; /* pending list being set by
* sepgsql_setcon() */
static char *client_label_committed = NULL; /* set by sepgsql_setcon(),
* and already committed */
static char *client_label_func = NULL; /* set by trusted procedure */
static char *client_label_peer = NULL; /* set by getpeercon(3) */
static List *client_label_pending = NIL; /* pending list being set by
* sepgsql_setcon() */
static char *client_label_committed = NULL; /* set by sepgsql_setcon(),
* and already committed */
static char *client_label_func = NULL; /* set by trusted procedure */
typedef struct {
SubTransactionId subid;
char *label;
} pending_label;
typedef struct
{
SubTransactionId subid;
char *label;
} pending_label;
/*
* sepgsql_get_client_label
@ -87,7 +88,7 @@ sepgsql_get_client_label(void)
/* uncommitted sepgsql_setcon() value */
if (client_label_pending)
{
pending_label *plabel = llast(client_label_pending);
pending_label *plabel = llast(client_label_pending);
if (plabel->label)
return plabel->label;
@ -104,16 +105,16 @@ sepgsql_get_client_label(void)
* sepgsql_set_client_label
*
* This routine tries to switch the current security label of the client, and
* checks related permissions. The supplied new label shall be added to the
* checks related permissions. The supplied new label shall be added to the
* client_label_pending list, then saved at transaction-commit time to ensure
* transaction-awareness.
*/
static void
sepgsql_set_client_label(const char *new_label)
{
const char *tcontext;
MemoryContext oldcxt;
pending_label *plabel;
const char *tcontext;
MemoryContext oldcxt;
pending_label *plabel;
/* Reset to the initial client label, if NULL */
if (!new_label)
@ -140,9 +141,10 @@ sepgsql_set_client_label(const char *new_label)
SEPG_PROCESS__DYNTRANSITION,
NULL,
true);
/*
* Append the supplied new_label on the pending list until
* the current transaction is committed.
* Append the supplied new_label on the pending list until the current
* transaction is committed.
*/
oldcxt = MemoryContextSwitchTo(CurTransactionContext);
@ -158,7 +160,7 @@ sepgsql_set_client_label(const char *new_label)
/*
* sepgsql_xact_callback
*
* A callback routine of transaction commit/abort/prepare. Commmit or abort
* A callback routine of transaction commit/abort/prepare. Commmit or abort
* changes in the client_label_pending list.
*/
static void
@ -168,8 +170,8 @@ sepgsql_xact_callback(XactEvent event, void *arg)
{
if (client_label_pending != NIL)
{
pending_label *plabel = llast(client_label_pending);
char *new_label;
pending_label *plabel = llast(client_label_pending);
char *new_label;
if (plabel->label)
new_label = MemoryContextStrdup(TopMemoryContext,
@ -181,10 +183,11 @@ sepgsql_xact_callback(XactEvent event, void *arg)
pfree(client_label_committed);
client_label_committed = new_label;
/*
* XXX - Note that items of client_label_pending are allocated
* on CurTransactionContext, thus, all acquired memory region
* shall be released implicitly.
* XXX - Note that items of client_label_pending are allocated on
* CurTransactionContext, thus, all acquired memory region shall
* be released implicitly.
*/
client_label_pending = NIL;
}
@ -212,7 +215,8 @@ sepgsql_subxact_callback(SubXactEvent event, SubTransactionId mySubid,
prev = NULL;
for (cell = list_head(client_label_pending); cell; cell = next)
{
pending_label *plabel = lfirst(cell);
pending_label *plabel = lfirst(cell);
next = lnext(cell);
if (plabel->subid == mySubid)
@ -272,7 +276,7 @@ sepgsql_client_auth(Port *port, int status)
static bool
sepgsql_needs_fmgr_hook(Oid functionId)
{
ObjectAddress object;
ObjectAddress object;
if (next_needs_fmgr_hook &&
(*next_needs_fmgr_hook) (functionId))
@ -340,8 +344,8 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
/*
* process:transition permission between old and new label,
* when user tries to switch security label of the client
* on execution of trusted procedure.
