Re: Row-security writer-side checks proposal - Mailing list pgsql-hackers

From Craig Ringer
Subject Re: Row-security writer-side checks proposal
Msg-id 5279F180.20005@2ndquadrant.com
In response to Re: Row-security writer-side checks proposal  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers

On 11/05/2013 10:01 PM, Stephen Frost wrote:
> * Robert Haas (robertmhaas@gmail.com) wrote:
>> Now maybe that's fine.  But given that, I think it's pretty
>> important that we get the syntax right.  Because if you're adding
>> a feature primarily to add a more convenient syntax, then the
>> syntax had better actually be convenient.
> 
> I agree that we want to get the syntax correct, but also very clear
> as it's security related and we don't want anyone surprised by what
> happens when they use it.  The idea, as has been discussed in the
> past, is to then allow tying RLS in with SELinux and provide MAC.

That was my impression also.

To help get closer to that point, since you were involved in the work
on auto-updatable views: any hints on what might be needed to tackle
making security barrier views updatable?


There's a fun little wrinkle with MAC, by the way: functional indexes.
We can't allow the creation of a functional index, even by the table
owner, if it uses any non-LEAKPROOF operators and functions. Otherwise
the user can write a function to leak the rows, then create an index
using that function.

That's not a problem for the current phase of RLS because the table
owner is allowed to remove the RLS constraint directly. They can also
add triggers that might leak rows via CASCADEs, etc. When MAC comes
into the picture we'll need to impose limits on triggers and
functional indexes added to rows.


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services
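As an added example that is not part of Craig's mail or of the PostgreSQL project's code: the limit he describes for functional indexes can be audited today by listing existing index expressions and predicates that call functions or operators not marked LEAKPROOF. This assumes PostgreSQL 9.2 or later (pg_proc.proleakproof exists) and relies on pg_depend recording the functions and operators an index expression references; built-in functions are pinned and get no pg_depend rows, so only user-defined and extension functions are reported, which is the case the mail is about.

```sql
-- Added audit query (not from the thread): report indexes whose
-- expressions or predicates depend on functions that are not LEAKPROOF.
-- Assumption: expression dependencies are recorded in pg_depend with
-- refclassid = pg_proc (direct calls) or pg_operator (operators, which
-- are resolved here to their underlying function via oprcode).
WITH index_deps AS (
    SELECT d.objid AS index_oid,
           d.refclassid,
           d.refobjid
    FROM pg_depend d
    JOIN pg_index i ON i.indexrelid = d.objid
    WHERE d.classid = 'pg_class'::regclass
      AND d.deptype = 'n'                       -- normal (expression) deps
      AND (i.indexprs IS NOT NULL OR i.indpred IS NOT NULL)
),
called_procs AS (
    -- functions called directly in the index expression / predicate
    SELECT index_oid, refobjid AS proc_oid
    FROM index_deps
    WHERE refclassid = 'pg_proc'::regclass
    UNION ALL
    -- operators used in the expression, mapped to their implementing function
    SELECT id.index_oid, o.oprcode::oid
    FROM index_deps id
    JOIN pg_operator o ON o.oid = id.refobjid
    WHERE id.refclassid = 'pg_operator'::regclass
)
SELECT tc.relname                     AS table_name,
       ic.relname                     AS index_name,
       p.proname                      AS function_name,
       pg_get_userbyid(p.proowner)    AS function_owner,
       pg_get_indexdef(cp.index_oid)  AS index_definition
FROM called_procs cp
JOIN pg_proc  p  ON p.oid = cp.proc_oid
JOIN pg_index i  ON i.indexrelid = cp.index_oid
JOIN pg_class ic ON ic.oid = i.indexrelid
JOIN pg_class tc ON tc.oid = i.indrelid
WHERE NOT p.proleakproof              -- anything left here can observe row data
ORDER BY tc.relname, ic.relname, p.proname;
```

Any row returned is an index whose build (and every subsequent INSERT or UPDATE) runs user-written code over row values that a row-security policy may otherwise hide, so it is the set of indexes a MAC-style restriction would have to refuse.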
