Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches - Mailing list pgsql-hackers
From | KaiGai Kohei |
---|---|
Subject | Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches |
Date | |
Msg-id | 47E0AAEE.3080308@ak.jp.nec.com |
In response to | Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches (KaiGai Kohei <kaigai@ak.jp.nec.com>) |
List | pgsql-hackers |
For easier reviewing, the most fundamental patch to implement PGACE (PostgreSQL Access Control Extension) was separated into three parts.

I want to start discussion about the PGACE security framework at first. Any comments are welcome.

[1/3] PGACE core features
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-1-core.r713.patch

It adds the following new files:
- src/include/security/pgace.h
  declares all of the PGACE related hooks and functions.
- src/backend/security/pgaceHooks.c
  provides dummy functions to be invoked when no security modules are enabled. They don't affect anything in access control.
- src/backend/security/pgaceCommon.c
  provides common features for every security module, including security-attribute system column support, SQL extension, and functions to manage the security-attribute of large objects.

[2/3] Security attribute system column
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-2-security-attr.r713.patch

Guest modules of PGACE can associate a security attribute with a tuple. The guest module can utilize this to make its decision in access control. (Unclassified users cannot access 'Secret' tuples, for example)

This attribute is stored in the padding field of HeapTupleHeaderData, as oid does. It requires an additional "sizeof(Oid)" bytes to store it.

Users can refer to this attribute via a system column. The name of the new system column is defined as SECURITY_SYSATTR_NAME at include/pg_config.h.in, and the guest module decides its name. In SE-PostgreSQL, it is named "security_context".

EXAMPLE of security attribute)

postgres=# SELECT security_context, * FROM drink;
             security_context             | id | name  | price | alcohol
------------------------------------------+----+-------+-------+---------
 unconfined_u:object_r:sepgsql_table_t:s0 |  1 | water |   100 | f
 unconfined_u:object_r:sepgsql_table_t:s0 |  2 | coke  |   120 | f
 unconfined_u:object_r:sepgsql_table_t:s0 |  3 | juice |   130 | f
 system_u:object_r:sepgsql_table_t:s0:c0  |  4 | cofee |   180 | f
 system_u:object_r:sepgsql_table_t:s0:c0  |  5 | beer  |   240 | t
 system_u:object_r:sepgsql_table_t:s0:c0  |  6 | sake  |   320 | t
(6 rows)

We can use this security attribute as a target of an UPDATE or INSERT statement. It enables the DBA to manage security attributes with normal SQL operations.

[3/3] PGACE security hooks
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-3-security-hooks.r713.patch

This patch deploys several PGACE hooks on strategic points in PostgreSQL. These hooks invoke a security module mounted on PGACE, and it can make its decision whether this action should be allowed, or not.

The list of PGACE hooks is at:
http://code.google.com/p/sepgsql/wiki/WhatIsPGACE

It shows us a more comprehensive specification about what kind of hooks are provided, what information is given and what value should be returned.

NOTE: I categorized the patched files into three parts. However, some of them contain security attribute system column facilities and PGACE hooks facilities. In this case, I categorized these files into part 2.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
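The per-tuple decision described in the message above ("Unclassified users cannot access 'Secret' tuples"), modelled as an added example that is not part of the original post or of the SE-PostgreSQL patches. It assumes the guest module applies an MLS dominance rule to the level at the end of each `security_context`; the subject contexts and all function names are constructed for illustration.

```python
# Added illustration, not code from the PGACE / SE-PostgreSQL patches.
# Assumption: the guest module allows a read only when the subject's MLS
# level dominates the tuple's level. All function names are hypothetical.
import re

# Constructed from the sample psql output in the message above:
# (security_context, id, name, price, alcohol)
DRINK = [
    ("unconfined_u:object_r:sepgsql_table_t:s0", 1, "water", 100, False),
    ("unconfined_u:object_r:sepgsql_table_t:s0", 2, "coke", 120, False),
    ("unconfined_u:object_r:sepgsql_table_t:s0", 3, "juice", 130, False),
    ("system_u:object_r:sepgsql_table_t:s0:c0", 4, "cofee", 180, False),
    ("system_u:object_r:sepgsql_table_t:s0:c0", 5, "beer", 240, True),
    ("system_u:object_r:sepgsql_table_t:s0:c0", 6, "sake", 320, True),
]


def parse_level(context):
    """Return (sensitivity, categories) from user:role:type:sN[:cA,cB.cC]."""
    fields = context.split(":", 4)
    sens = re.fullmatch(r"s(\d+)", fields[3]) if len(fields) >= 4 else None
    if sens is None:
        raise ValueError(f"malformed security context: {context!r}")
    categories = set()
    for part in fields[4].split(",") if len(fields) == 5 else []:
        cat = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if cat is None:
            raise ValueError(f"malformed category set: {context!r}")
        low = int(cat.group(1))
        high = int(cat.group(2)) if cat.group(2) else low
        categories.update(range(low, high + 1))
    return int(sens.group(1)), frozenset(categories)


def dominates(subject_ctx, object_ctx):
    """True when the subject's level is >= the object's in both parts."""
    s_sens, s_cats = parse_level(subject_ctx)
    o_sens, o_cats = parse_level(object_ctx)
    return s_sens >= o_sens and s_cats >= o_cats


def visible_rows(subject_ctx, rows):
    """Keep only tuples whose security_context the subject may read."""
    return [row for row in rows if dominates(subject_ctx, row[0])]


if __name__ == "__main__":
    for ctx in ("user_u:user_r:user_t:s0", "staff_u:staff_r:staff_t:s0:c0.c3"):
        print(ctx, [row[2] for row in visible_rows(ctx, DRINK)])
```

A malformed label raises `ValueError` rather than being treated as the lowest level, so a corrupted attribute fails closed in this model.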