* when user tries to switch security label of the client on
* execution of trusted procedure.
*/
if (stack->new_label)
sepgsql_avc_check_perms_label(stack->new_label,


@ -42,9 +42,9 @@ sepgsql_proc_post_create(Oid functionId)
char *tcontext;
char *ncontext;
int i;
StringInfoData audit_name;
ObjectAddress object;
Form_pg_proc proForm;
StringInfoData audit_name;
ObjectAddress object;
Form_pg_proc proForm;
/*
* Fetch namespace of the new procedure. Because pg_proc entry is not
@ -77,6 +77,7 @@ sepgsql_proc_post_create(Oid functionId)
SEPG_DB_SCHEMA__ADD_NAME,
getObjectDescription(&object),
true);
/*
* XXX - db_language:{implement} also should be checked here
*/
@ -97,9 +98,10 @@ sepgsql_proc_post_create(Oid functionId)
*/
initStringInfo(&audit_name);
appendStringInfo(&audit_name, "function %s(", NameStr(proForm->proname));
for (i=0; i < proForm->pronargs; i++)
for (i = 0; i < proForm->pronargs; i++)
{
Oid typeoid = proForm->proargtypes.values[i];
Oid typeoid = proForm->proargtypes.values[i];
if (i > 0)
appendStringInfoChar(&audit_name, ',');
appendStringInfoString(&audit_name, format_type_be(typeoid));
@ -111,6 +113,7 @@ sepgsql_proc_post_create(Oid functionId)
SEPG_DB_PROCEDURE__CREATE,
audit_name.data,
true);
/*
* Assign the default security label on a new procedure
*/
@ -138,8 +141,8 @@ sepgsql_proc_post_create(Oid functionId)
void
sepgsql_proc_drop(Oid functionId)
{
ObjectAddress object;
char *audit_name;
ObjectAddress object;
char *audit_name;
/*
* check db_schema:{remove_name} permission
@ -156,19 +159,19 @@ sepgsql_proc_drop(Oid functionId)
true);
pfree(audit_name);
/*
* check db_procedure:{drop} permission
*/
/*
* check db_procedure:{drop} permission
*/
object.classId = ProcedureRelationId;
object.objectId = functionId;
object.objectSubId = 0;
audit_name = getObjectDescription(&object);
sepgsql_avc_check_perms(&object,
SEPG_CLASS_DB_PROCEDURE,
SEPG_DB_PROCEDURE__DROP,
audit_name,
true);
sepgsql_avc_check_perms(&object,
SEPG_CLASS_DB_PROCEDURE,
SEPG_DB_PROCEDURE__DROP,
audit_name,
true);
pfree(audit_name);
}
@ -181,8 +184,8 @@ sepgsql_proc_drop(Oid functionId)
void
sepgsql_proc_relabel(Oid functionId, const char *seclabel)
{
ObjectAddress object;
char *audit_name;
ObjectAddress object;
char *audit_name;
object.classId = ProcedureRelationId;
object.objectId = functionId;
@ -198,6 +201,7 @@ sepgsql_proc_relabel(Oid functionId, const char *seclabel)
SEPG_DB_PROCEDURE__RELABELFROM,
audit_name,
true);
/*
* check db_procedure:{relabelto} permission
*/


@ -44,9 +44,9 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
char *scontext;
char *tcontext;
char *ncontext;
char audit_name[2*NAMEDATALEN + 20];
char audit_name[2 * NAMEDATALEN + 20];
ObjectAddress object;
Form_pg_attribute attForm;
Form_pg_attribute attForm;
/*
* Only attributes within regular relation have individual security
@ -84,6 +84,7 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
ncontext = sepgsql_compute_create(scontext, tcontext,
SEPG_CLASS_DB_COLUMN);
/*
* check db_column:{create} permission
*/
@ -118,8 +119,8 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)
void
sepgsql_attribute_drop(Oid relOid, AttrNumber attnum)
{
ObjectAddress object;
char *audit_name;
ObjectAddress object;
