Re: Adding support for SE-Linux security

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>, KaiGai Kohhookei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Chad Sellers <csellers(at)tresys(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-12 00:27:24
Message-ID: 603c8f070912111627u196744d5sc391b20dbc9bc69b@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Fri, Dec 11, 2009 at 5:36 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> On Fri, Dec 11, 2009 at 4:26 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> > Does that help clarify my example case?
>>
>> That case doesn't seem terribly problematic to me.  It seems clear
>> that we'll want to pass some information about both x and y.  What is
>> less clear is exactly what the argument types will be, and the right
>> answer probably depends somewhat on the structure of the existing
>> code, which I have not looked at.
>
> Allow me to assist- y is never in a structure once you're out of the
> parser:

Well this is why you're writing the patch and not me. :-)

> ATExecChangeOwner(Oid relationOid, Oid newOwnerId, bool recursing)
>
> I expect you'll find this is more the rule than the exception to alot of
> the existing PG security model, because much of it's responsibility is
> in what I'll call the DDL (under commands/) aspects.  The DML pieces
> (under the executor) are a bit better about this, specifically you could
> pass in a RangeTblEntry, exactly how ExecCheckRTEPerms handles it.
>
> Actually, in a fit of barely-contained mirth, it strikes me that PG
> really has already done what you're suggesting for the 'hard' part- and
> the RangeTblEntry plus ExecCheckRTEPerms is exactly it.  It's all the
> *other* checks we do for the PG security model, under commands/, that
> are the problem here.  The parts of the code that, to be honest, I think
> all us database geeks have historically cared alot less about.

Hmm, interesting.

>> What I'm more concerned about is if
>> the access control decision in this case were based on u for PG DAC, v
>> for SE-PostgreSQL, and w for Robert Haas's Personal Defensive System.
>> If that's the case, and our function signature looks like (x,y,u,v,w),
>> the we should worry.
>
> Right, I understand that.  What I offer in reply is that we focus our
> attention on using the OID+SubOID approach, as I'm suggesting, to the
> fullest extent possible through that mechanism, and appreciate that the
> other arguments passed to the function are derived specifically from the
> parser and therefore unlikely to be changed until and unless we change
> the base syntax of the command and calling function, at which time we
> may have to add arguments to the function signature.  This would
> continue at least until we get to the point where we decide that the
> caller needs to be changed because it's got a huge function sig, and
> move it to something like the structure of the executor and the
> equivilant of ExecCheckRTEPerms() would get updated along with it, at
> that time.

What exactly do you mean by a SubOID? I'm not really following that part.

...Robert

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message KaiGai Kohei 2009-12-12 00:32:01 Re: SE-PostgreSQL/Lite Review
Previous Message Andres Freund 2009-12-12 00:19:38 Re: 8.4.1 ubuntu karmic slow createdb