>>> How about an idea to add a new flag in RangeTblEntry which shows where >>> the RangeTblEntry came from, instead of clearing requiredPerms? >>> If the flag is true, I think ExecCheckRTEPerms() can simply skip checks >>> on the child tables. >> >> How about the external module just checks if the current object being >> queried has parents, and if so, goes and checks the >> labels/permissions/etc on those children? That way the query either >> always fails or never fails for a given caller, rather than sometimes >> working and sometimes not depending on the query. >> > Hmm, this idea may be feasible. The RangeTblEntry->inh flag of the parent > will give us a hint whether we also should check labels on its children. >
http://code.google.com/p/sepgsql/source/browse/trunk/sepgsql/relation.c#293 At least, it seems to me this logic works as expected. postgres=# CREATE TABLE tbl_p (a int, b text); CREATE TABLE postgres=# CREATE TABLE tbl_1 (check (a < 100)) inherits (tbl_p); CREATE TABLE postgres=# CREATE TABLE tbl_2 (check (a >= 100 and a < 200)) inherits (tbl_p); CREATE TABLE postgres=# CREATE TABLE tbl_3 (check (a >= 300)) inherits (tbl_p); CREATE TABLE postgres=# SECURITY LABEL on TABLE tbl_p IS 'system_u:object_r:sepgsql_table_t:s0'; SECURITY LABEL postgres=# SECURITY LABEL on COLUMN tbl_p.a IS 'system_u:object_r:sepgsql_table_t:s0'; SECURITY LABEL postgres=# SECURITY LABEL on COLUMN tbl_p.b IS 'system_u:object_r:sepgsql_table_t:s0'; SECURITY LABEL postgres=# set sepgsql_debug_audit = on; SET postgres=# SELECT a FROM ONLY tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_p STATEMENT: SELECT a FROM ONLY tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_p.a STATEMENT: SELECT a FROM ONLY tbl_p WHERE a = 150; a --- (0 rows) -> ONLY tbl_p was not expanded postgres=# SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_p STATEMENT: SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_p.a STATEMENT: SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_1 STATEMENT: SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_1.a STATEMENT: SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_2 STATEMENT: SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_2.a STATEMENT: SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_3 STATEMENT: SELECT a FROM tbl_p WHERE a = 150; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_3.a STATEMENT: SELECT a FROM tbl_p WHERE a = 150; a --- (0 rows) -> tbl_p was expanded to tbl_1, tbl_2 and tbl_3 postgres=# set sepgsql_debug_audit = off; SET postgres=# EXPLAIN SELECT a FROM tbl_p WHERE a = 150; QUERY PLAN ------------------------------------------------------------------------ Result (cost=0.00..50.75 rows=12 width=4) -> Append (cost=0.00..50.75 rows=12 width=4) -> Seq Scan on tbl_p (cost=0.00..25.38 rows=6 width=4) Filter: (a = 150) -> Seq Scan on tbl_2 tbl_p (cost=0.00..25.38 rows=6 width=4) Filter: (a = 150) (6 rows) -> Actually, it does not scan tbl_1 and tbl_3 due to the a = 150. -- KaiGai Kohei <kai...@ak.jp.nec.com> -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