char *audit_name;
if (get_rel_relkind(relOid) != RELKIND_RELATION)
return;
@ -151,7 +152,7 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
const char *seclabel)
{
ObjectAddress object;
char *audit_name;
char *audit_name;
if (get_rel_relkind(relOid) != RELKIND_RELATION)
ereport(ERROR,
@ -172,6 +173,7 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum,
SEPG_DB_COLUMN__RELABELFROM,
audit_name,
true);
/*
* check db_column:{relabelto} permission
*/
@ -203,7 +205,7 @@ sepgsql_relation_post_create(Oid relOid)
char *tcontext; /* schema */
char *rcontext; /* relation */
char *ccontext; /* column */
char audit_name[2*NAMEDATALEN + 20];
char audit_name[2 * NAMEDATALEN + 20];
/*
* Fetch catalog record of the new relation. Because pg_class entry is not
@ -254,6 +256,7 @@ sepgsql_relation_post_create(Oid relOid)
SEPG_DB_SCHEMA__ADD_NAME,
getObjectDescription(&object),
true);
/*
* Compute a default security label when we create a new relation object
* under the specified namespace.
@ -273,6 +276,7 @@ sepgsql_relation_post_create(Oid relOid)
SEPG_DB_DATABASE__CREATE,
audit_name,
true);
/*
* Assign the default security label on the new relation
*/
@ -288,10 +292,10 @@ sepgsql_relation_post_create(Oid relOid)
if (classForm->relkind == RELKIND_RELATION)
{
Relation arel;
ScanKeyData akey;
SysScanDesc ascan;
ScanKeyData akey;
SysScanDesc ascan;
HeapTuple atup;
Form_pg_attribute attForm;
Form_pg_attribute attForm;
arel = heap_open(AttributeRelationId, AccessShareLock);
@ -315,6 +319,7 @@ sepgsql_relation_post_create(Oid relOid)
ccontext = sepgsql_compute_create(scontext,
rcontext,
SEPG_CLASS_DB_COLUMN);
/*
* check db_column:{create} permission
*/
@ -348,10 +353,10 @@ out:
void
sepgsql_relation_drop(Oid relOid)
{
ObjectAddress object;
char *audit_name;
uint16_t tclass = 0;
char relkind;
ObjectAddress object;
char *audit_name;
uint16_t tclass = 0;
char relkind;
relkind = get_rel_relkind(relOid);
if (relkind == RELKIND_RELATION)
@ -398,13 +403,13 @@ sepgsql_relation_drop(Oid relOid)
*/
if (relkind == RELKIND_RELATION)
{
Form_pg_attribute attForm;
Form_pg_attribute attForm;
CatCList *attrList;
HeapTuple atttup;
int i;
attrList = SearchSysCacheList1(ATTNUM, ObjectIdGetDatum(relOid));
for (i=0; i < attrList->n_members; i++)
for (i = 0; i < attrList->n_members; i++)
{
atttup = &attrList->members[i]->tuple;
attForm = (Form_pg_attribute) GETSTRUCT(atttup);
@ -436,7 +441,7 @@ sepgsql_relation_drop(Oid relOid)
void
sepgsql_relation_relabel(Oid relOid, const char *seclabel)
{
ObjectAddress object;
ObjectAddress object;
char *audit_name;
char relkind;
uint16_t tclass = 0;
@ -468,6 +473,7 @@ sepgsql_relation_relabel(Oid relOid, const char *seclabel)
SEPG_DB_TABLE__RELABELFROM,
audit_name,
true);
/*
* check db_xxx:{relabelto} permission
*/


@ -35,22 +35,22 @@ void
sepgsql_schema_post_create(Oid namespaceId)
{
Relation rel;
ScanKeyData skey;
SysScanDesc sscan;
ScanKeyData skey;
SysScanDesc sscan;
HeapTuple tuple;
char *tcontext;
char *ncontext;
char audit_name[NAMEDATALEN + 20];
ObjectAddress object;
Form_pg_namespace nspForm;
ObjectAddress object;
Form_pg_namespace nspForm;
/*
* Compute a default security label when we create a new schema object
* under the working database.
