2010/11/12 KaiGai Kohei <kai...@kaigai.gr.jp>:
> The attached patch allows the security label provider to switch
> security label of the client during execution of certain functions.
> I named it as "label switcher function"; also called as
> "trusted-procedure" in SELinux community.
>
> This feature is quite similar idea toward security definer function,
> or set-uid program on operating system. It allows label providers
> to switch its internal state that holds security label of the
> client, then restore it.
> If and when a label provider said the function being invoked is
> a label-switcher, fmgr_security_definer() traps this invocation
> and set some states just before actual invocations.
>
> We added three new hooks for security label provider.
> The get_client_label and set_client_label allows the PG core to
> save and restore security label of the client; which is mostly
> just an internal state of plugin module.
> And, the get_switched_label shall return NULL or a valid label
> if the supplied function is a label switcher. It also informs
> the PG core whether the function is switcher or not.

I don't see why the plugin needs to expose the label stack to core PG. If the plugin needs a label stack, it can do that all on its own. I see that we need the hooks to allow the plugin to selectively disable inlining and to gain control when function execution starts and ends (or aborts) but I don't think the exact manipulations that the plugin chooses to do at that point need to be visible to core PG.

For SE-Linux, how do you intend to determine whether or not the function is a trusted procedure? Will that be a function of the security label applied to it?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
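
The design discussed in this message, a label stack kept entirely inside the plugin and driven only by function start and end (or abort) notifications, as an added stand-alone C model; it is not code from the patch or from PostgreSQL. The callback names, the label strings and the rule that the function's own label decides whether it is a switcher are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 16
#define LABEL_LEN 64

/* Plugin-private state; the core never reads or writes it. */
static char client_label[LABEL_LEN] = "user_t";   /* constructed label */
static char saved_labels[MAX_DEPTH][LABEL_LEN];
static int  depth = 0;

/* Hypothetical policy lookup: the label to run under, or NULL if the
 * function is not a label switcher. Keyed on the function's own label
 * (an assumption; the thread leaves this question open). */
static const char *switched_label_for(const char *func_label)
{
    if (strcmp(func_label, "trusted_proc_exec_t") == 0)
        return "trusted_proc_t";
    return NULL;
}

/* Hypothetical start-of-function callback.
 * Returns 1 if a frame was pushed, 0 if nothing changed,
 * -1 if the stack is full (caller should refuse the call). */
int on_function_start(const char *func_label)
{
    const char *new_label = switched_label_for(func_label);

    if (new_label == NULL)
        return 0;
    if (depth >= MAX_DEPTH)
        return -1;                      /* fail closed, never overflow */
    strcpy(saved_labels[depth++], client_label);
    snprintf(client_label, LABEL_LEN, "%s", new_label);
    return 1;
}

/* Hypothetical end-of-function callback, invoked on normal return and
 * on abort alike, so the elevated label cannot outlive the call. */
void on_function_end(int pushed)
{
    if (pushed == 1 && depth > 0)
        strcpy(client_label, saved_labels[--depth]);
}

const char *current_client_label(void)
{
    return client_label;
}
```

The core only needs to pass the value returned by the start callback back to the end callback; the save and restore of the label itself stays invisible to it.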