Re: [v9.1] sepgsql - userspace access vector cache
From | Kohei KaiGai |
---|---|
Subject | Re: [v9.1] sepgsql - userspace access vector cache |
Date | |
Msg-id | CADyhKSUZLe7jpzWi-WDTW8mUdmaSa8dvXfhpDy2KmYtxzmsBqg@mail.gmail.com |
In response to | Re: [v9.1] sepgsql - userspace access vector cache (Kohei KaiGai <kaigai@kaigai.gr.jp>) |
Responses |
Re: [v9.1] sepgsql - userspace access vector cache
Re: [v9.1] sepgsql - userspace access vector cache |
List | pgsql-hackers |
BTW, what is the current status of this patch?

The status of the contrib/sepgsql part is unclear to me, although we agreed
that syscache is a suitable mechanism for security labels.

Thanks,

2011/7/22 Kohei KaiGai <kaigai@kaigai.gr.jp>:
> 2011/7/22 Yeb Havinga <yebhavinga@gmail.com>:
>> On 2011-07-22 11:55, Kohei Kaigai wrote:
>>>
>>>> 2) Also I thought if it could work to not remember tcontext is valid, but
>>>> instead remember the consequence, which is that it is replaced by
>>>> "unlabeled". It makes the avc_cache struct shorter and the code somewhat
>>>> simpler.
>>>>
>>> Here is a reason why we hold tcontext, even if it is not valid.
>>> The hash key of avc_cache is a combination of scontext, tcontext and tclass.
>>> Thus, if we replaced an invalid tcontext by unlabeled context, it would
>>> always make cache mishit and performance loss.
>>
>> I see that now, thanks.
>>
>> I have no further comments, and I think that the patch in its current
>> status is ready for committer.
>>
> Thanks for your reviewing.
>
> The attached patch is a revised one according to your suggestion to
> include fallback for 'unlabeled' label within sepgsql_avc_lookup().
> And I found a noise in regression test results, so eliminated it from v5.
> --
> KaiGai Kohei <kaigai@kaigai.gr.jp>
>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>
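
The cache-key trade-off from the quoted exchange, as an added example that is not part of the original message and is not sepgsql's code: a toy cache keyed by (scontext, tcontext, tclass) that counts policy round trips when the same invalid tcontext is looked up repeatedly, once with the key kept as given and once with it replaced by the unlabeled context. The sample labels, `label_is_valid`, `compute_av`, `queries_for_invalid_label` and the linear scan standing in for the hash are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 8
#define UNLABELED "system_u:object_r:unlabeled_t:s0"  /* constructed label */

typedef struct {
    bool     used, tcontext_is_valid;
    char     scontext[64], tcontext[64];  /* tcontext kept as given, valid or not */
    uint16_t tclass; uint32_t allowed;
} avc_entry;
static avc_entry cache[SLOTS];
static unsigned  next_slot, policy_queries;  /* policy_queries: costly round trips */

/* Stand-in for the policy: only labels ending in ":s0" count as valid. */
static bool label_is_valid(const char *l) {
    size_t n = strlen(l);
    return n >= 3 && strcmp(l + n - 3, ":s0") == 0;
}
static uint32_t compute_av(const char *tcontext) {
    policy_queries++;
    return strcmp(tcontext, UNLABELED) == 0 ? 0x1 : 0x3;  /* toy decision */
}

/* Key is (scontext, tcontext, tclass); a linear scan stands in for the hash.
 * keep_key=true stores the caller's tcontext; false stores UNLABELED instead. */
uint32_t avc_lookup(const char *s, const char *t, uint16_t c, bool keep_key) {
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && cache[i].tclass == c &&
            strcmp(cache[i].scontext, s) == 0 && strcmp(cache[i].tcontext, t) == 0)
            return cache[i].allowed;                      /* cache hit */
    bool valid = label_is_valid(t);
    const char *eff = valid ? t : UNLABELED;  /* invalid label: decide as unlabeled */
    avc_entry *e = &cache[next_slot++ % SLOTS];
    e->used = true; e->tcontext_is_valid = valid; e->tclass = c;
    snprintf(e->scontext, sizeof e->scontext, "%s", s);
    snprintf(e->tcontext, sizeof e->tcontext, "%s", keep_key ? t : eff);
    return e->allowed = compute_av(eff);
}

/* Look up the same invalid target label n times; return policy round trips. */
unsigned queries_for_invalid_label(int n, bool keep_key) {
    memset(cache, 0, sizeof cache);
    next_slot = policy_queries = 0;
    for (int i = 0; i < n; i++)
        avc_lookup("system_u:system_r:client_t:s0", "stale_u:object_r:gone_t", 1, keep_key);
    return policy_queries;
}
```

Both variants return the same decision for the invalid label; only the number of policy round trips differs, because an entry stored under the unlabeled key never matches a later lookup that still carries the original label.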