mirror of https://github.com/postgres/postgres
360 lines
9.2 KiB
C
360 lines
9.2 KiB
C
/* -------------------------------------------------------------------------
|
|
*
|
|
* contrib/sepgsql/dml.c
|
|
*
|
|
* Routines to handle DML permission checks
|
|
*
|
|
* Copyright (c) 2010-2024, PostgreSQL Global Development Group
|
|
*
|
|
* -------------------------------------------------------------------------
|
|
*/
|
|
#include "postgres.h"
|
|
|
|
#include "access/htup_details.h"
|
|
#include "access/sysattr.h"
|
|
#include "access/tupdesc.h"
|
|
#include "catalog/catalog.h"
|
|
#include "catalog/dependency.h"
|
|
#include "catalog/heap.h"
|
|
#include "catalog/pg_attribute.h"
|
|
#include "catalog/pg_class.h"
|
|
#include "catalog/pg_inherits.h"
|
|
#include "commands/seclabel.h"
|
|
#include "commands/tablecmds.h"
|
|
#include "executor/executor.h"
|
|
#include "nodes/bitmapset.h"
|
|
#include "parser/parsetree.h"
|
|
#include "sepgsql.h"
|
|
#include "utils/lsyscache.h"
|
|
#include "utils/syscache.h"
|
|
|
|
/*
|
|
* fixup_whole_row_references
|
|
*
|
|
* When user references a whole-row Var, it is equivalent to referencing
|
|
* all the user columns (not system columns). So, we need to fix up the
|
|
* given bitmapset, if it contains a whole-row reference.
|
|
*/
|
|
static Bitmapset *
|
|
fixup_whole_row_references(Oid relOid, Bitmapset *columns)
|
|
{
|
|
Bitmapset *result;
|
|
HeapTuple tuple;
|
|
AttrNumber natts;
|
|
AttrNumber attno;
|
|
int index;
|
|
|
|
/* if no whole-row references, nothing to do */
|
|
index = InvalidAttrNumber - FirstLowInvalidHeapAttributeNumber;
|
|
if (!bms_is_member(index, columns))
|
|
return columns;
|
|
|
|
/* obtain number of attributes */
|
|
tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relOid));
|
|
if (!HeapTupleIsValid(tuple))
|
|
elog(ERROR, "cache lookup failed for relation %u", relOid);
|
|
natts = ((Form_pg_class) GETSTRUCT(tuple))->relnatts;
|
|
ReleaseSysCache(tuple);
|
|
|
|
/* remove bit 0 from column set, add in all the non-dropped columns */
|
|
result = bms_copy(columns);
|
|
result = bms_del_member(result, index);
|
|
|
|
for (attno = 1; attno <= natts; attno++)
|
|
{
|
|
tuple = SearchSysCache2(ATTNUM,
|
|
ObjectIdGetDatum(relOid),
|
|
Int16GetDatum(attno));
|
|
if (!HeapTupleIsValid(tuple))
|
|
continue; /* unexpected case, should we error? */
|
|
|
|
if (!((Form_pg_attribute) GETSTRUCT(tuple))->attisdropped)
|
|
{
|
|
index = attno - FirstLowInvalidHeapAttributeNumber;
|
|
result = bms_add_member(result, index);
|
|
}
|
|
|
|
ReleaseSysCache(tuple);
|
|
}
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* fixup_inherited_columns
|
|
*
|
|
* When user is querying on a table with children, it implicitly accesses
|
|
* child tables also. So, we also need to check security label of child
|
|
* tables and columns, but there is no guarantee attribute numbers are
|
|
* same between the parent and children.
|
|
* It returns a bitmapset which contains attribute number of the child
|
|
* table based on the given bitmapset of the parent.