*
* XXX - uncoming version of libselinux supports to take object
* name to handle special treatment on default security label;
* such as special label on "pg_temp" schema.
* XXX - uncoming version of libselinux supports to take object name to
* handle special treatment on default security label; such as special
* label on "pg_temp" schema.
*/
rel = heap_open(NamespaceRelationId, AccessShareLock);
@ -71,6 +71,7 @@ sepgsql_schema_post_create(Oid namespaceId)
ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext,
SEPG_CLASS_DB_SCHEMA);
/*
* check db_schema:{create}
*/
@ -104,8 +105,8 @@ sepgsql_schema_post_create(Oid namespaceId)
void
sepgsql_schema_drop(Oid namespaceId)
{
ObjectAddress object;
char *audit_name;
ObjectAddress object;
char *audit_name;
/*
* check db_schema:{drop} permission
@ -116,7 +117,7 @@ sepgsql_schema_drop(Oid namespaceId)
audit_name = getObjectDescription(&object);
sepgsql_avc_check_perms(&object,
SEPG_CLASS_DB_SCHEMA,
SEPG_CLASS_DB_SCHEMA,
SEPG_DB_SCHEMA__DROP,
audit_name,
true);
@ -132,8 +133,8 @@ sepgsql_schema_drop(Oid namespaceId)
void
sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
{
ObjectAddress object;
char *audit_name;
ObjectAddress object;
char *audit_name;
object.classId = NamespaceRelationId;
object.objectId = namespaceId;
@ -149,6 +150,7 @@ sepgsql_schema_relabel(Oid namespaceId, const char *seclabel)
SEPG_DB_SCHEMA__RELABELFROM,
audit_name,
true);
/*
* check db_schema:{relabelto} permission
*/


@ -248,20 +248,21 @@ extern bool sepgsql_check_perms(const char *scontext,
uint32 required,
const char *audit_name,
bool abort);
/*
* uavc.c
*/
#define SEPGSQL_AVC_NOAUDIT ((void *)(-1))
extern bool sepgsql_avc_check_perms_label(const char *tcontext,
uint16 tclass,
uint32 required,
const char *audit_name,
bool abort);
uint16 tclass,
uint32 required,
const char *audit_name,
bool abort);
extern bool sepgsql_avc_check_perms(const ObjectAddress *tobject,
uint16 tclass,
uint32 required,
const char *audit_name,
bool abort);
uint16 tclass,
uint32 required,
const char *audit_name,
bool abort);
extern char *sepgsql_avc_trusted_proc(Oid functionId);
extern void sepgsql_avc_init(void);
@ -269,7 +270,7 @@ extern void sepgsql_avc_init(void);
* label.c
*/
extern char *sepgsql_get_client_label(void);
extern void sepgsql_init_client_label(void);
extern void sepgsql_init_client_label(void);
extern char *sepgsql_get_label(Oid relOid, Oid objOid, int32 subId);
extern void sepgsql_object_relabel(const ObjectAddress *object,
@ -290,7 +291,7 @@ extern bool sepgsql_dml_privileges(List *rangeTabls, bool abort);
* database.c
*/
extern void sepgsql_database_post_create(Oid databaseId,
const char *dtemplate);
const char *dtemplate);
extern void sepgsql_database_drop(Oid databaseId);
extern void sepgsql_database_relabel(Oid databaseId, const char *seclabel);


@ -30,22 +30,22 @@
*/
typedef struct
{
uint32 hash; /* hash value of this cache entry */
char *scontext; /* security context of the subject */
char *tcontext; /* security context of the target */
uint16 tclass; /* object class of the target */
uint32 hash; /* hash value of this cache entry */
char *scontext; /* security context of the subject */
char *tcontext; /* security context of the target */
uint16 tclass; /* object class of the target */
