veil2.c

Go to the documentation of this file.

#include "postgres.h"
#include "funcapi.h"
#include "catalog/pg_type.h"
#include "access/xact.h"
#include "executor/spi.h"
#include "access/htup_details.h"
#include "utils/builtins.h"

#include "veil2.h"

PG_MODULE_MAGIC;


/* These definitions are here rather than immediately preceding the
 * function declarations themselves as this code seems to confuse
 * Doxygen's call graph stuff.
 */
PG_FUNCTION_INFO_V1(veil2_session_ready); 
PG_FUNCTION_INFO_V1(veil2_reset_session);
PG_FUNCTION_INFO_V1(veil2_reset_session_privs);
PG_FUNCTION_INFO_V1(veil2_session_context); 
PG_FUNCTION_INFO_V1(veil2_session_privileges); 
PG_FUNCTION_INFO_V1(veil2_add_session_privileges); 
PG_FUNCTION_INFO_V1(veil2_update_session_privileges); 
PG_FUNCTION_INFO_V1(veil2_true);
PG_FUNCTION_INFO_V1(veil2_i_have_global_priv);
PG_FUNCTION_INFO_V1(veil2_i_have_personal_priv);
PG_FUNCTION_INFO_V1(veil2_i_have_priv_in_scope);
PG_FUNCTION_INFO_V1(veil2_i_have_priv_in_scope_or_global);
PG_FUNCTION_INFO_V1(veil2_i_have_priv_in_superior_scope);
PG_FUNCTION_INFO_V1(veil2_i_have_priv_in_scope_or_superior);
PG_FUNCTION_INFO_V1(veil2_i_have_priv_in_scope_or_superior_or_global);
PG_FUNCTION_INFO_V1(veil2_result_counts);
PG_FUNCTION_INFO_V1(veil2_docpath);
PG_FUNCTION_INFO_V1(veil2_datapath);
PG_FUNCTION_INFO_V1(veil2_version);


static bool session_ready = false;


static int result_counts[] = {0, 0};


typedef struct {
    int scope_type;
    int scope;
    Bitmap *roles;
    Bitmap *privileges;
} ContextRolePrivs;

typedef struct {
    int array_len;
    int active_contexts;
    ContextRolePrivs context_roleprivs[0];
} SessionRolePrivs;


typedef struct {
    bool  loaded;
    int   accessor_id;
    int64 session_id;
    int   login_context_type_id;
    int   login_context_id;
    int   session_context_type_id;
    int   session_context_id;
    int   mapping_context_type_id;
    int   mapping_context_id;
    int64 parent_session_id;
} SessionContext;

static SessionRolePrivs *session_roleprivs = NULL;

static bool session_roleprivs_loaded = false;

static SessionContext session_context = {false, 0, 0, 0, 0,
                                         0, 0, 0, 0};


static void
findContext(int *p_idx, int scope_type, int scope)
{
    int this = *p_idx;
    int cmp;
    int lower = 0;
    int upper;
    ContextRolePrivs *this_cp;

    if (!session_roleprivs) {
        *p_idx = -1;
        return;
    }
    upper = session_roleprivs->active_contexts - 1;
    if (upper == 0) {
        *p_idx = -1;
        return;
    }
    else if ((this < 0) || (this >= upper)) {
        /* Create a new start, in the middle of the contexts. */
        this = upper >> 1;
    }
    /* Bsearch until we find a match or realise there is none. */     
    while (true) {
        this_cp = &(session_roleprivs->context_roleprivs[this]);
        cmp = this_cp->scope_type - scope_type;
        if (!cmp) {
            cmp = this_cp->scope - scope;
        }
        if (!cmp) {
            *p_idx = this;
            return;
        }
        if (cmp > 0) {
            /* We are looking for a lower value. */
            upper = this - 1;
        }
        else {
            lower = this + 1;
        }
        if (upper < lower) {
            *p_idx = -1;
            return;
        }
        this = (upper + lower) >> 1;
    }
}

