From: David Quigley
To: "J. Bruce Fields"
Cc: Steve Dickson, Trond Myklebust, "J. Bruce Fields", "David P. Quigley", Linux NFS list, Linux Security List, SELinux List
Subject: Re: [PATCH 13/14] NFSD: Server implementation of MAC Labeling
Date: Fri, 29 Mar 2013 10:38:29 -0400
In-Reply-To: <20130329142331.GA22307@fieldses.org>
References: <1364478845-29796-1-git-send-email-SteveD@redhat.com> <1364478845-29796-14-git-send-email-SteveD@redhat.com> <20130328185845.GI7080@fieldses.org> <20130328191918.GA14748@fieldses.org> <51550B67.40108@davequigley.com> <20130329142331.GA22307@fieldses.org>

On 03/29/2013 10:23, J. Bruce Fields wrote:
> On Thu, Mar 28, 2013 at 11:32:55PM -0400, Dave Quigley wrote:
>> On 3/28/2013 3:19 PM, J. Bruce Fields wrote:
>> >Dave, I think these are both questions for you?
>> >
>> >--b.
>> >
>> >On Thu, Mar 28, 2013 at 02:58:45PM -0400, bfields wrote:
>> >>On Thu, Mar 28, 2013 at 09:54:04AM -0400, Steve Dickson wrote:
>> >>>@@ -1988,6 +2044,50 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, struct nfs4_ace *ace,
>> >>> 			FATTR4_WORD0_RDATTR_ERROR)
>> >>> #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
>> >>>
>> >>>+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
>> >>>+static inline __be32
>> >>>+nfsd4_encode_security_label(struct svc_rqst *rqstp, struct dentry *dentry, __be32 **pp, int *buflen)
>> >>>+{
>> >>>+	void *context;
>> >>>+	int err;
>> >>>+	int len;
>> >>>+	uint32_t pi = 0;
>> >>>+	uint32_t lfs = 0;
>> >>>+	__be32 *p = *pp;
>> >>>+
>> >>>+	err = 0;
>> >>>+	(void)security_inode_getsecctx(dentry->d_inode, &context, &len);
>> >>>+	if (len < 0)
>> >>>+		return nfserrno(len);
>> >>>+
>> >>>+	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4 + 4 + 4)) {
>> >>>+		err = nfserr_resource;
>> >>>+		goto out;
>> >>>+	}
>> >>>+
>> >>>+	/* XXX: A call to the translation code should be placed here
>> >>>+	 * for now send 0 until we have that to indicate the null
>> >>>+	 * translation */
>> >>
>> >>Could we get a better comment here?
>>
>> We could remove this comment altogether if you want. We're trying
>> to indicate that at some point in the future there will be a label
>> translation facility like idmapd but for labels instead. This is
>> where the call would go if we had it. I had a basic version of the
>> code a long time ago and that is where I had the call but there was
>> way too much work to make it usable for now. Instead I just pass the
>> null translation indicator on the wire and we wave our hands and say
>> don't look at the man behind the curtain.
>
> So how about just:
>
> /*
>  * For now we use a 0 here to indicate the null translation; in
>  * the future we may place a call to translation code here.
>  */
>

Works for me.

>> >>>...
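Review bot: In nfsd4_encode_security_label the return value of security_inode_getsecctx() is thrown away by the (void) cast and the error is instead read out of len, which is an output parameter that is never initialized in this function and that the hook is not obliged to set when it fails, so a failing call continues with an indeterminate len and the `if (len < 0)` test does not reliably catch it. Check the call's own result instead: `err = security_inode_getsecctx(dentry->d_inode, &context, &len); if (err) return nfserrno(err);`. In the same hunk err is declared `int` but later holds nfserr_resource and is the function's `__be32` result, so it should be declared `__be32` (the leftover `err = 0;` before the call then becomes the only assignment that needs adjusting). For the XXX block, the wording agreed in this thread ("For now we use a 0 here to indicate the null translation; in the future we may place a call to translation code here.") should replace it in the respin.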
>> >>>+#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
>> >>>+__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
>> >>>+		struct nfs4_label *label)
>> >>>+{
>> >>>+	__be32 error;
>> >>>+	int host_error;
>> >>>+	struct dentry *dentry;
>> >>>+
>> >>>+	/* XXX: should we have a MAY_SSECCTX? */
>> >>
>> >>Again: could we get an answer to this question?
>>
>> I'm pretty sure we can just remove that comment. It was a question
>> from about 5 years ago now and I never found a compelling reason to
>> say yes to it.
>
> OK, let's remove the comment.
>

Agreed

> --b.
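Review bot: The `/* XXX: should we have a MAY_SSECCTX? */` line at the top of nfsd4_set_nfs4_label is an open question that both sides of this thread agree to drop, so the respin should delete it rather than leave an unresolved XXX marker in merged code; if a permission check is in fact wanted before the label is written, that belongs in the function body as an actual check, not as a comment.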