|
|
*/
|
|
static Bitmapset *
|
|
fixup_inherited_columns(Oid parentId, Oid childId, Bitmapset *columns)
|
|
{
|
|
Bitmapset *result = NULL;
|
|
int index;
|
|
|
|
/*
|
|
* obviously, no need to do anything here
|
|
*/
|
|
if (parentId == childId)
|
|
return columns;
|
|
|
|
index = -1;
|
|
while ((index = bms_next_member(columns, index)) >= 0)
|
|
{
|
|
/* bit numbers are offset by FirstLowInvalidHeapAttributeNumber */
|
|
AttrNumber attno = index + FirstLowInvalidHeapAttributeNumber;
|
|
char *attname;
|
|
|
|
/*
|
|
* whole-row-reference shall be fixed-up later
|
|
*/
|
|
if (attno == InvalidAttrNumber)
|
|
{
|
|
result = bms_add_member(result, index);
|
|
continue;
|
|
}
|
|
|
|
attname = get_attname(parentId, attno, false);
|
|
attno = get_attnum(childId, attname);
|
|
if (attno == InvalidAttrNumber)
|
|
elog(ERROR, "cache lookup failed for attribute %s of relation %u",
|
|
attname, childId);
|
|
|
|
result = bms_add_member(result,
|
|
attno - FirstLowInvalidHeapAttributeNumber);
|
|
|
|
pfree(attname);
|
|
}
|
|
|
|
return result;
|
|
}
|
|
|
|
/*
|
|
* check_relation_privileges
|
|
*
|
|
* It actually checks required permissions on a certain relation
|
|
* and its columns.
|
|
*/
|
|
static bool
|
|
check_relation_privileges(Oid relOid,
|
|
Bitmapset *selected,
|
|
Bitmapset *inserted,
|
|
Bitmapset *updated,
|
|
uint32 required,
|
|
bool abort_on_violation)
|
|
{
|
|
ObjectAddress object;
|
|
char *audit_name;
|
|
Bitmapset *columns;
|
|
int index;
|
|
char relkind = get_rel_relkind(relOid);
|
|
bool result = true;
|
|
|
|
/*
|
|
* Hardwired Policies: SE-PostgreSQL enforces - clients cannot modify
|
|
* system catalogs using DMLs - clients cannot reference/modify toast
|
|
* relations using DMLs
|
|
*/
|
|
if (sepgsql_getenforce() > 0)
|
|
{
|
|
if ((required & (SEPG_DB_TABLE__UPDATE |
|
|
SEPG_DB_TABLE__INSERT |
|
|
SEPG_DB_TABLE__DELETE)) != 0 &&
|
|
IsCatalogRelationOid(relOid))
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
errmsg("SELinux: hardwired security policy violation")));
|
|
|
|
if (relkind == RELKIND_TOASTVALUE)
|
|
ereport(ERROR,
|
|
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
|
|
errmsg("SELinux: hardwired security policy violation")));
|
|
}
|
|
|
|
/*
|
|
* Check permissions on the relation
|
|
*/
|
|
object.classId = RelationRelationId;
|
|
object.objectId = relOid;
|
|
object.objectSubId = 0;
|
|
audit_name = getObjectIdentity(&object, false);
|
|
switch (relkind)
|
|
{
|
|
case RELKIND_RELATION:
|
|
case RELKIND_PARTITIONED_TABLE:
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_TABLE,
|
|
required,
|
|
audit_name,
|
|
abort_on_violation);
|
|
break;
|
|
|
|
case RELKIND_SEQUENCE:
|
|
Assert((required & ~SEPG_DB_TABLE__SELECT) == 0);
|
|
|
|
if (required & SEPG_DB_TABLE__SELECT)
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_SEQUENCE,
|
|
SEPG_DB_SEQUENCE__GET_VALUE,
|
|
audit_name,
|
|
abort_on_violation);
|
|
break;
|
|
|
|
case RELKIND_VIEW:
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_VIEW,
|
|
SEPG_DB_VIEW__EXPAND,
|
|
audit_name,
|
|
abort_on_violation);
|
|
break;
|
|
|
|
default:
|
|
/* nothing to be checked */
|
|
break;
|
|
}
|
|
pfree(audit_name);
|
|
|
|
/*
|
|
* Only columns owned by relations shall be checked
|
|
*/
|
|
if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
|
|
return true;
|
|
|
|
/*
|
|
* Check permissions on the columns
|
|
*/
|
|
selected = fixup_whole_row_references(relOid, selected);
|
|