uint32 allowed; /* permissions to be allowed */
uint32 auditallow; /* permissions to be audited on allowed */
uint32 auditdeny; /* permissions to be audited on denied */
uint32 allowed; /* permissions to be allowed */
uint32 auditallow; /* permissions to be audited on allowed */
uint32 auditdeny; /* permissions to be audited on denied */
bool permissive; /* true, if permissive rule */
bool hot_cache; /* true, if recently referenced */
bool permissive; /* true, if permissive rule */
bool hot_cache; /* true, if recently referenced */
bool tcontext_is_valid;
/* true, if tcontext is valid */
char *ncontext; /* temporary scontext on execution of trusted
* procedure, or NULL elsewhere */
} avc_cache;
/* true, if tcontext is valid */
char *ncontext; /* temporary scontext on execution of trusted
* procedure, or NULL elsewhere */
} avc_cache;
/*
* Declaration of static variables
@ -54,12 +54,12 @@ typedef struct
#define AVC_NUM_RECLAIM 16
#define AVC_DEF_THRESHOLD 384
static MemoryContext avc_mem_cxt;
static List *avc_slots[AVC_NUM_SLOTS]; /* avc's hash buckets */
static int avc_num_caches; /* number of caches currently used */
static int avc_lru_hint; /* index of the buckets to be reclaimed next */
static int avc_threshold; /* threshold to launch cache-reclaiming */
static char *avc_unlabeled; /* system 'unlabeled' label */
static MemoryContext avc_mem_cxt;
static List *avc_slots[AVC_NUM_SLOTS]; /* avc's hash buckets */
static int avc_num_caches; /* number of caches currently used */
static int avc_lru_hint; /* index of the buckets to be reclaimed next */
static int avc_threshold; /* threshold to launch cache-reclaiming */
static char *avc_unlabeled; /* system 'unlabeled' label */
/*
* Hash function
@ -67,8 +67,8 @@ static char *avc_unlabeled; /* system 'unlabeled' label */
static uint32
sepgsql_avc_hash(const char *scontext, const char *tcontext, uint16 tclass)
{
return hash_any((const unsigned char *)scontext, strlen(scontext))
^ hash_any((const unsigned char *)tcontext, strlen(tcontext))
return hash_any((const unsigned char *) scontext, strlen(scontext))
^ hash_any((const unsigned char *) tcontext, strlen(tcontext))
^ tclass;
}
@ -88,7 +88,7 @@ sepgsql_avc_reset(void)
/*
* Reclaim caches recently unreferenced
*/
*/
static void
sepgsql_avc_reclaim(void)
{
@ -142,15 +142,15 @@ sepgsql_avc_reclaim(void)
* Access control decisions must be atomic, but multiple system calls may
* be required to make a decision; thus, when referencing the access vector
* cache, we must loop until we complete without an intervening cache flush
* event. In practice, looping even once should be very rare. Callers should
* event. In practice, looping even once should be very rare. Callers should
* do something like this:
*
* sepgsql_avc_check_valid();
* do {
* :
* <reference to uavc>
* :
* } while (!sepgsql_avc_check_valid())
* sepgsql_avc_check_valid();
* do {
* :
* <reference to uavc>
* :
* } while (!sepgsql_avc_check_valid())
*
* -------------------------------------------------------------------------
*/
@ -169,7 +169,7 @@ sepgsql_avc_check_valid(void)
/*
* sepgsql_avc_unlabeled
*
* Returns an alternative label to be applied when no label or an invalid
* Returns an alternative label to be applied when no label or an invalid
* label would otherwise be assigned.
