From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PgSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <method(at)manicmethod(dot)com>, David P(dot) Quigley <dpquigl(at)tycho(dot)nsa(dot)gov> |
Subject: | Re: security hook on table creation |
Date: | 2010-10-06 21:21:06 |
Message-ID: | 1286399929-sup-4921@alvh.no-ip.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Excerpts from Robert Haas's message of mié oct 06 17:02:22 -0400 2010:
> 2010/10/5 KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>:
> > However, we also have a few headache cases.
> > DefineType() creates a new type object and its array type, but it does not
> > call CommandCounterIncrement() by the end of this function, so the new type
> > entries are not visible from the plugin modules, even if we put a security
> > hook at tail of the DefineType().
> > DefineFunction() also has same matter. It create a new procedure object,
> > but it also does not call CommandCounterIncrement() by the end of this
> > function, except for the case when ProcedureCreate() invokes language
> > validator function.
>
> So I guess the first question here is why it's important to be able to
> see the new entry. I am thinking that you want it so that, for
> example, you can fetch the namespace OID to perform an SE-Linux type
> transition. Is that right?
I'm not sure that there's any point trying to optimize these to the
point of avoiding CommandCounterIncrement. Surely DefineType et al are
not performance-sensitive operations.
> Maybe we need a variant of InvokeObjectAccessHook that does a CCI only
> if a hook is present.
The problem I see with this idea is that it becomes a lot harder to
track down whether it ocurred or not for any given operation.
--
Álvaro Herrera <alvherre(at)commandprompt(dot)com>
The PostgreSQL Company - Command Prompt, Inc.
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
From | Date | Subject | |
---|---|---|---|
Next Message | Ivan Voras | 2010-10-06 22:31:19 | Re: [HACKERS] MIT benchmarks pgsql multicore (up to 48)performance |
Previous Message | Robert Haas | 2010-10-06 21:02:22 | Re: security hook on table creation |