static bool
checkContext(int *p_idx, int scope_type, int scope, int priv)
{
    findContext(p_idx, scope_type, scope);
    if (*p_idx == -1) {
        return false;
    }
    return bitmapTestbit(
        session_roleprivs->context_roleprivs[*p_idx].privileges, priv);
}


static void
freeContextRolePrivs(ContextRolePrivs *cp)
{
    pfree((void *) cp->roles);
    pfree((void *) cp->privileges);
    cp->roles = NULL;
    cp->privileges = NULL;
}


static void
clear_session_roleprivs()
{
    int i;
    MemoryContext old_context;
    old_context = MemoryContextSwitchTo(TopMemoryContext);

    if (session_roleprivs) {
        for (i = session_roleprivs->active_contexts - 1; i >= 0; i--) {
            freeContextRolePrivs(&session_roleprivs->context_roleprivs[i]);
        }
        session_roleprivs->active_contexts = 0;
        session_roleprivs_loaded = false;
    }
    MemoryContextSwitchTo(old_context);
}

#define CONTEXT_ROLEPRIVS_INCREMENT 16

#define CONTEXT_ROLEPRIVS_SIZE(elems) (                 \
    sizeof(SessionRolePrivs) +                          \
    (sizeof(ContextRolePrivs) *                         \
     (elems + CONTEXT_ROLEPRIVS_INCREMENT)))

/*
 * Create or extend our SessionRolePrivs structure.
 *
 * @param session_roleprivs, the current version of the struct, or
 * NULL, if it has not yet been created.
 * @result The newly allocated or extended SessionRolePrivs struct.
 */
static SessionRolePrivs *
extendSessionRolePrivs(SessionRolePrivs *session_roleprivs)
{
    size_t size;
    int i;
    if (session_roleprivs) {
        size = CONTEXT_ROLEPRIVS_SIZE(session_roleprivs->array_len);
        session_roleprivs = (SessionRolePrivs *)
            realloc((void *) session_roleprivs, size);
        session_roleprivs->array_len += CONTEXT_ROLEPRIVS_INCREMENT;
        for (i = session_roleprivs->array_len - CONTEXT_ROLEPRIVS_INCREMENT;
             i < session_roleprivs->array_len; i++)
        {
            session_roleprivs->context_roleprivs[i].privileges = NULL;
        }
    }
    else {
        session_roleprivs = (SessionRolePrivs *)
            calloc(1, CONTEXT_ROLEPRIVS_SIZE(0));
        session_roleprivs->array_len = CONTEXT_ROLEPRIVS_INCREMENT;
    }
    if (!session_roleprivs) {
        ereport(ERROR,
                (errcode(ERRCODE_INTERNAL_ERROR),
                 errmsg("Unable to create session memory in "
                        "extendSessionPrivs()")));
    }
    return session_roleprivs;
}


static void
add_scope_roleprivs(int scope_type, int scope, Bitmap *roles, Bitmap *privs)
{
    MemoryContext old_context;
    int idx;
    
    if (!session_roleprivs) {
        session_roleprivs = extendSessionRolePrivs(NULL);
    }
    else if (session_roleprivs->active_contexts >=
             session_roleprivs->array_len) {
        session_roleprivs = extendSessionRolePrivs(session_roleprivs);
    }
    idx = session_roleprivs->active_contexts;
    session_roleprivs->active_contexts++;
    session_roleprivs->context_roleprivs[idx].scope_type = scope_type;
    session_roleprivs->context_roleprivs[idx].scope = scope;

