Commit 7f11724b authored by Noah Misch's avatar Noah Misch

Remove the SECURITY_ROW_LEVEL_DISABLED security context bit.

This commit's parent made superfluous the bit's sole usage.  Referential
integrity checks have long run as the subject table's owner, and that
now implies RLS bypass.  Safe use of the bit was tricky, requiring
strict control over the SQL expressions evaluating therein.  Back-patch
to 9.5, where the bit was introduced.

Based on a patch by Stephen Frost.
parent 537bd178
...@@ -2970,7 +2970,6 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes, ...@@ -2970,7 +2970,6 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes,
Relation query_rel; Relation query_rel;
Oid save_userid; Oid save_userid;
int save_sec_context; int save_sec_context;
int temp_sec_context;
/* /*
* Use the query type code to determine whether the query is run against * Use the query type code to determine whether the query is run against
...@@ -2983,22 +2982,8 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes, ...@@ -2983,22 +2982,8 @@ ri_PlanCheck(const char *querystr, int nargs, Oid *argtypes,
/* Switch to proper UID to perform check as */ /* Switch to proper UID to perform check as */
GetUserIdAndSecContext(&save_userid, &save_sec_context); GetUserIdAndSecContext(&save_userid, &save_sec_context);
/*
* Row-level security should be disabled in the case where a foreign-key
* relation is queried to check existence of tuples that references the
* primary-key being modified.
*/
temp_sec_context = save_sec_context | SECURITY_LOCAL_USERID_CHANGE;
if (qkey->constr_queryno == RI_PLAN_CHECK_LOOKUPPK
|| qkey->constr_queryno == RI_PLAN_CHECK_LOOKUPPK_FROM_PK
|| qkey->constr_queryno == RI_PLAN_RESTRICT_DEL_CHECKREF
|| qkey->constr_queryno == RI_PLAN_RESTRICT_UPD_CHECKREF)
temp_sec_context |= SECURITY_ROW_LEVEL_DISABLED;
SetUserIdAndSecContext(RelationGetForm(query_rel)->relowner, SetUserIdAndSecContext(RelationGetForm(query_rel)->relowner,
temp_sec_context); save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
/* Create the plan */ /* Create the plan */
qplan = SPI_prepare(querystr, nargs, argtypes); qplan = SPI_prepare(querystr, nargs, argtypes);
......
...@@ -204,7 +204,6 @@ CreateCachedPlan(Node *raw_parse_tree, ...@@ -204,7 +204,6 @@ CreateCachedPlan(Node *raw_parse_tree,
plansource->total_custom_cost = 0; plansource->total_custom_cost = 0;
plansource->num_custom_plans = 0; plansource->num_custom_plans = 0;
plansource->hasRowSecurity = false; plansource->hasRowSecurity = false;
plansource->rowSecurityDisabled = InRowLevelSecurityDisabled();
plansource->row_security_env = row_security; plansource->row_security_env = row_security;
plansource->planUserId = InvalidOid; plansource->planUserId = InvalidOid;
...@@ -601,17 +600,10 @@ RevalidateCachedQuery(CachedPlanSource *plansource) ...@@ -601,17 +600,10 @@ RevalidateCachedQuery(CachedPlanSource *plansource)
} }
/* /*
* Check if row security is enabled for this query and things have changed * If the plan has a possible RLS dependency, force a replan if either the
* such that we need to invalidate this plan and rebuild it. Note that if * role or the row_security setting has changed.
* row security was explicitly disabled (eg: this is a FK check plan) then
* we don't invalidate due to RLS.
*
* Otherwise, if the plan has a possible RLS dependency, force a replan if
* either the role under which the plan was planned or the row_security
* setting has been changed.
*/ */
if (plansource->is_valid if (plansource->is_valid
&& !plansource->rowSecurityDisabled
&& plansource->hasRowSecurity && plansource->hasRowSecurity
&& (plansource->planUserId != GetUserId() && (plansource->planUserId != GetUserId()
|| plansource->row_security_env != row_security)) || plansource->row_security_env != row_security))
......
...@@ -341,7 +341,7 @@ GetAuthenticatedUserId(void) ...@@ -341,7 +341,7 @@ GetAuthenticatedUserId(void)
* GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID * GetUserIdAndSecContext/SetUserIdAndSecContext - get/set the current user ID
* and the SecurityRestrictionContext flags. * and the SecurityRestrictionContext flags.
* *
* Currently there are three valid bits in SecurityRestrictionContext: * Currently there are two valid bits in SecurityRestrictionContext:
* *
* SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation * SECURITY_LOCAL_USERID_CHANGE indicates that we are inside an operation
