From: "David P. Quigley" <selinux@davequigley.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Dave Quigley <dpquigl@davequigley.com>,
trond.myklebust@netapp.com, sds@tycho.nsa.gov,
linux-nfs@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org,
"Matthew N. Dodd" <Matthew.Dodd@sparta.com>,
Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>,
Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>,
Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Subject: Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.
Date: Mon, 12 Nov 2012 14:36:09 -0500 [thread overview]
Message-ID: <50A14FA9.8070606@davequigley.com> (raw)
In-Reply-To: <20121112163617.GN30713@fieldses.org>
On 11/12/2012 11:36 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
>> On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>
>>>> The interface to request security labels from user space is the xattr
>>>> interface. When requesting the security label from an NFS server it is
>>>> important to make sure the requested xattr
>>> I'm confused--clients can't request xattrs from NFS servers. I must be
>>> reading this wrong, but I'm not sure what you meant.
>>>
>>> --b.
>>>
>> Generically clients can't use xattrs from NFS servers but the LSM
>> method for getting labels is through the xattr interface. THe point
>> of this is if someone selects security.capability that we don't
>> translate that into a call in labeled nfs to get the security label.
>> We only want label based LSMs to cause a getfattr on the server to
>> grab the label and populate the inode with that information.
>> Currently if you use security.selinux or security.smack then labeled
>> nfs will handle the translation of that into a get/setfattr on the
>> security_label attribute in NFSv4.
> OK, I think I understand: so this is to help the NFS client implement
> the necessary xattr interface for userspace that get and sets security
> labels on NFS filesystems?
>
> --b.
Exactly. The problem is we don't want to have LSM specific logic in so
the best we can do is ask if the security.* xattr being accessed has the
proper semantics to be used with Labeled NFS.
>
>>
>>>> actually is a MAC label. This allows
>>>> us to make sure that we get the desired semantics from the attribute instead of
>>>> something else such as capabilities or a time based LSM.
>>>>
>>>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>>>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>>>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>>>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>>>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>>>> ---
>>>> include/linux/security.h | 14 ++++++++++++++
>>>> security/capability.c | 6 ++++++
>>>> security/security.c | 6 ++++++
>>>> security/selinux/hooks.c | 6 ++++++
>>>> security/smack/smack_lsm.c | 11 +++++++++++
>>>> 5 files changed, 43 insertions(+)
>>>>
>>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>>> index c9f5eec..167bdd5 100644
>>>> --- a/include/linux/security.h
>>>> +++ b/include/linux/security.h
>>>> @@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>>> * @pages contains the number of pages.
>>>> * Return 0 if permission is granted.
>>>> *
>>>> + * @ismaclabel:
>>>> + * Check if the extended attribute specified by @name
>>>> + * represents a MAC label. Returns 0 if name is a MAC
>>>> + * attribute otherwise returns non-zero.
>>>> + * @name full extended attribute name to check against
>>>> + * LSM as a MAC label.
>>>> + *
>>>> * @secid_to_secctx:
>>>> * Convert secid to security context. If secdata is NULL the length of
>>>> * the result will be returned in seclen, but no secdata will be returned.
