Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Cc: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Greg Smith <gsmith(at)gregsmith(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, tgl(at)sss(dot)pgh(dot)pa(dot)us, josh(at)agliodbs(dot)com
Subject: Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches
Date: 2008-03-19 05:55:58
Message-ID: 47E0AAEE.3080308@ak.jp.nec.com
Lists: pgsql-hackers pgsql-patches

For easier reviewing, the most fundamental patch to implement PGACE (PostgreSQL
Access Control Extension) was separated into three parts.

I want to start the discussion with the PGACE security framework first.
Any comments are welcome.

[1/3] PGACE core features
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-1-core.r713.patch

It adds the following new files:
- src/include/security/pgace.h
    declares all of the PGACE-related hooks and functions.
- src/backend/security/pgaceHooks.c
    provides dummy functions to be invoked when no security modules are enabled.
    They don't affect anything in access control.
- src/backend/security/pgaceCommon.c
    provides common features for every security module, including security-attribute
    system column support, SQL extension, and functions to manage the security attribute
    of large objects.

[2/3] Security attribute system column
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-2-security-attr.r713.patch

Guest modules of PGACE can associate a security attribute with a tuple.
The guest module can utilize this to make its decision in access control.
(Unclassified users cannot access 'Secret' tuples, for example)
This attribute is stored in the padding field of HeapTupleHeaderData, as
the oid is. It requires an additional "sizeof(Oid)" bytes to store it.

Users can refer to this attribute via a system column.
The name of the new system column is defined as SECURITY_SYSATTR_NAME
at include/pg_config.h.in, and the guest module decides its name.
In SE-PostgreSQL, it is named "security_context".

EXAMPLE of security attribute)
postgres=# SELECT security_context, * FROM drink;
             security_context             | id | name  | price | alcohol
------------------------------------------+----+-------+-------+---------
 unconfined_u:object_r:sepgsql_table_t:s0 |  1 | water |   100 | f
 unconfined_u:object_r:sepgsql_table_t:s0 |  2 | coke  |   120 | f
 unconfined_u:object_r:sepgsql_table_t:s0 |  3 | juice |   130 | f
 system_u:object_r:sepgsql_table_t:s0:c0  |  4 | cofee |   180 | f
 system_u:object_r:sepgsql_table_t:s0:c0  |  5 | beer  |   240 | t
 system_u:object_r:sepgsql_table_t:s0:c0  |  6 | sake  |   320 | t
(6 rows)

We can use this security attribute as a target of an UPDATE or INSERT statement.
It enables the DBA to manage security attributes with normal SQL operations.

[3/3] PGACE security hooks
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-3-security-hooks.r713.patch

This patch deploys several PGACE hooks at strategic points in PostgreSQL.
These hooks invoke a security module mounted on PGACE, and it can make its
decision whether this action should be allowed or not.

The list of PGACE hooks is at:
http://code.google.com/p/sepgsql/wiki/WhatIsPGACE
It shows a more comprehensive specification of what kinds of hooks are provided,
what information is given and what value should be returned.

NOTE: I categorized the patched files into three parts. However, some of them
contain both security attribute system column facilities and PGACE hook
facilities.
In this case, I categorized these files into part 2.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
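
The design described in this message, as a toy model added here for illustration and not taken from the SE-PostgreSQL patches: a per-tuple hook that defaults to a dummy allowing everything, and a guest module that decides from the tuple's security attribute. Every identifier is hypothetical, the level check is reduced to one sensitivity and at most one category, and filtering denied rows out of a scan is an assumption of the model.

```c
/* Toy model of a PGACE-style hook layer; every identifier is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct { int id; const char *security_context; } Tuple;
typedef bool (*select_hook_t)(const char *client, const Tuple *tup);

/* Stand-in for the dummy hooks: no module enabled, nothing is restricted. */
bool dummy_select_hook(const char *client, const Tuple *tup)
{
    (void) client; (void) tup;
    return true;
}

/* Parse the level of "user:role:type:sN[:cM]" (at most one category). */
static bool parse_level(const char *ctx, int *sens, int *cat)
{
    for (int i = 0; i < 3; i++) {
        if ((ctx = strchr(ctx, ':')) == NULL) return false;
        ctx++;
    }
    *cat = -1;  /* -1 means "no category" */
    return sscanf(ctx, "s%d:c%d", sens, cat) >= 1;
}

/* Guest module: allow only if the client's level covers the tuple's. */
bool guest_select_hook(const char *client, const Tuple *tup)
{
    int cs, cc, ts, tc;
    if (!parse_level(client, &cs, &cc) ||
        !parse_level(tup->security_context, &ts, &tc))
        return false;  /* unparsable label: fail closed */
    return cs >= ts && (tc == -1 || tc == cc);
}

/* Scan calling the hook per tuple; assumes denied rows are filtered out. */
size_t scan_visible(select_hook_t hook, const char *client,
                    const Tuple *rel, size_t n, int *ids)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (hook(client, &rel[i])) ids[k++] = rel[i].id;
    return k;
}

/* Constructed sample rows, labelled like the drink table in the mail. */
const Tuple drink[] = {
    {1, "unconfined_u:object_r:sepgsql_table_t:s0"},
    {5, "system_u:object_r:sepgsql_table_t:s0:c0"},
    {6, "system_u:object_r:sepgsql_table_t:s0:c0"},
};
```

Swapping `dummy_select_hook` for `guest_select_hook` changes which rows a client at `s0` gets back without touching the scan loop, which is the separation the hook layer is meant to provide.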
