Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches - Mailing list pgsql-hackers

From KaiGai Kohei
Subject Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches
Date
Msg-id 47E0AAEE.3080308@ak.jp.nec.com
In response to Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
List pgsql-hackers
For easier reviewing, the most fundamental patch to implement PGACE (PostgreSQL
Access Control Extension) was separated into three parts.

I want to start a discussion about the PGACE security framework first.
Any comments are welcome.

[1/3] PGACE core features
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-1-core.r713.patch

 It adds the following new files:
  - src/include/security/pgace.h
      declares all of the PGACE-related hooks and functions.
  - src/backend/security/pgaceHooks.c
      provides dummy functions to be invoked when no security modules are enabled.
      They don't affect anything in access control.
  - src/backend/security/pgaceCommon.c
      provides common features for every security module, including security-attribute
      system column support, SQL extension, and functions to manage the security attribute
      of large objects.
 


[2/3] Security attribute system column
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-2-security-attr.r713.patch

 Guest modules of PGACE can associate a security attribute with a tuple. The guest module
 can utilize this to make its decision in access control. (Unclassified users cannot access
 'Secret' tuples, for example.) This attribute is stored in the padding field of
 HeapTupleHeaderData, as oid does. It requires an additional "sizeof(Oid)" bytes to store it.
 
 Users can refer to this attribute via a system column. The name of the new system column is
 defined as SECURITY_SYSATTR_NAME at include/pg_config.h.in, and the guest module decides
 its name. In SE-PostgreSQL, it is named "security_context".
 
 EXAMPLE of security attribute)
    postgres=# SELECT security_context, * FROM drink;
                 security_context             | id | name  | price | alcohol
    ------------------------------------------+----+-------+-------+---------
     unconfined_u:object_r:sepgsql_table_t:s0 |  1 | water |   100 | f
     unconfined_u:object_r:sepgsql_table_t:s0 |  2 | coke  |   120 | f
     unconfined_u:object_r:sepgsql_table_t:s0 |  3 | juice |   130 | f
     system_u:object_r:sepgsql_table_t:s0:c0  |  4 | cofee |   180 | f
     system_u:object_r:sepgsql_table_t:s0:c0  |  5 | beer  |   240 | t
     system_u:object_r:sepgsql_table_t:s0:c0  |  6 | sake  |   320 | t
    (6 rows)
 
 We can use this security attribute as a target of an UPDATE or INSERT statement. It enables
 the DBA to manage security attributes with normal SQL operations.
 


[3/3] PGACE security hooks
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-3-security-hooks.r713.patch

 This patch deploys several PGACE hooks on strategic points in PostgreSQL. These hooks invoke
 a security module mounted on PGACE, and it can make its decision whether this action should
 be allowed or not.
 
 The list of PGACE hooks is at:
   http://code.google.com/p/sepgsql/wiki/WhatIsPGACE
 It shows us a more comprehensive specification about what kind of hooks are provided, what
 information is given and what value should be returned.
 
  NOTE: I categorized patched files into three parts. However, some of them
        contain security attribute system column facilities and PGACE hooks
        facilities.
        In this case, I categorized these files into part 2.
 

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
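
The per-tuple decision described in [2/3] and [3/3], as an added example that is not code from the PGACE or SE-PostgreSQL patches: a simplified model in which a guest module compares the client's label with the tuple's security attribute. The function names, the client context, and the use of the standard MLS "client level dominates tuple level" read rule are assumptions of this example; only single-level labels are parsed, and anything else is denied.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MLS part of "user:role:type:sN[:cA,cB]"; single level only, no ranges. */
typedef struct { long sens; unsigned long long cats; } mls_level;
/* Returns 0 on success, -1 on anything this simplified parser does not accept. */
static int parse_level(const char *ctx, mls_level *out)
{
    const char *p = ctx;
    char *end;
    for (int i = 0; i < 3; i++, p++)        /* skip user, role and type */
        if ((p = strchr(p, ':')) == NULL) return -1;
    if (p[0] != 's' || !isdigit((unsigned char)p[1])) return -1;
    out->sens = strtol(p + 1, &end, 10);
    out->cats = 0;
    if (*end == '\0') return 0;             /* sensitivity only, no categories */
    if (*end != ':') return -1;             /* e.g. a range such as "s0-s1" */
    do {
        p = end + 1;                        /* step over ':' or ',' */
        if (p[0] != 'c' || !isdigit((unsigned char)p[1])) return -1;
        long c = strtol(p + 1, &end, 10);
        if (c > 63) return -1;              /* this model keeps categories in 64 bits */
        out->cats |= 1ULL << c;
    } while (*end == ',');
    return *end == '\0' ? 0 : -1;
}

/* Hypothetical guest-module decision: 1 = tuple readable, 0 = filtered. Fails closed. */
int tuple_visible(const char *client_ctx, const char *tuple_ctx)
{
    mls_level c, t;
    if (parse_level(client_ctx, &c) || parse_level(tuple_ctx, &t)) return 0;
    return c.sens >= t.sens && (c.cats & t.cats) == t.cats;
}

/* Tuple labels copied from the drink table in the message above (ids 1-6). */
#define L_S0 "unconfined_u:object_r:sepgsql_table_t:s0"
#define L_C0 "system_u:object_r:sepgsql_table_t:s0:c0"
static const char *drink_labels[6] = { L_S0, L_S0, L_S0, L_C0, L_C0, L_C0 };

int main(void)
{
    const char *client = "unconfined_u:unconfined_r:unconfined_t:s0"; /* constructed */
    for (int i = 0; i < 6; i++)
        printf("id %d visible: %d\n", i + 1, tuple_visible(client, drink_labels[i]));
    return 0;
}
```
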

