public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tom Lane <[email protected]>
To: Robert Haas <[email protected]>
Cc: Jacob Champion <[email protected]>
Cc: Andres Freund <[email protected]>
Cc: Jeff Davis <[email protected]>
Cc: PostgreSQL-development <[email protected]>
Cc: Noah Misch <[email protected]>
Subject: Re: sandboxing untrusted code
Date: Mon, 01 Jun 2026 15:05:32 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+TgmoYiumw-yR8nUUX_8qdihPd0ZmT29ch0VR_r+kw+o7QJvQ@mail.gmail.com>
References: <[email protected]>
<CA+TgmoavSQVcvEW3ZgZ7a1Q-TJ-fp0+Nt7W3D7FCawArtTCBCQ@mail.gmail.com>
<[email protected]>
<CA+TgmobjdW845TLqmLod+arVbYRASA8tUaFpBNAm6GwF=UELTA@mail.gmail.com>
<[email protected]>
<[email protected]>
<CA+TgmoaHpmz9-7ybB17B2qpDoqsi7=OWigc-3VBctb6B_x8bKA@mail.gmail.com>
<CA+TgmoZgODUbMEcogibZJejmQWky3rnHfT50_n_DWU7oLm2ghA@mail.gmail.com>
<[email protected]>
<ajvq3mlf7tl72jwgvjhjywgt2i5zrqe6o5i7hx44kkad4mbs6h@pnzcylcxpd5n>
<CA+Tgmob5A2n39cyXvUaAg_1cA5qE1NSTOqt-sStshi+f7F6QHg@mail.gmail.com>
<CA+TgmobA_fqsg3c6zcNQ8O9QbKT6t=0Z+fHhEDTZ9aG8duqqZg@mail.gmail.com>
<CAOYmi+nqsNcAC9=ZocQ+i_zTe55+-xWLD2-Nuu2E7=HDPWdruA@mail.gmail.com>
<CA+TgmoYiumw-yR8nUUX_8qdihPd0ZmT29ch0VR_r+kw+o7QJvQ@mail.gmail.com>
Robert Haas <[email protected]> writes:
> ... One of the worst things for a security system to do is be
> so annoying that users turn it off, and blocking stuff that a human
> will immediately identify as harmless is a quick route to that goal.
Right. I'm reminded of SELinux, which in its early incarnations
was definitely in the category of "too annoying for normal users".
Red Hat spent literally years sanding down the rough edges, and
since then it's been on-by-default on just about every RH-based
machine, with few problems. Don't underestimate the amount of
effort needed to get to that status.
I was only on the periphery of that work, but from what I recall,
the years of fine-tuning were less about the core mechanisms than
about developing a set of policies that didn't get in people's way.
The corresponding labor here would probably be refining our ideas
about which sets of functions to distinguish and making sure that
all the functions are correctly classified.
regards, tom lane
view thread (49+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: sandboxing untrusted code
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox