On Fri, Jan 21, 2011 at 11:00 AM, Kohei KaiGai <kai...@kaigai.gr.jp> wrote: > 2011/1/22 Robert Haas <robertmh...@gmail.com>: >> On Fri, Jan 21, 2011 at 10:46 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >>> Robert Haas <robertmh...@gmail.com> writes: >>>> On Fri, Jan 21, 2011 at 9:55 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >>>>> ALTER FUNCTION is supposed to cause plan invalidation in such a case. >>>>> Not sure if GRANT plays nice with that though. >>> >>>> And in the case of SE-Linux, this could get changed from outside the >>>> database. Not sure how to handle that. I guess we could just never >>>> inline anything, but that might be an overreaction. >>> >>> I think SELinux is just out of luck in that case. If it didn't refuse >>> execution permission at the time we checked before inlining (which we >>> do), it doesn't get to change its mind later. >> >> Seems reasonable to me, if it works for KaiGai. >> > I assume users of SE-PostgreSQL put their first priority on security, > not best-performance. So, I also think it is reasonable to kill a part of > optimization for the strict security checks. > > Here is one request for the hook. > needs_fmgr_hook() is called by fmgr_info_cxt_security() and routines > to inline. I need a flag to distinct these cases, because we don't need > to invoke all the functions via fmgr_security_definer(), even if it never > allows to inline.
I don't want to go there, and it's not what Tom was proposing anyway. The idea is - if the user creates a function which is NOT a trusted procedure and executes it, and then subsequently changes the system security policy so that it becomes a trusted procedure, the user will be responsible for flushing the cached plans before the new value will take effect. That doesn't require nearly as much de-optimization, and I don't believe it is a serious issue from a security perspective, either. (Note that the reverse case, where a trusted procedure is demoted to a non-trusted procedure, isn't an issue, because we will have suppressed inlining and the new execution will follow the right rules, just with reduced performance.) -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
