On 04/04/2017 10:02 AM, Joe Conway wrote: > On 04/04/2017 09:55 AM, Mike Palmiotto wrote: >> After some discussion off-list, I've rebased and udpated the patches. >> Please see attached for further review. > > Thanks -- will have another look and test on a machine with selinux > setup. Robert, did you want me to take responsibility to commit on this > or just provide review/feedback?
I did some editorializing on these. In particular I did not like the approach to fixing "warning: ‘tclass’ may be used uninitialized" and ended up just doing it the same as was done elsewhere in relation.c already (set tclass = 0 in the variable declaration). Along the way I also changed one instance of tclass from uint16 to uint16_t for the sake of consistency. Interestingly we figured out that the warning was present with -Og, but not present with -O0, -O2, or -O3. If you want to test, apply 0001a and 0001b before 0002. Any objections? Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c index 1a8f884..320c098 100644 *** a/contrib/sepgsql/label.c --- b/contrib/sepgsql/label.c *************** *** 10,15 **** --- 10,25 ---- */ #include "postgres.h" + #include <selinux/label.h> + /* + * selinux/label.h includes stdbool.h, which redefines bool, so + * revert to the postgres definition of bool from c.h + */ + #ifdef bool + #undef bool + typedef char bool; + #endif + #include "access/heapam.h" #include "access/htup_details.h" #include "access/genam.h" *************** *** 37,44 **** #include "sepgsql.h" - #include <selinux/label.h> - /* * Saved hook entries (if stacked) */ --- 47,52 ----
diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c
index ab98a9b..2ea6bfb 100644
*** a/contrib/sepgsql/relation.c
--- b/contrib/sepgsql/relation.c
*************** sepgsql_relation_post_create(Oid relOid)
*** 243,249 ****
HeapTuple tuple;
Form_pg_class classForm;
ObjectAddress object;
! uint16 tclass;
char *scontext; /* subject */
char *tcontext; /* schema */
char *rcontext; /* relation */
--- 243,249 ----
HeapTuple tuple;
Form_pg_class classForm;
ObjectAddress object;
! uint16_t tclass;
char *scontext; /* subject */
char *tcontext; /* schema */
char *rcontext; /* relation */
*************** sepgsql_relation_drop(Oid relOid)
*** 413,419 ****
{
ObjectAddress object;
char *audit_name;
! uint16_t tclass;
char relkind;
relkind = get_rel_relkind(relOid);
--- 413,419 ----
{
ObjectAddress object;
char *audit_name;
! uint16_t tclass = 0;
char relkind;
relkind = get_rel_relkind(relOid);
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index 1a8f884..4dda82a 100644
*** a/contrib/sepgsql/label.c
--- b/contrib/sepgsql/label.c
*************** exec_object_restorecon(struct selabel_ha
*** 779,785 ****
case RelationRelationId:
relForm = (Form_pg_class) GETSTRUCT(tuple);
! if (relForm->relkind == RELKIND_RELATION)
objtype = SELABEL_DB_TABLE;
else if (relForm->relkind == RELKIND_SEQUENCE)
objtype = SELABEL_DB_SEQUENCE;
--- 779,786 ----
case RelationRelationId:
relForm = (Form_pg_class) GETSTRUCT(tuple);
! if (relForm->relkind == RELKIND_RELATION ||
! relForm->relkind == RELKIND_PARTITIONED_TABLE)
objtype = SELABEL_DB_TABLE;
else if (relForm->relkind == RELKIND_SEQUENCE)
objtype = SELABEL_DB_SEQUENCE;
diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c
index ab98a9b..f8689c0 100644
*** a/contrib/sepgsql/relation.c
--- b/contrib/sepgsql/relation.c
*************** sepgsql_attribute_post_create(Oid relOid
*** 54,65 ****
ObjectAddress object;
Form_pg_attribute attForm;
StringInfoData audit_name;
/*
! * Only attributes within regular relation have individual security
! * labels.
*/
! if (get_rel_relkind(relOid) != RELKIND_RELATION)
return;
/*
--- 54,66 ----
ObjectAddress object;
Form_pg_attribute attForm;
StringInfoData audit_name;
+ char relkind = get_rel_relkind(relOid);
/*
! * Only attributes within regular relations or partition relations have
! * individual security labels.
