Return-Path: linux-nfs-owner@vger.kernel.org
Received: from smtp105.biz.mail.bf1.yahoo.com ([98.139.221.43]:28659 "HELO
	smtp105.biz.mail.bf1.yahoo.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with SMTP id S1767956Ab2KOQGy (ORCPT
	<rfc822;linux-nfs@vger.kernel.org>); Thu, 15 Nov 2012 11:06:54 -0500
Message-ID: <50A51195.9080004@schaufler-ca.com>
Date: Thu, 15 Nov 2012 08:00:21 -0800
From: Casey Schaufler <casey@schaufler-ca.com>
MIME-Version: 1.0
To: David Quigley <dpquigl@davequigley.com>
CC: "J. Bruce Fields" <bfields@fieldses.org>,
        Steve Dickson <steved@redhat.com>,
        "David P. Quigley" <selinux@davequigley.com>,
        trond.myklebust@netapp.com, sds@tycho.nsa.gov,
        linux-nfs@vger.kernel.org, selinux@tycho.nsa.gov,
        linux-security-module@vger.kernel.org,
        Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: Labeled NFS [v5]
References: <50A116F0.5050404@davequigley.com> <20121112160959.GK30713@fieldses.org> <50A16269.4060601@RedHat.com> <50A1A4EE.7030507@davequigley.com> <50A24345.8080309@RedHat.com> <50A31EF5.1050801@davequigley.com> <20121114134535.GD23604@fieldses.org> <624cc90c1bf726d8ff1a1ea0ace5f50f@countercultured.net> <20121114135939.GE23604@fieldses.org> <80f36fef2a58eb538bce28daba3a862a@countercultured.net> <20121114142458.GF23604@fieldses.org> <4f9b24e3942b4a28cd9068d5bc0135fa@countercultured.net>
In-Reply-To: <4f9b24e3942b4a28cd9068d5bc0135fa@countercultured.net>
Content-Type: text/plain; charset=UTF-8
Sender: linux-nfs-owner@vger.kernel.org
List-ID: <linux-nfs.vger.kernel.org>

On 11/14/2012 6:30 AM, David Quigley wrote:
> On 11/14/2012 09:24, J. Bruce Fields wrote:
>> On Wed, Nov 14, 2012 at 09:04:18AM -0500, David Quigley wrote:
>>> On 11/14/2012 08:59, J. Bruce Fields wrote:
>>> >On Wed, Nov 14, 2012 at 08:50:17AM -0500, David Quigley wrote:
>>> >>On 11/14/2012 08:45, J. Bruce Fields wrote:
>>> >>>On Tue, Nov 13, 2012 at 11:32:53PM -0500, Dave Quigley wrote:
>>> >>>>Ok so if you go to http://www.selinuxproject.org/git you will
>>> >>see a
>>> >>>>repo for lnfs and lnfs-patchset. The instructions at
>>> >>>>http://www.selinuxproject.org/page/Labeled_NFS give you a better
>>> >>>>indication on how to pull the trees. I've attached a patch for NFS
>>> >>>>utils which gives support for security_label/nosecurity_label in
>>> >>>>your /etc/exports file.
>>> >>>
>>> >>>Do we need an export option?  Is there any reason not to make the
>>> >>>feature available whenever there's support available for it?
>>> >>
>>> >>I guess we could build it in but I figured an export option allowed
>>> >>someone to turn off security labeling support if they didn't want it
>>> >>on that export. What happens to clients when the server returns a
>>> >>cap that they don't support? Do they mask the bits out?
>>> >
>>> >Yeah, they should just ignore it.
>>> >
>>> >While this is still experimental it's still nice to have a way to
>>> >turn
>>> >this on and off at runtime so people can experiment without having to
>>> >have it on for everyone all the time.  But
>>> >nfsd_supported_minorversion
>>> >should be sufficient for that.
>>> >
>>> >(I don't think your patches actually dealt yet with the fact that
>>> >this
>>> >is part of minor version 2?  Another for the todo list.)
>>> >
>>> >--b.
>>>
>>> If we use nfsd_supported_minorversion which I'm guessing is an
>>> export option
>>
>> That's just a variable in the code.  It's controlled by
>> /proc/fs/nfsd/versions.
>>
>>> what happens if someone wants to use other 4.2
>>> features but not labeling?
>>
>> We'll cross that bridge when we come to it, maybe by adding some new
>> global paramater.
>>
>> There's no reason this really needs to be per-export, is there?
>>
>> --b.
>
> At the moment I can't really think of a reason to have it be
> per-export. I think we need a new LSM patch though to determine if the
> LSM supports labeling over NFS unless Steve can think of a better way
> to tell if the LSM supports labeling.

If the LSM has a secid_to_secctx hook it supports labeling.
Today that's SELinux and Smack. You already have support in
for SELinux, and providing Smack's review and possibly updates
is #2 on my gotta do list. On the whole, I think that, except
for the fundamental philosophical difference between label
support and xattr support, it should be a simple matter to
get support in for any LSM that has secid_to_secctx.

But I'm still working on the review.

>
>
>>
>>> I'll switch it over if you guys want it
>>> done that way, I think though that this provides more flexibility.
>>> Although anything that makes me carry around fewer patches is good
>>> in my book.
>>>
>>> Dave
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>