-- 2. If you change definition of tables
-- update the schema counter at the bottom!!
--- TODO: Use "USING" in joins whenever possible
-
.load librules-db-sql-udf.so
PRAGMA foreign_keys = ON;
PRAGMA auto_vacuum = NONE;
BEGIN EXCLUSIVE TRANSACTION;
--- PRAGMA cache_size = 2000;
+-- Update here on every schema change! Integer value.
+PRAGMA user_version = 2;
CREATE TABLE IF NOT EXISTS app (
app_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
path TEXT NOT NULL,
label_id INTEGER NOT NULL,
access INTEGER NOT NULL,
+ access_reverse INTEGER NOT NULL,
app_path_type_id INTEGER NOT NULL ,
-- TODO:
FOREIGN KEY(app_path_type_id) REFERENCES app_path_type(app_path_type_id)
);
+CREATE TABLE IF NOT EXISTS label_app_path_type_rule (
+ label_id INTEGER NOT NULL,
+ app_path_type_id INTEGER NOT NULL,
+ access INTEGER NOT NULL DEFAULT 0,
+ is_reverse INTEGER NOT NULL DEFAULT 0,
+
+ PRIMARY KEY (label_id, app_path_type_id, is_reverse),
+
+ FOREIGN KEY(label_id) REFERENCES label(label_id),
+ FOREIGN KEY(app_path_type_id) REFERENCES app_path_type(app_path_type_id)
+);
CREATE TABLE IF NOT EXISTS label (
label_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-- TEMPORARY TABLES ------------------------------------------------------------
-- Definitions are repeated in code.
-
CREATE TEMPORARY TABLE history_smack_rule(
subject TEXT NOT NULL,
object TEXT NOT NULL,
END;
+-- LABEL TO APP PATH TYPE RULE VIEW --------------------------------------------
+DROP VIEW IF EXISTS label_app_path_type_rule_view;
+CREATE VIEW label_app_path_type_rule_view AS
+SELECT
+ label_app_path_type_rule.label_id AS label_id,
+ label.name AS label_name,
+ app_path_type.name AS app_path_type_name,
+ label_app_path_type_rule.access AS access,
+ label_app_path_type_rule.is_reverse AS is_reverse
+FROM label_app_path_type_rule
+LEFT JOIN label USING(label_id)
+LEFT JOIN app_path_type USING(app_path_type_id);
+
+
+DROP TRIGGER IF EXISTS label_app_path_type_rule_view_insert_trigger;
+CREATE TRIGGER label_app_path_type_rule_view_insert_trigger
+INSTEAD OF INSERT
+ON label_app_path_type_rule_view
+BEGIN
+ INSERT OR IGNORE INTO label(name) VALUES (NEW.label_name);
+
+ INSERT INTO label_app_path_type_rule(label_id,
+ app_path_type_id,
+ access,
+ is_reverse)
+ SELECT label.label_id,
+ app_path_type.app_path_type_id,
+ str_to_access(NEW.access),
+ NEW.is_reverse
+ FROM label, app_path_type
+ WHERE label.name = NEW.label_name AND
+ app_path_type.name = NEW.app_path_type_name;
+END;
+
+
+DROP TRIGGER IF EXISTS label_app_path_type_rule_view_delete_trigger;
+CREATE TRIGGER label_app_path_type_rule_view_delete_trigger
+INSTEAD OF DELETE
+ON label_app_path_type_rule_view
+BEGIN
+ -- Delete the rules with this label
+ DELETE FROM label_app_path_type_rule
+ WHERE label_app_path_type_rule.label_id
+ IN (SELECT label.label_id
+ FROM label
+ WHERE label.name = OLD.label_name);
+
+ -- Delete the label if it's not referenced
+ DELETE FROM label_view
+ WHERE label_view.name = OLD.label_name;
+END;
+
-- PERMISSION TO PERMISSION RULE VIEW ------------------------------------------
DROP VIEW IF EXISTS permission_permission_rule_view;
CREATE VIEW permission_permission_rule_view AS
CREATE TRIGGER label_view_delete_trigger
INSTEAD OF DELETE ON label_view