    /* We copy the bitmaps in TopMemoryContext so they won't be
     * cleaned-up as transactions come and go. */
    
    old_context = MemoryContextSwitchTo(TopMemoryContext);
    session_roleprivs->context_roleprivs[idx].roles = bitmapCopy(roles);
    session_roleprivs->context_roleprivs[idx].privileges = bitmapCopy(privs);
    MemoryContextSwitchTo(old_context);
}

static void
update_scope_roleprivs(int scope_type, int scope, Bitmap *roles, Bitmap *privs)
{
    int idx;
    MemoryContext old_context;

    findContext(&idx, scope_type, scope);
    if (idx == -1) {
        /* PK fields do not match an existing record, so the update
         * does nothing. */
        return;
    }
    old_context = MemoryContextSwitchTo(TopMemoryContext);
    freeContextRolePrivs(&session_roleprivs->context_roleprivs[idx]);
    session_roleprivs->context_roleprivs[idx].roles = bitmapCopy(roles);
    session_roleprivs->context_roleprivs[idx].privileges = bitmapCopy(privs);
    MemoryContextSwitchTo(old_context);
}


static bool
error_if_no_session()
{
    static bool init_done = false;
    static bool error = true;
    bool pushed;
    if (!init_done) {
        veil2_spi_connect(&pushed, "error_if_no_session() (1)");
        (void) veil2_bool_from_query(
            "select parameter_value::boolean"
            "  from veil2.system_parameters"
            " where parameter_name = 'error on uninitialized session'",
            0, NULL, NULL, NULL, &error);
        veil2_spi_finish(pushed, "error_if_no_session (2)");
        init_done = true;
    }
    return error;
}

static bool
fetch_2ints(HeapTuple tuple, TupleDesc tupdesc, void *p_result)
{
    bool isnull;
    tuple_2ints *my_tup = (tuple_2ints *) p_result;
    my_tup->f1 = DatumGetInt32(SPI_getbinval(tuple, tupdesc, 1, &isnull));
    my_tup->f2 = DatumGetInt32(SPI_getbinval(tuple, tupdesc, 2, &isnull));

    return false;  // No need to continue processing after this
}


static void
create_temp_tables()
{
    (void) veil2_query(
        "create temporary table veil2_ancestor_privileges"
        "    of veil2.session_privileges_t",
        0, NULL, NULL,
        false, NULL,
        NULL, NULL);
}


static void
do_reset_session(bool clear_context)
{
    tuple_2ints my_tup;
    int processed;

    processed = veil2_query(
        "select count(*)::integer,"
        "       sum(case when c.relacl is null then 1 else 0 end)"
        "  from pg_catalog.pg_class c"
        " where c.relname = 'veil2_ancestor_privileges'"
        "   and c.relkind = 'r'"
        "   and c.relpersistence = 't'"
        "   and pg_catalog.pg_table_is_visible(c.oid)",
        0, NULL, NULL,
        false,  NULL,
        fetch_2ints, (void *) &my_tup);

    if (processed == 0) {
        /* Unexpected error in query. */
        ereport(ERROR,
                (errcode(ERRCODE_INTERNAL_ERROR),
                 errmsg("Temp tables query fails in veil2_reset_session()")));
    }
    else {
        if (processed != 1) {
            /* This should be impossible. */
            ereport(ERROR,
                    (errcode(ERRCODE_INTERNAL_ERROR),
                     errmsg("Unexpected processing error in "
                            "veil2_reset_session: %d", processed)));
        }
        if (my_tup.f1 == 0) {
            /* We have no temp table, so let's create it. */
            create_temp_tables();
            session_ready = true;
        }
        else if (my_tup.f1 == 1) {
            /* We have the expected temp tables - check that access
             * is properly limited. */
            if (my_tup.f2 != 1) {
                ereport(ERROR,
                        (errcode(ERRCODE_INTERNAL_ERROR),
                         errmsg("Unexpected access to temp table in "
                                "veil2_reset_session"),
                         errdetail("This indicates an attempt to bypass "
                                   "VPD security!")));
            }
            /* Access to temp tables looks kosher.  Truncate the
             * tables. */
            if (clear_context) {
                session_context.loaded = false;
            }
            clear_session_roleprivs();
            session_ready = true;
        }
        else {
            ereport(ERROR,
                    (errcode(ERRCODE_INTERNAL_ERROR),
                     errmsg("Unexpected count of temp tables in "
                            "veil2_reset_session: %d", my_tup.f1),
                     errdetail("This indicates an attempt to bypass "
                               "VPD security!")));
        }
    }
}


