On Sat, Jul 25, 2009 at 10:43:05AM +0900, KaiGai Kohei wrote:
> Sam Mason wrote:
> >This would seem to imply that all user defined trusted code has to
> >perform its own permission checks. How is MAC any different from DAC in
> >the presence of code such as:
> >
> >CREATE OR REPLACE FUNCTION show_customers () RETURNS SETOF RECORD
> >  LANGUAGE 'sql'
> >  SECURITY_LABEL = 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'
> >  AS 'SELECT * FROM customer';
>
> In this case, confined users cannot create a function labeled as
> 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0', because it is
> controlled by db_procedure:{create} permission.
Yes, that seems reasonable. The fact that you're still talking about
"confined users" is slightly worrying and would seem to imply that there
is still a superuser/normal user divide--it's probably just a terminology
thing though.

One thing I know I don't understand is what the security labels actually
mean; I've had a couple of searches through your pages now and can't see
anything described nor pointers to external documentation.

> A confined user can create a function with "user_sepgsql_proc_exec_t"
> (which is the default one for confined users), but it is not a trusted
> procedure, so the "SELECT * FROM customer" is executed with the confined
> user's privileges as is, then it will fail due to the lack of
> permission on customer.credit.

So an "unconfined user" (whatever that means??) is basically working
with DACs then?

--
  Sam  http://samason.me.uk/

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
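The DAC analogue of the trusted-procedure case discussed in this thread, as an added example that is not part of either message. The column-level GRANT and the SECURITY DEFINER function are standard PostgreSQL (8.4 and later); the role, table and column names are assumed for illustration. The last CREATE FUNCTION repeats the SECURITY_LABEL clause exactly as it appears in the quoted message, for side-by-side comparison only: it requires the SE-PostgreSQL patch under discussion and does not parse on an unpatched server.

```sql
-- Added example, not from the thread. Role and table names are assumed.

CREATE ROLE confined_user LOGIN;          -- hypothetical low-privilege role

CREATE TABLE customer (
    id     integer PRIMARY KEY,
    name   text,
    credit numeric                        -- the column the thread says must stay hidden
);

-- DAC, step 1: column-level privileges. confined_user may read id and name
-- but not credit, so a direct "SELECT * FROM customer" is refused.
GRANT SELECT (id, name) ON customer TO confined_user;

-- As confined_user:
--   SET ROLE confined_user;
--   SELECT * FROM customer;      -- ERROR: permission denied for relation customer
--   SELECT id, name FROM customer;   -- allowed
--   RESET ROLE;

-- DAC, step 2: the "trusted procedure" equivalent. A SECURITY DEFINER
-- function runs with its owner's privileges, not the caller's. Whoever
-- owns the function (here, the role that created the table) is therefore
-- the one deciding that confined_user may see credit through this code path.
CREATE OR REPLACE FUNCTION show_customers() RETURNS SETOF customer
    LANGUAGE sql
    SECURITY DEFINER
    SET search_path = public, pg_temp     -- pin the search path so the body cannot be hijacked
    AS 'SELECT * FROM customer';

REVOKE ALL ON FUNCTION show_customers() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION show_customers() TO confined_user;

-- As confined_user:
--   SET ROLE confined_user;
--   SELECT * FROM show_customers();  -- succeeds, credit included
--   RESET ROLE;

-- MAC, as described in the thread (SE-PostgreSQL syntax from the quoted
-- message; will not parse without that patch). The body is identical, but
-- it only becomes a trusted procedure if the function carries the
-- sepgsql_trusted_proc_exec_t label, and db_procedure:{create} in the
-- SELinux policy, not the function's owner, decides who may attach that
-- label. A confined user's function keeps the default
-- user_sepgsql_proc_exec_t label and executes with the caller's own
-- privileges, so its SELECT * still fails on customer.credit.
CREATE OR REPLACE FUNCTION show_customers_mac() RETURNS SETOF customer
    LANGUAGE sql
    SECURITY_LABEL = 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'
    AS 'SELECT * FROM customer';
```

The difference the two halves make visible is who holds the escalation decision: under DAC it is the object owner, who can hand out SECURITY DEFINER functions at will; under the MAC model in the thread it is the loaded SELinux policy, which the owner cannot override by relabelling.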