Re: How to get SE-PostgreSQL acceptable

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org, sfrost(at)snowman(dot)net
Subject: Re: How to get SE-PostgreSQL acceptable
Date: 2009-01-29 04:33:01
Message-ID: 4981317D.4030500@ak.jp.nec.com
Lists: pgsql-hackers

Robert Haas wrote:
>> My concern is that superuser is allowed to modify system catalog
>> by hand, like:
>>
>> UPDATE pg_proc SET probin = '/tmp/malicious_library.so'
>> WHERE oid = ...;
>>
>> It is logically same as ALTER FUNCTION.
>>
>> Even if I remove a hook from simple_heap_xxxx(), it is necessary
>> to check queries from clients.
>
> That's a valid concern, I think all we're saying here is that you need
> to find a better place to block that, maybe by assigning pg_proc an
> security label that prevents modification by the superuser.

On SE-PostgreSQL, we have two kinds of superuser:
1. A superuser with a privileged domain for ALTER FUNCTION.
2. A superuser with an unprivileged domain for ALTER FUNCTION.

SE-PostgreSQL also allows (1) to modify pg_proc by hand,
because the security policy allows it.
(But the OS feature can block someone untrusted (like a web app) from
translating into the privileged domain.)

Stephen's suggestion (deny updates to all the system catalogs) seems
to me a bit rough. I am not sure there is no application which
depends on the superuser being able to write to the system catalog.

In addition, this limitation is not based on security policy.

So, I think we have to deploy a hook on ExecUpdate() at least,
simple_heap_update() aside.
If we cannot obtain enough information from the context, we can
apply the maximum possible permissions here.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
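As an added illustration (not part of this thread or of SE-PostgreSQL), a catalog audit query a DBA can run to find C-language functions whose probin has been rewritten by hand to point outside the trusted library directory, which is the hand-edited-catalog case the message above is worried about. It assumes the conventional `$libdir/` prefix for extension libraries and uses only the standard pg_proc, pg_language and pg_namespace catalogs:

```sql
-- Audit: C-language functions whose shared-library path is not under $libdir.
-- A direct UPDATE on pg_proc (as opposed to ALTER FUNCTION) bypasses the
-- ALTER FUNCTION code path, so a periodic catalog check is a useful backstop.
-- '$libdir/' is the assumed trusted prefix; adjust if your site differs.
SELECT n.nspname  AS schema_name,
       p.proname  AS function_name,
       p.probin   AS library_path,
       p.prosrc   AS symbol_name
FROM   pg_proc      p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname = 'c'               -- only native (C) functions load a library
  AND  p.probin IS NOT NULL          -- built-ins carry no probin
  AND  p.probin NOT LIKE '$libdir/%' -- anything outside the trusted directory
ORDER  BY 1, 2;
```

An empty result is the expected state on a clean install; any row should be reconciled against the extensions you deliberately installed.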
