Commit Graph

45 Commits

Author SHA1 Message Date
Bruce Momjian
7e04792a1c Update copyright for 2014
Update all files in head, and files COPYRIGHT and legal.sgml in all back
branches.
2014-01-07 16:05:30 -05:00
Robert Haas
568d4138c6 Use an MVCC snapshot, rather than SnapshotNow, for catalog scans.
SnapshotNow scans have the undesirable property that, in the face of
concurrent updates, the scan can fail to see either the old or the new
versions of the row.  In many cases, we work around this by requiring
DDL operations to hold AccessExclusiveLock on the object being
modified; in some cases, the existing locking is inadequate and random
failures occur as a result.  This commit doesn't change anything
related to locking, but will hopefully pave the way to allowing lock
strength reductions in the future.

The major issue has held us back from making this change in the past
is that taking an MVCC snapshot is significantly more expensive than
using a static special snapshot such as SnapshotNow.  However, testing
of various worst-case scenarios reveals that this problem is not
severe except under fairly extreme workloads.  To mitigate those
problems, we avoid retaking the MVCC snapshot for each new scan;
instead, we take a new snapshot only when invalidation messages have
been processed.  The catcache machinery already requires that
invalidation messages be sent before releasing the related heavyweight
lock; else other backends might rely on locally-cached data rather
than scanning the catalog at all.  Thus, making snapshot reuse
dependent on the same guarantees shouldn't break anything that wasn't
already subtly broken.

Patch by me.  Review by Michael Paquier and Andres Freund.
2013-07-02 09:47:01 -04:00
Bruce Momjian
9af4159fce pgindent run for release 9.3
This is the first run of the Perl-based pgindent script.  Also update
pgindent instructions.
2013-05-29 16:58:43 -04:00
Tom Lane
f8db76e875 Editorialize a bit on new ProcessUtility() API.
Choose a saner ordering of parameters (adding a new input param after
the output params seemed a bit random), update the function's header
comment to match reality (cmon folks, is this really that hard?),
get rid of useless and sloppily-defined distinction between
PROCESS_UTILITY_SUBCOMMAND and PROCESS_UTILITY_GENERATED.
2013-04-28 00:18:45 -04:00
Robert Haas
f050457978 sepgsql: Minor improvement to test script, doc fix.
KaiGai Kohei
2013-04-17 09:55:24 -04:00
Robert Haas
0bf5c548d6 sepgsql: One more getObjectIdentity in lieu of getObjectDescription.
KaiGai Kohei, based on a suggestion from Álvaro Herrera
2013-04-17 09:52:59 -04:00
Robert Haas
f8a54e936b sepgsql: Enforce db_procedure:{execute} permission.
To do this, we add an additional object access hook type,
OAT_FUNCTION_EXECUTE.

KaiGai Kohei
2013-04-12 08:58:01 -04:00
Robert Haas
b620fdabba sepgql: Use getObjectIdentity rather than getObjectDescription.
KaiGai Kohei, based on a suggestion from Álvaro Herrera
2013-04-12 08:35:55 -04:00
Robert Haas
e965e6344c sepgsql: Enforce db_schema:search permission.
KaiGai Kohei, with comment and doc wordsmithing by me
2013-04-05 08:51:31 -04:00
Robert Haas
0f05840bf4 Allow sepgsql labels to depend on object name.
The main change here is to call security_compute_create_name_raw()
rather than security_compute_create_raw().  This ups the minimum
requirement for libselinux from 2.0.99 to 2.1.10, but it looks
like most distributions will have picked that up before 9.3 is out.

KaiGai Kohei
2013-03-28 15:41:38 -04:00
Robert Haas
1cea9bbb21 sepgsql: Support for new post-ALTER access hook.
KaiGai Kohei
2013-03-27 08:14:19 -04:00
Bruce Momjian
bd61a623ac Update copyrights for 2013
Fully update git head, and update back branches in ./COPYRIGHT and
legal.sgml files.
2013-01-01 17:15:01 -05:00
Alvaro Herrera
f4c4335a4a Add context info to OAT_POST_CREATE security hook
... and have sepgsql use it to determine whether to check permissions
during certain operations.  Indexes that are being created as a result
of REINDEX, for instance, do not need to have their permissions checked;
they were already checked when the index was created.

