Re: Updates of SE-PostgreSQL 8.4devel patches (r1710)

KaiGai Kohei wrote:
> I wonder why the vanilla PostgreSQL does not put pg_proc_aclcheck()
> on the ExecCallTriggerFunc().

I don't think we can assume any trigger functions are "trusted",
because normal users with ACL_TRIGGER privilege can set their
procedures on the allowed tables.
It also means someone without ACL_EXECUTE to invoke the functions,
but I cannot believe ACL_TRIGGER implicitly contains such a meaning.

Indeed, I put a hook to check db_procedure:{execute} permission
in SELinux, but putting pg_proc_aclcheck() here is meaningful
not only SE-PostgreSQL users.

I found another matter related to triggers.
I'll report it on another messages.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
*** src/backend/commands/trigger.c    (revision 1704)
--- src/backend/commands/trigger.c    (working copy)
***************
*** 1560,1566 ****
--- 1560,1576 ----
       * call.
       */
      if (finfo->fn_oid == InvalidOid)
+     {
+         AclResult    aclresult;
+
+         aclresult = pg_proc_aclcheck(trigdata->tg_trigger->tgfoid,
+                                      GetUserId(), ACL_EXECUTE);
+         if (aclresult != ACLCHECK_OK)
+             aclcheck_error(aclresult, ACL_KIND_PROC,
+                            get_func_name(trigdata->tg_trigger->tgfoid));
+
          fmgr_info(trigdata->tg_trigger->tgfoid, finfo);
+     }

      Assert(finfo->fn_oid == trigdata->tg_trigger->tgfoid);