@@ -21,6 +21,23 @@ SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';
2121SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';
2222SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';
2323SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';
24+ ---
25+ -- partitioned table parent
26+ CREATE TABLE t1p (o int, p text, q text) PARTITION BY RANGE (o);
27+ SECURITY LABEL ON TABLE t1p IS 'system_u:object_r:sepgsql_table_t:s0';
28+ SECURITY LABEL ON COLUMN t1p.o IS 'system_u:object_r:sepgsql_table_t:s0';
29+ SECURITY LABEL ON COLUMN t1p.p IS 'system_u:object_r:sepgsql_ro_table_t:s0';
30+ SECURITY LABEL ON COLUMN t1p.q IS 'system_u:object_r:sepgsql_secret_table_t:s0';
31+ -- partitioned table children
32+ CREATE TABLE t1p_ones PARTITION OF t1p FOR VALUES FROM ('0') TO ('10');
33+ SECURITY LABEL ON COLUMN t1p_ones.o IS 'system_u:object_r:sepgsql_table_t:s0';
34+ SECURITY LABEL ON COLUMN t1p_ones.p IS 'system_u:object_r:sepgsql_ro_table_t:s0';
35+ SECURITY LABEL ON COLUMN t1p_ones.q IS 'system_u:object_r:sepgsql_secret_table_t:s0';
36+ CREATE TABLE t1p_tens PARTITION OF t1p FOR VALUES FROM ('10') TO ('100');
37+ SECURITY LABEL ON COLUMN t1p_tens.o IS 'system_u:object_r:sepgsql_table_t:s0';
38+ SECURITY LABEL ON COLUMN t1p_tens.p IS 'system_u:object_r:sepgsql_ro_table_t:s0';
39+ SECURITY LABEL ON COLUMN t1p_tens.q IS 'system_u:object_r:sepgsql_secret_table_t:s0';
40+ ---
2441CREATE TABLE customer (cid int primary key, cname text, ccredit text);
2542SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';
2643INSERT INTO customer VALUES (1, 'Taro', '1111-2222-3333-4444'),
@@ -33,24 +50,44 @@ SECURITY LABEL ON FUNCTION customer_credit(int)
3350SELECT objtype, objname, label FROM pg_seclabels
3451 WHERE provider = 'selinux'
3552 AND objtype in ('table', 'column')
36- AND objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g')
53+ AND objname in ('t1', 't2', 't3', 't4',
54+ 't5', 't5.e', 't5.f', 't5.g',
55+ 't1p', 't1p.o', 't1p.p', 't1p.q',
56+ 't1p_ones', 't1p_ones.o', 't1p_ones.p', 't1p_ones.q',
57+ 't1p_tens', 't1p_tens.o', 't1p_tens.p', 't1p_tens.q')
3758ORDER BY objname;
38- objtype | objname | label
39- ---------+---------+---------------------------------------------
40- table | t1 | system_u:object_r:sepgsql_table_t:s0
41- table | t2 | system_u:object_r:sepgsql_ro_table_t:s0
42- table | t3 | system_u:object_r:sepgsql_fixed_table_t:s0
43- table | t4 | system_u:object_r:sepgsql_secret_table_t:s0
44- table | t5 | system_u:object_r:sepgsql_table_t:s0
45- column | t5.e | system_u:object_r:sepgsql_table_t:s0
46- column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0
47- column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0
48- (8 rows)
59+ objtype | objname | label
60+ ---------+------------+---------------------------------------------
61+ table | t1 | system_u:object_r:sepgsql_table_t:s0
62+ table | t1p | system_u:object_r:sepgsql_table_t:s0
63+ column | t1p.o | system_u:object_r:sepgsql_table_t:s0
64+ table | t1p_ones | unconfined_u:object_r:sepgsql_table_t:s0
65+ column | t1p_ones.o | system_u:object_r:sepgsql_table_t:s0
66+ column | t1p_ones.p | system_u:object_r:sepgsql_ro_table_t:s0
67+ column | t1p_ones.q | system_u:object_r:sepgsql_secret_table_t:s0
68+ column | t1p.p | system_u:object_r:sepgsql_ro_table_t:s0
69+ column | t1p.q | system_u:object_r:sepgsql_secret_table_t:s0
70+ table | t1p_tens | unconfined_u:object_r:sepgsql_table_t:s0
71+ column | t1p_tens.o | system_u:object_r:sepgsql_table_t:s0
72+ column | t1p_tens.p | system_u:object_r:sepgsql_ro_table_t:s0
73+ column | t1p_tens.q | system_u:object_r:sepgsql_secret_table_t:s0
74+ table | t2 | system_u:object_r:sepgsql_ro_table_t:s0
75+ table | t3 | system_u:object_r:sepgsql_fixed_table_t:s0
76+ table | t4 | system_u:object_r:sepgsql_secret_table_t:s0
77+ table | t5 | system_u:object_r:sepgsql_table_t:s0
78+ column | t5.e | system_u:object_r:sepgsql_table_t:s0
79+ column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0
80+ column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0
81+ (20 rows)
4982
5083CREATE SCHEMA my_schema_1;
5184CREATE TABLE my_schema_1.ts1 (a int, b text);
85+ CREATE TABLE my_schema_1.pts1 (o int, p text) PARTITION BY RANGE (o);
86+ CREATE TABLE my_schema_1.pts1_ones PARTITION OF my_schema_1.pts1 FOR VALUES FROM ('0') to ('10');
5287CREATE SCHEMA my_schema_2;
5388CREATE TABLE my_schema_2.ts2 (x int, y text);
89+ CREATE TABLE my_schema_2.pts2 (o int, p text) PARTITION BY RANGE (o);
90+ CREATE TABLE my_schema_2.pts2_tens PARTITION OF my_schema_2.pts2 FOR VALUES FROM ('10') to ('100');
5491SECURITY LABEL ON SCHEMA my_schema_2
5592 IS 'system_u:object_r:sepgsql_regtest_invisible_schema_t:s0';
5693-- Hardwired Rules
@@ -99,7 +136,42 @@ SELECT e,f FROM t5; -- ok
99136---+---
100137(0 rows)
101138
102- SELECT * FROM customer; -- failed
139+ ---
140+ -- partitioned table parent
141+ SELECT * FROM t1p; -- failed
142+ ERROR: SELinux: security policy violation
143+ SELECT o,p FROM t1p; -- ok
144+ o | p
145+ ---+---
146+ (0 rows)
147+
148+ --partitioned table children
149+ SELECT * FROM t1p_ones; -- failed
150+ ERROR: SELinux: security policy violation
151+ SELECT o FROM t1p_ones; -- ok
152+ o
153+ ---
154+ (0 rows)
155+
156+ SELECT o,p FROM t1p_ones; -- ok
157+ o | p
158+ ---+---
159+ (0 rows)
160+
161+ SELECT * FROM t1p_tens; -- failed
162+ ERROR: SELinux: security policy violation
163+ SELECT o FROM t1p_tens; -- ok
164+ o
165+ ---
166+ (0 rows)
167+
168+ SELECT o,p FROM t1p_tens; -- ok
169+ o | p
170+ ---+---
171+ (0 rows)
172+
173+ ---
174+ SELECT * FROM customer; -- failed
103175ERROR: SELinux: security policy violation
104176SELECT cid, cname, customer_credit(cid) FROM customer; -- ok
105177 cid | cname | customer_credit
@@ -108,14 +180,42 @@ SELECT cid, cname, customer_credit(cid) FROM customer; -- ok
108180 2 | Hanako | 5555-6666-7777-????
109181(2 rows)
110182
111- SELECT count(*) FROM t5; -- ok
183+ SELECT count(*) FROM t5; -- ok
112184 count
113185-------
114186 0
115187(1 row)
116188
117189SELECT count(*) FROM t5 WHERE g IS NULL; -- failed
118190ERROR: SELinux: security policy violation
191+ ---
192+ -- partitioned table parent
193+ SELECT count(*) FROM t1p; -- ok
194+ count
195+ -------
196+ 0
197+ (1 row)
198+
199+ SELECT count(*) FROM t1p WHERE q IS NULL; -- failed
200+ ERROR: SELinux: security policy violation
201+ -- partitioned table children
202+ SELECT count(*) FROM t1p_ones; -- ok
203+ count
204+ -------
205+ 0
206+ (1 row)
207+
208+ SELECT count(*) FROM t1p_ones WHERE q IS NULL; -- failed
209+ ERROR: SELinux: security policy violation
210+ SELECT count(*) FROM t1p_tens; -- ok
211+ count
212+ -------
213+ 0
214+ (1 row)
215+
216+ SELECT count(*) FROM t1p_tens WHERE q IS NULL; -- failed
217+ ERROR: SELinux: security policy violation
218+ ---
119219INSERT INTO t1 VALUES (4, 'abc'); -- ok
120220INSERT INTO t2 VALUES (4, 'xyz'); -- failed
121221ERROR: SELinux: security policy violation
@@ -127,6 +227,22 @@ ERROR: SELinux: security policy violation
127227INSERT INTO t5 (e,f) VALUES ('abc', 'def'); -- failed
128228ERROR: SELinux: security policy violation
129229INSERT INTO t5 (e) VALUES ('abc'); -- ok
230+ ---
231+ -- partitioned table parent
232+ INSERT INTO t1p (o,p) VALUES (9, 'mno'); -- failed
233+ ERROR: SELinux: security policy violation
234+ INSERT INTO t1p (o) VALUES (9); -- ok
235+ INSERT INTO t1p (o,p) VALUES (99, 'pqr'); -- failed
236+ ERROR: SELinux: security policy violation
237+ INSERT INTO t1p (o) VALUES (99); -- ok
238+ -- partitioned table children
239+ INSERT INTO t1p_ones (o,p) VALUES (9, 'mno'); -- failed
240+ ERROR: SELinux: security policy violation
241+ INSERT INTO t1p_ones (o) VALUES (9); -- ok
242+ INSERT INTO t1p_tens (o,p) VALUES (99, 'pqr'); -- failed
243+ ERROR: SELinux: security policy violation
244+ INSERT INTO t1p_tens (o) VALUES (99); -- ok
245+ ---
130246UPDATE t1 SET b = b || '_upd'; -- ok
131247UPDATE t2 SET y = y || '_upd'; -- failed
132248ERROR: SELinux: security policy violation
@@ -138,6 +254,23 @@ UPDATE t5 SET e = 'xyz'; -- ok
138254UPDATE t5 SET e = f || '_upd'; -- ok
139255UPDATE t5 SET e = g || '_upd'; -- failed
140256ERROR: SELinux: security policy violation
257+ ---
258+ -- partitioned table parent
259+ UPDATE t1p SET o = 9 WHERE o < 10; -- ok
260+ UPDATE t1p SET o = 99 WHERE o >= 10; -- ok
261+ UPDATE t1p SET o = ascii(COALESCE(p,'upd'))%10 WHERE o < 10; -- ok
262+ UPDATE t1p SET o = ascii(COALESCE(q,'upd'))%100 WHERE o >= 10; -- failed
263+ ERROR: SELinux: security policy violation
264+ -- partitioned table children
265+ UPDATE t1p_ones SET o = 9; -- ok
266+ UPDATE t1p_ones SET o = ascii(COALESCE(p,'upd'))%10; -- ok
267+ UPDATE t1p_ones SET o = ascii(COALESCE(q,'upd'))%10; -- failed
268+ ERROR: SELinux: security policy violation
269+ UPDATE t1p_tens SET o = 99; -- ok
270+ UPDATE t1p_tens SET o = ascii(COALESCE(p,'upd'))%100; -- ok
271+ UPDATE t1p_tens SET o = ascii(COALESCE(q,'upd'))%100; -- failed
272+ ERROR: SELinux: security policy violation
273+ ---
141274DELETE FROM t1; -- ok
142275DELETE FROM t2; -- failed
143276ERROR: SELinux: security policy violation
@@ -149,6 +282,20 @@ DELETE FROM t5; -- ok
149282DELETE FROM t5 WHERE f IS NULL; -- ok
150283DELETE FROM t5 WHERE g IS NULL; -- failed
151284ERROR: SELinux: security policy violation
285+ ---
286+ -- partitioned table parent
287+ DELETE FROM t1p; -- ok
288+ DELETE FROM t1p WHERE p IS NULL; -- ok
289+ DELETE FROM t1p WHERE q IS NULL; -- failed
290+ ERROR: SELinux: security policy violation
291+ -- partitioned table children
292+ DELETE FROM t1p_ones WHERE p IS NULL; -- ok
293+ DELETE FROM t1p_ones WHERE q IS NULL; -- failed;
294+ ERROR: SELinux: security policy violation
295+ DELETE FROM t1p_tens WHERE p IS NULL; -- ok
296+ DELETE FROM t1p_tens WHERE q IS NULL; -- failed
297+ ERROR: SELinux: security policy violation
298+ ---
152299--
153300-- COPY TO/FROM statements
154301--
@@ -160,6 +307,19 @@ ERROR: SELinux: security policy violation
160307COPY t5 TO '/dev/null'; -- failed
161308ERROR: SELinux: security policy violation
162309COPY t5(e,f) TO '/dev/null'; -- ok
310+ ---
311+ -- partitioned table parent
312+ COPY (SELECT * FROM t1p) TO '/dev/null'; -- failed
313+ ERROR: SELinux: security policy violation
314+ COPY (SELECT (o,p) FROM t1p) TO '/dev/null'; -- ok
315+ -- partitioned table children
316+ COPY t1p_ones TO '/dev/null'; -- failed
317+ ERROR: SELinux: security policy violation
318+ COPY t1p_ones(o,p) TO '/dev/null'; -- ok
319+ COPY t1p_tens TO '/dev/null'; -- failed
320+ ERROR: SELinux: security policy violation
321+ COPY t1p_tens(o,p) TO '/dev/null'; -- ok
322+ ---
163323COPY t1 FROM '/dev/null'; -- ok
164324COPY t2 FROM '/dev/null'; -- failed
165325ERROR: SELinux: security policy violation
@@ -171,6 +331,19 @@ ERROR: SELinux: security policy violation
171331COPY t5 (e,f) FROM '/dev/null'; -- failed
172332ERROR: SELinux: security policy violation
173333COPY t5 (e) FROM '/dev/null'; -- ok
334+ ---
335+ -- partitioned table parent
336+ COPY t1p FROM '/dev/null'; -- failed
337+ ERROR: SELinux: security policy violation
338+ COPY t1p (o) FROM '/dev/null'; -- ok
339+ -- partitioned table children
340+ COPY t1p_ones FROM '/dev/null'; -- failed
341+ ERROR: SELinux: security policy violation
342+ COPY t1p_ones (o) FROM '/dev/null'; -- ok
343+ COPY t1p_tens FROM '/dev/null'; -- failed
344+ ERROR: SELinux: security policy violation
345+ COPY t1p_tens (o) FROM '/dev/null'; -- ok
346+ ---
174347--
175348-- Schema search path
176349--
@@ -202,8 +375,13 @@ DROP TABLE IF EXISTS t2 CASCADE;
202375DROP TABLE IF EXISTS t3 CASCADE;
203376DROP TABLE IF EXISTS t4 CASCADE;
204377DROP TABLE IF EXISTS t5 CASCADE;
378+ DROP TABLE IF EXISTS t1p CASCADE;
205379DROP TABLE IF EXISTS customer CASCADE;
206380DROP SCHEMA IF EXISTS my_schema_1 CASCADE;
207- NOTICE: drop cascades to table my_schema_1.ts1
381+ NOTICE: drop cascades to 2 other objects
382+ DETAIL: drop cascades to table my_schema_1.ts1
383+ drop cascades to table my_schema_1.pts1
208384DROP SCHEMA IF EXISTS my_schema_2 CASCADE;
209- NOTICE: drop cascades to table my_schema_2.ts2
385+ NOTICE: drop cascades to 2 other objects
386+ DETAIL: drop cascades to table my_schema_2.ts2
387+ drop cascades to table my_schema_2.pts2
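Review bot: The expected row order of the `pg_seclabels` listing in the second hunk depends on the database collation. `t1p_ones` is shown between `t1p.o` and `t1p.p`, which only happens when the locale ignores punctuation; under C collation every `t1p.*` row would sort before `t1p_ones` and the test would fail. Pinning the sort with `ORDER BY objname COLLATE "C";` and regenerating the expected rows would make the output deterministic. In the first hunk the partitions `t1p_ones` and `t1p_tens` get column labels but no `SECURITY LABEL ON TABLE`, so the expected `unconfined_u:object_r:sepgsql_table_t:s0` rows record whatever default label the test session produced, not an inherited one. Either label the partitions explicitly, as is done for `t1p`, or add a comment such as `-- partitions keep the default table label; it is not inherited from t1p`.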