Sam Mason wrote:
On Sat, Jul 25, 2009 at 07:23:22AM +0900, KaiGai Kohei wrote:
Thanks, but I found an incorrect change at the trusted procedure section.

Old)
  CREATE TABLE customer (
      cid     integer primary key,
      cname   varchar(32),
      credit  varchar(32)
-         SECURITY_LABEL = 'system_u:object_r:sepgsql_secret_table_t:s0'
- );

New)
  CREATE TABLE customer (
      cid     integer primary key,
      cname   varchar(32),
      credit  varchar(32)
+ ) SECURITY_LABEL = 'system_u:object_r:sepgsql_secret_table_t:s0';

This example intends to assign "secret" label on the credit column,
not whole of the table. Note that the default security context shall
be assigned on the table and rest of columns in this case.

The show_credit() function in this section would seem to leak authority
as well; it seems possible to determine if customers exist that
otherwise may otherwise hidden.  For example, imagine we have a row
in the customer table with cid=1 whose security label would normally
prevent.  We can perform:

  SELECT show_credit(1);

and, as far as I can tell, this call would succeed.

This example shows that confined client cannot read credit card number
without using trusted procedure, but trusted procedure returns masked one.
It does not intend to hide existence of entries within customer table.

See the third box in the section.

 postgres=# SELECT cid, cname FROM customer;
  cid | cname
 -----+-------
   10 | jack
   13 | adam
   14 | liza
 (3 rows)

This query does not read from customer.credit, so it should be succeeded.

Thanks,
--
KaiGai Kohei <kai...@kaigai.gr.jp>

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to