Re: security label support, revised

(2010/09/13 21:57), Robert Haas wrote:
> On Mon, Sep 13, 2010 at 8:38 AM, KaiGai Kohei<kaigai(at)kaigai(dot)gr(dot)jp> wrote:
>> Yes, if and when MAC-X and MAC-Y are installed, it is significant event
>> for MAC-X to change X's label, so MAC-X may need to check special
>> permissions. But it is a common event for MAC-Y and DAC, so they checks
>> an appropriate permission to change one of the properties. Hoever, it
>> does not mean we should not give any chance MAC-Y and DAC to check
>> something.
>>
>> I'll revise my patch within a couple of days.
>
> I have a feeling we are talking past each other.
>
Perhaps, we might discuss about this topic before, but it's unclear for me.

The attached patch is a revised version, but a bit difference from what
I introduced yesterday.

The commands/seclabel.c still keeps the list of a pair of esp tag and
its security hook on relabeling, but it was modified to invoke all the
registered hooks with/without the supplied security label.

The guest of the hook has the following prototype:

void check_object_relabel(const ObjectAddress *object,
const char *seclabel);

When user tries to change the security label owned by other ESP,
the hook shall be invoked with NULL as the 'seclabel' argument,
because it does not need to know the new label itself.
(Perhaps, a flag as 3rd argument is more preferable.)

If we would implement it as a simple hook chain, like other existing
hooks, it is not easy to put the logic that allows to omit FOR clause
when only one ESP is install, on the core PG routine, because here is
no way to count number of installed ESPs. :-(

Code example of ESP module at:
http://code.google.com/p/sepgsql/source/browse/trunk/sepgsql/label.c#214

Thanks,
--
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>