Datum
veil2_session_ready(PG_FUNCTION_ARGS)
{
    PG_RETURN_BOOL(session_ready);
}


Datum
veil2_reset_session(PG_FUNCTION_ARGS)
{
    bool pushed;
    
    session_ready = false;
    veil2_spi_connect(&pushed, "failed to reset session (1)");
    do_reset_session(true);
    veil2_spi_finish(pushed, "failed to reset session (2)");
    PG_RETURN_VOID();
}

Datum
veil2_reset_session_privs(PG_FUNCTION_ARGS)
{
    bool pushed;

    veil2_spi_connect(&pushed, "failed to reset session privs (1)");
    do_reset_session(false);
    veil2_spi_finish(pushed, "failed to reset session privs (2)");
    PG_RETURN_VOID();
}

Datum
veil2_session_context(PG_FUNCTION_ARGS)
{
    Datum results[9];
    static bool allnulls[9] = {true, true, true, true,
                               true, true, true, true, true};
    static bool nonulls[9] = {false, false, false, false,
                              false, false, false, false, false};
    bool *nulls;
    TupleDesc tuple_desc;
    HeapTuple tuple;
    if (get_call_result_type(fcinfo, NULL,
                             &tuple_desc) != TYPEFUNC_COMPOSITE) {
        ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("function returning record called in context "
                            "that cannot accept type record")));
    }
    tuple_desc = BlessTupleDesc(tuple_desc);
    
    if (!PG_ARGISNULL(0)) {
        session_context.accessor_id = PG_GETARG_INT32(0);
        session_context.session_id = PG_GETARG_INT64(1);
        session_context.login_context_type_id = PG_GETARG_INT32(2);
        session_context.login_context_id = PG_GETARG_INT32(3);
        session_context.session_context_type_id = PG_GETARG_INT32(4);
        session_context.session_context_id = PG_GETARG_INT32(5);
        session_context.mapping_context_type_id = PG_GETARG_INT32(6);
        session_context.mapping_context_id = PG_GETARG_INT32(7);
        if (PG_ARGISNULL(8)) {
            session_context.parent_session_id = session_context.session_id;
        }
        else {
            session_context.parent_session_id = PG_GETARG_INT64(8);
        }
        session_context.loaded = true;
    }
    if (session_context.loaded) {
        results[0] = Int32GetDatum(session_context.accessor_id);
        results[1] = Int64GetDatum(session_context.session_id);
        results[2] = Int32GetDatum(session_context.login_context_type_id);
        results[3] = Int32GetDatum(session_context.login_context_id);
        results[4] = Int32GetDatum(session_context.session_context_type_id);
        results[5] = Int32GetDatum(session_context.session_context_id);
        results[6] = Int32GetDatum(session_context.mapping_context_type_id);
        results[7] = Int32GetDatum(session_context.mapping_context_id);
        nulls = nonulls;
        if (session_context.parent_session_id ==
            session_context.session_id)
        {
            nulls[8] = true;
        }
        else {
            results[8] = Int64GetDatum(session_context.parent_session_id);
            nulls[8] = false;
        }
    }
    else {
        nulls = allnulls;
    }
    tuple = heap_form_tuple(tuple_desc, results, nulls);
    tuple_desc = BlessTupleDesc(tuple_desc);
    return HeapTupleGetDatum(tuple);
}


