Quick Links

Re: security label support, part.2

From:	KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To:	Stephen Frost <sfrost(at)snowman(dot)net>
Cc:	Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject:	Re: security label support, part.2
Date:	2010-08-19 03:36:30
Message-ID:	4C6CA6BE.8000503@ak.jp.nec.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

>>> How about an idea to add a new flag in RangeTblEntry which shows where
>>> the RangeTblEntry came from, instead of clearing requiredPerms?
>>> If the flag is true, I think ExecCheckRTEPerms() can simply skip checks
>>> on the child tables.
>>
>> How about the external module just checks if the current object being
>> queried has parents, and if so, goes and checks the
>> labels/permissions/etc on those children? That way the query either
>> always fails or never fails for a given caller, rather than sometimes
>> working and sometimes not depending on the query.
>>
> Hmm, this idea may be feasible. The RangeTblEntry->inh flag of the parent
> will give us a hint whether we also should check labels on its children.
>

http://code.google.com/p/sepgsql/source/browse/trunk/sepgsql/relation.c#293

At least, it seems to me this logic works as expected.

postgres=# CREATE TABLE tbl_p (a int, b text);
CREATE TABLE
postgres=# CREATE TABLE tbl_1 (check (a < 100)) inherits (tbl_p);
CREATE TABLE
postgres=# CREATE TABLE tbl_2 (check (a >= 100 and a < 200)) inherits (tbl_p);
CREATE TABLE
postgres=# CREATE TABLE tbl_3 (check (a >= 300)) inherits (tbl_p);
CREATE TABLE
postgres=# SECURITY LABEL on TABLE tbl_p IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL
postgres=# SECURITY LABEL on COLUMN tbl_p.a IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL
postgres=# SECURITY LABEL on COLUMN tbl_p.b IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL

postgres=# set sepgsql_debug_audit = on;
SET

postgres=# SELECT a FROM ONLY tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_p
STATEMENT: SELECT a FROM ONLY tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_p.a
STATEMENT: SELECT a FROM ONLY tbl_p WHERE a = 150;
a
---
(0 rows)

-> ONLY tbl_p was not expanded

postgres=# SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_p
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_p.a
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_1
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_1.a
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_2
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_2.a
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_3
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_3.a
STATEMENT: SELECT a FROM tbl_p WHERE a = 150;
a
---
(0 rows)

-> tbl_p was expanded to tbl_1, tbl_2 and tbl_3

postgres=# set sepgsql_debug_audit = off;
SET
postgres=# EXPLAIN SELECT a FROM tbl_p WHERE a = 150;
QUERY PLAN
------------------------------------------------------------------------
Result (cost=0.00..50.75 rows=12 width=4)
-> Append (cost=0.00..50.75 rows=12 width=4)
-> Seq Scan on tbl_p (cost=0.00..25.38 rows=6 width=4)
Filter: (a = 150)
-> Seq Scan on tbl_2 tbl_p (cost=0.00..25.38 rows=6 width=4)
Filter: (a = 150)
(6 rows)

-> Actually, it does not scan tbl_1 and tbl_3 due to the a = 150.

--
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

Re: security label support, part.2 at 2010-08-19 00:33:20 from KaiGai Kohei

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Michael Haggerty	2010-08-19 03:44:07	Re: git: uh-oh
Previous Message	Robert Haas	2010-08-19 01:46:45	Re: CommitFest 2009-07: Yay, Kevin! Thanks, reviewers!