WHEN OLD.label_id NOT IN (SELECT app.label_id
- FROM app) AND
+ FROM app) AND
OLD.label_id NOT IN (SELECT permission_label_rule.label_id
- FROM permission_label_rule) AND
+ FROM permission_label_rule) AND
OLD.label_id NOT IN (SELECT app_path.label_id
- FROM app_path)
+ FROM app_path) AND
+ OLD.label_id NOT IN (SELECT label_app_path_type_rule.label_id
+ FROM label_app_path_type_rule)
BEGIN
DELETE FROM label WHERE label.name = OLD.name;
END;
app_path.path AS path,
label.name AS path_label_name,
app_path.access AS access,
+ app_path.access_reverse AS access_reverse,
app_path_type.name AS path_type_name
FROM app_path
INSERT OR IGNORE INTO label(name) VALUES (NEW.path_label_name);
-- Add the path
- INSERT INTO app_path(app_id, path, label_id, access, app_path_type_id)
+ INSERT OR IGNORE INTO app_path(app_id, path, label_id, access, access_reverse, app_path_type_id)
SELECT application_view.app_id,
NEW.path,
label.label_id,
str_to_access(NEW.access),
+ str_to_access(NEW.access_reverse),
app_path_type.app_path_type_id
FROM application_view, app_path_type, label
WHERE application_view.name = NEW.owner_app_label_name AND
WHERE app.name != label.name;
+-- LABEL TO PATH TYPE RULE VIEW -------------------------------------------
+-- ltl = label to label
+DROP VIEW IF EXISTS ltl_label_app_path_type_rule_view;
+CREATE VIEW ltl_label_app_path_type_rule_view AS
+SELECT (CASE WHEN is_reverse = 0 THEN label.name ELSE path_label.name END) AS subject,
+ (CASE WHEN is_reverse = 1 THEN label.name ELSE path_label.name END) AS object,
+ l.access AS access,
+ 0 AS is_volatile
+FROM label_app_path_type_rule AS l
+INNER JOIN label USING(label_id)
+INNER JOIN app_path USING(app_path_type_id)
+INNER JOIN label AS path_label ON app_path.label_id = path_label.label_id
+WHERE path_label.name != label.name;
+
+
-- PERMISSION TO APPLICATION'S OWN PATHS ---------------------------------------
-- ltl = label to label
DROP VIEW IF EXISTS ltl_app_path_view;
INNER JOIN label USING(label_id);
+-- PERMISSION FROM PATHS TO APPLICATIONS ---------------------------------------
+-- ltl = label to label
+DROP VIEW IF EXISTS ltl_app_path_reverse_view;
+CREATE VIEW ltl_app_path_reverse_view AS
+SELECT label.name AS subject,
+ application_view.name AS object,
+ app_path.access_reverse AS access
+FROM app_path
+INNER JOIN application_view USING(app_id)
+INNER JOIN label USING(label_id)
+WHERE app_path.access_reverse != 0 ;
+
+
-- SMACK RULES VIEWS -----------------------------------------------------------
DROP VIEW IF EXISTS all_smack_binary_rules_view;
CREATE VIEW all_smack_binary_rules_view AS
SELECT subject, object, access, is_volatile
FROM ltl_permission_app_path_type_rule_view
UNION ALL
+ SELECT subject, object, access, is_volatile
+ FROM ltl_label_app_path_type_rule_view
+ UNION ALL
SELECT subject, object, access, 0
FROM ltl_app_path_view
+ UNION ALL
+ SELECT subject, object, access, 0
+ FROM ltl_app_path_reverse_view
)
GROUP BY subject, object
ORDER BY subject, object ASC;
)
ORDER BY subject, object ASC;
-
--- Update here!
-PRAGMA schema_version = 1;
-
-COMMIT TRANSACTION;
+COMMIT TRANSACTION;
\ No newline at end of file
projects / platform / core / security / libprivilege-control.git / blobdiff