Datum
veil2_session_privileges(PG_FUNCTION_ARGS)
{
    FuncCallContext *funcctx;
    AttInMetadata *attinmeta;
    MemoryContext oldcontext;
    TupleDesc tupdesc;
    long idx;
    bool nulls[4] = {false, false, false, false};
    
    if (SRF_IS_FIRSTCALL()) {
        funcctx = SRF_FIRSTCALL_INIT();
        oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);

        tupdesc = RelationNameGetTupleDesc("veil2.session_privileges_t");
        funcctx->tuple_desc = tupdesc;
        attinmeta = TupleDescGetAttInMetadata(tupdesc);
        funcctx->attinmeta = attinmeta;

        MemoryContextSwitchTo(oldcontext);
        /* We use the user function context to store an index into
         * session_roleprivs. */
        funcctx->user_fctx = (void *) 0;
    }
    
    funcctx = SRF_PERCALL_SETUP();
    idx = (long) funcctx->user_fctx;

    if (session_roleprivs &&
        (idx < session_roleprivs->active_contexts)) {
        Datum results[4];
        HeapTuple tuple;
        Datum datum;
        Bitmap *bitmap;
        results[0] = Int32GetDatum(session_roleprivs->
                                   context_roleprivs[idx].scope_type);
        results[1] = Int32GetDatum(session_roleprivs->
                                   context_roleprivs[idx].scope);
        bitmap = session_roleprivs->context_roleprivs[idx].roles;
        oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);
        if (bitmap) {
            results[2] = (Datum) bitmapCopy(bitmap);
        }
        else {
            nulls[2] = true;
        }
        bitmap = session_roleprivs->context_roleprivs[idx].privileges;
        if (bitmap) {
            results[3] = (Datum) bitmapCopy(bitmap);
        }
        else {
            nulls[3] = true;
        }
        MemoryContextSwitchTo(oldcontext);
        tupdesc = funcctx->tuple_desc;
        tuple = heap_form_tuple(tupdesc, results, nulls);
        tupdesc = BlessTupleDesc(tupdesc);
        datum = TupleGetDatum(tupdesc, tuple);
        funcctx->user_fctx = (void *) (idx + 1);
        SRF_RETURN_NEXT(funcctx, datum);
    }
    else {
        SRF_RETURN_DONE(funcctx);
    }
}

Datum veil2_add_session_privileges(PG_FUNCTION_ARGS)
{
    int scope_type_id = PG_GETARG_INT32(0);
    int scope_id = PG_GETARG_INT32(1);
    Bitmap *roles = PG_GETARG_BITMAP(2);
    Bitmap *privs = PG_GETARG_BITMAP(3);

    add_scope_roleprivs(scope_type_id, scope_id, roles, privs);
    PG_RETURN_VOID();
}


Datum veil2_update_session_privileges(PG_FUNCTION_ARGS)
{
    int scope_type_id = PG_GETARG_INT32(0);
    int scope_id = PG_GETARG_INT32(1);
    Bitmap *roles = PG_GETARG_BITMAP(2);
    Bitmap *privs = PG_GETARG_BITMAP(3);

    update_scope_roleprivs(scope_type_id, scope_id, roles, privs);
    PG_RETURN_VOID();
}

Datum
veil2_true(PG_FUNCTION_ARGS)
{
    return true;
}

static bool
checkSessionReady()
{
    if (session_ready) {
        return true;
    }
    if (error_if_no_session()) {
        ereport(ERROR,
                (errcode(ERRCODE_INTERNAL_ERROR),
                 errmsg("Attempt to check privileges before call to "
                        "veil2_reset_session.")));
    }
    return false;
}

Datum
veil2_i_have_global_priv(PG_FUNCTION_ARGS)
{
    static int context_idx = -1;
    int priv = PG_GETARG_INT32(0);
    bool result;
    
    if ((result = checkSessionReady())) {
        result = checkContext(&context_idx, 1, 0, priv);
    }
    result_counts[result]++;
    return result;
}