* that is temporarily changing CurrentUserId via these functions. This is * that is temporarily changing CurrentUserId via these functions. This is
...@@ -359,9 +359,6 @@ GetAuthenticatedUserId(void) ...@@ -359,9 +359,6 @@ GetAuthenticatedUserId(void)
* where the called functions are really supposed to be side-effect-free * where the called functions are really supposed to be side-effect-free
* anyway, such as VACUUM/ANALYZE/REINDEX. * anyway, such as VACUUM/ANALYZE/REINDEX.
* *
* SECURITY_ROW_LEVEL_DISABLED indicates that we are inside an operation that
* needs to bypass row level security checks, for example FK checks.
*
* Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current * Unlike GetUserId, GetUserIdAndSecContext does *not* Assert that the current
* value of CurrentUserId is valid; nor does SetUserIdAndSecContext require * value of CurrentUserId is valid; nor does SetUserIdAndSecContext require
* the new value to be valid. In fact, these routines had better not * the new value to be valid. In fact, these routines had better not
...@@ -404,15 +401,6 @@ InSecurityRestrictedOperation(void) ...@@ -404,15 +401,6 @@ InSecurityRestrictedOperation(void)
return (SecurityRestrictionContext & SECURITY_RESTRICTED_OPERATION) != 0; return (SecurityRestrictionContext & SECURITY_RESTRICTED_OPERATION) != 0;
} }
/*
* InRowLevelSecurityDisabled - are we inside a RLS-disabled operation?
*/
bool
InRowLevelSecurityDisabled(void)
{
return (SecurityRestrictionContext & SECURITY_ROW_LEVEL_DISABLED) != 0;
}
/* /*
* These are obsolete versions of Get/SetUserIdAndSecContext that are * These are obsolete versions of Get/SetUserIdAndSecContext that are
......
...@@ -63,13 +63,6 @@ check_enable_rls(Oid relid, Oid checkAsUser, bool noError) ...@@ -63,13 +63,6 @@ check_enable_rls(Oid relid, Oid checkAsUser, bool noError)
if (relid < FirstNormalObjectId) if (relid < FirstNormalObjectId)
return RLS_NONE; return RLS_NONE;
/*
* Check if we have been told to explicitly skip RLS (perhaps because this
* is a foreign key check)
*/
if (InRowLevelSecurityDisabled())
return RLS_NONE;
tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relid)); tuple = SearchSysCache1(RELOID, ObjectIdGetDatum(relid));
if (!HeapTupleIsValid(tuple)) if (!HeapTupleIsValid(tuple))
return RLS_NONE; return RLS_NONE;
......
...@@ -286,7 +286,6 @@ extern int trace_recovery(int trace_level); ...@@ -286,7 +286,6 @@ extern int trace_recovery(int trace_level);
/* flags to be OR'd to form sec_context */ /* flags to be OR'd to form sec_context */
#define SECURITY_LOCAL_USERID_CHANGE 0x0001 #define SECURITY_LOCAL_USERID_CHANGE 0x0001
#define SECURITY_RESTRICTED_OPERATION 0x0002 #define SECURITY_RESTRICTED_OPERATION 0x0002
#define SECURITY_ROW_LEVEL_DISABLED 0x0004
extern char *DatabasePath; extern char *DatabasePath;
...@@ -305,7 +304,6 @@ extern void GetUserIdAndSecContext(Oid *userid, int *sec_context); ...@@ -305,7 +304,6 @@ extern void GetUserIdAndSecContext(Oid *userid, int *sec_context);
extern void SetUserIdAndSecContext(Oid userid, int sec_context); extern void SetUserIdAndSecContext(Oid userid, int sec_context);
extern bool InLocalUserIdChange(void); extern bool InLocalUserIdChange(void);
extern bool InSecurityRestrictedOperation(void); extern bool InSecurityRestrictedOperation(void);
extern bool InRowLevelSecurityDisabled(void);
extern void GetUserIdAndContext(Oid *userid, bool *sec_def_context); extern void GetUserIdAndContext(Oid *userid, bool *sec_def_context);
extern void SetUserIdAndContext(Oid userid, bool sec_def_context); extern void SetUserIdAndContext(Oid userid, bool sec_def_context);
extern void InitializeSessionUserId(const char *rolename, Oid useroid); extern void InitializeSessionUserId(const char *rolename, Oid useroid);
......
...@@ -111,7 +111,6 @@ typedef struct CachedPlanSource ...@@ -111,7 +111,6 @@ typedef struct CachedPlanSource
int num_custom_plans; /* number of plans included in total */ int num_custom_plans; /* number of plans included in total */
bool hasRowSecurity; /* planned with row security? */ bool hasRowSecurity; /* planned with row security? */
bool row_security_env; /* row security setting when planned */ bool row_security_env; /* row security setting when planned */
bool rowSecurityDisabled; /* is row security disabled? */
} CachedPlanSource; } CachedPlanSource;
/* /*
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment