From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Label switcher function |
Date: | 2010-11-14 02:19:46 |
Message-ID: | AANLkTimhoOpSnkfdR+3+S+hKyY+Hfjvd2G_-pgmXha=u@mail.gmail.com |
Lists: | pgsql-hackers |
2010/11/12 KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>:
> The attached patch allows the security label provider to switch
> the security label of the client during execution of certain functions.
> I named it "label switcher function"; it is also called a "trusted-
> procedure" in the SELinux community.
>
> This feature is quite a similar idea to a security definer function,
> or a set-uid program on an operating system. It allows label providers
> to switch their internal state that holds the security label of the
> client, then restore it.
> If and when a label provider says the function being invoked is
> a label-switcher, fmgr_security_definer() traps this invocation
> and sets some states just before the actual invocation.
>
> We added three new hooks for the security label provider.
> The get_client_label and set_client_label hooks allow the PG core to
> save and restore the security label of the client, which is mostly
> just an internal state of the plugin module.
> And, the get_switched_label shall return NULL or a valid label
> if the supplied function is a label switcher. It also informs
> the PG core whether the function is a switcher or not.

I don't see why the plugin needs to expose the label stack to core PG.
If the plugin needs a label stack, it can do that all on its own. I
see that we need the hooks to allow the plugin to selectively disable
inlining and to gain control when function execution starts and ends
(or aborts) but I don't think the exact manipulations that the plugin
chooses to do at that point need to be visible to core PG.

For SE-Linux, how do you intend to determine whether or not the
function is a trusted procedure? Will that be a function of the
security label applied to it?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
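
The design suggested in the reply above, sketched as an added example that is not part of the original message or the attached patch: the plugin keeps its label stack private and core only notifies it when a function starts, ends or aborts. Every name and label here is hypothetical (not a PostgreSQL or sepgsql API), and the policy lookup assumes the decision is keyed on the function's own label.

```c
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 32

/* Plugin-private state: core never sees the stack, it only calls the hooks. */
static const char *client_label = "user_t";   /* constructed sample label */
static const char *saved[MAX_DEPTH];
static int depth = 0;

/* Assumed policy: the function's own label marks it as a switcher (else NULL). */
static const char *switched_label_for(const char *func_label)
{
    if (strcmp(func_label, "trusted_proc_exec_t") == 0)
        return "trusted_proc_t";
    return NULL;
}

/* Hook, execution starts: 1 = pushed, 0 = not a switcher, -1 = too deep (deny). */
int plugin_func_start(const char *func_label)
{
    const char *next = switched_label_for(func_label);
    if (next == NULL) return 0;
    if (depth >= MAX_DEPTH) return -1;
    saved[depth++] = client_label;
    client_label = next;
    return 1;
}

/* Hook, normal return: pushed is what plugin_func_start returned. */
void plugin_func_end(int pushed)
{
    if (pushed == 1 && depth > 0) client_label = saved[--depth];
}

/* Hook, abort: unwind to the pre-call depth so an error cannot leak a switched label. */
void plugin_func_abort(int depth_at_entry)
{
    while (depth > depth_at_entry) client_label = saved[--depth];
}

const char *plugin_client_label(void) { return client_label; }
int plugin_depth(void) { return depth; }

int main(void)
{
    int pushed = plugin_func_start("trusted_proc_exec_t");
    printf("inside: %s\n", plugin_client_label());
    plugin_func_end(pushed);
    printf("after:  %s\n", plugin_client_label());
    return 0;
}
```
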