authorRobert Haas <rhaas@postgresql.org>2010-09-27 20:55:27 -0400
committerRobert Haas <rhaas@postgresql.org>2010-09-27 20:55:27 -0400
commit4d355a8336e0f2265b31d678ffd1ee5cf9e79fae (patch)
tree9ab7e59c81ca1a8417ea2bfe8b3c11e232f3a9ee /src/include
parent2ce003973db82205cec55d596d51e957293019d1 (diff)
Add a SECURITY LABEL command.
This is intended as infrastructure to support integration with label-based mandatory access control systems such as SE-Linux. Further changes (mostly hooks) will be needed, but this is a big chunk of it. KaiGai Kohei and Robert Haas
Diffstat (limited to 'src/include')
-rw-r--r--src/include/catalog/catversion.h2
-rw-r--r--src/include/catalog/indexing.h3
-rw-r--r--src/include/catalog/pg_seclabel.h43
-rw-r--r--src/include/catalog/toasting.h1
-rw-r--r--src/include/commands/seclabel.h35
-rw-r--r--src/include/nodes/nodes.h1
-rw-r--r--src/include/nodes/parsenodes.h14
-rw-r--r--src/include/parser/kwlist.h1
8 files changed, 99 insertions, 1 deletions
diff --git a/src/include/catalog/catversion.h b/src/include/catalog/catversion.h
index f88730e2d24..74f1e2418fa 100644
--- a/src/include/catalog/catversion.h
+++ b/src/include/catalog/catversion.h
@@ -53,6 +53,6 @@
*/
/* yyyymmddN */
-#define CATALOG_VERSION_NO 201009021
+#define CATALOG_VERSION_NO 201009271
#endif
diff --git a/src/include/catalog/indexing.h b/src/include/catalog/indexing.h
index 38c48b95633..9fa11c5da05 100644
--- a/src/include/catalog/indexing.h
+++ b/src/include/catalog/indexing.h
@@ -281,6 +281,9 @@ DECLARE_UNIQUE_INDEX(pg_default_acl_oid_index, 828, on pg_default_acl using btre
DECLARE_UNIQUE_INDEX(pg_db_role_setting_databaseid_rol_index, 2965, on pg_db_role_setting using btree(setdatabase oid_ops, setrole oid_ops));
#define DbRoleSettingDatidRolidIndexId 2965
+DECLARE_UNIQUE_INDEX(pg_seclabel_object_index, 3038, on pg_seclabel using btree(objoid oid_ops, classoid oid_ops, objsubid int4_ops, provider text_ops));
+#define SecLabelObjectIndexId 3038
+
/* last step of initialization script: build the indexes declared above */
BUILD_INDICES
diff --git a/src/include/catalog/pg_seclabel.h b/src/include/catalog/pg_seclabel.h
new file mode 100644
index 00000000000..1fd7451ad00
--- /dev/null
+++ b/src/include/catalog/pg_seclabel.h
@@ -0,0 +1,43 @@
+/* -------------------------------------------------------------------------
+ *
+ * pg_seclabel.h
+ * definition of the system "security label" relation (pg_seclabel)
+ *
+ * Portions Copyright (c) 1996-2010, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * -------------------------------------------------------------------------
+ */
+#ifndef PG_SECLABEL_H
+#define PG_SECLABEL_H
+
+#include "catalog/genbki.h"
+
+/* ----------------
+ * pg_seclabel definition. cpp turns this into
+ * typedef struct FormData_pg_seclabel
+ * ----------------
+ */
+#define SecLabelRelationId 3037
+
+CATALOG(pg_seclabel,3037) BKI_WITHOUT_OIDS
+{
+ Oid objoid; /* OID of the object itself */
+ Oid classoid; /* OID of table containing the object */
+ int4 objsubid; /* column number, or 0 if not used */
+ text provider; /* name of label provider */
+ text label; /* security label of the object */
+} FormData_pg_seclabel;
+
+/* ----------------
+ * compiler constants for pg_seclabel
+ * ----------------
+ */
+#define Natts_pg_seclabel 5
+#define Anum_pg_seclabel_objoid 1
+#define Anum_pg_seclabel_classoid 2
+#define Anum_pg_seclabel_objsubid 3
+#define Anum_pg_seclabel_provider 4
+#define Anum_pg_seclabel_label 5
+
+#endif /* PG_SECLABEL_H */
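Review bot: `label` is declared after the variable-length `provider` column, so its position in a tuple is not fixed and it cannot be read through `FormData_pg_seclabel`; nothing in the header says so. Because this column holds the value an access-control provider will act on, a misread is worth guarding against with a comment above the struct such as `/* provider and label are varlena; fetch label with heap_getattr(), never through the struct */`. The file also defines no `Form_pg_seclabel` pointer typedef, which may be deliberate for the same reason; if so, a one-line remark would keep a later reader from adding one.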
diff --git a/src/include/catalog/toasting.h b/src/include/catalog/toasting.h
index 560d837d744..1e59cd21d24 100644
--- a/src/include/catalog/toasting.h
+++ b/src/include/catalog/toasting.h
@@ -45,6 +45,7 @@ DECLARE_TOAST(pg_constraint, 2832, 2833);
DECLARE_TOAST(pg_description, 2834, 2835);
DECLARE_TOAST(pg_proc, 2836, 2837);
DECLARE_TOAST(pg_rewrite, 2838, 2839);
+DECLARE_TOAST(pg_seclabel, 3039, 3040);
DECLARE_TOAST(pg_statistic, 2840, 2841);
DECLARE_TOAST(pg_trigger, 2336, 2337);
diff --git a/src/include/commands/seclabel.h b/src/include/commands/seclabel.h
new file mode 100644
index 00000000000..4c3854e60c3
--- /dev/null
+++ b/src/include/commands/seclabel.h
@@ -0,0 +1,35 @@
+/*
+ * seclabel.h
+ *
+ * Prototypes for functions in commands/seclabel.c
+ *
+ * Portions Copyright (c) 1996-2010, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ */
+#ifndef SECLABEL_H
+#define SECLABEL_H
+
+#include "catalog/objectaddress.h"
+#include "nodes/primnodes.h"
+#include "nodes/parsenodes.h"
+
+/*
+ * Internal APIs
+ */
+extern char *GetSecurityLabel(const ObjectAddress *object,
+ const char *provider);
+extern void SetSecurityLabel(const ObjectAddress *object,
+ const char *provider, const char *label);
+extern void DeleteSecurityLabel(const ObjectAddress *object);
+
+/*
+ * Statement and ESP hook support
+ */
+extern void ExecSecLabelStmt(SecLabelStmt *stmt);
+
+typedef void (*check_object_relabel_type)(const ObjectAddress *object,
+ const char *seclabel);
+extern void register_label_provider(const char *provider,
+ check_object_relabel_type hook);
+
+#endif /* SECLABEL_H */
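Review bot: The `check_object_relabel_type` typedef has no comment describing its contract, and it returns `void`, so this header does not tell a provider author how to refuse a label (presumably by raising an error). Add a comment on the typedef, for example `/* called before a label is stored; must ereport(ERROR) to reject it */`, adjusted to what seclabel.c actually does. The prototypes should also state whether `GetSecurityLabel` returns NULL when no label exists and who owns the returned string. `DeleteSecurityLabel` takes no provider argument, so it presumably removes the labels of every provider for the object; that is worth saying explicitly. "ESP" in the section comment is not expanded anywhere in the file.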
diff --git a/src/include/nodes/nodes.h b/src/include/nodes/nodes.h
index 35def5eed03..0d33a2ed5ff 100644
--- a/src/include/nodes/nodes.h
+++ b/src/include/nodes/nodes.h
@@ -347,6 +347,7 @@ typedef enum NodeTag
T_AlterUserMappingStmt,
T_DropUserMappingStmt,
T_AlterTableSpaceOptionsStmt,
+ T_SecLabelStmt,
/*
* TAGS FOR PARSE TREE NODES (parsenodes.h)
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 68de95e49fd..b2f0fef5139 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -1851,6 +1851,20 @@ typedef struct CommentStmt
} CommentStmt;
/* ----------------------
+ * SECURITY LABEL Statement
+ * ----------------------
+ */
+typedef struct SecLabelStmt
+{
+ NodeTag type;
+ ObjectType objtype; /* Object's type */
+ List *objname; /* Qualified name of the object */
+ List *objargs; /* Arguments if needed (eg, for functions) */
+ char *provider; /* Label provider (or NULL) */
+ char *label; /* New security label to be assigned */
+} SecLabelStmt;
+
+/* ----------------------
* Declare Cursor Statement
*
* Note: the "query" field of DeclareCursorStmt is only used in the raw grammar
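Review bot: The comment on `provider` says "(or NULL)" without saying what NULL selects, and the comment on `label` does not say whether NULL is allowed. For a statement that feeds a mandatory access control provider, the reader should not have to guess which provider validates the label. At minimum write `char *provider; /* Label provider, or NULL if the statement names none */`, and document the resolution rule where the executor implements it. The Declare Cursor comment at the end of this hunk continues outside it.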
diff --git a/src/include/parser/kwlist.h b/src/include/parser/kwlist.h
index 01005d83c2c..d3ea04b7f4a 100644
--- a/src/include/parser/kwlist.h
+++ b/src/include/parser/kwlist.h
@@ -209,6 +209,7 @@ PG_KEYWORD("isnull", ISNULL, TYPE_FUNC_NAME_KEYWORD)
PG_KEYWORD("isolation", ISOLATION, UNRESERVED_KEYWORD)
PG_KEYWORD("join", JOIN, TYPE_FUNC_NAME_KEYWORD)
PG_KEYWORD("key", KEY, UNRESERVED_KEYWORD)
+PG_KEYWORD("label", LABEL, UNRESERVED_KEYWORD)
PG_KEYWORD("language", LANGUAGE, UNRESERVED_KEYWORD)
PG_KEYWORD("large", LARGE_P, UNRESERVED_KEYWORD)
PG_KEYWORD("last", LAST_P, UNRESERVED_KEYWORD)