| From: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | revamp row-security tracking |
| Date: | 2024-11-21 18:00:37 |
| Message-ID: | Zz91RagtQg2s9497@nathan |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
In light of CVE-2024-10976, which was fixed by commit cd7ab57, I'd like to
propose a bigger change to this area of the code that aims to future-proof
it a bit. Instead of requiring hackers to carefully cart around whether a
query references a table with RLS enabled, I think we should instead
accumulate such information globally and require higher-level routines like
fireRIRrules() and inline_set_returning_function() to inspect it as needed.
The attached patch accomplishes this by establishing a global queue of
row-security "nest levels" that the aforementioned higher-level callers can
use. Essentially, they will first call PushRowSecurityNestLevel(), then
any calls to get_row_security_policies() that encounter a table with
row-security enabled will mark the current nest level (and its parents).
Finally, PopRowSecurity() is used to retrieve whether row-security might
apply, and the query can be marked correctly. I've also attempted to
handle resetting this queue after an ERROR or failed SRF inlining, but I'm
not yet positive that I've got all the details right.
With this patch applied, we should be able to revert some of the
row-security tracking code, especially the stuff added by commit cd7ab57.
Thoughts?
--
nathan
| Attachment | Content-Type | Size |
|---|---|---|
| v1-0001-revamp-row-security-tracking.patch | text/plain | 16.4 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Marcos Pegoraro | 2024-11-21 18:08:27 | Re: Document NULL |
| Previous Message | Yogesh Sharma | 2024-11-21 17:57:18 | Re: Add a write_to_file member to PgStat_KindInfo |