database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00
Code Activity

sepgsql: Enforce db_schema:search permission.

Browse Source 
KaiGai Kohei, with comment and doc wordsmithing by me
This commit is contained in:
Robert Haas
2013-04-05 08:51:31 -04:00
parent 52f436b807
commit e965e6344c
13 changed files with 258 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
contrib/sepgsql/sql/dml.sql
View File

@ -43,6 +43,14 @@ SELECT objtype, objname, label FROM pg_seclabels
AND objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g')
ORDER BY objname;
CREATE SCHEMA my_schema_1;
CREATE TABLE my_schema_1.ts1 (a int, b text);
CREATE SCHEMA my_schema_2;
CREATE TABLE my_schema_2.ts2 (x int, y text);
SECURITY LABEL ON SCHEMA my_schema_2
IS 'system_u:object_r:sepgsql_regtest_invisible_schema_t:s0';
-- Hardwired Rules
UPDATE pg_attribute SET attisdropped = true
WHERE attrelid = 't5'::regclass AND attname = 'f'; -- failed
@ -107,6 +115,14 @@ COPY t5 FROM '/dev/null'; -- failed
COPY t5 (e,f) FROM '/dev/null'; -- failed
COPY t5 (e) FROM '/dev/null'; -- ok
--
-- Schema search path
--
SET search_path = my_schema_1, my_schema_2, public;
SELECT * FROM ts1; -- ok
SELECT * FROM ts2; -- failed (relation not found)
SELECT * FROM my_schema_2.ts2; -- failed (policy violation)
--
-- Clean up
--
@ -117,3 +133,5 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP TABLE IF EXISTS t4 CASCADE;
DROP TABLE IF EXISTS t5 CASCADE;
DROP TABLE IF EXISTS customer CASCADE;
DROP SCHEMA IF EXISTS my_schema_1 CASCADE;
DROP SCHEMA IF EXISTS my_schema_2 CASCADE;