Datum
veil2_i_have_personal_priv(PG_FUNCTION_ARGS)
{
    static int context_idx = -1;
    bool result;
    int priv = PG_GETARG_INT32(0);
    int accessor_id = PG_GETARG_INT32(1);
    
    if ((result = checkSessionReady())) {
        result = checkContext(&context_idx, 2, accessor_id, priv);
    }
    result_counts[result]++;
    return result;
}


Datum
veil2_i_have_priv_in_scope(PG_FUNCTION_ARGS)
{
    static int context_idx = -1;
    bool result;
    int priv = PG_GETARG_INT32(0);
    int scope_type_id = PG_GETARG_INT32(1);
    int scope_id = PG_GETARG_INT32(2);
    
    if ((result = checkSessionReady())) {
        result = checkContext(&context_idx, scope_type_id, scope_id, priv);
    }
    result_counts[result]++;
    return result;
}


Datum
veil2_i_have_priv_in_scope_or_global(PG_FUNCTION_ARGS)
{
    static int global_context_idx = -1;
    static int given_context_idx = -1;
    bool result;
    int priv = PG_GETARG_INT32(0);
    int scope_type_id = PG_GETARG_INT32(1);
    int scope_id = PG_GETARG_INT32(2);
    
    if ((result = checkSessionReady())) {
        result =
            (checkContext(&global_context_idx, 1, 0, priv) ||
             checkContext(&given_context_idx, scope_type_id,
                          scope_id, priv));
    }
    result_counts[result]++;
    return result;
}


Datum
veil2_i_have_priv_in_superior_scope(PG_FUNCTION_ARGS)
{
    static void *saved_plan = NULL;
    bool result;
    bool found;
    bool pushed;
    int priv = PG_GETARG_INT32(0);
    int scope_type_id = PG_GETARG_INT32(1);
    int scope_id = PG_GETARG_INT32(2);
    Oid argtypes[] = {INT4OID, INT4OID, INT4OID};
    Datum args[] = {Int32GetDatum(priv),
                    Int32GetDatum(scope_type_id),
                    Int32GetDatum(scope_id)};
    
    if ((result = checkSessionReady())) {
        veil2_spi_connect(&pushed,
                          "SPI connect failed in "
                          "veil2_i_have_priv_in_superior_scope()");
        found = veil2_bool_from_query(
            "select true"
            "  from veil2.all_superior_scopes asp"
            " inner join veil2.session_privileges() sp"
            "    on sp.scope_type_id = asp.superior_scope_type_id"
            "   and sp.scope_id = asp.superior_scope_id"
            " where asp.scope_type_id = $2"
            "   and asp.scope_id = $3"
            "   and sp.privs ? $1",
            3, argtypes, args,
            &saved_plan, &result);

        veil2_spi_finish(pushed,
                         "SPI finish failed in "
                         "veil2_i_have_priv_in_superior_scope()");
        result = found && result;
    }
    result_counts[result]++;
    return result;
}


Datum
veil2_i_have_priv_in_scope_or_superior(PG_FUNCTION_ARGS)
{
    static int context_idx = -1;
    static void *saved_plan = NULL;
    bool result;
    bool found;
    bool pushed;
    int priv = PG_GETARG_INT32(0);
    int scope_type_id = PG_GETARG_INT32(1);
    int scope_id = PG_GETARG_INT32(2);
    Oid argtypes[] = {INT4OID, INT4OID, INT4OID};
    Datum args[] = {Int32GetDatum(priv),
                    Int32GetDatum(scope_type_id),
                    Int32GetDatum(scope_id)};

    if ((result = checkSessionReady())) {
        /* Start by checking priv in scope - this can maybe save us a
         * query. */

        result = checkContext(&context_idx, scope_type_id, scope_id, priv);