*/
static char *
@ -177,12 +177,12 @@ sepgsql_avc_unlabeled(void)
{
if (!avc_unlabeled)
{
security_context_t unlabeled;
security_context_t unlabeled;
if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
ereport(ERROR,
(errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux: failed to get initial security label: %m")));
(errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux: failed to get initial security label: %m")));
PG_TRY();
{
avc_unlabeled = MemoryContextStrdup(avc_mem_cxt, unlabeled);
@ -200,7 +200,7 @@ sepgsql_avc_unlabeled(void)
}
/*
* sepgsql_avc_compute
* sepgsql_avc_compute
*
* A fallback path, when cache mishit. It asks SELinux its access control
* decision for the supplied pair of security context and object class.
@ -208,24 +208,24 @@ sepgsql_avc_unlabeled(void)
static avc_cache *
sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
{
char *ucontext = NULL;
char *ncontext = NULL;
MemoryContext oldctx;
avc_cache *cache;
uint32 hash;
int index;
struct av_decision avd;
char *ucontext = NULL;
char *ncontext = NULL;
MemoryContext oldctx;
avc_cache *cache;
uint32 hash;
int index;
struct av_decision avd;
hash = sepgsql_avc_hash(scontext, tcontext, tclass);
index = hash % AVC_NUM_SLOTS;
/*
* Validation check of the supplied security context.
* Because it always invoke system-call, frequent check should be avoided.
* Unless security policy is reloaded, validation status shall be kept, so
* we also cache whether the supplied security context was valid, or not.
* Validation check of the supplied security context. Because it always
* invoke system-call, frequent check should be avoided. Unless security
* policy is reloaded, validation status shall be kept, so we also cache
* whether the supplied security context was valid, or not.
*/
if (security_check_context_raw((security_context_t)tcontext) != 0)
if (security_check_context_raw((security_context_t) tcontext) != 0)
ucontext = sepgsql_avc_unlabeled();
/*
@ -237,15 +237,14 @@ sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
sepgsql_compute_avd(scontext, ucontext, tclass, &avd);
/*
* It also caches a security label to be switched when a client
* labeled as 'scontext' executes a procedure labeled as 'tcontext',
* not only access control decision on the procedure.
* The security label to be switched shall be computed uniquely on
* a pair of 'scontext' and 'tcontext', thus, it is reasonable to
* cache the new label on avc, and enables to reduce unnecessary
* system calls.
* It shall be referenced at sepgsql_needs_fmgr_hook to check whether
* the supplied function is a trusted procedure, or not.
* It also caches a security label to be switched when a client labeled as
* 'scontext' executes a procedure labeled as 'tcontext', not only access
* control decision on the procedure. The security label to be switched
* shall be computed uniquely on a pair of 'scontext' and 'tcontext',
* thus, it is reasonable to cache the new label on avc, and enables to
* reduce unnecessary system calls. It shall be referenced at
* sepgsql_needs_fmgr_hook to check whether the supplied function is a
* trusted procedure, or not.
*/
if (tclass == SEPG_CLASS_DB_PROCEDURE)
{
@ -269,7 +268,7 @@ sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
cache = palloc0(sizeof(avc_cache));
cache->hash = hash;
cache->hash = hash;
cache->scontext = pstrdup(scontext);
cache->tcontext = pstrdup(tcontext);
cache->tclass = tclass;
@ -314,7 +313,7 @@ sepgsql_avc_lookup(const char *scontext, const char *tcontext, uint16 tclass)
hash = sepgsql_avc_hash(scontext, tcontext, tclass);
index = hash % AVC_NUM_SLOTS;
foreach (cell, avc_slots[index])
foreach(cell, avc_slots[index])
{
cache = lfirst(cell);
@ -348,14 +347,15 @@ sepgsql_avc_check_perms_label(const char *tcontext,
uint16 tclass, uint32 required,
const char *audit_name, bool abort)
{
char *scontext = sepgsql_get_client_label();
char *scontext = sepgsql_get_client_label();
avc_cache *cache;
uint32 denied;
uint32 audited;
bool result;
sepgsql_avc_check_valid();
do {
do
{
result = true;
/*
@ -377,16 +377,16 @@ sepgsql_avc_check_perms_label(const char *tcontext,
audited = (denied ? (denied & ~0) : (required & ~0));
else
audited = denied ? (denied & cache->auditdeny)
: (required & cache->auditallow);
: (required & cache->auditallow);
if (denied)
{
/*
* In permissive mode or permissive domain, violated permissions
* shall be audited to the log files at once, and then implicitly
* allowed to avoid a flood of access denied logs, because
* the purpose of permissive mode/domain is to collect a violation
* log that will make it possible to fix up the security policy.