Author: KaiGai Kohei, slightly revised by me
2012-10-23 18:24:24 -03:00
Robert Haas
aa2b237ce5 sepgsql cleanups.
This is needed to match recent changes elsewhere.  Along the way, some
renaming for clarity.

KaiGai Kohei
2012-09-05 14:01:59 -04:00
Robert Haas
d7c734841b Reduce messages about implicit indexes and sequences to DEBUG1.
Per recent discussion on pgsql-hackers, these messages are too
chatty for most users.
2012-07-04 20:35:29 -04:00
Bruce Momjian
927d61eeff Run pgindent on 9.2 source tree in preparation for first 9.3
commit-fest.
2012-06-10 15:20:04 -04:00
Robert Haas
8fbe5a317d Fix error message for COMMENT/SECURITY LABEL ON COLUMN xxx IS 'yyy'
When the column name is an unqualified name, rather than table.column,
the error message complains about too many dotted names, which is
wrong.  Report by Peter Eisentraut based on examination of the
sepgsql regression test output, but the problem also affects COMMENT.
New wording as suggested by Tom Lane.
2012-05-22 11:23:36 -04:00
Robert Haas
e01e66f808 More duplicate word removal. 2012-05-02 09:28:16 -04:00
Robert Haas
5d4b60f2f2 Lots of doc corrections.
Josh Kupershmidt
2012-04-23 22:43:09 -04:00
Robert Haas
523176cbf1 sepgsql_setcon().
This is intended as infrastructure to allow sepgsql to cooperate with
connection pooling software, by allowing the effective security label
to be set for each new connection.

KaiGai Kohei, reviewed by Yeb Havinga.
2012-03-15 16:08:40 -04:00
Robert Haas
e914a144d3 sepgsql DROP support.
KaiGai Kohei
2012-03-09 15:18:45 -05:00
Robert Haas
d44a3fb55d sepgsql: Move some code from hooks.c to label.c
This is some preliminary refactoring related to a pending patch
to allow sepgsql-enable sessions to make dynamic label transitions.
But this commit doesn't involve any functional change: it just puts
some bits of code in more logical places.

KaiGai Kohei
2012-02-15 13:54:26 -05:00
Bruce Momjian
e126958c2e Update copyright notices for year 2012. 2012-01-01 18:01:58 -05:00
Robert Haas
e1042a3484 sepgsql: Check CREATE permissions for some object types.
KaiGai Kohei, reviewed by Dimitri Fontaine and me.
2011-12-21 09:14:02 -05:00
Tom Lane
cc4ff8742b Take sepgsql regression tests out of the regular regression test mechanism.
Because these tests require root privileges, not to mention invasive
changes to the security configuration of the host system, it's not
reasonable for them to be invoked by a regular "make check" or "make
installcheck".  Instead, dike out the Makefile's knowledge of the tests,
and change chkselinuxenv (now renamed "test_sepgsql") into a script that
verifies the environment is workable and then runs the tests.  It's
expected that test_sepgsql will only be run manually.

While at it, do some cleanup in the error checking in the script, and
do some wordsmithing in the documentation.
2011-09-27 20:07:15 -04:00
Robert Haas
a9d845be49 sepgsql uavc comment improvements.
Robert Haas and KaiGai Kohei
2011-09-27 08:37:46 -04:00
Robert Haas
291873c155 Teach sepgsql about database labels.
This is still a bit of a hack, but it's better than the old way, for sure.

KaiGai Kohei, with one change by me to make it compile
2011-09-23 17:09:34 -04:00
Robert Haas
e50b052a3b Add missing brackets to chkselinuxenv. 2011-09-23 17:02:09 -04:00
Robert Haas
4232c4b406 Userspace access vector cache for contrib/sepgsql.
KaiGai Kohei
2011-09-01 08:38:40 -04:00
Robert Haas
3d14bd2563 Fix "is db labeled test?" in chkselinuxenv script.
Don't test whether the number of labels is numerically equal to zero;
count(*) isn't going return zero anyway, and the current coding blows
up if it returns an empty string or an error.
2011-09-01 08:28:26 -04:00
Tom Lane
d1d388603e Fix pgxs.mk to always add --dbname=$(CONTRIB_TESTDB) to REGRESS_OPTS.
The previous coding resulted in contrib modules unintentionally overriding
the use of CONTRIB_TESTDB.  There seems no particularly good reason to
allow that (after all, the makefile can set CONTRIB_TESTDB if that's really
what it intends).

