KaiGai Kohei <kaigai@kaigai.gr.jp> writes:
> Yes, the purpose of sepgsqlCheckProcedureInstall() is to prevent users
> to invoke functions installed by other malicious/untrusted one, typically
> known as trojan-horse.
> ...
> We should not assume only C-functions can be installed on pg_conversion
> (and other internal stuff), because a superuser can update system catalog
> by hand.
> ...
> SE-PostgreSQL intends to acquire them and apply access control policy
> in this case also.
I don't think that anyone except KaiGai-san has bought into the concept
that sepostgres should get to override superuser capabilities, much less
that it should be trying to control semantics at this kind of level of
detail.
I've been convinced for awhile that the sepostgres project is going
off the rails, and these last couple of exchanges just confirm the fear.
This is absolutely *not* the kind of thing that we should be designing
four months after feature freeze.
regards, tom lane