I updated my patch set of SE-PostgreSQL and related stuff (r1425).

[1/5] 
http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1425.patch
[2/5] 
http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1425.patch
[3/5] 
http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1425.patch
[4/5] 
http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1425.patch
[5/5] 
http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1425.patch

I tried to check my patches again, as if I were a reviewer.
Then I found some points to be fixed.
Please change your reviewing base if you have seen the previous version partway.
(No changes here except for the following parts.)

List of updates:
- Rebased to the latest CVS HEAD.
- pgaceProxyQuery() is renamed to pgacePostRewriteQuery().
  In the legacy version, SE-PostgreSQL modified the WHERE clause here,
  so it had the name "Proxy", but that name has become meaningless now.
- triggerIsForeignKeyConstraint() is replaced by
  RI_FKey_trigger_type() due to code duplication.
- bugfix: avc_datum_count was not incremented correctly in
  avc_make_entry().
- The hook in fmgr_info_cxt() is reverted because it applied access
  control to purely internal function usage. Now we follow the
  manner of pg_proc_aclcheck(), and add checks on system catalog
  updates related to function usage.
- bugfix: When we update security_label, sepgsqlHeapTupleUpdate()
  checked *:{relabelfrom} permission twice. It was redundant.
- Security policy was updated to fit latest selinux-policy package.


Folks in pgsql-hackers,

My patch set has grown a bit large over these two and a half years, indeed,
but most of it is the deployment of security hooks, and it is well modularized.
Please don't hesitate to review the code and comment on anything.
We badly need volunteers, even if you cannot provide a comprehensive
review. If necessary, I shall put my efforts into updating them with the highest
priority, to get it merged in v8.4.


$ diffstat sepostgresql-sepgsql-8.4devel-3-r1425.patch
 configure                                     |  113 +
 configure.in                                  |   13
 src/Makefile.global.in                        |    1
 src/backend/Makefile                          |    7
 src/backend/access/common/heaptuple.c         |   35
 src/backend/access/common/reloptions.c        |   22
 src/backend/access/common/tupdesc.c           |   12
 src/backend/access/heap/heapam.c              |   19
 src/backend/access/heap/tuptoaster.c          |   19
 src/backend/bootstrap/bootparse.y             |   13
 src/backend/bootstrap/bootstrap.c             |    8
 src/backend/catalog/Makefile                  |    1
 src/backend/catalog/aclchk.c                  |    2
 src/backend/catalog/catalog.c                 |    4
 src/backend/catalog/heap.c                    |   91 !
 src/backend/catalog/index.c                   |   16
 src/backend/catalog/pg_aggregate.c            |    3
 src/backend/catalog/pg_largeobject.c          |    5
 src/backend/catalog/pg_proc.c                 |    6
 src/backend/catalog/toasting.c                |    3
 src/backend/commands/cluster.c                |   11
 src/backend/commands/copy.c                   |  293 +++!
 src/backend/commands/dbcommands.c             |   20
 src/backend/commands/functioncmds.c           |   29
 src/backend/commands/lockcmds.c               |    3
 src/backend/commands/proclang.c               |    6
 src/backend/commands/tablecmds.c              |   23
 src/backend/commands/trigger.c                |   25
 src/backend/executor/execJunk.c               |    6
 src/backend/executor/execMain.c               |  210 +++
 src/backend/executor/execQual.c               |    4
 src/backend/executor/execScan.c               |   40
 src/backend/executor/execTuples.c             |   19
 src/backend/executor/execUtils.c              |   10
 src/backend/executor/functions.c              |    6
 src/backend/executor/nodeAgg.c                |    5
 src/backend/executor/nodeMergejoin.c          |    2
 src/backend/executor/nodeSubplan.c            |    4
 src/backend/executor/nodeWindowAgg.c          |    4
 src/backend/executor/spi.c                    |    4
 src/backend/libpq/be-fsstubs.c                |   16
 src/backend/nodes/copyfuncs.c                 |   44
 src/backend/nodes/equalfuncs.c                |   34
 src/backend/nodes/outfuncs.c                  |   41
 src/backend/nodes/readfuncs.c                 |   36
 src/backend/optimizer/plan/createplan.c       |    6
 src/backend/optimizer/plan/planner.c          |    1
 src/backend/optimizer/util/clauses.c          |    5
 src/backend/optimizer/util/relnode.c          |    1
 src/backend/parser/analyze.c                  |   49
 src/backend/parser/gram.y                     |   64 !
 src/backend/parser/parse_target.c             |   64 !
 src/backend/postmaster/postmaster.c           |   43
 src/backend/rewrite/rewriteHandler.c          |    3
 src/backend/security/Makefile                 |   23
 src/backend/security/pgaceCommon.c            |  729 ++++++++++++
 src/backend/security/pgaceHooks.c             | 1524 ++++++++++++++++++++++++++
 src/backend/security/rowacl/rowacl.c          |  721 ++++++++++++
 src/backend/security/sepgsql/avc.c            | 1118 +++++++++++++++++++
 src/backend/security/sepgsql/core.c           |  623 ++++++++++
 src/backend/security/sepgsql/hooks.c          |  952 ++++++++++++++++
 src/backend/security/sepgsql/permissions.c    |  785 +++++++++++++
 src/backend/security/sepgsql/proxy.c          | 1134 +++++++++++++++++++
 src/backend/storage/file/fd.c                 |    7
 src/backend/storage/ipc/ipci.c                |    2
 src/backend/tcop/fastpath.c                   |    2
 src/backend/tcop/pquery.c                     |    2
 src/backend/tcop/utility.c                    |    3
 src/backend/utils/adt/acl.c                   |    6
 src/backend/utils/adt/ri_triggers.c           |   25
 src/backend/utils/adt/trigfuncs.c             |   11
 src/backend/utils/cache/catcache.c            |   32
 src/backend/utils/cache/plancache.c           |   12
 src/backend/utils/cache/relcache.c            |   38
 src/backend/utils/cache/syscache.c            |   40
 src/backend/utils/fmgr/dfmgr.c                |   10
 src/backend/utils/init/postinit.c             |    4
 src/backend/utils/misc/guc.c                  |   58
 src/backend/utils/misc/postgresql.conf.sample |    6
 src/include/access/htup.h                     |   68 +
 src/include/access/sysattr.h                  |    9
 src/include/access/tupdesc.h                  |    2
 src/include/catalog/heap.h                    |   11
 src/include/catalog/indexing.h                |    5
 src/include/catalog/pg_attribute.h            |  495 !!!!!!!!
 src/include/catalog/pg_class.h                |    2
 src/include/catalog/pg_proc.h                 |   21
 src/include/catalog/pg_proc_fn.h              |    3
 src/include/catalog/pg_security.h             |   31
 src/include/catalog/pg_type.h                 |    1
 src/include/executor/executor.h               |   11
 src/include/executor/tuptable.h               |    4
 src/include/fmgr.h                            |    3
 src/include/libpq/be-fsstubs.h                |    3
 src/include/nodes/nodes.h                     |    4
 src/include/nodes/parsenodes.h                |   17
 src/include/nodes/plannodes.h                 |   10
 src/include/nodes/relation.h                  |    2
 src/include/nodes/security.h                  |   45
 src/include/pg_config.h.in                    |    3
 src/include/security/pgace.h                  |  180 +++
 src/include/security/rowacl.h                 |   41
 src/include/security/sepgsql.h                |  230 +++
 src/include/storage/fd.h                      |    1
 src/include/storage/lwlock.h                  |    1
 src/include/utils/acl.h                       |    7
 src/include/utils/catcache.h                  |    1
 src/include/utils/errcodes.h                  |    7
 src/include/utils/rel.h                       |   18
 src/include/utils/syscache.h                  |    4
 110 files changed, 9697 insertions(+), 16 deletions(-), 918 modifications(!)

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kai...@ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers