Re: 8.4 release planning

Joshua Brindle <method@manicmethod.com>

From: Joshua Brindle <method@manicmethod.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Ron Mayer <rm_pg@cheapcomplexdevices.com>, Stephen Frost <sfrost@snowman.net>, Gregory Stark <stark@enterprisedb.com>, Robert Haas <robertmhaas@gmail.com>, Simon Riggs <simon@2ndquadrant.com>, Josh Berkus <josh@agliodbs.com>, "Joshua D. Drake" <jd@commandprompt.com>, Merlin Moncure <mmoncure@gmail.com>, "Jonah H. Harris" <jonah.harris@gmail.com>, Bruce Momjian <bruce@momjian.us>, Bernd Helmle <mailings@oopsware.de>, Peter Eisentraut <peter_e@gmx.net>, pgsql-hackers@postgresql.org
Date: 2009-01-27T20:34:17Z
Lists: pgsql-hackers
Tom Lane wrote:
> Ron Mayer <rm_pg@cheapcomplexdevices.com> writes:
>> It seems to me that there are two different standards to which this feature
>> might be held.
> 
>> Is the goal
>>   a) SEPostgres can provide useful rules to add security to some
>>      specific applications so long as you're careful to avoid crafting
>>      policies that produce bizarre behaviors (like avoiding restricing
>>      access to foreign key data you might need).   On the other hand it
>>      gives you enough rope to hang yourself and produce weird results
>>      that don't make sense from a SQL standard point of view if you
>>      aren't careful matching the SEPostgres rules with your apps.
> 
>> or
>>   b) SEPostgreSQL should only give enough rope that you can not
>>      craft rules that produce unexpected behavior from a SQL point
>>      of view; and that it would be bad if one can produce SEPostgres
>>      policies that produce unexpected SQL behavior.
> 
> With my other hat on (the red one) what I'm concerned about is whether
> this patch will ever produce a feature that I could turn on in the
> standard Red Hat/Fedora build of Postgres.  Right at the moment it seems
> that the potential performance hit, for users who are *not using*
> SEPostgres but merely have to use a build in which it is present,
> might be bad enough to guarantee that that will never happen.
> 

According to the comments in security/sepgsql/core.c:


/*
  * sepgsqlIsEnabled
  *
  * This function returns the state of SE-PostgreSQL when PGACE hooks
  * are invoked, to prevent to call sepgsqlXXXX() functions when
  * SE-PostgreSQL is disabled.
  *
  * We can config the state of SE-PostgreSQL in $PGDATA/postgresql.conf.
  * The GUC option "sepostgresql" can have the following four parameter.
  *
  * - default    : It always follows the in-kernel SELinux state. When it
  *                works in Enforcing mode, SE-PostgreSQL also works in
  *                Enforcing mode. Changes of in-kernel state are delivered
  *                to userspace SE-PostgreSQL soon, and SELinux state
  *                monitoring process updates it rapidly.
  * - enforcing  : It always works in Enforcing mode. In-kernel SELinux
  *                has to be enabled.
  * - permissive : It always works in Permissive mode. In-kernel SELinux
  *                has to be enabled.
  * - disabled   : It disables SE-PostgreSQL feature. It works as if
  *                original PostgreSQL
  */


and in the hooks there is a pgace_feature that turns off the checks:

void
pgaceGramAlterRelation(Relation rel, HeapTuple tuple, DefElem *defel)
{
         switch (pgace_feature)
         {
#ifdef HAVE_SELINUX
         case PGACE_FEATURE_SELINUX:
                 if (sepgsqlIsEnabled())
                 {
                         sepgsqlGramAlterRelation(rel, tuple, defel);
                         return;
                 }
                 break;
#endif
         default:
                 break;
         }

         if (defel)
                 ereport(ERROR,
                                 (errcode(ERRCODE_PGACE_ERROR),
                                  errmsg("unable to set security attribute of 
table "
                                                 "via ALTER TABLE")));
}


So the pgace_feature turns off the backend call, there is an extra function 
call, and a branch but that shouldn't cause the kind of performance degradation 
you are talking about.