From: Trond Myklebust <Trond.Myklebust@netapp.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Jamie Lokier <jamie@shareable.org>,
Brad Boyer <flar@allandria.com>, James Morris <jmorris@namei.org>,
linux-nfs@vger.kernel.org, linux-security-module@vger.kernel.org,
"J. Bruce Fields" <bfields@fieldses.org>,
Neil Brown <neilb@suse.de>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 0/6][v4][RFC] NFSv3: implement extended attribute protocol (XATTR)
Date: Mon, 15 Mar 2010 19:49:07 -0400
Message-ID: <1268696947.3155.6.camel@localhost.localdomain>
In-Reply-To: <4B9EC2B9.3030800@schaufler-ca.com>

On Mon, 2010-03-15 at 16:28 -0700, Casey Schaufler wrote:
> You're missing something. Privilege semantics are different. The
> behavior of unlinked files is different. Locking is different. You
> are correct that in most cases it does not matter. We're not talking
> about the common case, we're talking about using xattrs to store
> information that is used to make security decisions. It is quite
> difficult to make security claims when an object can be accessed
> under two different sets of semantics.
I'm sorry. Exactly _how_ are you going to prevent files from being
accessed under more than one set of semantics under NFS? You have _no_
idea what kind of security mechanisms are implemented on the client.
All you can do is export a given set of security labels and hope...
Trond