| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: sepgsql contrib module |
| Date: | 2011-01-21 16:10:53 |
| Message-ID: | AANLkTi=pLZ1hu8WQX1PAx8tjxnfC_U6Y_A07S49=1cB-@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Jan 21, 2011 at 11:00 AM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> 2011/1/22 Robert Haas <robertmhaas(at)gmail(dot)com>:
>> On Fri, Jan 21, 2011 at 10:46 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>>>> On Fri, Jan 21, 2011 at 9:55 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>>>> ALTER FUNCTION is supposed to cause plan invalidation in such a case.
>>>>> Not sure if GRANT plays nice with that though.
>>>
>>>> And in the case of SE-Linux, this could get changed from outside the
>>>> database. Not sure how to handle that. I guess we could just never
>>>> inline anything, but that might be an overreaction.
>>>
>>> I think SELinux is just out of luck in that case. If it didn't refuse
>>> execution permission at the time we checked before inlining (which we
>>> do), it doesn't get to change its mind later.
>>
>> Seems reasonable to me, if it works for KaiGai.
>>
> I assume users of SE-PostgreSQL put their first priority on security,
> not best-performance. So, I also think it is reasonable to kill a part of
> optimization for the strict security checks.
>
> Here is one request for the hook.
> needs_fmgr_hook() is called by fmgr_info_cxt_security() and routines
> to inline. I need a flag to distinct these cases, because we don't need
> to invoke all the functions via fmgr_security_definer(), even if it never
> allows to inline.
I don't want to go there, and it's not what Tom was proposing anyway.
The idea is - if the user creates a function which is NOT a trusted
procedure and executes it, and then subsequently changes the system
security policy so that it becomes a trusted procedure, the user will
be responsible for flushing the cached plans before the new value will
take effect. That doesn't require nearly as much de-optimization, and
I don't believe it is a serious issue from a security perspective,
either. (Note that the reverse case, where a trusted procedure is
demoted to a non-trusted procedure, isn't an issue, because we will
have suppressed inlining and the new execution will follow the right
rules, just with reduced performance.)
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kevin Grittner | 2011-01-21 16:16:21 | Re: SSI and Hot Standby |
| Previous Message | Heikki Linnakangas | 2011-01-21 16:05:44 | Re: review: FDW API |