author | Robert Haas | 2010-09-28 00:55:27 +0000 |
---|---|---|
committer | Robert Haas | 2010-09-28 00:55:27 +0000 |
commit | 4d355a8336e0f2265b31d678ffd1ee5cf9e79fae (patch) | |
tree | 9ab7e59c81ca1a8417ea2bfe8b3c11e232f3a9ee /contrib/dummy_seclabel | |
parent | 2ce003973db82205cec55d596d51e957293019d1 (diff) |
Add a SECURITY LABEL command.
This is intended as infrastructure to support integration with label-based
mandatory access control systems such as SE-Linux. Further changes (mostly
hooks) will be needed, but this is a big chunk of it.
KaiGai Kohei and Robert Haas
Diffstat (limited to 'contrib/dummy_seclabel')
-rw-r--r-- | contrib/dummy_seclabel/Makefile | 14 | ||||
-rw-r--r-- | contrib/dummy_seclabel/dummy_seclabel.c | 49 |
2 files changed, 63 insertions, 0 deletions
diff --git a/contrib/dummy_seclabel/Makefile b/contrib/dummy_seclabel/Makefile
new file mode 100644
index 00000000000..105400f5f98
--- /dev/null
+++ b/contrib/dummy_seclabel/Makefile
@@ -0,0 +1,14 @@
+# contrib/dummy_seclabel/Makefile
+
+MODULES = dummy_seclabel
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = contrib/dummy_seclabel
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/dummy_seclabel/dummy_seclabel.c b/contrib/dummy_seclabel/dummy_seclabel.c
new file mode 100644
index 00000000000..8bd50a34cfc
--- /dev/null
+++ b/contrib/dummy_seclabel/dummy_seclabel.c
@@ -0,0 +1,49 @@
+/*
+ * dummy_seclabel.c
+ *
+ * Dummy security label provider.
+ *
+ * This module does not provide anything worthwhile from a security
+ * perspective, but allows regression testing independent of platform-specific
+ * features like SELinux.
+ *
+ * Portions Copyright (c) 1996-2010, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ */
+#include "postgres.h"
+
+#include "commands/seclabel.h"
+#include "miscadmin.h"
+
+PG_MODULE_MAGIC;
+
+/* Entrypoint of the module */
+void _PG_init(void);
+
+static void
+dummy_object_relabel(const ObjectAddress *object, const char *seclabel)
+{
+ if (seclabel == NULL ||
+ strcmp(seclabel, "unclassified") == 0 ||
+ strcmp(seclabel, "classified") == 0)
+ return;
+
+ if (strcmp(seclabel, "secret") == 0 ||
+ strcmp(seclabel, "top secret") == 0)
+ {
+ if (!superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("only superuser can set '%s' label", seclabel)));
+ return;
+ }
+ ereport(ERROR,
+ (errcode(ERRCODE_INVALID_NAME),
+ errmsg("'%s' is not a valid security label", seclabel)));
+}
+
+void
+_PG_init(void)
+{
+ register_label_provider("dummy", dummy_object_relabel);
+}
|
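Review bot: dummy_object_relabel() in dummy_seclabel.c looks only at the requested label, so the superuser gate on `secret` and `top secret` works in one direction: a caller who is not superuser but passes whatever permission check the core command applies (not visible in this hunk) can still replace such a label with `classified`, `unclassified`, or NULL, the last of which presumably clears the label. That is acceptable for a regression-test provider, but the function carries no comment, and a real provider modelled on this file would inherit the gap. I would add above the function: `/* Test-only policy: validates the requested label, not the transition; the object and its current label are ignored, so a restricted label can be downgraded or dropped without superuser. */`. The `object` argument is unused, which the same comment should state explicitly.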