Re: [v9.1] sepgsql - userspace access vector cache - Mailing list pgsql-hackers

From Robert Haas
Subject Re: [v9.1] sepgsql - userspace access vector cache
Date
Msg-id CA+Tgmob+vf6RReWpre58qU10+uoXmVUQDAXvOJ_3+HER2-h-Jg@mail.gmail.com
Whole thread Raw
In response to Re: [v9.1] sepgsql - userspace access vector cache  (Kohei KaiGai <kaigai@kaigai.gr.jp>)
Responses Re: [v9.1] sepgsql - userspace access vector cache
Re: [v9.1] sepgsql - userspace access vector cache
Re: [v9.1] sepgsql - userspace access vector cache
List pgsql-hackers
On Fri, Aug 26, 2011 at 5:32 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
> Yes. It also caches an expected security label when a client being
> labeled as "scontext" tries to execute a procedure being labeled as
> "tcontext", to reduce number of system call invocations on fmgr_hook
> and needs_fmgr_hook.
> If the expected security label is not same with "scontext", it means
> the procedure performs as a trusted procedure that switches security
> label of the client during its execution; like a security invoker
> function.
> A pair of security labels are the only factor to determine whether the
> procedure is a trusted-procedure, or not. Thus, it is suitable to
> cache in userspace avc.

I've committed this, but I still think it would be helpful to revise
that comment.  The turn "boosted up" is not very precise or
informative.  Could you submit a separate, comment-only patch to
improve this?

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


pgsql-hackers by date:

Previous
From: Alexander Korotkov
Date:
Subject: Re: WIP: SP-GiST, Space-Partitioned GiST
Next
From: Robert Haas
Date:
Subject: Re: dblink make fails under postgresql 8.4.4 on mac osx 10.4.11