sepgsql: Enforce db_procedure:{execute} permission.

To do this, we add an additional object access hook type, OAT_FUNCTION_EXECUTE. KaiGai Kohei
2025-07-27 12:41:57 +03:00 · 2013-04-12 08:55:56 -04:00
parent d017bf41a3
commit f8a54e936b
16 changed files with 220 additions and 21 deletions
--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
@ -97,6 +97,8 @@ SECURITY LABEL ON COLUMN t2.b
 -- Tests for Trusted Procedures
 --
 -- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
+SET sepgsql.debug_audit = true;
+SET client_min_messages = log;
 SELECT f1();			-- normal procedure
 SELECT f2();			-- trusted procedure
 SELECT f3();			-- trusted procedure that raises an error
--- a/contrib/sepgsql/sql/misc.sql
+++ b/contrib/sepgsql/sql/misc.sql
@ -3,3 +3,28 @@
 --

 LOAD '$libdir/sepgsql';		-- failed
+
+--
+-- Permissions to execute functions
+--
+CREATE TABLE t1 (x int, y text);
+INSERT INTO t1 (SELECT x, md5(x::text) FROM generate_series(1,100) x);
+
+SET sepgsql.debug_audit = on;
+SET client_min_messages = log;
+
+-- regular function and operators
+SELECT * FROM t1 WHERE x > 50 AND y like '%64%';
+
+-- aggregate function
+SELECT MIN(x), AVG(x) FROM t1;
+
+-- window function
+SELECT row_number() OVER (order by x), * FROM t1 WHERE y like '%86%';
+
+RESET sepgsql.debug_audit;
+RESET client_min_messages;
+--
+-- Cleanup
+--
+DROP TABLE IF EXISTS t1 CASCADE;