Re: security hook on authorization

On Aug 20, 2010, at 8:27 PM, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> (2010/08/20 23:34), Robert Haas wrote:
>> 2010/8/19 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>> I think our standard criteria for the inclusion of hooks is that you
>> must demonstrate that the hook can be used to do something interesting
>> that couldn't be done without the hook. So far I'm unconvinced.
>>
> We cannot handle an error of labeled networking (getpeercon(3)),
> if we don't have any hook during client authorization stage.
>
> If and when a connection came from a host but we don't accept the
> delivered security label, or labeled networking is misconfigured,
> getpeercon(3) returns NULL. In this case, server cannot identify
> what label should be applied on the client, then, we should
> disconnect this connection due to the error on database login,
> not any access control decision.
>
> In similar case, psm_selinux.so disconnect the connection when
> it cannot identify what security label shall be assigned on the
> session, due to some reasons such as misconfigurations.
>
> Without any hooks at authorization stage (but it might be different
> place from this patch, of course), we need to delay the error
> handling by the time when SE-PostgreSQL module is invoked at first.
> But it is already connection established and user sends a query.
> It seems to me quite strange behavior.

You mentioned that before. I'm not totally sure I buy it, and I think there are other applications that might benefit from a hook in this area. We need to think about trying to do this in a way that is as general as possible. So I'd like to see some analysis of other possible applications.

...Robert