In passing, document REGRESS_OPTS where the other pgxs.mk options are
documented.

Back-patch to 9.1 --- in prior versions, there were no cases of contrib
modules setting REGRESS_OPTS without including the --dbname switch, so
while the coding was fragile there was no actual bug.
2011-08-24 15:16:50 -04:00
Robert Haas
a4b3feebc4 Clean up 'chkselinuxenv' script.
Eliminate dependencies on "which", as we don't really need that to be
installed for proper testing.  Don't number the tests, as that increases
the footprint of every patch that wants to add or remove tests.  Make
the test output more informative, so that it's a bit easier to see what
went right (or wrong).  Spelling and grammar improvements.
2011-08-19 13:09:40 -04:00
Robert Haas
10c378f235 Fix contrib/sepgsql and contrib/xml2 to always link required libraries.
contrib/xml2 can get by without libxslt; the relevant features just
won't work.  But if doesn't have libxml2, or if sepgsql doesn't have
libselinux, the link succeeds but the module then fails to work at load
time.  To avoid that, link the require libraries unconditionally, so
that it will be clear at link-time that there is a problem.

Per discussion with Tom Lane and KaiGai Kohei.
2011-08-19 12:00:45 -04:00
Robert Haas
a64bdf5f65 Allow sepgsql regression tests to be run from a user homedir.
KaiGai Kohei, with some changes by me.
2011-08-19 11:53:14 -04:00
Robert Haas
ffaf9eca4c Typo fix. 2011-08-18 13:10:43 -04:00
Robert Haas
8cca49d8a0 Add some environment checks prior to sepgsql regression testing.
This probably needs more work, but it's a start.

KaiGai Kohei
2011-07-25 10:51:02 -04:00
Bruce Momjian
bf50caf105 pgindent run before PG 9.1 beta 1. 2011-04-10 11:42:00 -04:00
Tom Lane
2594cf0e8c Revise the API for GUC variable assign hooks.
The previous functions of assign hooks are now split between check hooks
and assign hooks, where the former can fail but the latter shouldn't.
Aside from being conceptually clearer, this approach exposes the
"canonicalized" form of the variable value to guc.c without having to do
an actual assignment.  And that lets us fix the problem recently noted by
Bernd Helmle that the auto-tune patch for wal_buffers resulted in bogus
log messages about "parameter "wal_buffers" cannot be changed without
restarting the server".  There may be some speed advantage too, because
this design lets hook functions avoid re-parsing variable values when
restoring a previous state after a rollback (they can store a pre-parsed
representation of the value instead).  This patch also resolves a
longstanding annoyance about custom error messages from variable assign
hooks: they should modify, not appear separately from, guc.c's own message
about "invalid parameter value".
2011-04-07 00:12:02 -04:00
Robert Haas
595a441ae9 Add missing check on invocation of trusted procedures.
KaiGai Kohei
2011-04-04 13:25:42 -04:00
Alvaro Herrera
e5948e3504 Add missing #include 2011-03-28 10:37:29 -03:00
Robert Haas
24bc6b3db3 Remove rule to build sepgsql-regtest.pp.
Instead, document how to build it manually.

Per discussion.  KaiGai Kohei, with some wordsmithing by me.
2011-02-17 06:40:32 -05:00
Robert Haas
87d967f70f Minor sepgsql regression test fixes. 2011-02-02 23:46:51 -05:00
Robert Haas
c7689ee733 Various sepgsql corrections.
KaiGai Kohei
2011-02-02 23:39:43 -05:00
Robert Haas
194c8f713a First round of cleanup of sepgsql code and documentation.
Robert Haas, with a few suggestions from Thom Brown
2011-01-23 22:48:22 -05:00
Robert Haas
968bc6fac9 sepgsql, an SE-Linux integration for PostgreSQL
This is still pretty rough - among other things, the documentation
needs work, and the messages need a visit from the style police -
but this gets the basic framework in place.

KaiGai Kohei
2011-01-23 20:48:27 -05:00