On Mon, Mar 27, 2017 at 12:09 PM, Mike Palmiotto <mike.palmio...@crunchydata.com> wrote: > On Mon, Mar 27, 2017 at 11:46 AM, Robert Haas <robertmh...@gmail.com> wrote: >> <snip> >> Note that sepgsql hasn't been updated to work with RLS yet, either, >> but we didn't regard that as an open item for RLS, or if we did the >> resolution was just to document it. I am not opposed to giving a >> little more time to get this straightened out, but if a patch doesn't >> show up fairly soon then I think we should just document that sepgsql >> doesn't support partitioned tables in v10. sepgsql has a fairly >> lengthy list of implementation restrictions already, so one more is >> not going to kill anybody -- or if it will then that person should >> produce a patch soon. > > Okay, I'll make sure I get something fleshed out today or tomorrow.
Apologies for the delay. I was waffling over whether to reference PartitionedRelationId in sepgsql, but ended up deciding to just handle RELKIND_PARTITIONED_TABLE and treat the classOid as RelationRelationId. Since there is a relid in pg_class which corresponds to the partitioned table, this route seemed acceptable. Here is a demonstration of the partitioned table working with sepgsql hooks: https://gist.github.com/anonymous/b10f476a95ae9cdd39b83ef872d4b1e6 Attached you will find two patches, rebased on master as of 156d388 (applied with `git am --revert [patch file]`). The first gets rid of some pesky compiler warnings and the second implements the sepgsql handling of partitioned tables. Thanks, -- Mike Palmiotto Software Engineer Crunchy Data Solutions https://crunchydata.com
From 06463a4545c1cd0a2740e201d06a36b78dc2da8c Mon Sep 17 00:00:00 2001 From: Mike Palmiotto <mike.palmio...@crunchydata.com> Date: Wed, 29 Mar 2017 14:59:37 +0000 Subject: [PATCH 2/2] Add partitioned table support to sepgsql Account for RELKIND_PARTITIONED_RELATIONS in sepgsql and treat the objects like regular relations. This allows for proper create/alter/drop hook behavior for partitioned tables. --- contrib/sepgsql/hooks.c | 1 + contrib/sepgsql/label.c | 4 +++- contrib/sepgsql/relation.c | 34 ++++++++++++++++++++++++---------- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c index 93cc8de..89e71e3 100644 --- a/contrib/sepgsql/hooks.c +++ b/contrib/sepgsql/hooks.c @@ -15,6 +15,7 @@ #include "catalog/pg_class.h" #include "catalog/pg_database.h" #include "catalog/pg_namespace.h" +#include "catalog/pg_partitioned_table.h" #include "catalog/pg_proc.h" #include "commands/seclabel.h" #include "executor/executor.h" diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c index a404cd7..5111146 100644 --- a/contrib/sepgsql/label.c +++ b/contrib/sepgsql/label.c @@ -23,6 +23,7 @@ #include "catalog/pg_class.h" #include "catalog/pg_database.h" #include "catalog/pg_namespace.h" +#include "catalog/pg_partitioned_table.h" #include "catalog/pg_proc.h" #include "commands/dbcommands.h" #include "commands/seclabel.h" @@ -779,7 +780,8 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId) case RelationRelationId: relForm = (Form_pg_class) GETSTRUCT(tuple); - if (relForm->relkind == RELKIND_RELATION) + if (relForm->relkind == RELKIND_RELATION || + relForm->relkind == RELKIND_PARTITIONED_TABLE) objtype = SELABEL_DB_TABLE; else if (relForm->relkind == RELKIND_SEQUENCE) objtype = SELABEL_DB_SEQUENCE; diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c index fd6fe8b..93022d4 100644 --- a/contrib/sepgsql/relation.c +++ b/contrib/sepgsql/relation.c 
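Review bot: The added `#include "catalog/pg_partitioned_table.h"` in hooks.c is not used by anything in the hunk; RELKIND_PARTITIONED_TABLE is defined in catalog/pg_class.h, which hooks.c already includes, and the message above says the patch deliberately does not reference PartitionedRelationId. The same unused include is added to label.c in the next hunk and to relation.c in the hunk that follows, so all three can be dropped to keep the include lists minimal. Separately, the commit message says `RELKIND_PARTITIONED_RELATIONS`, which does not match the `RELKIND_PARTITIONED_TABLE` the code actually uses.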
@@ -19,6 +19,7 @@ #include "catalog/pg_attribute.h" #include "catalog/pg_class.h" #include "catalog/pg_namespace.h" +#include "catalog/pg_partitioned_table.h" #include "commands/seclabel.h" #include "lib/stringinfo.h" #include "utils/builtins.h" @@ -54,12 +55,14 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum) ObjectAddress object; Form_pg_attribute attForm; StringInfoData audit_name; + char relkind; /* * Only attributes within regular relation have individual security * labels. */ - if (get_rel_relkind(relOid) != RELKIND_RELATION) + relkind = get_rel_relkind(relOid); + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* @@ -135,8 +138,10 @@ sepgsql_attribute_drop(Oid relOid, AttrNumber attnum) { ObjectAddress object; char *audit_name; + char relkind; - if (get_rel_relkind(relOid) != RELKIND_RELATION) + relkind = get_rel_relkind(relOid); + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* @@ -167,8 +172,11 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum, { ObjectAddress object; char *audit_name; + char relkind; - if (get_rel_relkind(relOid) != RELKIND_RELATION) + relkind = get_rel_relkind(relOid); + + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("cannot set security label on non-regular columns"))); @@ -209,8 +217,11 @@ sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum) { ObjectAddress object; char *audit_name; + char relkind; + + relkind = get_rel_relkind(relOid); - if (get_rel_relkind(relOid) != RELKIND_RELATION) + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* @@ -290,6 +301,7 @@ sepgsql_relation_post_create(Oid relOid) switch (classForm->relkind) { + case RELKIND_PARTITIONED_TABLE: case RELKIND_RELATION: tclass = SEPG_CLASS_DB_TABLE; break; 
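Review bot: The comment directly above the changed check in sepgsql_attribute_post_create still reads `Only attributes within regular relation have individual security labels.`, but the new condition also admits RELKIND_PARTITIONED_TABLE, so the comment now contradicts the code it documents. Suggest `Only attributes of regular and partitioned tables have individual security labels.` The error text in the sepgsql_attribute_relabel hunk two hunks down, `cannot set security label on non-regular columns`, has the same drift, though changing a user-visible message may not be worth it here. The body of sepgsql_attribute_post_create continues past the hunk.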
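Review bot: The predicate `relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE` introduced in sepgsql_attribute_drop is repeated verbatim in sepgsql_attribute_post_create, sepgsql_attribute_relabel and sepgsql_attribute_setattr in the neighbouring hunks, and its positive form appears again in sepgsql_relation_post_create, sepgsql_relation_drop and sepgsql_relation_relabel below, so the next relkind that should carry column labels has to be added in seven places. A small file-scope helper makes "which relkinds get column labels" a single decision point, which is also easier to audit. It would also remove the new `char relkind` locals and the inconsistent blank-line placement in the sepgsql_attribute_setattr hunk, where the assignment sits above the blank line the other three put below it. Each of these function bodies continues beyond its hunk.
```c
/* Relations whose columns carry individual security labels. */
static bool
sepgsql_relkind_has_column_labels(char relkind)
{
	return relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE;
}

/* … unchanged: sepgsql_attribute_drop declarations … */
	if (!sepgsql_relkind_has_column_labels(get_rel_relkind(relOid)))
		return;
```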
@@ -335,7 +347,8 @@ sepgsql_relation_post_create(Oid relOid) true); /* - * Assign the default security label on the new relation + * Assign the default security label on the new relation or partitioned + * table. */ object.classId = RelationRelationId; object.objectId = relOid; @@ -343,10 +356,10 @@ sepgsql_relation_post_create(Oid relOid) SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext); /* - * We also assigns a default security label on columns of the new regular - * tables. + * We also assign a default security label on columns of a new table. */ - if (classForm->relkind == RELKIND_RELATION) + if (classForm->relkind == RELKIND_RELATION || + classForm->relkind == RELKIND_PARTITIONED_TABLE) { Relation arel; ScanKeyData akey; @@ -421,6 +434,7 @@ sepgsql_relation_drop(Oid relOid) relkind = get_rel_relkind(relOid); switch (relkind) { + case RELKIND_PARTITIONED_TABLE: case RELKIND_RELATION: tclass = SEPG_CLASS_DB_TABLE; break; @@ -483,7 +497,7 @@ sepgsql_relation_drop(Oid relOid) /* * check db_column:{drop} permission */ - if (relkind == RELKIND_RELATION) + if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE) { Form_pg_attribute attForm; CatCList *attrList; @@ -529,7 +543,7 @@ sepgsql_relation_relabel(Oid relOid, const char *seclabel) uint16_t tclass = 0; relkind = get_rel_relkind(relOid); - if (relkind == RELKIND_RELATION) + if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE) tclass = SEPG_CLASS_DB_TABLE; else if (relkind == RELKIND_SEQUENCE) tclass = SEPG_CLASS_DB_SEQUENCE; -- 2.7.4
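Review bot: sepgsql_relation_drop and sepgsql_relation_relabel now accept RELKIND_PARTITIONED_TABLE, but no hunk touches a relation-level setattr check, even though the column-level sepgsql_attribute_setattr was updated above. If relation.c has a sepgsql_relation_setattr that dispatches on relkind (it is outside the diff, so I cannot confirm), it would still return early for partitioned tables and ALTER TABLE on a partitioned table would skip the db_table permission check that a regular table gets. Worth verifying before commit; the linked gist demonstrates create/alter/drop, so confirm the ALTER case exercised the relation-level hook and not only the column one. The bodies of both functions in this hunk continue outside it.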
From 62d92d74d857c10ff47862b7fd7f1ac7d1561156 Mon Sep 17 00:00:00 2001 From: Mike Palmiotto <mike.palmio...@crunchydata.com> Date: Tue, 28 Mar 2017 16:44:54 +0000 Subject: [PATCH 1/2] Silence some sepgsql compiler warnings selinux/label.h includes stdbool.h, which redefines the bool type and results in a warning: assignment from incompatible pointer type for sepgsql_fmgr_hook. Move selinux/label.h above postgres.h, so the bool type is properly defined. Additionally, sepgsql throws compiler warnings due to possibly uninitialized tclass in code paths for indexes. Set tclass to a bogus -1 to silence these warnings. --- contrib/sepgsql/label.c | 4 ++-- contrib/sepgsql/relation.c | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c index 1a8f884..a404cd7 100644 --- a/contrib/sepgsql/label.c +++ b/contrib/sepgsql/label.c @@ -8,6 +8,8 @@ * * ------------------------------------------------------------------------- */ +#include <selinux/label.h> + #include "postgres.h" #include "access/heapam.h" @@ -37,8 +39,6 @@ #include "sepgsql.h" -#include <selinux/label.h> - /* * Saved hook entries (if stacked) */ diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c index ab98a9b..fd6fe8b 100644 --- a/contrib/sepgsql/relation.c +++ b/contrib/sepgsql/relation.c @@ -300,8 +300,10 @@ sepgsql_relation_post_create(Oid relOid) tclass = SEPG_CLASS_DB_VIEW; break; case RELKIND_INDEX: - /* deal with indexes specially; no need for tclass */ + /* other indexes are handled specially below; set tclass to -1 to + * silence compiler warning */ sepgsql_index_modify(relOid); + tclass = -1; goto out; default: /* ignore other relkinds */ 
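Review bot: Moving `#include <selinux/label.h>` above `#include "postgres.h"` in label.c departs from the PostgreSQL rule that postgres.h is the first include of every backend .c file, since it is what brings in pg_config.h and c.h before any system header is seen. The bool conflict described in the commit message is real, but as far as I can tell this ordering resolves it by letting stdbool.h's `bool` pre-empt c.h's definition for the whole translation unit, which is fragile if c.h ever changes how it handles bool. At minimum a comment explaining the deviation, e.g. `/* Included before postgres.h: selinux/label.h pulls in stdbool.h, which conflicts with c.h's bool. */`, would stop someone from "fixing" the order back; the second label.c hunk only removes the old include.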
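Review bot: `tclass = -1;` in sepgsql_relation_post_create assigns a negative constant to tclass, which is declared `uint16_t` in sepgsql_relation_relabel and presumably here too, so the stored value is 65535 rather than the "bogus -1" the commit message describes, and it is the kind of implicit conversion -Wconversion flags. Since the index path does `goto out` on the very next line, the assignment exists only to placate the uninitialised-variable warning; initialising at the declaration (`uint16_t tclass = 0;`, as sepgsql_relation_relabel already does) silences it without a misleading sentinel, and the same applies to the sepgsql_relation_drop hunk that follows. The replaced comment also copies `other indexes are handled specially below` from sepgsql_relation_drop, but here the index is handled immediately by sepgsql_index_modify() and the function jumps to out, so "below" is wrong; `/* indexes are handled by sepgsql_index_modify(); tclass is unused on this path */` would be accurate if nothing after out: reads tclass. The function body continues outside the hunk.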
@@ -432,7 +434,9 @@ sepgsql_relation_drop(Oid relOid) /* ignore indexes on toast tables */ if (get_rel_namespace(relOid) == PG_TOAST_NAMESPACE) return; - /* other indexes are handled specially below; no need for tclass */ + /* other indexes are handled specially below; set tclass to -1 to + * silence compiler warning */ + tclass = -1; break; default: /* ignore other relkinds */ -- 2.7.4