inserted = fixup_whole_row_references(relOid, inserted);
|
|
updated = fixup_whole_row_references(relOid, updated);
|
|
columns = bms_union(selected, bms_union(inserted, updated));
|
|
|
|
index = -1;
|
|
while ((index = bms_next_member(columns, index)) >= 0)
|
|
{
|
|
AttrNumber attnum;
|
|
uint32 column_perms = 0;
|
|
|
|
if (bms_is_member(index, selected))
|
|
column_perms |= SEPG_DB_COLUMN__SELECT;
|
|
if (bms_is_member(index, inserted))
|
|
{
|
|
if (required & SEPG_DB_TABLE__INSERT)
|
|
column_perms |= SEPG_DB_COLUMN__INSERT;
|
|
}
|
|
if (bms_is_member(index, updated))
|
|
{
|
|
if (required & SEPG_DB_TABLE__UPDATE)
|
|
column_perms |= SEPG_DB_COLUMN__UPDATE;
|
|
}
|
|
if (column_perms == 0)
|
|
continue;
|
|
|
|
/* obtain column's permission */
|
|
attnum = index + FirstLowInvalidHeapAttributeNumber;
|
|
|
|
object.classId = RelationRelationId;
|
|
object.objectId = relOid;
|
|
object.objectSubId = attnum;
|
|
audit_name = getObjectDescription(&object, false);
|
|
|
|
result = sepgsql_avc_check_perms(&object,
|
|
SEPG_CLASS_DB_COLUMN,
|
|
column_perms,
|
|
audit_name,
|
|
abort_on_violation);
|
|
pfree(audit_name);
|
|
|
|
if (!result)
|
|
return result;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* sepgsql_dml_privileges
|
|
*
|
|
* Entrypoint of the DML permission checks
|
|
*/
|
|
bool
|
|
sepgsql_dml_privileges(List *rangeTbls, List *rteperminfos,
|
|
bool abort_on_violation)
|
|
{
|
|
ListCell *lr;
|
|
|
|
foreach(lr, rteperminfos)
|
|
{
|
|
RTEPermissionInfo *perminfo = lfirst_node(RTEPermissionInfo, lr);
|
|
uint32 required = 0;
|
|
List *tableIds;
|
|
ListCell *li;
|
|
|
|
/*
|
|
* Find out required permissions
|
|
*/
|
|
if (perminfo->requiredPerms & ACL_SELECT)
|
|
required |= SEPG_DB_TABLE__SELECT;
|
|
if (perminfo->requiredPerms & ACL_INSERT)
|
|
required |= SEPG_DB_TABLE__INSERT;
|
|
if (perminfo->requiredPerms & ACL_UPDATE)
|
|
{
|
|
if (!bms_is_empty(perminfo->updatedCols))
|
|
required |= SEPG_DB_TABLE__UPDATE;
|
|
else
|
|
required |= SEPG_DB_TABLE__LOCK;
|
|
}
|
|
if (perminfo->requiredPerms & ACL_DELETE)
|
|
required |= SEPG_DB_TABLE__DELETE;
|
|
|
|
/*
|
|
* Skip, if nothing to be checked
|
|
*/
|
|
if (required == 0)
|
|
continue;
|
|
|
|
/*
|
|
* If this RangeTblEntry is also supposed to reference inherited
|
|
* tables, we need to check security label of the child tables. So, we
|
|
* expand rte->relid into list of OIDs of inheritance hierarchy, then
|
|
* checker routine will be invoked for each relations.
|
|
*/
|
|
if (!perminfo->inh)
|
|
tableIds = list_make1_oid(perminfo->relid);
|
|
else
|
|
tableIds = find_all_inheritors(perminfo->relid, NoLock, NULL);
|
|
|
|
foreach(li, tableIds)
|
|
{
|
|
Oid tableOid = lfirst_oid(li);
|
|
Bitmapset *selectedCols;
|
|
Bitmapset *insertedCols;
|
|
Bitmapset *updatedCols;
|
|
|
|
/*
|
|
* child table has different attribute numbers, so we need to fix
|
|
* up them.
|
|
*/
|
|
selectedCols = fixup_inherited_columns(perminfo->relid, tableOid,
|
|
perminfo->selectedCols);
|
|
insertedCols = fixup_inherited_columns(perminfo->relid, tableOid,
|
|
perminfo->insertedCols);
|
|
updatedCols = fixup_inherited_columns(perminfo->relid, tableOid,
|
|
perminfo->updatedCols);
|
|
|
|
/*
|
|
* check permissions on individual tables
|
|
*/
|
|
if (!check_relation_privileges(tableOid,
|
|
selectedCols,
|
|
insertedCols,
|
|
updatedCols,
|
|
required, abort_on_violation))
|
|
return false;
|
|
}
|
|
list_free(tableIds);
|
|
}
|
|
return true;
|
|
}
|