*/
! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
return;
/*
*************** sepgsql_attribute_drop(Oid relOid, AttrN
*** 135,142 ****
{
ObjectAddress object;
char *audit_name;
! if (get_rel_relkind(relOid) != RELKIND_RELATION)
return;
/*
--- 136,144 ----
{
ObjectAddress object;
char *audit_name;
+ char relkind = get_rel_relkind(relOid);
! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
return;
/*
*************** sepgsql_attribute_relabel(Oid relOid, At
*** 167,174 ****
{
ObjectAddress object;
char *audit_name;
! if (get_rel_relkind(relOid) != RELKIND_RELATION)
ereport(ERROR,
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
errmsg("cannot set security label on non-regular columns")));
--- 169,177 ----
{
ObjectAddress object;
char *audit_name;
+ char relkind = get_rel_relkind(relOid);
! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
ereport(ERROR,
(errcode(ERRCODE_WRONG_OBJECT_TYPE),
errmsg("cannot set security label on non-regular columns")));
*************** sepgsql_attribute_setattr(Oid relOid, At
*** 209,216 ****
{
ObjectAddress object;
char *audit_name;
! if (get_rel_relkind(relOid) != RELKIND_RELATION)
return;
/*
--- 212,220 ----
{
ObjectAddress object;
char *audit_name;
+ char relkind = get_rel_relkind(relOid);
! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)
return;
/*
*************** sepgsql_relation_post_create(Oid relOid)
*** 291,296 ****
--- 295,301 ----
switch (classForm->relkind)
{
case RELKIND_RELATION:
+ case RELKIND_PARTITIONED_TABLE:
tclass = SEPG_CLASS_DB_TABLE;
break;
case RELKIND_SEQUENCE:
*************** sepgsql_relation_post_create(Oid relOid)
*** 333,339 ****
true);
/*
! * Assign the default security label on the new relation
*/
object.classId = RelationRelationId;
object.objectId = relOid;
--- 338,345 ----
true);
/*
! * Assign the default security label on the new relation or partitioned
! * table.
*/
object.classId = RelationRelationId;
object.objectId = relOid;
*************** sepgsql_relation_post_create(Oid relOid)
*** 341,350 ****
SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext);
/*
! * We also assigns a default security label on columns of the new regular
! * tables.
*/
! if (classForm->relkind == RELKIND_RELATION)
{
Relation arel;
ScanKeyData akey;
--- 347,356 ----
SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext);
/*
! * We also assign a default security label on columns of a new table.
*/
! if (classForm->relkind == RELKIND_RELATION ||
! classForm->relkind == RELKIND_PARTITIONED_TABLE)
{
Relation arel;
ScanKeyData akey;
*************** sepgsql_relation_drop(Oid relOid)
*** 414,425 ****
ObjectAddress object;
char *audit_name;
uint16_t tclass = 0;
! char relkind;
- relkind = get_rel_relkind(relOid);
switch (relkind)
{
case RELKIND_RELATION:
tclass = SEPG_CLASS_DB_TABLE;
break;
case RELKIND_SEQUENCE:
--- 420,431 ----
ObjectAddress object;
char *audit_name;
uint16_t tclass;
! char relkind = get_rel_relkind(relOid);
switch (relkind)
{
case RELKIND_RELATION:
+ case RELKIND_PARTITIONED_TABLE:
tclass = SEPG_CLASS_DB_TABLE;
break;
case RELKIND_SEQUENCE:
*************** sepgsql_relation_drop(Oid relOid)
*** 479,485 ****
/*
* check db_column:{drop} permission
*/
! if (relkind == RELKIND_RELATION)
{
Form_pg_attribute attForm;
CatCList *attrList;
--- 485,491 ----
/*
* check db_column:{drop} permission
*/
! if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE)
{
Form_pg_attribute attForm;
CatCList *attrList;
*************** sepgsql_relation_relabel(Oid relOid, con
*** 521,531 ****
{
ObjectAddress object;
char *audit_name;
! char relkind;
uint16_t tclass = 0;
! relkind = get_rel_relkind(relOid);
! if (relkind == RELKIND_RELATION)
tclass = SEPG_CLASS_DB_TABLE;
else if (relkind == RELKIND_SEQUENCE)
tclass = SEPG_CLASS_DB_SEQUENCE;
--- 527,536 ----
{
ObjectAddress object;
char *audit_name;
! char relkind = get_rel_relkind(relOid);
uint16_t tclass = 0;
! if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE)
tclass = SEPG_CLASS_DB_TABLE;
else if (relkind == RELKIND_SEQUENCE)
tclass = SEPG_CLASS_DB_SEQUENCE;
signature.asc
Description: OpenPGP digital signature
