rpms/sepostgresql/devel sepostgresql-policy-8.3.3-2.patch, 1.1, 1.2 sepostgresql-sepgsql-8.3.3-2.patch, 1.3, 1.4 sepostgresql.8, 1.1, 1.2 sepostgresql.init, 1.22, 1.23 sepostgresql.spec, 1.23, 1.24
KaiGai Kohei
kaigai at fedoraproject.org
Tue Sep 23 02:04:43 UTC 2008
Author: kaigai
Update of /cvs/pkgs/rpms/sepostgresql/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20196
Modified Files:
sepostgresql-policy-8.3.3-2.patch
sepostgresql-sepgsql-8.3.3-2.patch sepostgresql.8
sepostgresql.init sepostgresql.spec
Log Message:
bugfix: trusted procedure invocation via operators
bugfix: FK insertion with invisible PK cases
sepostgresql-policy-8.3.3-2.patch:
Index: sepostgresql-policy-8.3.3-2.patch
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql-policy-8.3.3-2.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sepostgresql-policy-8.3.3-2.patch 11 Jul 2008 08:39:31 -0000 1.1
+++ sepostgresql-policy-8.3.3-2.patch 23 Sep 2008 02:04:13 -0000 1.2
@@ -103,9 +103,9 @@
+## There are no interface declaration
diff -rpNU3 base/src/backend/security/sepgsql/policy/sepostgresql-devel.te sepgsql/src/backend/security/sepgsql/policy/sepostgresql-devel.te
--- base/src/backend/security/sepgsql/policy/sepostgresql-devel.te 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/backend/security/sepgsql/policy/sepostgresql-devel.te 2008-07-11 14:10:51.000000000 +0900
-@@ -0,0 +1,82 @@
-+policy_module(sepostgresql-devel, 3.11)
++++ sepgsql/src/backend/security/sepgsql/policy/sepostgresql-devel.te 2008-09-23 09:00:34.000000000 +0900
+@@ -0,0 +1,125 @@
++policy_module(sepostgresql-devel, 3.14)
+
+gen_require(`
+ class db_database all_db_database_perms;
@@ -125,6 +125,49 @@
+ attribute sepgsql_procedure_type;
+ attribute sepgsql_blob_type;
+ attribute sepgsql_module_type;
++
++ # for testcases
++ attribute tmpfile;
++ role unconfined_r;
++ type unconfined_t;
++ type sepgsql_trusted_proc_t;
++')
++
++#################################
++#
++# Domain for Testcases
++#
++
++type sepgsql_test_t;
++domain_type(sepgsql_test_t)
++
++allow unconfined_t sepgsql_test_t : process transition;
++role unconfined_r types sepgsql_test_t;
++role unconfined_r types sepgsql_trusted_proc_t;
++
++corecmd_exec_bin(sepgsql_test_t)
++allow sepgsql_test_t bin_t : file { entrypoint };
++
++files_read_usr_files(sepgsql_test_t)
++files_read_etc_files(sepgsql_test_t)
++libs_use_ld_so(sepgsql_test_t)
++libs_use_shared_libs(sepgsql_test_t)
++
++term_use_all_terms(sepgsql_test_t)
++
++files_search_home(sepgsql_test_t)
++allow sepgsql_test_t home_type : file rw_file_perms;
++allow sepgsql_test_t home_type : dir search_dir_perms;
++miscfiles_read_localization(sepgsql_test_t)
++
++allow sepgsql_test_t tmpfile : dir search_dir_perms;
++allow sepgsql_test_t tmpfile : file rw_file_perms;
++
++postgresql_stream_connect(sepgsql_test_t)
++postgresql_unpriv_client(sepgsql_test_t)
++
++optional_policy(`
++ nscd_shm_use(sepgsql_test_t)
+')
+
+#################################
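Review bot: The new sepgsql_test_t domain is granted `rw_file_perms` on every `home_type` and `tmpfile` file and an `entrypoint` on all of `bin_t`, yet nothing in the module states that it exists only for the regression suite; the man page change in this commit describes sepostgresql-devel.pp as providing development/debug permissions, so a reader of the .te alone cannot tell the domain must not reach an operational server. Add above the `type sepgsql_test_t;` line `# Test-only domain for the regression suite: broad home/tmp access and bin_t entrypoint; ship only in sepostgresql-devel.pp, never on an operational server.` Separately, `home_type` is referenced by the two allow rules but is not listed in the `gen_require` block next to `tmpfile`, so unless one of the called interfaces declares it the module will fail to link; adding `attribute home_type;` to the require block is the safe fix (the interface bodies are not in the diff, so this is hedged).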
sepostgresql-sepgsql-8.3.3-2.patch:
Index: sepostgresql-sepgsql-8.3.3-2.patch
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql-sepgsql-8.3.3-2.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- sepostgresql-sepgsql-8.3.3-2.patch 13 Aug 2008 13:54:49 -0000 1.3
+++ sepostgresql-sepgsql-8.3.3-2.patch 23 Sep 2008 02:04:13 -0000 1.4
@@ -2503,7 +2503,7 @@
estate->es_output_cid,
diff -rpNU3 base/src/backend/executor/execQual.c sepgsql/src/backend/executor/execQual.c
--- base/src/backend/executor/execQual.c 2008-01-07 23:51:33.000000000 +0900
-+++ sepgsql/src/backend/executor/execQual.c 2008-08-13 22:24:28.000000000 +0900
++++ sepgsql/src/backend/executor/execQual.c 2008-08-15 11:22:38.000000000 +0900
@@ -47,6 +47,7 @@
#include "nodes/makefuncs.h"
#include "optimizer/planmain.h"
@@ -2512,60 +2512,16 @@
#include "utils/acl.h"
#include "utils/builtins.h"
#include "utils/lsyscache.h"
-@@ -1494,6 +1495,8 @@ ExecMakeTableFunctionResult(ExprState *f
- FuncExpr *func = (FuncExpr *) fcache->xprstate.expr;
-
- init_fcache(func->funcid, fcache, econtext->ecxt_per_query_memory);
+@@ -1015,6 +1016,9 @@ init_fcache(Oid foid, FuncExprState *fca
+ fcache->setArgsValid = false;
+ fcache->shutdown_reg = false;
+ fcache->func.fn_expr = (Node *) fcache->xprstate.expr;
+
-+ pgaceCallFunction(&fcache->func);
- }
- returnsSet = fcache->func.fn_retset;
-
-@@ -1750,6 +1753,8 @@ ExecEvalFunc(FuncExprState *fcache,
- /* Go directly to ExecMakeFunctionResult on subsequent uses */
- fcache->xprstate.evalfunc = (ExprStateEvalFunc) ExecMakeFunctionResult;
-
++ /* Check permission to call function by security subsystem */
+ pgaceCallFunction(&fcache->func);
-+
- return ExecMakeFunctionResult(fcache, econtext, isNull, isDone);
}
-@@ -1772,6 +1777,8 @@ ExecEvalOper(FuncExprState *fcache,
- /* Go directly to ExecMakeFunctionResult on subsequent uses */
- fcache->xprstate.evalfunc = (ExprStateEvalFunc) ExecMakeFunctionResult;
-
-+ pgaceCallFunction(&fcache->func);
-+
- return ExecMakeFunctionResult(fcache, econtext, isNull, isDone);
- }
-
-@@ -1811,6 +1818,8 @@ ExecEvalDistinct(FuncExprState *fcache,
-
- init_fcache(op->opfuncid, fcache, econtext->ecxt_per_query_memory);
- Assert(!fcache->func.fn_retset);
-+
-+ pgaceCallFunction(&fcache->func);
- }
-
- /*
-@@ -1891,6 +1900,8 @@ ExecEvalScalarArrayOp(ScalarArrayOpExprS
- init_fcache(opexpr->opfuncid, &sstate->fxprstate,
- econtext->ecxt_per_query_memory);
- Assert(!sstate->fxprstate.func.fn_retset);
-+
-+ pgaceCallFunction(&sstate->fxprstate.func);
- }
-
- /* Need to prep callinfo structure */
-@@ -3084,6 +3095,8 @@ ExecEvalNullIf(FuncExprState *nullIfExpr
-
- init_fcache(op->opfuncid, nullIfExpr, econtext->ecxt_per_query_memory);
- Assert(!nullIfExpr->func.fn_retset);
-+
-+ pgaceCallFunction(&nullIfExpr->func);
- }
-
- /*
+ /*
diff -rpNU3 base/src/backend/executor/execScan.c sepgsql/src/backend/executor/execScan.c
--- base/src/backend/executor/execScan.c 2008-01-07 23:51:33.000000000 +0900
+++ sepgsql/src/backend/executor/execScan.c 2008-06-14 02:36:58.000000000 +0900
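Review bot: The permission check now lives only at the end of init_fcache, and the one-line comment on the new `pgaceCallFunction(&fcache->func);` does not say that this replaces the per-evaluator calls the hunk removes, so a later maintainer seeing no check in ExecEvalOper, ExecEvalDistinct, ExecEvalScalarArrayOp, ExecEvalNullIf or ExecMakeTableFunctionResult may re-add them, or add a new evaluator that bypasses init_fcache and therefore bypasses the check. Extend the comment to `/* Check permission to call the function. This is the single choke point: every evaluator reaches it through init_fcache, so do not add per-caller checks, and any new evaluator must go through init_fcache too. */`. It would also help to state whether the check is meant to run once per FuncExprState (it sits in the one-time cache initialisation, so a plan that outlives a function relabel is not rechecked); that is inferred from the placement, not visible in the hunk. init_fcache starts above the hunk.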
@@ -2706,7 +2662,7 @@
PG_RETURN_INT32(0);
diff -rpNU3 base/src/backend/nodes/copyfuncs.c sepgsql/src/backend/nodes/copyfuncs.c
--- base/src/backend/nodes/copyfuncs.c 2008-03-19 09:48:23.000000000 +0900
-+++ sepgsql/src/backend/nodes/copyfuncs.c 2008-06-14 02:36:58.000000000 +0900
++++ sepgsql/src/backend/nodes/copyfuncs.c 2008-09-22 15:02:01.000000000 +0900
@@ -24,6 +24,7 @@
#include "nodes/plannodes.h"
@@ -2723,7 +2679,15 @@
return newnode;
}
-@@ -1523,6 +1525,7 @@ _copyRangeTblEntry(RangeTblEntry *from)
+@@ -226,6 +228,7 @@ CopyScanFields(Scan *from, Scan *newnode
+ CopyPlanFields((Plan *) from, (Plan *) newnode);
+
+ COPY_SCALAR_FIELD(scanrelid);
++ COPY_SCALAR_FIELD(pgaceTuplePerms);
+ }
+
+ /*
+@@ -1523,6 +1526,7 @@ _copyRangeTblEntry(RangeTblEntry *from)
COPY_SCALAR_FIELD(inFromCl);
COPY_SCALAR_FIELD(requiredPerms);
COPY_SCALAR_FIELD(checkAsUser);
@@ -2731,7 +2695,7 @@
return newnode;
}
-@@ -1789,6 +1792,7 @@ _copyColumnDef(ColumnDef *from)
+@@ -1789,6 +1793,7 @@ _copyColumnDef(ColumnDef *from)
COPY_NODE_FIELD(raw_default);
COPY_STRING_FIELD(cooked_default);
COPY_NODE_FIELD(constraints);
@@ -2739,7 +2703,7 @@
return newnode;
}
-@@ -1869,6 +1873,7 @@ _copyQuery(Query *from)
+@@ -1869,6 +1874,7 @@ _copyQuery(Query *from)
COPY_NODE_FIELD(limitCount);
COPY_NODE_FIELD(rowMarks);
COPY_NODE_FIELD(setOperations);
@@ -2747,7 +2711,7 @@
return newnode;
}
-@@ -2105,6 +2110,7 @@ _copyCreateStmt(CreateStmt *from)
+@@ -2105,6 +2111,7 @@ _copyCreateStmt(CreateStmt *from)
COPY_NODE_FIELD(options);
COPY_SCALAR_FIELD(oncommit);
COPY_STRING_FIELD(tablespacename);
@@ -2755,7 +2719,7 @@
return newnode;
}
-@@ -2998,6 +3004,49 @@ _copyValue(Value *from)
+@@ -2998,6 +3005,49 @@ _copyValue(Value *from)
return newnode;
}
@@ -2805,7 +2769,7 @@
/*
* copyObject
*
-@@ -3600,6 +3649,15 @@ copyObject(void *from)
+@@ -3600,6 +3650,15 @@ copyObject(void *from)
case T_XmlSerialize:
retval = _copyXmlSerialize(from);
break;
@@ -2821,9 +2785,100 @@
default:
elog(ERROR, "unrecognized node type: %d", (int) nodeTag(from));
+diff -rpNU3 base/src/backend/nodes/equalfuncs.c sepgsql/src/backend/nodes/equalfuncs.c
+--- base/src/backend/nodes/equalfuncs.c 2008-03-19 09:48:23.000000000 +0900
++++ sepgsql/src/backend/nodes/equalfuncs.c 2008-09-22 16:53:15.000000000 +0900
+@@ -26,6 +26,7 @@
+ #include "postgres.h"
+
+ #include "nodes/relation.h"
++#include "nodes/security.h"
+ #include "utils/datum.h"
+
+
+@@ -768,6 +769,7 @@ _equalQuery(Query *a, Query *b)
+ COMPARE_NODE_FIELD(limitCount);
+ COMPARE_NODE_FIELD(rowMarks);
+ COMPARE_NODE_FIELD(setOperations);
++ COMPARE_NODE_FIELD(pgaceItem);
+
+ return true;
+ }
+@@ -970,6 +972,7 @@ _equalCreateStmt(CreateStmt *a, CreateSt
+ COMPARE_NODE_FIELD(options);
+ COMPARE_SCALAR_FIELD(oncommit);
+ COMPARE_STRING_FIELD(tablespacename);
++ COMPARE_NODE_FIELD(pgaceItem);
+
+ return true;
+ }
+@@ -1818,6 +1821,7 @@ _equalColumnDef(ColumnDef *a, ColumnDef
+ COMPARE_NODE_FIELD(raw_default);
+ COMPARE_STRING_FIELD(cooked_default);
+ COMPARE_NODE_FIELD(constraints);
++ COMPARE_NODE_FIELD(pgaceItem);
+
+ return true;
+ }
+@@ -1925,6 +1929,39 @@ _equalXmlSerialize(XmlSerialize *a, XmlS
+ }
+
+ /*
++ * Stuff from nodes/security.h
++ */
++static bool
++_equalSEvalItemRelation(SEvalItemRelation *a, SEvalItemRelation *b)
++{
++ COMPARE_SCALAR_FIELD(perms);
++ COMPARE_SCALAR_FIELD(relid);
++ COMPARE_SCALAR_FIELD(inh);
++
++ return true;
++}
++
++static bool
++_equalSEvalItemAttribute(SEvalItemAttribute *a, SEvalItemAttribute *b)
++{
++ COMPARE_SCALAR_FIELD(perms);
++ COMPARE_SCALAR_FIELD(relid);
++ COMPARE_SCALAR_FIELD(inh);
++ COMPARE_SCALAR_FIELD(attno);
++
++ return true;
++}
++
++static bool
++_equalSEvalItemProcedure(SEvalItemProcedure *a, SEvalItemProcedure *b)
++{
++ COMPARE_SCALAR_FIELD(perms);
++ COMPARE_SCALAR_FIELD(funcid);
++
++ return true;
++}
++
++/*
+ * Stuff from pg_list.h
+ */
+
+@@ -2527,6 +2564,15 @@ equal(void *a, void *b)
+ case T_XmlSerialize:
+ retval = _equalXmlSerialize(a, b);
+ break;
++ case T_SEvalItemRelation:
++ retval = _equalSEvalItemRelation(a, b);
++ break;
++ case T_SEvalItemAttribute:
++ retval = _equalSEvalItemAttribute(a, b);
++ break;
++ case T_SEvalItemProcedure:
++ retval = _equalSEvalItemProcedure(a, b);
++ break;
+
+ default:
+ elog(ERROR, "unrecognized node type: %d",
diff -rpNU3 base/src/backend/nodes/outfuncs.c sepgsql/src/backend/nodes/outfuncs.c
--- base/src/backend/nodes/outfuncs.c 2008-01-14 22:59:48.000000000 +0900
-+++ sepgsql/src/backend/nodes/outfuncs.c 2008-06-14 02:36:58.000000000 +0900
++++ sepgsql/src/backend/nodes/outfuncs.c 2008-09-22 16:53:15.000000000 +0900
@@ -26,6 +26,7 @@
#include "lib/stringinfo.h"
#include "nodes/plannodes.h"
@@ -2840,7 +2895,39 @@
}
/*
-@@ -1748,6 +1750,7 @@ _outQuery(StringInfo str, Query *node)
+@@ -282,6 +284,7 @@ _outScanInfo(StringInfo str, Scan *node)
+ _outPlanInfo(str, (Plan *) node);
+
+ WRITE_UINT_FIELD(scanrelid);
++ WRITE_UINT_FIELD(pgaceTuplePerms);
+ }
+
+ /*
+@@ -1376,6 +1379,7 @@ _outRelOptInfo(StringInfo str, RelOptInf
+ WRITE_BOOL_FIELD(has_eclass_joins);
+ WRITE_BITMAPSET_FIELD(index_outer_relids);
+ WRITE_NODE_FIELD(index_inner_paths);
++ WRITE_UINT_FIELD(pgaceTuplePerms);
+ }
+
+ static void
+@@ -1544,6 +1548,7 @@ _outCreateStmt(StringInfo str, CreateStm
+ WRITE_NODE_FIELD(options);
+ WRITE_ENUM_FIELD(oncommit, OnCommitAction);
+ WRITE_STRING_FIELD(tablespacename);
++ WRITE_NODE_FIELD(pgaceItem);
+ }
+
+ static void
+@@ -1659,6 +1664,7 @@ _outColumnDef(StringInfo str, ColumnDef
+ WRITE_NODE_FIELD(raw_default);
+ WRITE_STRING_FIELD(cooked_default);
+ WRITE_NODE_FIELD(constraints);
++ WRITE_NODE_FIELD(pgaceItem);
+ }
+
+ static void
+@@ -1748,6 +1754,7 @@ _outQuery(StringInfo str, Query *node)
WRITE_NODE_FIELD(limitCount);
WRITE_NODE_FIELD(rowMarks);
WRITE_NODE_FIELD(setOperations);
@@ -2848,7 +2935,7 @@
}
static void
-@@ -1833,6 +1836,7 @@ _outRangeTblEntry(StringInfo str, RangeT
+@@ -1833,6 +1840,7 @@ _outRangeTblEntry(StringInfo str, RangeT
WRITE_BOOL_FIELD(inFromCl);
WRITE_UINT_FIELD(requiredPerms);
WRITE_OID_FIELD(checkAsUser);
@@ -2856,7 +2943,7 @@
}
static void
-@@ -2045,6 +2049,43 @@ _outFkConstraint(StringInfo str, FkConst
+@@ -2045,6 +2053,43 @@ _outFkConstraint(StringInfo str, FkConst
WRITE_BOOL_FIELD(skip_validation);
}
@@ -2900,7 +2987,7 @@
/*
* _outNode -
-@@ -2438,6 +2479,15 @@ _outNode(StringInfo str, void *obj)
+@@ -2438,6 +2483,15 @@ _outNode(StringInfo str, void *obj)
case T_XmlSerialize:
_outXmlSerialize(str, obj);
break;
@@ -6077,8 +6164,8 @@
+}
diff -rpNU3 base/src/backend/security/sepgsql/hooks.c sepgsql/src/backend/security/sepgsql/hooks.c
--- base/src/backend/security/sepgsql/hooks.c 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/backend/security/sepgsql/hooks.c 2008-07-11 14:10:51.000000000 +0900
-@@ -0,0 +1,882 @@
++++ sepgsql/src/backend/security/sepgsql/hooks.c 2008-09-22 17:51:21.000000000 +0900
+@@ -0,0 +1,892 @@
+/*
+ * src/backend/security/sepgsql/hooks.c
+ * implementations of PGACE framework
@@ -6674,21 +6761,31 @@
+}
+
+/* ----------------------------------------------------------
-+ * special cases in foreign key constraint
++ * special cases for Foreign Key constraint
+ * ---------------------------------------------------------- */
+void
-+sepgsqlPreparePlanCheck(Relation rel, Datum *pgace_saved)
++sepgsqlBeginPerformCheckFK(Relation rel, bool is_primary, Datum *save_pgace)
+{
-+ /* store the current status */
-+ *pgace_saved = BoolGetDatum(abort_on_violated_tuple);
++ /*
++ * NOTE: when a tuple is inserted/updated on FK side, all we should do
++ * is simply filtering violated tuples on PK size, as normal row-level
++ * access control doin.
++ * In the result, INSERT/UPDATE with invisible tuple is failed.
++ */
++ if (is_primary)
++ return;
+
++ *save_pgace = BoolGetDatum(abort_on_violated_tuple);
+ abort_on_violated_tuple = true;
+}
+
+void
-+sepgsqlRestorePlanCheck(Relation rel, Datum pgace_saved)
++sepgsqlEndPerformCheckFK(Relation rel, bool is_primary, Datum save_pgace)
+{
-+ abort_on_violated_tuple = DatumGetBool(pgace_saved);
++ if (is_primary)
++ return;
++
++ abort_on_violated_tuple = DatumGetBool(save_pgace);
+}
+
+/*******************************************************************************
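Review bot: sepgsqlBeginPerformCheckFK returns before writing `*save_pgace` when `is_primary` is true, so the caller's `Datum save_pgace` in ri_PerformCheck (the ri_triggers.c hunk below) is passed to pgaceEndPerformCheckFK with an indeterminate value; the callee ignores it in that case, but reading an uninitialised automatic variable is formally undefined and will draw -Wmaybe-uninitialized. Write `*save_pgace = (Datum) 0;` before the early return so the out-parameter is always defined. The NOTE comment also has typos ("PK size", "doin") and should state the rule plainly: checks that run against the FK table (`is_primary` false, i.e. a PK row is being deleted or updated) force abort_on_violated_tuple so that a referencing row the client cannot see raises an error instead of letting the constraint pass silently, while checks against the PK table keep the normal row filtering and an FK insert that references an invisible PK row simply fails.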
@@ -9126,7 +9223,7 @@
/*
diff -rpNU3 base/src/backend/utils/adt/ri_triggers.c sepgsql/src/backend/utils/adt/ri_triggers.c
--- base/src/backend/utils/adt/ri_triggers.c 2008-06-12 22:34:19.000000000 +0900
-+++ sepgsql/src/backend/utils/adt/ri_triggers.c 2008-06-14 02:36:58.000000000 +0900
++++ sepgsql/src/backend/utils/adt/ri_triggers.c 2008-09-22 17:51:21.000000000 +0900
@@ -37,6 +37,7 @@
#include "parser/parse_coerce.h"
#include "parser/parse_relation.h"
@@ -9135,34 +9232,42 @@
#include "utils/acl.h"
#include "utils/fmgroids.h"
#include "utils/lsyscache.h"
-@@ -3202,6 +3203,7 @@ ri_PlanCheck(const char *querystr, int n
- Relation query_rel;
+@@ -3256,6 +3257,7 @@ ri_PerformCheck(RI_QueryKey *qkey, SPIPl
+ int spi_result;
Oid save_userid;
bool save_secdefcxt;
+ Datum save_pgace;
+ Datum vals[RI_MAX_NUMKEYS * 2];
+ char nulls[RI_MAX_NUMKEYS * 2];
- /*
- * The query is always run against the FK table except when this is an
-@@ -3219,7 +3221,18 @@ ri_PlanCheck(const char *querystr, int n
+@@ -3336,11 +3338,22 @@ ri_PerformCheck(RI_QueryKey *qkey, SPIPl
+ GetUserIdAndContext(&save_userid, &save_secdefcxt);
SetUserIdAndContext(RelationGetForm(query_rel)->relowner, true);
- /* Create the plan */
-- qplan = SPI_prepare(querystr, nargs, argtypes);
-+ pgacePreparePlanCheck(query_rel, &save_pgace);
+- /* Finally we can run the query. */
+- spi_result = SPI_execute_snapshot(qplan,
+- vals, nulls,
+- test_snapshot, crosscheck_snapshot,
+- false, false, limit);
++ pgaceBeginPerformCheckFK(query_rel, query_rel == pk_rel, &save_pgace);
+ PG_TRY();
+ {
-+ qplan = SPI_prepare(querystr, nargs, argtypes);
++ /* Finally we can run the query. */
++ spi_result = SPI_execute_snapshot(qplan,
++ vals, nulls,
++ test_snapshot, crosscheck_snapshot,
++ false, false, limit);
+ }
+ PG_CATCH();
+ {
-+ pgaceRestorePlanCheck(query_rel, save_pgace);
++ pgaceEndPerformCheckFK(query_rel, query_rel == pk_rel, save_pgace);
+ PG_RE_THROW();
+ }
+ PG_END_TRY();
-+ pgaceRestorePlanCheck(query_rel, save_pgace);
++ pgaceEndPerformCheckFK(query_rel, query_rel == pk_rel, save_pgace);
- if (qplan == NULL)
- elog(ERROR, "SPI_prepare returned %d for %s", SPI_result, querystr);
+ /* Restore UID */
+ SetUserIdAndContext(save_userid, save_secdefcxt);
diff -rpNU3 base/src/backend/utils/cache/catcache.c sepgsql/src/backend/utils/cache/catcache.c
--- base/src/backend/utils/cache/catcache.c 2008-03-19 09:48:23.000000000 +0900
+++ sepgsql/src/backend/utils/cache/catcache.c 2008-06-14 02:36:58.000000000 +0900
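Review bot: `query_rel == pk_rel` is written three times in the new begin/catch/end calls, which invites the three sites to drift apart; compute it once next to the save variable, `bool rel_is_primary = (query_rel == pk_rel);`, and pass `rel_is_primary` to all three calls. While there, initialise `Datum save_pgace = (Datum) 0;` since the hook does not write it on the PK-side path. ri_PerformCheck begins and ends outside the hunk.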
@@ -9882,8 +9987,8 @@
diff -rpNU3 base/src/include/security/pgace.h sepgsql/src/include/security/pgace.h
--- base/src/include/security/pgace.h 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/include/security/pgace.h 2008-07-11 14:10:51.000000000 +0900
-@@ -0,0 +1,1183 @@
++++ sepgsql/src/include/security/pgace.h 2008-09-22 17:51:21.000000000 +0900
+@@ -0,0 +1,1202 @@
+/*
+ * include/security/pgace.h
+ * headers for PostgreSQL Access Control Extension (PGACE)
@@ -10018,7 +10123,7 @@
+}
+
+/*
-+ * pgaceInitialize
++ * pgaceStartupWorkerProcess
+ *
+ * The guest can create a worker process in this hook, if necessary.
+ * (currently, PGACE does not support multiple worker processes.)
@@ -10621,39 +10726,40 @@
+}
+
+/*
-+ * pgacePreparePlanCheck
++ * pgaceBeginPerformCheckFK
+ *
-+ * This hook is invoked just before FK/PK constraint checks.
-+ * The guest can change its state during FK/PK constraint checks,
-+ * and restore it on pgaceRestorePlanCheck().
-+ * If it needs an opaque data, pgace_saved can be used to store
-+ * an opaque data.
++ * This hook is invoked just before performing FK constraint checks.
++ * The guest can change its internal state during the checks.
++ * The major purpose of this function is to prevent violation of
++ * integrity consistentency violation due to row-level access control.
++ * If the guest requires an opaque data, save_pgace can be used
++ * to store it.
+ */
+static inline void
-+pgacePreparePlanCheck(Relation rel, Datum *pgace_saved)
++pgaceBeginPerformCheckFK(Relation rel, bool rel_is_primary, Datum *save_pgace)
+{
+#ifdef HAVE_SELINUX
+ if (sepgsqlIsEnabled())
+ {
-+ sepgsqlPreparePlanCheck(rel, pgace_saved);
++ sepgsqlBeginPerformCheckFK(rel, rel_is_primary, save_pgace);
+ return;
+ }
+#endif
+}
+
+/*
-+ * pgaceRestorePlanCheck
++ * pgaceEndPerformCheckFK
+ *
-+ * This hook is invoked just after FK/PK constraint checks.
-+ * When the guest change something, it can be restored in this hook.
++ * This hook is invoked just after performing FK constraint checks.
++ * The guest can restore its internal state using this hook.
+ */
+static inline void
-+pgaceRestorePlanCheck(Relation rel, Datum pgace_saved)
++pgaceEndPerformCheckFK(Relation rel, bool rel_is_primary, Datum save_pgace)
+{
+#ifdef HAVE_SELINUX
+ if (sepgsqlIsEnabled())
+ {
-+ sepgsqlRestorePlanCheck(rel, pgace_saved);
++ sepgsqlEndPerformCheckFK(rel, rel_is_primary, save_pgace);
+ return;
+ }
+#endif
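Review bot: The new `rel_is_primary` parameter of pgaceBeginPerformCheckFK and pgaceEndPerformCheckFK is not described in either header comment, and the purpose sentence reads "prevent violation of integrity consistentency violation", which is both a typo and a doubled phrase. Add to the first comment `rel_is_primary is true when rel is the referenced (PK) relation, i.e. the check runs against the PK table for an FK-side INSERT/UPDATE, and false when it runs against the referencing (FK) table.` and reword the purpose to `to prevent row-level access control from hiding a referential-integrity violation`. The second comment should say that `save_pgace` is whatever the begin hook stored and is meaningful only for the same `rel_is_primary` value.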
@@ -11066,11 +11172,29 @@
+#define TextDatumGetCString(x) \
+ (DatumGetCString(DirectFunctionCall1(textout, PointerGetDatum(x))))
+
++/******************************************************************
++ * SQL function declaration related to PGACE security framework
++ ******************************************************************/
++
++/*
++ * SE-PostgreSQL SQL FUNCTIONS
++ */
++extern Datum sepgsql_getcon(PG_FUNCTION_ARGS);
++extern Datum sepgsql_getservcon(PG_FUNCTION_ARGS);
++extern Datum sepgsql_get_user(PG_FUNCTION_ARGS);
++extern Datum sepgsql_get_role(PG_FUNCTION_ARGS);
++extern Datum sepgsql_get_type(PG_FUNCTION_ARGS);
++extern Datum sepgsql_get_range(PG_FUNCTION_ARGS);
++extern Datum sepgsql_set_user(PG_FUNCTION_ARGS);
++extern Datum sepgsql_set_role(PG_FUNCTION_ARGS);
++extern Datum sepgsql_set_type(PG_FUNCTION_ARGS);
++extern Datum sepgsql_set_range(PG_FUNCTION_ARGS);
++
+#endif // PGACE_H
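Review bot: The ten `sepgsql_*` SQL-function prototypes moved here from sepgsql.h sit outside any `HAVE_SELINUX` guard, while their definitions live in the sepgsql backend sources; the hunk does not show whether a non-SELinux build provides stub definitions for the pg_proc entries. A one-line comment above the block, such as `/* Declared unconditionally: the non-SELinux build provides stubs for the catalog entries */` (or the contrary, if that is the case), would spare the next reader a grep.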
diff -rpNU3 base/src/include/security/sepgsql.h sepgsql/src/include/security/sepgsql.h
--- base/src/include/security/sepgsql.h 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/include/security/sepgsql.h 2008-07-11 14:10:51.000000000 +0900
-@@ -0,0 +1,223 @@
++++ sepgsql/src/include/security/sepgsql.h 2008-09-22 17:51:21.000000000 +0900
+@@ -0,0 +1,208 @@
+/*
+ * src/include/security/sepgsql.h
+ * headers for Security-Enhanced PostgreSQL (SE-PostgreSQL)
@@ -11176,9 +11300,9 @@
+
+extern bool sepgsqlCallFunctionTrigger(FmgrInfo *finfo, TriggerData *tgdata);
+
-+extern void sepgsqlPreparePlanCheck(Relation rel, Datum *pgace_saved);
++extern void sepgsqlBeginPerformCheckFK(Relation rel, bool rel_is_primary, Datum *save_pgace);
+
-+extern void sepgsqlRestorePlanCheck(Relation rel, Datum pgace_saved);
++extern void sepgsqlEndPerformCheckFK(Relation rel, bool rel_is_primary, Datum save_pgace);
+
+/* TABLE related hooks */
+extern void sepgsqlLockTable(Oid relid);
@@ -11278,21 +11402,6 @@
+
+extern bool sepgsqlCheckTuplePerms(Relation rel, HeapTuple tuple,
+ HeapTuple oldtup, uint32 perms, bool abort);
-+
-+/*
-+ * SE-PostgreSQL SQL FUNCTIONS
-+ */
-+extern Datum sepgsql_getcon(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_getservcon(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_get_user(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_get_role(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_get_type(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_get_range(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_set_user(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_set_role(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_set_type(PG_FUNCTION_ARGS);
-+extern Datum sepgsql_set_range(PG_FUNCTION_ARGS);
-+
+#endif /* SEPGSQL_H */
diff -rpNU3 base/src/include/storage/fd.h sepgsql/src/include/storage/fd.h
--- base/src/include/storage/fd.h 2008-01-07 23:51:33.000000000 +0900
Index: sepostgresql.8
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql.8,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sepostgresql.8 1 Sep 2007 13:07:32 -0000 1.1
+++ sepostgresql.8 23 Sep 2008 02:04:13 -0000 1.2
@@ -4,47 +4,67 @@
sepostgresql \- Security-Enhances PostgreSQL
.SH "DESCRIPTION"
-Security-Enhanced PostgreSQL (SE-PostgreSQL) is an enhancement of PostgreSQL, to apply fine grained mandatory access control for database objects based on the security policy of SELinux.
-These features enable to apply flexible integrated access control policy between operating system and database management system, during all stages of the life of the information.
+Security-Enhanced PostgreSQL (SE-PostgreSQL) is an enhancement of PostgreSQL,
+to apply fine grained mandatory access control for database objects based on
+the security policy of SELinux.
+These features enable to apply flexible integrated access control policy
+on both of operating system and database management system, during all
+stages of the life of the information.
.PP
-This document describes the way to customize SE-PostgreSQL on the default security policy.
+This document describes the way to customize SE-PostgreSQL on the default
+security policy.
.SH "BOOLEANS"
-The SELinux policy is customizable via BOOLEAN variable. This variable has two states, 1 (on) or 0 (off). A part of the policy is enabled or disabled depending on related boolean variables.
-
-\fBsepgsql_enable_unconfined\fP toggles whether \fIunconfined_t\fP and \fIsysadm_t\fP domains are allowed to access database objects without any restruction on type enforcement, or not.
-When \fIsepgsql_enable_unconfined\fP is off, those domains are also restricted its operation as other domains begin applied. In the default, it is set to on.
-You can set it as follows:
+The SELinux policy is customizable via BOOLEAN variable. This variable has
+two states, 1 (on) or 0 (off). We can validate or invalidate a part of the
+security policy depending on the state of boolean variables.
+
+\fBsepgsql_enable_users_ddl\fP enables to toggle permissions of confined
+users/applications to invoke DDL statement, like CREATE TABLE. It is set to
+\fBon\fP in the default.
+In most cases, DDL statements are used to set up initial database structure,
+and permissions to invoke them are not necessary on operation phase.
+You can turn off this boolean as follows:
.EX
-setsebool -P sepgsql_enable_unconfined ( \fBon\fP | off )
+setsebool -P sepgsql_enable_users_ddl ( \fBon\fP | off )
.EE
-\fBsepgsql_enable_users_ddl\fP toggles whether non-administrative domain is allowed to use DDL statement like CREATE TABLE and so on.
-In the default, it is set to on. You can set it as follows:
+Rest of booleans are provided by \fBselinux-devel.pp\fP policy module.
+It provides developments/debugs related permissions.
+You can install it as follows:
.EX
-setsebool -P sepgsql_enable_users_ddl ( \fBon\fP | off )
+semodule -i /usr/share/selinux/targeted/sepostgresql-devel.pp
.EE
-\fBsepgsql_enable_auditallow\fP toggles output of audit messages in the case when required permission checks are allowed. In the default, it is set to off. You can set it as follows:
+\fBsepgsql_enable_auditallow\fP toggles output of audit messages in the case
+when required permission checks are allowed, except for tuples because it
+easily make a flood of audit logs.
+In the default, it is set to off. You can set it as follows:
.EX
setsebool -P sepgsql_enable_auditallow ( on | \fBoff\fP )
.EE
-\fBsepgsql_enable_auditdeny\fP toggles output of audit messages in the case when required permission checks are denied. In the default, it is set to on. You can set it as follows:
+\fBsepgsql_enable_auditdeny\fP toggles output of audit messages in the case
+when required permission checks are denied, except for tuples because it
+easily make a flood of audit logs.
+In the default, it is set to on. You can set it as follows:
.EX
setsebool -P sepgsql_enable_auditdeny ( \fBon\fP | off )
.EE
-\fBsepgsql_enable_audittuple\fP toggles output of audit messages for any tuple. Because audit messages for tuples in a large size table can cause flood of messages, we can set \fIsepgsql_enable_audittuple\fP independently from any other object classes.
-Audit messages for tuples are generated in the only case when \fIsepgsql_enable_audittuple\fP and either \fIsepgsql_enable_auditallow\fP or \fIsepgsql_enable_auditdeny\fP are enabled.
+\fBsepgsql_regression_test_mode\fP allows to load shared libraries deployed
+on user's home directory. We recommend you to keep \fBoff\fP in operation
+phase to prevent to load malicious libraries.
+However, typical PostgreSQL regression test requires to load it, so we
+have to reduce several restriction during the test.
In the default, it is set to off. You can set it as follows:
.EX
-setsebool -P sepgsql_enable_audittuple ( on | \fBoff\fP )
+setsebool -P sepgsql_regression_test_mode ( on | \fBoff\fP )
.EE
.SH "TYPES"
@@ -53,29 +73,46 @@
It is attched for newly created databases in the default.
\fBsepgsql_table_t\fP is a type for tables, columns and tuples.
-It is attached for newly created the objects in the default.
-Non-administrative clients can do any kinds of operations except for relabeling.
+It is the default type of newly created tables by unconfined or
+non-roled domain. It allows confined clietns to access with any
+kind of operations except for relabeling, so we can use this type
+for compatible purpose.
\fBsepgsql_secret_table_t\fP is a type for tables, columns and tuples.
-Non-administrative clients cannot access the objects with this type.
+It never allows confined clients to access, so we can use this type
+to store sensitive information. We reccomend to apply trusted procedures
+to access tables/columns/tuples with this type under safe operation.
\fBsepgsql_ro_table_t\fP is a type for read-only tables, columns and tuples.
-Non-administrative clients cannot modify the objects with this type.
+It does not allow confined clients to modify any objects with this type.
-\fBsepgsql_fixed_table_t\fP is a type for non-manupulatable tables, columns and tuples.
-Non-administrative clients cannot update or delete the objects with this type.
+\fBsepgsql_fixed_table_t\fP is a type for non-manupulatable tables, columns
+and tuples. It does not allow confined clients to update or delete any
+objects with this type.
+
+\fBsepgsql_ROLE_table_t\fP is a type for a role specific tables, columns
+and tuples. It allows confined clients with its role to access with any
+kind of operations except for relabeling.
+It is the default type of newly created tables by confined clients with
+its role, and we can use this type to describe role level separation.
\fBsepgsql_proc_t\fP is a type for procedures.
-It is attached for newly created procedures by adminictrative domain.
-Any client can call these procedures with this type.
-
-\fBsepgsql_userproc_t\fP is a type for procedures.
-It is attached for newly created procedures by non-administrative domain.
-Administrative domains cannot call the procedure for safety. He have to relabel it into \fIsepgsql_proc_t\fP at first. It is a policy to avoid to execute doubtful code under administrative domain.
-
-\fBsepgsql_trusted_proc_t\fP is a type for trusted procedures.
-Calling procedures with this type invokes domain transition.
-Then the function works as an administrative domain, so database administrator can provide limited path to access protected object.
+It is attached for newly created procedures by unconfined clients.
+It allows any clients to invoke procedures with this type.
+All of PostgreSQL built-in functions are labeled as this type in the default.
+
+\fBsepgsql_ROLE_proc_t\fP is a type for a role specific procedure.
+It is attached for newly created procedures by confined clients with its role.
+It allows clients with same role to invoke procedure with this type.
+Note that unconfined clients cannot invoke this type to avoid to execute
+dangerous functions with unconfined authorities. They have to confirm its
+contains and relabel to \fBsepgsql_proc_t\fP for its invocation.
+
+\fBsepgsql_trusted_proc_exec_t\fP is a type for trusted procedures.
+To call procedures with this type invokes domain transition to
+unconfined domain, so it can access any kind of database objects.
+We can use this type to provide a secure method to access sensitive
+information.
\fBsepgsql_blob_t\fP is a type for binary large objects (blob).
It is attached for newly created blob in the default.
Index: sepostgresql.init
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql.init,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- sepostgresql.init 13 Aug 2008 13:54:49 -0000 1.22
+++ sepostgresql.init 23 Sep 2008 02:04:13 -0000 1.23
@@ -9,7 +9,7 @@
PGVERSION="8.3.3"
PGMAJORVERSION=`echo "$PGVERSION" | sed 's/^\([0-9]*\.[0-9a-z]*\).*$/\1/'`
-SEPGVERSION="2.964"
+SEPGVERSION="2.1042"
# source function library
. /etc/rc.d/init.d/functions
Index: sepostgresql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- sepostgresql.spec 13 Aug 2008 13:54:49 -0000 1.23
+++ sepostgresql.spec 23 Sep 2008 02:04:13 -0000 1.24
@@ -24,7 +24,7 @@
Summary: Security Enhanced PostgreSQL
Name: sepostgresql
Version: 8.3.3
-Release: 2.964%{?sepgsql_extension}%{?dist}
+Release: 2.1042%{?sepgsql_extension}%{?dist}
License: BSD
Group: Applications/Databases
Url: http://code.google.com/p/sepgsql/