diff -Nrpc base/src/bin/initdb/initdb.c sepgsql/src/bin/initdb/initdb.c
*** base/src/bin/initdb/initdb.c	Fri Jan 23 10:23:37 2009
--- sepgsql/src/bin/initdb/initdb.c	Fri Jan 23 10:55:35 2009
*************** static bool debug = false;
*** 91,96 ****
--- 91,97 ----
  static bool noclean = false;
  static bool show_setting = false;
  static char *xlog_dir = "";
+ static char *pgace_feature = "none";
  
  
  /* internal vars */
*************** setup_config(void)
*** 1197,1202 ****
--- 1198,1208 ----
  						 "#default_text_search_config = 'pg_catalog.simple'",
  							  repltok);
  
+ 	snprintf(repltok, sizeof(repltok),
+ 			 "pgace_feature = '%s'", pgace_feature);
+ 	conflines = replace_token(conflines,
+ 							  "#pgace_feature = 'none'", repltok);
+ 
  	snprintf(path, sizeof(path), "%s/postgresql.conf", pg_data);
  
  	writefile(path, conflines);
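Review bot: `pgace_feature` reaches this `snprintf` exactly as given to `--pgace-feature` (the `case 10` hunk in main stores `optarg` unchecked) and is written between single quotes into postgresql.conf. A value containing a quote or a newline therefore produces a malformed or altered configuration file, and a misspelled feature name is only noticed when the server starts. Checking the option against the feature names the server accepts, before `setup_config` runs, would fail early with a clear message. It would also help to confirm that `replace_token` actually found `#pgace_feature = 'none'` in the sample file; if the token is absent and the call changes nothing (its behaviour is not visible here), the cluster is created without the requested security feature and without any diagnostic. setup_config's body continues outside the hunk.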
*************** usage(const char *progname)
*** 2436,2441 ****
--- 2442,2448 ----
  	printf(_("  -U, --username=NAME       database superuser name\n"));
  	printf(_("  -W, --pwprompt            prompt for a password for the new superuser\n"));
  	printf(_("  --pwfile=FILE             read password for the new superuser from file\n"));
+ 	printf(_("  --pgace-feature=FEATURE   specify an enhanced security feature\n"));
  	printf(_("  -?, --help                show this help, then exit\n"));
  	printf(_("  -V, --version             output version information, then exit\n"));
  	printf(_("\nLess commonly used options:\n"));
*************** main(int argc, char *argv[])
*** 2470,2475 ****
--- 2477,2483 ----
  		{"auth", required_argument, NULL, 'A'},
  		{"pwprompt", no_argument, NULL, 'W'},
  		{"pwfile", required_argument, NULL, 9},
+ 		{"pgace-feature", required_argument, NULL, 10},
  		{"username", required_argument, NULL, 'U'},
  		{"help", no_argument, NULL, '?'},
  		{"version", no_argument, NULL, 'V'},
*************** main(int argc, char *argv[])
*** 2586,2591 ****
--- 2594,2602 ----
  			case 9:
  				pwfilename = xstrdup(optarg);
  				break;
+ 			case 10:
+ 				pgace_feature = xstrdup(optarg);
+ 				break;
  			case 's':
  				show_setting = true;
  				break;
diff -Nrpc base/src/bin/pg_dump/pg_dump.c sepgsql/src/bin/pg_dump/pg_dump.c
*** base/src/bin/pg_dump/pg_dump.c	Fri Jan 23 10:23:37 2009
--- sepgsql/src/bin/pg_dump/pg_dump.c	Fri Jan 23 10:55:35 2009
*************** static int	g_numNamespaces;
*** 114,119 ****
--- 114,122 ----
  /* flag to turn on/off dollar quoting */
  static int	disable_dollar_quoting = 0;
  
+ /* flag to tuen on/off dump security_acl and security_label */
+ static int security_acl = 0;
+ static int security_label = 0;
  
  static void help(const char *progname);
  static void expand_schema_name_patterns(SimpleStringList *patterns,
*************** main(int argc, char **argv)
*** 277,282 ****
--- 280,287 ----
  		{"no-tablespaces", no_argument, &outputNoTablespaces, 1},
  		{"role", required_argument, NULL, 3},
  		{"use-set-session-authorization", no_argument, &use_setsessauth, 1},
+ 		{"security-acl", no_argument, &security_acl, 1},
+ 		{"security-label", no_argument, &security_label, 1},
  
  		{NULL, 0, NULL, 0}
  	};
*************** main(int argc, char **argv)
*** 431,436 ****
--- 436,445 ----
  					outputNoTablespaces = 1;
  				else if (strcmp(optarg, "use-set-session-authorization") == 0)
  					use_setsessauth = 1;
+ 				else if (strcmp(optarg, "security-acl") == 0)
+ 					security_acl = 1;
+ 				else if (strcmp(optarg, "security-label") == 0)
+ 					security_label = 1;
  				else
  				{
  					fprintf(stderr,
*************** main(int argc, char **argv)
*** 575,580 ****
--- 584,615 ----
  	std_strings = PQparameterStatus(g_conn, "standard_conforming_strings");
  	g_fout->std_strings = (std_strings && strcmp(std_strings, "on") == 0);
  
+ 	/*
+ 	 * Check availability of security_acl and security_label attribute
+ 	 */
+ 	if (security_acl > 0)
+ 	{
+ 		if (g_fout->remoteVersion < 80400)
+ 		{
+ 			write_msg(NULL, "Row-level Database ACLs are not available.\n");
+ 			exit(1);
+ 		}
+ 	}
+ 
+ 	if (security_label > 0)
+ 	{
+ 		PGresult *res;
+ 
+ 		res = PQexec(g_conn, "SHOW pgace_feature");
+ 		if (PQresultStatus(res) != PGRES_TUPLES_OK ||
+ 			PQntuples(res) != 1 ||
+ 			strcmp(PQgetvalue(res, 0, 0), "none") == 0)
+ 		{
+ 			write_msg(NULL, "No enhanced security feature is available.");
+ 			exit(1);
+ 		}
+ 	}
+ 
  	/* Set the role if requested */
  	if (use_role && g_fout->remoteVersion >= 80100)
  	{
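Review bot: In the `security_label` check the `PGresult` returned by `PQexec(g_conn, "SHOW pgace_feature")` is never released on the success path, and the failure message lacks the trailing newline that the `security_acl` message has. Add `PQclear(res);` after the `if` block and use `write_msg(NULL, "No enhanced security feature is available.\n");`. The message also hides why the check failed; including `PQerrorMessage(g_conn)` when the status is not `PGRES_TUPLES_OK` would separate a query error from a server that reports `none`. The equivalent block added to main in pg_dumpall.c (using `conn` and `fprintf`) has the same three points.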
*************** help(const char *progname)
*** 826,831 ****
--- 861,868 ----
  	printf(_("  --use-set-session-authorization\n"
  			 "                              use SESSION AUTHORIZATION commands instead of\n"
  	"                              ALTER OWNER commands to set ownership\n"));
+ 	printf(_("  --security-acl              enables to dump Row-level ACLs\n"));
+ 	printf(_("  --security-label            enabled to dump Security Labels\n"));
  
  	printf(_("\nConnection options:\n"));
  	printf(_("  -h, --host=HOSTNAME      database server host or socket directory\n"));
*************** dumpTableData_insert(Archive *fout, void
*** 1223,1229 ****
  	 */
  	selectSourceSchema(tbinfo->dobj.namespace->dobj.name);
  
! 	if (fout->remoteVersion >= 70100)
  	{
  		appendPQExpBuffer(q, "DECLARE _pg_dump_cursor CURSOR FOR "
  						  "SELECT * FROM ONLY %s",
--- 1260,1275 ----
  	 */
  	selectSourceSchema(tbinfo->dobj.namespace->dobj.name);
  
! 	if (fout->remoteVersion >= 80400)
! 	{
! 		appendPQExpBuffer(q, "DECLARE _pg_dump_cursor CURSOR FOR "
! 						  "SELECT * %s %s FROM ONLY %s",
! 						  (security_acl && tbinfo->hasrowacl ? ",security_acl" : ""),
! 						  (security_label ? ",security_label" : ""),
! 						  fmtQualifiedId(tbinfo->dobj.namespace->dobj.name,
! 										 classname));
! 	}
! 	else if (fout->remoteVersion >= 70100)
  	{
  		appendPQExpBuffer(q, "DECLARE _pg_dump_cursor CURSOR FOR "
  						  "SELECT * FROM ONLY %s",
*************** dumpDatabase(Archive *AH)
*** 1581,1587 ****
  				i_encoding,
  				i_collate,
  				i_ctype,
! 				i_tablespace;
  	CatalogId	dbCatId;
  	DumpId		dbDumpId;
  	const char *datname,
--- 1627,1634 ----
  				i_encoding,
  				i_collate,
  				i_ctype,
! 				i_tablespace,
! 				i_dbseclabel;
  	CatalogId	dbCatId;
  	DumpId		dbDumpId;
  	const char *datname,
*************** dumpDatabase(Archive *AH)
*** 1589,1595 ****
  			   *encoding,
  			   *collate,
  			   *ctype,
! 			   *tablespace;
  
  	datname = PQdb(g_conn);
  
--- 1636,1643 ----
  			   *encoding,
  			   *collate,
  			   *ctype,
! 			   *tablespace,
! 			   *dbseclabel;
  
  	datname = PQdb(g_conn);
  
*************** dumpDatabase(Archive *AH)
*** 1607,1613 ****
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "datcollate, datctype, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = dattablespace) as tablespace, "
! 					  "shobj_description(oid, 'pg_database') as description "
  
  						  "FROM pg_database "
  						  "WHERE datname = ",
--- 1655,1662 ----
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "datcollate, datctype, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = dattablespace) as tablespace, "
! 					  "shobj_description(oid, 'pg_database') as description, "
! 						  "security_label "
  
  						  "FROM pg_database "
  						  "WHERE datname = ",
*************** dumpDatabase(Archive *AH)
*** 1621,1628 ****
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = dattablespace) as tablespace, "
! 					  "shobj_description(oid, 'pg_database') as description "
! 
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
--- 1670,1677 ----
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = dattablespace) as tablespace, "
! 					  "shobj_description(oid, 'pg_database') as description, "
! 						  "NULL as security_label "
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
*************** dumpDatabase(Archive *AH)
*** 1634,1640 ****
  						  "(%s datdba) as dba, "
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
! 						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = dattablespace) as tablespace "
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
--- 1683,1690 ----
  						  "(%s datdba) as dba, "
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
! 						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = dattablespace) as tablespace, "
! 						  "NULL as security_label "
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
*************** dumpDatabase(Archive *AH)
*** 1646,1652 ****
  						  "(%s datdba) as dba, "
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
! 						  "NULL as tablespace "
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
--- 1696,1703 ----
  						  "(%s datdba) as dba, "
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
! 						  "NULL as tablespace, "
! 						  "NULL as security_label "
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
*************** dumpDatabase(Archive *AH)
*** 1660,1666 ****
  						  "(%s datdba) as dba, "
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
! 						  "NULL as tablespace "
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
--- 1711,1718 ----
  						  "(%s datdba) as dba, "
  						  "pg_encoding_to_char(encoding) as encoding, "
  						  "NULL as datcollate, NULL as datctype, "
! 						  "NULL as tablespace, "
! 						  "NULL as security_label "
  						  "FROM pg_database "
  						  "WHERE datname = ",
  						  username_subquery);
*************** dumpDatabase(Archive *AH)
*** 1693,1698 ****
--- 1745,1751 ----
  	i_collate = PQfnumber(res, "datcollate");
  	i_ctype = PQfnumber(res, "datctype");
  	i_tablespace = PQfnumber(res, "tablespace");
+ 	i_dbseclabel = PQfnumber(res, "security_label");
  
  	dbCatId.tableoid = atooid(PQgetvalue(res, 0, i_tableoid));
  	dbCatId.oid = atooid(PQgetvalue(res, 0, i_oid));
*************** dumpDatabase(Archive *AH)
*** 1701,1706 ****
--- 1754,1760 ----
  	collate = PQgetvalue(res, 0, i_collate);
  	ctype = PQgetvalue(res, 0, i_ctype);
  	tablespace = PQgetvalue(res, 0, i_tablespace);
+ 	dbseclabel = PQgetvalue(res, 0, i_dbseclabel);
  
  	appendPQExpBuffer(creaQry, "CREATE DATABASE %s WITH TEMPLATE = template0",
  					  fmtId(datname));
*************** dumpDatabase(Archive *AH)
*** 1722,1727 ****
--- 1776,1784 ----
  	if (strlen(tablespace) > 0 && strcmp(tablespace, "pg_default") != 0)
  		appendPQExpBuffer(creaQry, " TABLESPACE = %s",
  						  fmtId(tablespace));
+ 	if (security_label > 0 && strlen(dbseclabel) > 0)
+ 		appendPQExpBuffer(creaQry, " SECURITY_LABEL = '%s'", dbseclabel);
+ 
  	appendPQExpBuffer(creaQry, ";\n");
  
  	appendPQExpBuffer(delQry, "DROP DATABASE %s;\n",
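Review bot: The database label is placed between single quotes with `%s` and no escaping, so a label containing a quote or backslash ends the literal early and the rest of the value is parsed as SQL when the dump is restored, usually by a superuser. pg_dump's literal helper avoids this: `appendPQExpBuffer(creaQry, " SECURITY_LABEL = ");` followed by `appendStringLiteralAH(creaQry, dbseclabel, AH);`. The same unescaped pattern appears in the dumpFunc hunk (`proseclabel`), in both dumpTableSchema hunks (`attseclabel[j]` and `relseclabel`, where the handle is `fout`) and in the `lo_set_security(%u, '%s')` line in dumpBlobComments. Whether the server restricts label contents enough to make this unreachable is not visible here, so escaping at the point of output is the safer default.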
*************** dumpBlobComments(Archive *AH, void *arg)
*** 2000,2010 ****
  			Oid			blobOid;
  			char	   *comment;
  
  			/* ignore blobs without comments */
  			if (PQgetisnull(res, i, 1))
  				continue;
  
- 			blobOid = atooid(PQgetvalue(res, i, 0));
  			comment = PQgetvalue(res, i, 1);
  
  			printfPQExpBuffer(commentcmd, "COMMENT ON LARGE OBJECT %u IS ",
--- 2057,2089 ----
  			Oid			blobOid;
  			char	   *comment;
  
+ 			blobOid = atooid(PQgetvalue(res, i, 0));
+ 
+ 			/* dump security label of blobs */
+ 			if (security_label > 0)
+ 			{
+ 				PGresult *bres;
+ 				char query[256];
+ 
+ 				snprintf(query, sizeof(query),
+ 						 "SELECT lo_get_security(%u)", blobOid);
+ 				bres = PQexec(g_conn, query);
+ 				if (bres != NULL)
+ 				{
+ 					if (PQresultStatus(res) == PGRES_TUPLES_OK &&
+ 						PQntuples(res) == 1)
+ 					{
+ 						archprintf(AH, "SELECT lo_set_security(%u, '%s');\n",
+ 								   blobOid, PQgetvalue(res, 0, 0));
+ 					}
+ 					PQclear(bres);
+ 				}
+ 			}
+ 
  			/* ignore blobs without comments */
  			if (PQgetisnull(res, i, 1))
  				continue;
  
  			comment = PQgetvalue(res, i, 1);
  
  			printfPQExpBuffer(commentcmd, "COMMENT ON LARGE OBJECT %u IS ",
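Review bot: The label lookup stores its result in `bres`, but the checks and the value read all use the outer `res`: `PQresultStatus(res)`, `PQntuples(res)` and `PQgetvalue(res, 0, 0)`. As written, the label is emitted only when the outer result happens to hold exactly one row, and the value written is column 0 of that row, which is the blob OID according to the `atooid(PQgetvalue(res, i, 0))` line, not the label. All three calls should take `bres`: `if (PQresultStatus(bres) == PGRES_TUPLES_OK && PQntuples(bres) == 1)` and `PQgetvalue(bres, 0, 0)`. A failed lookup is also skipped silently, which leaves the large object unlabeled in the dump with no warning; reporting it as an error would be safer for a security attribute. The enclosing loop starts and ends outside the hunk.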
*************** getTables(int *numTables)
*** 3100,3105 ****
--- 3179,3185 ----
  	int			i_owning_col;
  	int			i_reltablespace;
  	int			i_reloptions;
+ 	int			i_relseclabel;
  
  	/* Make sure we are in proper schema */
  	selectSourceSchema("pg_catalog");
*************** getTables(int *numTables)
*** 3139,3145 ****
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = c.reltablespace) AS reltablespace, "
! 						  "array_to_string(c.reloptions, ', ') as reloptions "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
--- 3219,3226 ----
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = c.reltablespace) AS reltablespace, "
! 						  "array_to_string(c.reloptions, ', ') as reloptions, "
! 						  "c.security_label "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
*************** getTables(int *numTables)
*** 3168,3174 ****
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = c.reltablespace) AS reltablespace, "
! 						  "array_to_string(c.reloptions, ', ') as reloptions "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
--- 3249,3256 ----
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = c.reltablespace) AS reltablespace, "
! 						  "array_to_string(c.reloptions, ', ') as reloptions, "
! 						  "NULL as security_label "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
*************** getTables(int *numTables)
*** 3197,3203 ****
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = c.reltablespace) AS reltablespace, "
! 						  "NULL as reloptions "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
--- 3279,3286 ----
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "(SELECT spcname FROM pg_tablespace t WHERE t.oid = c.reltablespace) AS reltablespace, "
! 						  "NULL as reloptions, "
! 						  "NULL as security_label "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
*************** getTables(int *numTables)
*** 3226,3232 ****
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
--- 3309,3316 ----
  						  "d.refobjid as owning_tab, "
  						  "d.refobjsubid as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions, "
! 						  "NULL as security_label "
  						  "from pg_class c "
  						  "left join pg_depend d on "
  						  "(c.relkind = '%c' and "
*************** getTables(int *numTables)
*** 3251,3257 ****
  						  "NULL::oid as owning_tab, "
  						  "NULL::int4 as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions "
  						  "from pg_class "
  						  "where relkind in ('%c', '%c', '%c') "
  						  "order by oid",
--- 3335,3342 ----
  						  "NULL::oid as owning_tab, "
  						  "NULL::int4 as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions, "
! 						  "NULL as security_label "
  						  "from pg_class "
  						  "where relkind in ('%c', '%c', '%c') "
  						  "order by oid",
*************** getTables(int *numTables)
*** 3271,3277 ****
  						  "NULL::oid as owning_tab, "
  						  "NULL::int4 as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions "
  						  "from pg_class "
  						  "where relkind in ('%c', '%c', '%c') "
  						  "order by oid",
--- 3356,3363 ----
  						  "NULL::oid as owning_tab, "
  						  "NULL::int4 as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions, "
! 						  "NULL as security_label "
  						  "from pg_class "
  						  "where relkind in ('%c', '%c', '%c') "
  						  "order by oid",
*************** getTables(int *numTables)
*** 3301,3307 ****
  						  "NULL::oid as owning_tab, "
  						  "NULL::int4 as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions "
  						  "from pg_class c "
  						  "where relkind in ('%c', '%c') "
  						  "order by oid",
--- 3387,3394 ----
  						  "NULL::oid as owning_tab, "
  						  "NULL::int4 as owning_col, "
  						  "NULL as reltablespace, "
! 						  "NULL as reloptions, "
! 						  "NULL as security_label "
  						  "from pg_class c "
  						  "where relkind in ('%c', '%c') "
  						  "order by oid",
*************** getTables(int *numTables)
*** 3344,3349 ****
--- 3431,3437 ----
  	i_owning_col = PQfnumber(res, "owning_col");
  	i_reltablespace = PQfnumber(res, "reltablespace");
  	i_reloptions = PQfnumber(res, "reloptions");
+ 	i_relseclabel = PQfnumber(res, "security_label");
  
  	if (lockWaitTimeout && g_fout->remoteVersion >= 70300)
  	{
*************** getTables(int *numTables)
*** 3389,3394 ****
--- 3477,3503 ----
  		}
  		tblinfo[i].reltablespace = strdup(PQgetvalue(res, i, i_reltablespace));
  		tblinfo[i].reloptions = strdup(PQgetvalue(res, i, i_reloptions));
+ 		tblinfo[i].relseclabel = strdup(PQgetvalue(res, i, i_relseclabel));
+ 
+ 		/* check availability of Row-level Database ACLs */
+ 		if (security_acl > 0)
+ 		{
+ 			char *copy, *tok;
+ 
+ 			copy = strdup(tblinfo[i].reloptions);
+ 			for (tok = strtok(copy, ","); tok; tok = strtok(NULL, ","))
+ 			{
+ 				if (strncmp(tok, "row_level_acl=", 14) != 0)
+ 					continue;
+ 				tok += 14;
+ 				if (strcasecmp(tok, "true") == 0 || strcasecmp(tok, "yes") == 0
+ 					|| strcasecmp(tok, "on") == 0 || strcasecmp(tok, "1") == 0)
+ 				{
+ 					tblinfo[i].hasrowacl = 1;
+ 					break;
+ 				}
+ 			}
+ 		}
  
  		/* other fields were zeroed above */
  
*************** getTableAttrs(TableInfo *tblinfo, int nu
*** 4597,4602 ****
--- 4706,4712 ----
  	int			i_atthasdef;
  	int			i_attisdropped;
  	int			i_attislocal;
+ 	int			i_attseclabel;
  	PGresult   *res;
  	int			ntups;
  	bool		hasdefaults;
*************** getTableAttrs(TableInfo *tblinfo, int nu
*** 4634,4645 ****
  
  		resetPQExpBuffer(q);
  
! 		if (g_fout->remoteVersion >= 70300)
  		{
  			/* need left join here to not fail on dropped columns ... */
  			appendPQExpBuffer(q, "SELECT a.attnum, a.attname, a.atttypmod, a.attstattarget, a.attstorage, t.typstorage, "
  				  "a.attnotnull, a.atthasdef, a.attisdropped, a.attislocal, "
! 				   "pg_catalog.format_type(t.oid,a.atttypmod) as atttypname "
  			 "from pg_catalog.pg_attribute a left join pg_catalog.pg_type t "
  							  "on a.atttypid = t.oid "
  							  "where a.attrelid = '%u'::pg_catalog.oid "
--- 4744,4770 ----
  
  		resetPQExpBuffer(q);
  
! 		if (g_fout->remoteVersion >= 80400)
  		{
  			/* need left join here to not fail on dropped columns ... */
  			appendPQExpBuffer(q, "SELECT a.attnum, a.attname, a.atttypmod, a.attstattarget, a.attstorage, t.typstorage, "
  				  "a.attnotnull, a.atthasdef, a.attisdropped, a.attislocal, "
! 				   "pg_catalog.format_type(t.oid,a.atttypmod) as atttypname, "
! 							  "a.security_label "
! 			 "from pg_catalog.pg_attribute a left join pg_catalog.pg_type t "
! 							  "on a.atttypid = t.oid "
! 							  "where a.attrelid = '%u'::pg_catalog.oid "
! 							  "and a.attnum > 0::pg_catalog.int2 "
! 							  "order by a.attrelid, a.attnum",
! 							  tbinfo->dobj.catId.oid);
! 		}
! 		else if (g_fout->remoteVersion >= 70300)
! 		{
! 			/* need left join here to not fail on dropped columns ... */
! 			appendPQExpBuffer(q, "SELECT a.attnum, a.attname, a.atttypmod, a.attstattarget, a.attstorage, t.typstorage, "
! 				  "a.attnotnull, a.atthasdef, a.attisdropped, a.attislocal, "
! 				   "pg_catalog.format_type(t.oid,a.atttypmod) as atttypname, "
! 							  "NULL as security_label "
  			 "from pg_catalog.pg_attribute a left join pg_catalog.pg_type t "
  							  "on a.atttypid = t.oid "
  							  "where a.attrelid = '%u'::pg_catalog.oid "
*************** getTableAttrs(TableInfo *tblinfo, int nu
*** 4656,4662 ****
  			 */
  			appendPQExpBuffer(q, "SELECT a.attnum, a.attname, a.atttypmod, -1 as attstattarget, a.attstorage, t.typstorage, "
  							  "a.attnotnull, a.atthasdef, false as attisdropped, false as attislocal, "
! 							  "format_type(t.oid,a.atttypmod) as atttypname "
  							  "from pg_attribute a left join pg_type t "
  							  "on a.atttypid = t.oid "
  							  "where a.attrelid = '%u'::oid "
--- 4781,4788 ----
  			 */
  			appendPQExpBuffer(q, "SELECT a.attnum, a.attname, a.atttypmod, -1 as attstattarget, a.attstorage, t.typstorage, "
  							  "a.attnotnull, a.atthasdef, false as attisdropped, false as attislocal, "
! 							  "format_type(t.oid,a.atttypmod) as atttypname, "
! 							  "NULL as security_label "
  							  "from pg_attribute a left join pg_type t "
  							  "on a.atttypid = t.oid "
  							  "where a.attrelid = '%u'::oid "
*************** getTableAttrs(TableInfo *tblinfo, int nu
*** 4669,4675 ****
  			/* format_type not available before 7.1 */
  			appendPQExpBuffer(q, "SELECT attnum, attname, atttypmod, -1 as attstattarget, attstorage, attstorage as typstorage, "
  							  "attnotnull, atthasdef, false as attisdropped, false as attislocal, "
! 							  "(select typname from pg_type where oid = atttypid) as atttypname "
  							  "from pg_attribute a "
  							  "where attrelid = '%u'::oid "
  							  "and attnum > 0::int2 "
--- 4795,4802 ----
  			/* format_type not available before 7.1 */
  			appendPQExpBuffer(q, "SELECT attnum, attname, atttypmod, -1 as attstattarget, attstorage, attstorage as typstorage, "
  							  "attnotnull, atthasdef, false as attisdropped, false as attislocal, "
! 							  "(select typname from pg_type where oid = atttypid) as atttypname, "
! 							  "NULL as security_label "
  							  "from pg_attribute a "
  							  "where attrelid = '%u'::oid "
  							  "and attnum > 0::int2 "
*************** getTableAttrs(TableInfo *tblinfo, int nu
*** 4693,4698 ****
--- 4820,4826 ----
  		i_atthasdef = PQfnumber(res, "atthasdef");
  		i_attisdropped = PQfnumber(res, "attisdropped");
  		i_attislocal = PQfnumber(res, "attislocal");
+ 		i_attseclabel = PQfnumber(res, "security_label");
  
  		tbinfo->numatts = ntups;
  		tbinfo->attnames = (char **) malloc(ntups * sizeof(char *));
*************** getTableAttrs(TableInfo *tblinfo, int nu
*** 4703,4708 ****
--- 4831,4837 ----
  		tbinfo->typstorage = (char *) malloc(ntups * sizeof(char));
  		tbinfo->attisdropped = (bool *) malloc(ntups * sizeof(bool));
  		tbinfo->attislocal = (bool *) malloc(ntups * sizeof(bool));
+ 		tbinfo->attseclabel = (char **) malloc(ntups * sizeof(char *));
  		tbinfo->notnull = (bool *) malloc(ntups * sizeof(bool));
  		tbinfo->attrdefs = (AttrDefInfo **) malloc(ntups * sizeof(AttrDefInfo *));
  		tbinfo->inhAttrs = (bool *) malloc(ntups * sizeof(bool));
*************** getTableAttrs(TableInfo *tblinfo, int nu
*** 4726,4731 ****
--- 4855,4861 ----
  			tbinfo->typstorage[j] = *(PQgetvalue(res, j, i_typstorage));
  			tbinfo->attisdropped[j] = (PQgetvalue(res, j, i_attisdropped)[0] == 't');
  			tbinfo->attislocal[j] = (PQgetvalue(res, j, i_attislocal)[0] == 't');
+ 			tbinfo->attseclabel[j] = strdup(PQgetvalue(res, j, i_attseclabel));
  			tbinfo->notnull[j] = (PQgetvalue(res, j, i_attnotnull)[0] == 't');
  			tbinfo->attrdefs[j] = NULL; /* fix below */
  			if (PQgetvalue(res, j, i_atthasdef)[0] == 't')
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 6950,6955 ****
--- 7080,7086 ----
  	char	   *proconfig;
  	char	   *procost;
  	char	   *prorows;
+ 	char	   *proseclabel;
  	char	   *lanname;
  	char	   *rettypename;
  	int			nallargs;
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 6986,6991 ****
--- 7117,7123 ----
  						  "pg_catalog.pg_get_function_result(oid) as funcresult, "
  						  "proiswindow, provolatile, proisstrict, prosecdef, "
  						  "proconfig, procost, prorows, "
+ 						  "security_label, "
  						  "(SELECT lanname FROM pg_catalog.pg_language WHERE oid = prolang) as lanname "
  						  "FROM pg_catalog.pg_proc "
  						  "WHERE oid = '%u'::pg_catalog.oid",
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 6999,7004 ****
--- 7131,7137 ----
  						  "false as proiswindow, "
  						  "provolatile, proisstrict, prosecdef, "
  						  "proconfig, procost, prorows, "
+ 						  "null as security_label, "
  						  "(SELECT lanname FROM pg_catalog.pg_language WHERE oid = prolang) as lanname "
  						  "FROM pg_catalog.pg_proc "
  						  "WHERE oid = '%u'::pg_catalog.oid",
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 7012,7017 ****
--- 7145,7151 ----
  						  "false as proiswindow, "
  						  "provolatile, proisstrict, prosecdef, "
  						  "null as proconfig, 0 as procost, 0 as prorows, "
+ 						  "null as security_label, "
  						  "(SELECT lanname FROM pg_catalog.pg_language WHERE oid = prolang) as lanname "
  						  "FROM pg_catalog.pg_proc "
  						  "WHERE oid = '%u'::pg_catalog.oid",
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 7027,7032 ****
--- 7161,7167 ----
  						  "false as proiswindow, "
  						  "provolatile, proisstrict, prosecdef, "
  						  "null as proconfig, 0 as procost, 0 as prorows, "
+ 						  "null as security_label, "
  						  "(SELECT lanname FROM pg_catalog.pg_language WHERE oid = prolang) as lanname "
  						  "FROM pg_catalog.pg_proc "
  						  "WHERE oid = '%u'::pg_catalog.oid",
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 7042,7047 ****
--- 7177,7183 ----
  						  "false as proiswindow, "
  						  "provolatile, proisstrict, prosecdef, "
  						  "null as proconfig, 0 as procost, 0 as prorows, "
+ 						  "null as security_label, "
  						  "(SELECT lanname FROM pg_catalog.pg_language WHERE oid = prolang) as lanname "
  						  "FROM pg_catalog.pg_proc "
  						  "WHERE oid = '%u'::pg_catalog.oid",
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 7059,7064 ****
--- 7195,7201 ----
  						  "proisstrict, "
  						  "false as prosecdef, "
  						  "null as proconfig, 0 as procost, 0 as prorows, "
+ 						  "null as security_label, "
  		  "(SELECT lanname FROM pg_language WHERE oid = prolang) as lanname "
  						  "FROM pg_proc "
  						  "WHERE oid = '%u'::oid",
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 7076,7081 ****
--- 7213,7219 ----
  						  "false as proisstrict, "
  						  "false as prosecdef, "
  						  "null as proconfig, 0 as procost, 0 as prorows, "
+ 						  "null as security_label, "
  		  "(SELECT lanname FROM pg_language WHERE oid = prolang) as lanname "
  						  "FROM pg_proc "
  						  "WHERE oid = '%u'::oid",
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 7118,7123 ****
--- 7256,7262 ----
  	proconfig = PQgetvalue(res, 0, PQfnumber(res, "proconfig"));
  	procost = PQgetvalue(res, 0, PQfnumber(res, "procost"));
  	prorows = PQgetvalue(res, 0, PQfnumber(res, "prorows"));
+ 	proseclabel = PQgetvalue(res, 0, PQfnumber(res, "security_label"));
  	lanname = PQgetvalue(res, 0, PQfnumber(res, "lanname"));
  
  	/*
*************** dumpFunc(Archive *fout, FuncInfo *finfo)
*** 7276,7281 ****
--- 7415,7423 ----
  	if (prosecdef[0] == 't')
  		appendPQExpBuffer(q, " SECURITY DEFINER");
  
+ 	if (security_label > 0 && strlen(proseclabel) > 0)
+ 		appendPQExpBuffer(q, " SECURITY_LABEL = '%s'", proseclabel);
+ 
  	/*
  	 * COST and ROWS are emitted only if present and not default, so as not to
  	 * break backwards-compatibility of the dump without need.	Keep this code
*************** dumpTableSchema(Archive *fout, TableInfo
*** 9666,9671 ****
--- 9808,9819 ----
  				if (tbinfo->notnull[j] && !tbinfo->inhNotNull[j])
  					appendPQExpBuffer(q, " NOT NULL");
  
+ 				if (security_label > 0 &&
+ 					strlen(tbinfo->attseclabel[j]) > 0 &&
+ 					strcmp(tbinfo->relseclabel, tbinfo->attseclabel[j]) != 0)
+ 					appendPQExpBuffer(q, " SECURITY_LABEL = '%s'",
+ 									  tbinfo->attseclabel[j]);
+ 
  				actual_atts++;
  			}
  		}
*************** dumpTableSchema(Archive *fout, TableInfo
*** 9713,9718 ****
--- 9861,9869 ----
  		if (tbinfo->reloptions && strlen(tbinfo->reloptions) > 0)
  			appendPQExpBuffer(q, "\nWITH (%s)", tbinfo->reloptions);
  
+ 		if (security_label > 0 && strlen(tbinfo->relseclabel) > 0)
+ 			appendPQExpBuffer(q, " SECURITY_LABEL = '%s'", tbinfo->relseclabel);
+ 
  		appendPQExpBuffer(q, ";\n");
  
  		/* Loop dumping statistics and storage statements */
*************** fmtCopyColumnList(const TableInfo *ti)
*** 11170,11175 ****
--- 11321,11341 ----
  
  	appendPQExpBuffer(q, "(");
  	needComma = false;
+ 
+ 	if (security_acl > 0 && ti->hasrowacl)
+ 	{
+ 		appendPQExpBuffer(q, "security_acl");
+ 		needComma = true;
+ 	}
+ 
+ 	if (security_label > 0)
+ 	{
+ 		if (needComma)
+ 			appendPQExpBuffer(q, ", ");
+ 		appendPQExpBuffer(q, "security_label");
+ 		needComma = true;
+ 	}
+ 
  	for (i = 0; i < numatts; i++)
  	{
  		if (attisdropped[i])
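Review bot: The security columns are named explicitly at the front of the COPY column list here, but the INSERT path in dumpTableData_insert obtains them by appending `,security_acl` and `,security_label` after `SELECT *`, so the two dump formats order and name these values differently. If the INSERT statements are emitted without a column list (that code is outside the visible hunks), the trailing values have no target column, and the restore would either fail or lose the labels. A comment above the first `if` such as `/* security attributes come first; the INSERT path must name them too */`, together with a forced column list on the INSERT path whenever either flag is set, would keep both paths restoring the same attributes. The function continues outside the hunk.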
diff -Nrpc base/src/bin/pg_dump/pg_dump.h sepgsql/src/bin/pg_dump/pg_dump.h
*** base/src/bin/pg_dump/pg_dump.h	Fri Jan 23 10:23:37 2009
--- sepgsql/src/bin/pg_dump/pg_dump.h	Fri Jan 23 10:55:35 2009
*************** typedef struct _tableInfo
*** 221,226 ****
--- 221,228 ----
  	char		relkind;
  	char	   *reltablespace;	/* relation tablespace */
  	char	   *reloptions;		/* options specified by WITH (...) */
+ 	char	   *relseclabel;	/* security label of the relation (table) */
+ 	bool		hasrowacl;		/* does it have Row-level ACLs? */
  	bool		hasindex;		/* does it have any indexes? */
  	bool		hasrules;		/* does it have any rules? */
  	bool		hastriggers;	/* does it have any triggers? */
*************** typedef struct _tableInfo
*** 245,250 ****
--- 247,253 ----
  	char	   *typstorage;		/* type storage scheme */
  	bool	   *attisdropped;	/* true if attr is dropped; don't dump it */
  	bool	   *attislocal;		/* true if attr has local definition */
+ 	char	  **attseclabel;	/* security label of attribute (column) */
  
  	/*
  	 * Note: we need to store per-attribute notnull, default, and constraint
diff -Nrpc base/src/bin/pg_dump/pg_dumpall.c sepgsql/src/bin/pg_dump/pg_dumpall.c
*** base/src/bin/pg_dump/pg_dumpall.c	Fri Jan 23 10:23:37 2009
--- sepgsql/src/bin/pg_dump/pg_dumpall.c	Fri Jan 23 10:55:35 2009
*************** static int	no_tablespaces = 0;
*** 68,73 ****
--- 68,76 ----
  static int	use_setsessauth = 0;
  static int	server_version;
  
+ static int	security_acl = 0;
+ static int	security_label = 0;
+ 
  static FILE *OPF;
  static char *filename = NULL;
  
*************** main(int argc, char *argv[])
*** 124,129 ****
--- 127,134 ----
  		{"no-tablespaces", no_argument, &no_tablespaces, 1},
  		{"role", required_argument, NULL, 3},
  		{"use-set-session-authorization", no_argument, &use_setsessauth, 1},
+ 		{"security-acl", no_argument, &security_acl, 1},
+ 		{"security-label", no_argument, &security_label, 1},
  
  		{NULL, 0, NULL, 0}
  	};
*************** main(int argc, char *argv[])
*** 279,284 ****
--- 284,293 ----
  					no_tablespaces = 1;
  				else if (strcmp(optarg, "use-set-session-authorization") == 0)
  					use_setsessauth = 1;
+ 				else if (strcmp(optarg, "security-acl") == 0)
+ 					security_acl = 1;
+ 				else if (strcmp(optarg, "security-label") == 0)
+ 					security_label = 1;
  				else
  				{
  					fprintf(stderr,
*************** main(int argc, char *argv[])
*** 318,323 ****
--- 327,336 ----
  		appendPQExpBuffer(pgdumpopts, " --no-tablespaces");
  	if (use_setsessauth)
  		appendPQExpBuffer(pgdumpopts, " --use-set-session-authorization");
+ 	if (security_acl)
+ 		appendPQExpBuffer(pgdumpopts, " --security-acl");
+ 	if (security_label)
+ 		appendPQExpBuffer(pgdumpopts, " --security-label");
  
  	if (optind < argc)
  	{
*************** main(int argc, char *argv[])
*** 393,398 ****
--- 406,434 ----
  		}
  	}
  
+ 	if (security_acl > 0)
+ 	{
+ 		if (server_version < 80400)
+ 		{
+ 			fprintf(stderr, "Row-level Database ACLs are not available.\n");
+ 			exit(1);
+ 		}
+ 	}
+ 
+ 	if (security_label > 0)
+ 	{
+ 		PGresult *res;
+ 		
+ 		res = PQexec(conn, "SHOW pgace_feature");
+ 		if (PQresultStatus(res) != PGRES_TUPLES_OK ||
+ 			PQntuples(res) != 1 ||
+ 			strcmp(PQgetvalue(res, 0, 0), "none") == 0)
+ 		{
+ 			fprintf(stderr, "No enhanced security feature is available.");
+ 			exit(1);
+ 		}
+ 	}
+ 
  	/*
  	 * Open the output file if required, otherwise use stdout
  	 */
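Review bot: In the `security_label > 0` block, the result of `PQexec(conn, "SHOW pgace_feature")` is never released on the success path, and the error text lacks the trailing newline that the `security_acl` message just above it has. Add `PQclear(res);` after the inner `if`, and end the message with `\n`: `fprintf(stderr, "No enhanced security feature is available.\n");`. A failed `SHOW` (for example on a server that does not know the setting) is reported with the same text as a value of `none`. Printing `PQerrorMessage(conn)` when `PQresultStatus(res) != PGRES_TUPLES_OK` would let an operator tell the two apart. `main()` begins and continues outside this hunk.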
*************** dumpCreateDB(PGconn *conn)
*** 935,941 ****
  						   "pg_encoding_to_char(d.encoding), "
  						   "datcollate, datctype, "
  						   "datistemplate, datacl, datconnlimit, "
! 						   "(SELECT spcname FROM pg_tablespace t WHERE t.oid = d.dattablespace) AS dattablespace "
  			  "FROM pg_database d LEFT JOIN pg_authid u ON (datdba = u.oid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 80100)
--- 971,978 ----
  						   "pg_encoding_to_char(d.encoding), "
  						   "datcollate, datctype, "
  						   "datistemplate, datacl, datconnlimit, "
! 						   "(SELECT spcname FROM pg_tablespace t WHERE t.oid = d.dattablespace) AS dattablespace, "
! 						   "d.security_label "
  			  "FROM pg_database d LEFT JOIN pg_authid u ON (datdba = u.oid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 80100)
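Review bot: The newest-server branch of this query now selects `d.security_label` unconditionally, even when `--security-label` was not requested. If this pg_dumpall is run against a server of that version whose `pg_database` lacks the column (the `SHOW pgace_feature` check elsewhere in the file suggests such servers are expected), the whole `dumpCreateDB` query fails, not just the label output. Consider choosing the column expression from the flag, for example passing `security_label ? "d.security_label" : "null::text AS security_label"` through a `%s` in the format string, so plain dumps keep working. The enclosing call and its version test are outside the hunk, so confirm which `server_version` branch this is.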
*************** dumpCreateDB(PGconn *conn)
*** 945,951 ****
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, datacl, datconnlimit, "
! 						   "(SELECT spcname FROM pg_tablespace t WHERE t.oid = d.dattablespace) AS dattablespace "
  			  "FROM pg_database d LEFT JOIN pg_authid u ON (datdba = u.oid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 80000)
--- 982,989 ----
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, datacl, datconnlimit, "
! 						   "(SELECT spcname FROM pg_tablespace t WHERE t.oid = d.dattablespace) AS dattablespace, "
! 						   "null::text AS security_label "
  			  "FROM pg_database d LEFT JOIN pg_authid u ON (datdba = u.oid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 80000)
*************** dumpCreateDB(PGconn *conn)
*** 955,961 ****
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, datacl, -1 as datconnlimit, "
! 						   "(SELECT spcname FROM pg_tablespace t WHERE t.oid = d.dattablespace) AS dattablespace "
  		   "FROM pg_database d LEFT JOIN pg_shadow u ON (datdba = usesysid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 70300)
--- 993,1000 ----
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, datacl, -1 as datconnlimit, "
! 						   "(SELECT spcname FROM pg_tablespace t WHERE t.oid = d.dattablespace) AS dattablespace, "
! 						   "null::text AS security_label "
  		   "FROM pg_database d LEFT JOIN pg_shadow u ON (datdba = usesysid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 70300)
*************** dumpCreateDB(PGconn *conn)
*** 965,971 ****
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, datacl, -1 as datconnlimit, "
! 						   "'pg_default' AS dattablespace "
  		   "FROM pg_database d LEFT JOIN pg_shadow u ON (datdba = usesysid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 70100)
--- 1004,1011 ----
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, datacl, -1 as datconnlimit, "
! 						   "'pg_default' AS dattablespace, "
! 						   "null::text AS security_label "
  		   "FROM pg_database d LEFT JOIN pg_shadow u ON (datdba = usesysid) "
  						   "WHERE datallowconn ORDER BY 1");
  	else if (server_version >= 70100)
*************** dumpCreateDB(PGconn *conn)
*** 977,983 ****
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, '' as datacl, -1 as datconnlimit, "
! 						   "'pg_default' AS dattablespace "
  						   "FROM pg_database d "
  						   "WHERE datallowconn ORDER BY 1");
  	else
--- 1017,1024 ----
  						   "pg_encoding_to_char(d.encoding), "
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "datistemplate, '' as datacl, -1 as datconnlimit, "
! 						   "'pg_default' AS dattablespace, "
! 						   "null::text AS security_label "
  						   "FROM pg_database d "
  						   "WHERE datallowconn ORDER BY 1");
  	else
*************** dumpCreateDB(PGconn *conn)
*** 993,999 ****
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "'f' as datistemplate, "
  						   "'' as datacl, -1 as datconnlimit, "
! 						   "'pg_default' AS dattablespace "
  						   "FROM pg_database d "
  						   "ORDER BY 1");
  	}
--- 1034,1041 ----
  						   "null::text AS datcollate, null::text AS datctype, "
  						   "'f' as datistemplate, "
  						   "'' as datacl, -1 as datconnlimit, "
! 						   "'pg_default' AS dattablespace, "
! 						   "null::text AS security_label "
  						   "FROM pg_database d "
  						   "ORDER BY 1");
  	}
*************** dumpCreateDB(PGconn *conn)
*** 1009,1014 ****
--- 1051,1057 ----
  		char	   *dbacl = PQgetvalue(res, i, 6);
  		char	   *dbconnlimit = PQgetvalue(res, i, 7);
  		char	   *dbtablespace = PQgetvalue(res, i, 8);
+ 		char	   *dbseclabel = PQgetvalue(res, i, 9);
  		char	   *fdbname;
  
  		fdbname = strdup(fmtId(dbname));
*************** dumpCreateDB(PGconn *conn)
*** 1064,1069 ****
--- 1107,1115 ----
  				appendPQExpBuffer(buf, " CONNECTION LIMIT = %s",
  								  dbconnlimit);
  
+ 			if (security_label > 0 && strlen(dbseclabel) > 0)
+ 				appendPQExpBuffer(buf, " SECURITY_LABEL = '%s'", dbseclabel);
+ 
  			appendPQExpBuffer(buf, ";\n");
  
  			if (strcmp(dbistemplate, "t") == 0)
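Review bot: `dbseclabel` is written into the generated `CREATE DATABASE` statement inside hand-placed single quotes with no escaping, so a label containing a quote or backslash yields a malformed or altered statement when the dump is restored. The label comes from the source server's catalog, and the restore usually runs as a superuser, so it should be quoted like any other literal. Use the existing helper: `appendPQExpBuffer(buf, " SECURITY_LABEL = ");` followed by `appendStringLiteralConn(buf, dbseclabel, conn);`. The surrounding statement construction starts and ends outside the hunk.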
