Filename: pgsql-uavc-comments-update.patch
Type: application/octet-stream
Part: 0
Message: Re: [v9.1] sepgsql - userspace access vector cache
diff --git a/contrib/sepgsql/uavc.c b/contrib/sepgsql/uavc.c
index bcf0d4c..f28c398 100644
--- a/contrib/sepgsql/uavc.c
+++ b/contrib/sepgsql/uavc.c
@@ -133,10 +133,33 @@ sepgsql_avc_reclaim(void)
 /*
  * sepgsql_avc_check_valid
  *
- * It checks whether the cached entries are still valid, or not.
- * If security policy has been reloaded since last reference of access
- * vector cache, we have to release all the entries, because they are
- * not valid yet.
+ * It checks whether the cached entries still hold valid access control
+ * decision, or not. If the security policy has been reloaded (or any
+ * other events that requires to reset userspace caches) since last
+ * reference of access vector cache, we have to release all the entries
+ * being invalid.
+ *
+ * An access control decision must be done in atomic; from concurrent
+ * reloading of the security policy in kernel side, although it takes
+ * a few system call invocation for an access control decision; as we
+ * implemented in sepgsql_compute_avd().
+ * So, a typical implementation to reference avc should be enclosed by
+ * do { ... } while() loop, as follows:
+ *
+ *   sepgsql_avc_check_valid();
+ *   do {
+ *           :
+ *       <reference to uavc>
+ *           :
+ *   } while (!sepgsql_avc_check_valid())
+ *
+ * The first sepgsql_avc_check_valid() reset cached entries, if the
+ * security policy had been reloaded since the last call.
+ * The second call after references to uavc checks reload of the policy
+ * during reference to uavc, although it is quite rare.
+ * In this case, we retry the reference to uavc; it always invokes
+ * system call towards the new policy because sepgsql_avc_checl_valid()
+ * also takes sepgsql_avc_reset() when it returns false.
  */
 static bool
 sepgsql_avc_check_valid(void)
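Review bot: the last sentence of the new comment refers to sepgsql_avc_checl_valid(), a typo for sepgsql_avc_check_valid(); please fix it before commit, since comments are where people go looking for the function name. The paragraph on atomicity is also hard to parse ("must be done in atomic; from concurrent reloading ... although it takes a few system call invocation") and would be clearer as: "An access control decision must be computed atomically with respect to a concurrent reload of the security policy on the kernel side, even though sepgsql_compute_avd() needs several system calls to produce it." The sample loop should end with a semicolon, `} while (!sepgsql_avc_check_valid());`, because snippets in comments tend to be copied verbatim. The pattern itself is sound: the trailing check both detects a reload that happened during the uavc reference and resets the cache, so the retry is guaranteed to consult the new policy.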
@@ -221,9 +244,15 @@ sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
 		sepgsql_compute_avd(scontext, ucontext, tclass, &avd);
 
 	/*
-	 * To boost up trusted procedure checks on db_procedure object
-	 * class, we also confirm the decision when user calls a procedure
-	 * labeled as 'tcontext'.
+	 * It also caches a security label to be switched when a client
+	 * labeled as 'scontext' executes a procedure labeled as 'tcontext',
+	 * not only access control decision on the procedure.
+	 * The security label to be switched shall be computed uniquely on
+	 * a pair of 'scontext' and 'tcontext', thus, it is reasonable to
+	 * cache the new label on avc, and enables to reduce unnecessary
+	 * system calls.
+	 * It shall be referenced at sepgsql_needs_fmgr_hook to check whether
+	 * the supplied function is a trusted procedure, or not.
 	 */
 	if (tclass == SEPG_CLASS_DB_PROCEDURE)
 	{
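Review bot: the rewritten comment should state the invariant that makes this caching safe more directly, since that is the point a future reader will question: the label to switch to is a pure function of the ('scontext', 'tcontext') pair, so it can live in the same avc entry as the access decision and is invalidated together with it when sepgsql_avc_check_valid() resets the cache after a policy reload. Suggested wording for the opening: "Besides the access control decision, this entry also caches the security label a client labeled 'scontext' switches to when it executes a procedure labeled 'tcontext'. That label is determined solely by the (scontext, tcontext) pair, so caching it here avoids repeated system calls." The pointer to sepgsql_needs_fmgr_hook as the consumer is useful and should stay; "shall be computed uniquely on a pair" and "enables to reduce" are the phrases to tidy.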