Good morning, I started to follow the discussion.
(Time difference is unconfortable for me!)
>> adding SELinux support for the existing levels of access control in PG
>
> is
>
> - table/column level access controls
> - permission checks on database login
> - permission checks on function invocation
> - they need a facility to manage security label
> - I want permission checks on loading a library,
> though existing PG checks superuser() only.
>
> and
> - removing PGACE, integrate SEPG code into core
> - permission checks on largeobjects is postponed
> - row level security is postponed (NOT REJECTED!)
> - so, writable system column is also postponed
If I postponed a part of functionalities as Stephen suggested,
how many lines can be reduced? It is a quick estimation.
Currently, the main patch has: 110 files changed, 9813 insertions(+), 16 deletions(-), 924 modifications(!)
* src/backend/commands/copy.c | 293 +++! Most of them are to support writable system column, so about
-300lines are expected.
* src/backend/executor/execMain.c | 209 +++ Most of them are to support writable system column, so about -200
linesare expected
* src/backend/security/pgaceCommon.c | 729 ++++++++++++ It will get scraped, but management of security
attributehas to SELinux specific code, so -250 lines are expected
* src/backend/security/pgaceHooks.c | 1547 ++++++++++++++++++++++++++ It will be gone, so -1550 lines are
expected
* src/backend/security/rowacl/rowacl.c | 721 ++++++++++++ It will be postponed, -700 lines are expected
* src/backend/security/sepgsql/hooks.c | 1019 +++++++++++++++++ A part of permission checks (aka row,blob) is
postponed,so -300 lines are expected.
* src/include/security/pgace.h | 181 +++
* src/include/security/rowacl.h | 41 It will be gone, so -200 lines are expected
At the total, -3,200 lines are expected.
In addition, any other small-sized stuffs can be postponed.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>