* allowed to avoid a flood of access denied logs, because the
* purpose of permissive mode/domain is to collect a violation log
* that will make it possible to fix up the security policy.
*/
if (!sepgsql_getenforce() || cache->permissive)
cache->allowed |= required;
@ -397,10 +397,10 @@ sepgsql_avc_check_perms_label(const char *tcontext,
/*
* In the case when we have something auditable actions here,
* sepgsql_audit_log shall be called with text representation of
* security labels for both of subject and object.
* It records this access violation, so DBA will be able to find
* out unexpected security problems later.
* sepgsql_audit_log shall be called with text representation of security
* labels for both of subject and object. It records this access
* violation, so DBA will be able to find out unexpected security problems
* later.
*/
if (audited != 0 &&
audit_name != SEPGSQL_AVC_NOAUDIT &&
@ -428,8 +428,8 @@ sepgsql_avc_check_perms(const ObjectAddress *tobject,
uint16 tclass, uint32 required,
const char *audit_name, bool abort)
{
char *tcontext = GetSecurityLabel(tobject, SEPGSQL_LABEL_TAG);
bool rc;
char *tcontext = GetSecurityLabel(tobject, SEPGSQL_LABEL_TAG);
bool rc;
rc = sepgsql_avc_check_perms_label(tcontext,
tclass, required,
@ -450,10 +450,10 @@ sepgsql_avc_check_perms(const ObjectAddress *tobject,
char *
sepgsql_avc_trusted_proc(Oid functionId)
{
char *scontext = sepgsql_get_client_label();
char *tcontext;
ObjectAddress tobject;
avc_cache *cache;
char *scontext = sepgsql_get_client_label();
char *tcontext;
ObjectAddress tobject;
avc_cache *cache;
tobject.classId = ProcedureRelationId;
tobject.objectId = functionId;
@ -461,7 +461,8 @@ sepgsql_avc_trusted_proc(Oid functionId)
tcontext = GetSecurityLabel(&tobject, SEPGSQL_LABEL_TAG);
sepgsql_avc_check_valid();
do {
do
{
if (tcontext)
cache = sepgsql_avc_lookup(scontext, tcontext,
SEPG_CLASS_DB_PROCEDURE);
@ -492,7 +493,7 @@ sepgsql_avc_exit(int code, Datum arg)
void
sepgsql_avc_init(void)
{
int rc;
int rc;
/*
* All the avc stuff shall be allocated on avc_mem_cxt
@ -508,12 +509,11 @@ sepgsql_avc_init(void)
avc_threshold = AVC_DEF_THRESHOLD;
/*
* SELinux allows to mmap(2) its kernel status page in read-only mode
* to inform userspace applications its status updating (such as
* policy reloading) without system-call invocations.
* This feature is only supported in Linux-2.6.38 or later, however,
* libselinux provides a fallback mode to know its status using
* netlink sockets.
* SELinux allows to mmap(2) its kernel status page in read-only mode to
* inform userspace applications its status updating (such as policy
* reloading) without system-call invocations. This feature is only
* supported in Linux-2.6.38 or later, however, libselinux provides a
* fallback mode to know its status using netlink sockets.
*/
rc = selinux_status_open(1);
if (rc < 0)