On 04/06/2017 12:35 PM, Tom Lane wrote: > Joe Conway <m...@joeconway.com> writes: >> Any thoughts on whether 0001a and 0001b ought to be backpatched? I'm >> thinking not given the lack of past complaints but it might make sense >> to do. > > I think 0001a absolutely needs to be, because it is fixing what is really > an ABI violation: sepgsql_needs_fmgr_hook is supposed to return our notion > of bool, but as things stand it's returning _Bool (which is why the > compiler is complaining). Now we might get away with that on most > hardware, but on platforms where those are different widths, it's possible > to imagine function-return conventions that would make it fail. > > 0001b seems to only be needed for compilers that aren't smart enough > to see that tclass won't be referenced for RELKIND_INDEX, so it's > just cosmetic.
Ok, committed/pushed that way. I found some missing bits in the 0002 patch -- new version attached. Will wait on new regression tests before committing, but I expect we'll have those by end of today and be able to commit the rest tomorrow. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Add partitioned table support to sepgsql The new partitioned table capability added a new relkind, namely RELKIND_PARTITIONED_TABLE. Update sepgsql to treat this new relkind exactly the same way it does RELKIND_RELATION. Issue raised by Stephen Frost and initial patch by Mike Palmiotto. Review by Tom Lane and Robert Haas, and editorializing by me. Discussion: https://postgr.es/m/flat/623bcaae-112e-ced0-8c22-a84f75ae0c53%40joeconway.com diff --git a/contrib/sepgsql/dml.c b/contrib/sepgsql/dml.c index bc17089..b643720 100644 *** a/contrib/sepgsql/dml.c --- b/contrib/sepgsql/dml.c *************** check_relation_privileges(Oid relOid, *** 190,195 **** --- 190,196 ---- switch (relkind) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: result = sepgsql_avc_check_perms(&object, SEPG_CLASS_DB_TABLE, required, *************** check_relation_privileges(Oid relOid, *** 225,231 **** /* * Only columns owned by relations shall be checked */ ! if (relkind != RELKIND_RELATION) return true; /* --- 226,232 ---- /* * Only columns owned by relations shall be checked */ ! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return true; /* 
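Review bot: In the second dml.c hunk the comment above the test still reads "Only columns owned by relations shall be checked", although the condition now also admits RELKIND_PARTITIONED_TABLE. Every other relkind takes the early `return true`, apparently before the column checks that follow outside the hunk. I would reword the comment to `Only columns of regular or partitioned tables shall be checked`, so a reader of this access-control path sees which relkinds skip the per-column check on purpose. The same two-relkind test is repeated in the label.c and relation.c hunks; a single shared predicate would make it harder to miss one enforcement site when another table-like relkind is added. check_relation_privileges starts and ends outside the hunk.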
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c index 1a8f884..6239800 100644 *** a/contrib/sepgsql/label.c --- b/contrib/sepgsql/label.c *************** exec_object_restorecon(struct selabel_ha *** 779,785 **** case RelationRelationId: relForm = (Form_pg_class) GETSTRUCT(tuple); ! if (relForm->relkind == RELKIND_RELATION) objtype = SELABEL_DB_TABLE; else if (relForm->relkind == RELKIND_SEQUENCE) objtype = SELABEL_DB_SEQUENCE; --- 787,794 ---- case RelationRelationId: relForm = (Form_pg_class) GETSTRUCT(tuple); ! if (relForm->relkind == RELKIND_RELATION || ! relForm->relkind == RELKIND_PARTITIONED_TABLE) objtype = SELABEL_DB_TABLE; else if (relForm->relkind == RELKIND_SEQUENCE) objtype = SELABEL_DB_SEQUENCE; *************** exec_object_restorecon(struct selabel_ha *** 803,809 **** case AttributeRelationId: attForm = (Form_pg_attribute) GETSTRUCT(tuple); ! if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION) continue; /* no need to assign security label */ objtype = SELABEL_DB_COLUMN; --- 812,819 ---- case AttributeRelationId: attForm = (Form_pg_attribute) GETSTRUCT(tuple); ! if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION && ! get_rel_relkind(attForm->attrelid) != RELKIND_PARTITIONED_TABLE) continue; /* no need to assign security label */ objtype = SELABEL_DB_COLUMN; 
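Review bot: In the AttributeRelationId hunk the new condition calls `get_rel_relkind(attForm->attrelid)` twice, so each attribute tuple costs two lookups and the two comparisons are not guaranteed to see the same value. The relation.c hunks of this patch store the result in a local first, and the same shape fits here: declare `char relkind;` with the function's other locals (outside the hunk), assign `relkind = get_rel_relkind(attForm->attrelid);`, then test `if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE)`. exec_object_restorecon starts and ends outside the hunk.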
diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c index ab98a9b..59a6d9b 100644 *** a/contrib/sepgsql/relation.c --- b/contrib/sepgsql/relation.c *************** sepgsql_attribute_post_create(Oid relOid *** 54,65 **** ObjectAddress object; Form_pg_attribute attForm; StringInfoData audit_name; /* ! * Only attributes within regular relation have individual security ! * labels. */ ! if (get_rel_relkind(relOid) != RELKIND_RELATION) return; /* --- 54,66 ---- ObjectAddress object; Form_pg_attribute attForm; StringInfoData audit_name; + char relkind = get_rel_relkind(relOid); /* ! * Only attributes within regular relations or partition relations have ! * individual security labels. */ ! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* *************** sepgsql_attribute_drop(Oid relOid, AttrN *** 135,142 **** { ObjectAddress object; char *audit_name; ! if (get_rel_relkind(relOid) != RELKIND_RELATION) return; /* --- 136,144 ---- { ObjectAddress object; char *audit_name; + char relkind = get_rel_relkind(relOid); ! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* *************** sepgsql_attribute_relabel(Oid relOid, At *** 167,174 **** { ObjectAddress object; char *audit_name; ! if (get_rel_relkind(relOid) != RELKIND_RELATION) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("cannot set security label on non-regular columns"))); --- 169,177 ---- { ObjectAddress object; char *audit_name; + char relkind = get_rel_relkind(relOid); ! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("cannot set security label on non-regular columns"))); *************** sepgsql_attribute_setattr(Oid relOid, At *** 209,216 **** { ObjectAddress object; char *audit_name; ! 
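Review bot: In the sepgsql_attribute_post_create hunk the rewritten comment says "regular relations or partition relations", which can be read as meaning the child partitions rather than the partitioned parent that RELKIND_PARTITIONED_TABLE denotes. I would write `Only attributes within regular or partitioned relations have individual security labels.`, so the comment matches the relkind actually tested. The hunks for sepgsql_attribute_drop and sepgsql_attribute_relabel add the same test with no comment at all; a one-line comment there stating that other relkinds carry no column labels would make the silent `return` easier to audit. All three function bodies continue outside their hunks.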
if (get_rel_relkind(relOid) != RELKIND_RELATION) return; /* --- 212,220 ---- { ObjectAddress object; char *audit_name; + char relkind = get_rel_relkind(relOid); ! if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* *************** sepgsql_relation_post_create(Oid relOid) *** 291,296 **** --- 295,301 ---- switch (classForm->relkind) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: tclass = SEPG_CLASS_DB_TABLE; break; case RELKIND_SEQUENCE: *************** sepgsql_relation_post_create(Oid relOid) *** 333,339 **** true); /* ! * Assign the default security label on the new relation */ object.classId = RelationRelationId; object.objectId = relOid; --- 338,345 ---- true); /* ! * Assign the default security label on the new regular or partitioned ! * relation. */ object.classId = RelationRelationId; object.objectId = relOid; *************** sepgsql_relation_post_create(Oid relOid) *** 341,350 **** SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext); /* ! * We also assigns a default security label on columns of the new regular ! * tables. */ ! if (classForm->relkind == RELKIND_RELATION) { Relation arel; ScanKeyData akey; --- 347,356 ---- SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext); /* ! * We also assign a default security label on columns of a new table. */ ! if (classForm->relkind == RELKIND_RELATION || ! classForm->relkind == RELKIND_PARTITIONED_TABLE) { Relation arel; ScanKeyData akey; *************** sepgsql_relation_drop(Oid relOid) *** 413,425 **** { ObjectAddress object; char *audit_name; ! uint16_t tclass = 0; ! char relkind; - relkind = get_rel_relkind(relOid); switch (relkind) { case RELKIND_RELATION: tclass = SEPG_CLASS_DB_TABLE; break; case RELKIND_SEQUENCE: --- 419,431 ---- { ObjectAddress object; char *audit_name; ! uint16_t tclass = 0; ! 
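Review bot: In sepgsql_relation_post_create the new comment "Assign the default security label on the new regular or partitioned relation" looks narrower than the code it describes. The switch in the earlier hunk also has a `case RELKIND_SEQUENCE:` arm, and the visible assignment via `SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext)` is not guarded by a relkind test, so it presumably runs for every relkind that reaches this point. I would keep the original wording, `Assign the default security label on the new relation`, and leave the table-specific wording to the column-label comment below it. The function body continues outside the hunk, so this should be confirmed against the full switch.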
char relkind = get_rel_relkind(relOid); switch (relkind) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: tclass = SEPG_CLASS_DB_TABLE; break; case RELKIND_SEQUENCE: *************** sepgsql_relation_drop(Oid relOid) *** 479,485 **** /* * check db_column:{drop} permission */ ! if (relkind == RELKIND_RELATION) { Form_pg_attribute attForm; CatCList *attrList; --- 485,491 ---- /* * check db_column:{drop} permission */ ! if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE) { Form_pg_attribute attForm; CatCList *attrList; *************** sepgsql_relation_relabel(Oid relOid, con *** 521,531 **** { ObjectAddress object; char *audit_name; ! char relkind; uint16_t tclass = 0; ! relkind = get_rel_relkind(relOid); ! if (relkind == RELKIND_RELATION) tclass = SEPG_CLASS_DB_TABLE; else if (relkind == RELKIND_SEQUENCE) tclass = SEPG_CLASS_DB_SEQUENCE; --- 527,536 ---- { ObjectAddress object; char *audit_name; ! char relkind = get_rel_relkind(relOid); uint16_t tclass = 0; ! if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE) tclass = SEPG_CLASS_DB_TABLE; else if (relkind == RELKIND_SEQUENCE) tclass = SEPG_CLASS_DB_SEQUENCE; *************** sepgsql_relation_setattr(Oid relOid) *** 585,590 **** --- 590,596 ---- switch (get_rel_relkind(relOid)) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: tclass = SEPG_CLASS_DB_TABLE; break; case RELKIND_SEQUENCE: