Re: [PATCH] SE-PgSQL/tiny rev.2193

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCH] SE-PgSQL/tiny rev.2193
Date: 2009-07-16 04:12:49
Message-ID: 4A5EA8C1.1090809@ak.jp.nec.com
Lists: pgsql-hackers

Updated SE-PgSQL patch is here:

http://sepgsql.googlecode.com/files/sepgsql-01-tiny-8.5devel-r2196.patch.gz

Unused definitions of SELinux's permissions are ripped out from
the permission table.

KaiGai Kohei wrote:
> The following patch is the tiny version of SE-PostgreSQL:
>
> http://sepgsql.googlecode.com/files/sepgsql-01-tiny-8.5devel-r2193.patch.gz
>
> In this version, all the security hooks (to make decision) invoked from
> outside of the pg_xxx_aclcheck() and superuser_arg() were separated.
> So, SE-PgSQL/tiny checks only the following four permissions:
> - db_database:{connect} ... equivalent to ACL_CONNECT on the database
> - db_database:{superuser} ... equivalent to the superuser privilege
> - db_schema:{usage} ... equivalent to ACL_USAGE on the namespace
> - db_procedure:{execute} ... equivalent to ACL_EXECUTE on the procedure
>
> All the database objects to be labeled are databases, namespaces and
> procedures, so I modified system column definitions.
> - db_database.datseclabel (text)
> - db_namespace.nspseclabel (text)
> - db_procedure.proseclabel (text)
> When we create a new one, a default security label shall be assigned
> as far as we don't give any explicit security label.
> (In the current version, it only performs a sanity check of the security
> label, without any permission checks.)
>
> The following features were separated.
> - Facility to cache access control decisions
> - Table/column level access controls
> - Trusted procedures
>
> FYI, It is the scale of patch.
>
> It may seem to you that the "tiny" is larger than the "lite".
> But, 50% of changeset is at include/catalog/pg_proc.h, because we separate
> the pg_security facility, so it was necessary to add a new regular attribute
> into pg_proc system catalog. The pg_proc.h has 2000 of definitions for built
> in functions, using DATA(...) macro. I updated them by sed script.
> It is the reason for the big changeset.
>
> This patch also contains 570L of documentation changes, and 442L of testcases.
> So, actual code changeset is about 2700L.
>
> [kaigai(at)saba]$ diffstat /home/kaigai/RPMS/SOURCES/sepgsql-01-tiny-8.5devel-r2193.patch.gz
> configure | 112
> configure.in | 13
> doc/src/sgml/catalogs.sgml | 21
> doc/src/sgml/config.sgml | 42
> doc/src/sgml/errcodes.sgml | 21
> doc/src/sgml/filelist.sgml | 1
> doc/src/sgml/postgres.sgml | 1
> doc/src/sgml/ref/alter_database.sgml | 12
> doc/src/sgml/ref/alter_function.sgml | 13
> doc/src/sgml/ref/alter_schema.sgml | 11
> doc/src/sgml/ref/create_database.sgml | 14
> doc/src/sgml/ref/create_function.sgml | 12
> doc/src/sgml/ref/create_schema.sgml | 16
> doc/src/sgml/ref/initdb.sgml | 11
> doc/src/sgml/sepgsql.sgml | 395
> src/Makefile.global.in | 1
> src/backend/Makefile | 7
> src/backend/bootstrap/bootstrap.c | 4
> src/backend/catalog/aclchk.c | 22
> src/backend/catalog/namespace.c | 17
> src/backend/catalog/pg_aggregate.c | 3
> src/backend/catalog/pg_namespace.c | 6
> src/backend/catalog/pg_proc.c | 29
> src/backend/commands/alter.c | 31
> src/backend/commands/dbcommands.c | 86
> src/backend/commands/functioncmds.c | 82
> src/backend/commands/proclang.c | 6
> src/backend/commands/schemacmds.c | 69
> src/backend/nodes/copyfuncs.c | 19
> src/backend/nodes/equalfuncs.c | 17
> src/backend/parser/gram.y | 68
> src/backend/security/Makefile | 11
> src/backend/security/sepgsql/Makefile | 16
> src/backend/security/sepgsql/avc.c | 331
> src/backend/security/sepgsql/dummy.c | 31
> src/backend/security/sepgsql/hooks.c | 167
> src/backend/security/sepgsql/label.c | 523 +
> src/backend/security/sepgsql/misc.c | 152
> src/backend/security/sepgsql/perms.c | 353
> src/backend/security/sepgsql/policy/Makefile | 28
> src/backend/security/sepgsql/policy/sepostgresql-devel.fc.template | 12
> src/backend/security/sepgsql/policy/sepostgresql-devel.te | 119
> src/backend/tcop/utility.c | 27
> src/backend/utils/init/postinit.c | 11
> src/backend/utils/misc/guc.c | 19
> src/backend/utils/misc/postgresql.conf.sample | 4
> src/backend/utils/misc/superuser.c | 16
> src/bin/initdb/initdb.c | 13
> src/include/catalog/pg_attribute.h | 4
> src/include/catalog/pg_class.h | 2
> src/include/catalog/pg_database.h | 6
> src/include/catalog/pg_namespace.h | 12
> src/include/catalog/pg_proc.h | 4242 !!!!!!!!!!
> src/include/catalog/pg_proc_fn.h | 3
> src/include/commands/alter.h | 1
> src/include/commands/dbcommands.h | 1
> src/include/commands/defrem.h | 1
> src/include/commands/schemacmds.h | 1
> src/include/nodes/nodes.h | 1
> src/include/nodes/parsenodes.h | 15
> src/include/parser/kwlist.h | 1
> src/include/pg_config.h.in | 3
> src/include/security/sepgsql.h | 295
> src/include/utils/errcodes.h | 5
> src/test/sepgsql/Makefile | 74
> src/test/sepgsql/expected/functions.out | 54
> src/test/sepgsql/expected/seclabel.out | 129
> src/test/sepgsql/launch_psql.c | 86
> src/test/sepgsql/sql/functions.sql | 27
> src/test/sepgsql/sql/seclabel.sql | 72
> 70 files changed, 3695 insertions(+), 4335 modifications(!)
>

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
