sepgsql: Check CREATE permissions for some object types.

KaiGai Kohei, reviewed by Dimitri Fontaine and me.
2025-07-28 23:42:10 +03:00 · 2011-12-21 09:12:43 -05:00
parent 7f0e4bb82e
commit e1042a3484
10 changed files with 606 additions and 83 deletions
--- a/contrib/sepgsql/database.c
+++ b/contrib/sepgsql/database.c
@ -10,33 +10,100 @@
 */
 #include "postgres.h"

+#include "access/genam.h"
+#include "access/heapam.h"
+#include "access/sysattr.h"
 #include "catalog/dependency.h"
 #include "catalog/pg_database.h"
+#include "catalog/indexing.h"
+#include "commands/dbcommands.h"
 #include "commands/seclabel.h"
+#include "utils/fmgroids.h"
+#include "utils/tqual.h"
 #include "sepgsql.h"

+/*
+ * sepgsql_database_post_create
+ *
+ * This routine assigns a default security label on a newly defined
+ * database, and check permission needed for its creation.
+ */
 void
-sepgsql_database_post_create(Oid databaseId)
+sepgsql_database_post_create(Oid databaseId, const char *dtemplate)
 {
-	char   *scontext = sepgsql_get_client_label();
-	char   *tcontext;
-	char   *ncontext;
-	ObjectAddress	object;
+	Relation	rel;
+	ScanKeyData	skey;
+	SysScanDesc	sscan;
+	HeapTuple	tuple;
+	char	   *tcontext;
+	char	   *ncontext;
+	char		audit_name[NAMEDATALEN + 20];
+	ObjectAddress		object;
+	Form_pg_database	datForm;
+
+	/*
+	 * Oid of the source database is not saved in pg_database catalog,
+	 * so we collect its identifier using contextual information.
+	 * If NULL, its default is "template1" according to createdb().
+	 */
+	if (!dtemplate)
+		dtemplate = "template1";
+
+	object.classId = DatabaseRelationId;
+	object.objectId = get_database_oid(dtemplate, false);
+	object.objectSubId = 0;
+
+	tcontext = sepgsql_get_label(object.classId,
+								 object.objectId,
+								 object.objectSubId);
+	/*
+	 * check db_database:{getattr} permission
+	 */
+	snprintf(audit_name, sizeof(audit_name), "database %s", dtemplate);
+	sepgsql_avc_check_perms_label(tcontext,
+								  SEPG_CLASS_DB_DATABASE,
+								  SEPG_DB_DATABASE__GETATTR,
+								  audit_name,
+								  true);

 	/*
 	 * Compute a default security label of the newly created database
 	 * based on a pair of security label of client and source database.
 	 *
-	 * XXX - Right now, this logic uses "template1" as its source, because
-	 * here is no way to know the Oid of source database.
+	 * XXX - uncoming version of libselinux supports to take object
+	 * name to handle special treatment on default security label.
 	 */
-	object.classId = DatabaseRelationId;
-	object.objectId = TemplateDbOid;
-	object.objectSubId = 0;
-	tcontext = GetSecurityLabel(&object, SEPGSQL_LABEL_TAG);
+	rel = heap_open(DatabaseRelationId, AccessShareLock);

-	ncontext = sepgsql_compute_create(scontext, tcontext,
+	ScanKeyInit(&skey,
+				ObjectIdAttributeNumber,
+				BTEqualStrategyNumber, F_OIDEQ,
+				ObjectIdGetDatum(databaseId));
+
+	sscan = systable_beginscan(rel, DatabaseOidIndexId, true,
+							   SnapshotSelf, 1, &skey);
+	tuple = systable_getnext(sscan);
+	if (!HeapTupleIsValid(tuple))
+		elog(ERROR, "catalog lookup failed for database %u", databaseId);
+
+	datForm = (Form_pg_database) GETSTRUCT(tuple);
+
+	ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
+									  tcontext,
 									  SEPG_CLASS_DB_DATABASE);
+	/*
+	 * check db_database:{create} permission
+	 */
+	snprintf(audit_name, sizeof(audit_name),
+			 "database %s", NameStr(datForm->datname));
+	sepgsql_avc_check_perms_label(ncontext,
+								  SEPG_CLASS_DB_DATABASE,
+								  SEPG_DB_DATABASE__CREATE,
+								  audit_name,
+								  true);
+
+	systable_endscan(sscan);
+	heap_close(rel, AccessShareLock);

 	/*
 	 * Assign the default security label on the new database