Re: RFC: make labeled NFS opt-in

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "J. Bruce Fields" <bfields@fieldses.org>
To: Andy Adamson <androsadamson@gmail.com>
Cc: NFS list <linux-nfs@vger.kernel.org>, tibbs@math.uh.edu
Subject: Re: RFC: make labeled NFS opt-in
Date: Thu, 12 Jan 2017 11:10:05 -0500	[thread overview]
Message-ID: <20170112161005.GA8589@fieldses.org> (raw)
In-Reply-To: <CAHVgHyWeGj4GGap8axPnaJYAOBup=LXdeVdQ3fz1o6q7JWkT_w@mail.gmail.com>

On Thu, Jan 12, 2017 at 10:29:14AM -0500, Andy Adamson wrote:
> NFSv4.2 labeled NFS provides 'guest mode' Mandatory Access Control
> (MAC) where the client can enforce labeling and store a label on the
> server, but the server itself does not enforce the same MAC as the
> client because the client request thread label is unknown to the
> server. RPCSEC_GSS version 3 label assertions asserts the client
> thread label on the NFSD thread handling the request, and so along
> with LNFS provides Full Mode MAC.
> 
> AFAICS the only time we want GSS3 label assertions is if LNFS is
> enabled.  Does this sound right to you? If so, I will use this new per
> export LNFS option to determine when GSS3 label assertions are
> enabled.

How do you disable or enable this on the server side?

I haven't been following the GSS3 development well, apologies.  So I
guess you must do something like:

	1. decode the GSS3 stuff in the RPC layer and store the
	resulting subject label somewhere like rqstp->rq_cred.
	2. in nfsd_setuser, set the nfsd thread's label to the label
	stored in rq_cred.

You probably need to have the processing in step 1 enabled all the time,
because you don't know which export you're going to be dealing with yet
at that point.

By step 2 you have the export.  So I guess you'd use the export option
to decide whether to silently ignore the label, or apply it to the nfsd
thread?

That might make sense.

--b.

next prev parent reply	other threads:[~2017-01-12 16:10 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-04 16:56 RFC: make labeled NFS opt-in J. Bruce Fields
2017-01-12  2:17 ` J. Bruce Fields
2017-01-12 15:29   ` Andy Adamson
2017-01-12 16:10     ` J. Bruce Fields [this message]
2017-01-12 16:51       ` Andy Adamson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170112161005.GA8589@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=androsadamson@gmail.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=tibbs@math.uh.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.