        if (!result) {
            veil2_spi_connect(&pushed,
                              "SPI connect failed in "
                              "veil2_i_have_priv_in_scope_or_superior()");
            found = veil2_bool_from_query(
                "select true"
                "  from veil2.all_superior_scopes asp"
                " inner join veil2.session_privileges() sp"
                "    on sp.scope_type_id = asp.superior_scope_type_id"
                "   and sp.scope_id = asp.superior_scope_id"
                " where asp.scope_type_id = $2"
                "   and asp.scope_id = $3"
                "   and sp.privs ? $1",
                3, argtypes, args,
                &saved_plan, &result);
            
            veil2_spi_finish(pushed,
                             "SPI finish failed in "
                             "veil2_i_have_priv_in_scope_or_superior()");
            result = found && result;
        }
    }
    result_counts[result]++;
    return result;
}


Datum
veil2_i_have_priv_in_scope_or_superior_or_global(PG_FUNCTION_ARGS)
{
    static int global_context_idx = -1;
    static int given_context_idx = -1;
    static void *saved_plan = NULL;
    bool result;
    bool found;
    bool pushed;
    int priv = PG_GETARG_INT32(0);
    int scope_type_id = PG_GETARG_INT32(1);
    int scope_id = PG_GETARG_INT32(2);
    Oid argtypes[] = {INT4OID, INT4OID, INT4OID};
    Datum args[] = {Int32GetDatum(priv),
                    Int32GetDatum(scope_type_id),
                    Int32GetDatum(scope_id)};
    
    if ((result = checkSessionReady())) {
        result =
            (checkContext(&global_context_idx, 1, 0, priv) ||
             checkContext(&given_context_idx, scope_type_id,
                          scope_id, priv));
        if (!result) {
            veil2_spi_connect(&pushed,
                              "SPI connect failed in "
                              "veil2_i_have_priv_in_scope_or_superior()");
            found = veil2_bool_from_query(
                "select true"
                "  from veil2.all_superior_scopes asp"
                " inner join veil2.session_privileges() sp"
                "    on sp.scope_type_id = asp.superior_scope_type_id"
                "   and sp.scope_id = asp.superior_scope_id"
                " where asp.scope_type_id = $2"
                "   and asp.scope_id = $3"
                "   and sp.privs ? $1",
                3, argtypes, args,
                &saved_plan, &result);

            veil2_spi_finish(pushed,
                             "SPI finish failed in "
                             "veil2_i_have_priv_in_scope_or_superior()");
            result = found && result;
        }
    }
    result_counts[result]++;
    return result;
}


Datum
veil2_result_counts(PG_FUNCTION_ARGS)
{
    /* We only return positive integers.  That's just the way it
     * is. */ 
    Datum results[2] = {Int32GetDatum(result_counts[0] & INT_MAX),
                        Int32GetDatum(result_counts[1] & INT_MAX)};
    bool nulls[2] = {false, false};
    TupleDesc tuple_desc;
    HeapTuple tuple;
    if (get_call_result_type(fcinfo, NULL,
                             &tuple_desc) != TYPEFUNC_COMPOSITE) {
        ereport(ERROR,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("function returning record called in context "
                            "that cannot accept type record")));
    }
    tuple_desc = BlessTupleDesc(tuple_desc);
    tuple = heap_form_tuple(tuple_desc, results, nulls);
    return HeapTupleGetDatum(tuple);
}
    
static text *
textfromstr(char *in)
{
    int   len = strlen(in);
    text *out = palloc(len + VARHDRSZ);
    memcpy(VARDATA(out), in, len);
    SET_VARSIZE(out, (len + VARHDRSZ));

    return out;
}

Datum
veil2_docpath(PG_FUNCTION_ARGS)
{
    PG_RETURN_TEXT_P(textfromstr(DOCS_PATH));
}

Datum
veil2_datapath(PG_FUNCTION_ARGS)
{
    PG_RETURN_TEXT_P(textfromstr(DATA_PATH));
}


Datum
veil2_version(PG_FUNCTION_ARGS)
{
    PG_RETURN_TEXT_P(textfromstr(VEIL2_VERSION));
}