>>>> @@ -1581,6 +1588,7 @@ struct security_operations {
>>>>
>>>> int (*getprocattr) (struct task_struct *p, char *name, char **value);
>>>> int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
>>>> + int (*ismaclabel) (const char *name);
>>>> int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
>>>> int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
>>>> void (*release_secctx) (char *secdata, u32 seclen);
>>>> @@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
>>>> int security_getprocattr(struct task_struct *p, char *name, char **value);
>>>> int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
>>>> int security_netlink_send(struct sock *sk, struct sk_buff *skb);
>>>> +int security_ismaclabel(const char *name);
>>>> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>>>> int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>>>> void security_release_secctx(char *secdata, u32 seclen);
>>>> @@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>> return cap_netlink_send(sk, skb);
>>>> }
>>>>
>>>> +static inline int security_ismaclabel(const char *name)
>>>> +{
>>>> + return 0;
>>>> +}
>>>> +
>>>> static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return -EOPNOTSUPP;
>>>> diff --git a/security/capability.c b/security/capability.c
>>>> index f1eb284..9071447 100644
>>>> --- a/security/capability.c
>>>> +++ b/security/capability.c
>>>> @@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
>>>> return -EINVAL;
>>>> }
>>>>
>>>> +static int cap_ismaclabel(const char *name)
>>>> +{
>>>> + return 0;
>>>> +}
>>>> +
>>>> static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return -EOPNOTSUPP;
>>>> @@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>>> set_to_cap_if_null(ops, d_instantiate);
>>>> set_to_cap_if_null(ops, getprocattr);
>>>> set_to_cap_if_null(ops, setprocattr);
>>>> + set_to_cap_if_null(ops, ismaclabel);
>>>> set_to_cap_if_null(ops, secid_to_secctx);
>>>> set_to_cap_if_null(ops, secctx_to_secid);
>>>> set_to_cap_if_null(ops, release_secctx);
>>>> diff --git a/security/security.c b/security/security.c
>>>> index b4b2017..a7bee7b 100644
>>>> --- a/security/security.c
>>>> +++ b/security/security.c
>>>> @@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>> return security_ops->netlink_send(sk, skb);
>>>> }
>>>>
>>>> +int security_ismaclabel(const char *name)
>>>> +{
>>>> + return security_ops->ismaclabel(name);
>>>> +}
>>>> +EXPORT_SYMBOL(security_ismaclabel);
>>>> +
>>>> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return security_ops->secid_to_secctx(secid, secdata, seclen);
>>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>>> index 22d9adf..f7c4899 100644
>>>> --- a/security/selinux/hooks.c
>>>> +++ b/security/selinux/hooks.c
>>>> @@ -5401,6 +5401,11 @@ abort_change:
>>>> return error;
>>>> }
>>>>
>>>> +static int selinux_ismaclabel(const char *name)
>>>> +{
>>>> + return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
>>>> +}
>>>> +
>>>> static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return security_sid_to_context(secid, secdata, seclen);
>>>> @@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
>>>> .getprocattr = selinux_getprocattr,
>>>> .setprocattr = selinux_setprocattr,
>>>>
>>>> + .ismaclabel = selinux_ismaclabel,
>>>> .secid_to_secctx = selinux_secid_to_secctx,
>>>> .secctx_to_secid = selinux_secctx_to_secid,
>>>> .release_secctx = selinux_release_secctx,
>>>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>>>> index 38be92c..82c3c72 100644
>>>> --- a/security/smack/smack_lsm.c
>>>> +++ b/security/smack/smack_lsm.c
>>>> @@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
>>>> #endif /* CONFIG_AUDIT */
>>>>
>>>> /**
>>>> + * smack_ismaclabel - check if xattr @name references a smack MAC label
>>>> + * @name: Full xattr name to check.
>>>> + */
>>>> +static int smack_ismaclabel(const char *name)
>>>> +{
>>>> + return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
>>>> +}
>>>> +
>>>> +
>>>> +/**
>>>> * smack_secid_to_secctx - return the smack label for a secid
>>>> * @secid: incoming integer
>>>> * @secdata: destination
>>>> @@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
>>>> .audit_rule_free = smack_audit_rule_free,
>>>> #endif /* CONFIG_AUDIT */
>>>>
>>>> + .ismaclabel = smack_ismaclabel,
>>>> .secid_to_secctx = smack_secid_to_secctx,
>>>> .secctx_to_secid = smack_secctx_to_secid,
>>>> .release_secctx = smack_release_secctx,
>>>> --
>>>> 1.7.11.7
>>>>
WARNING: multiple messages have this Message-ID (diff)
From: "David P. Quigley" <selinux@davequigley.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Dave Quigley <dpquigl@davequigley.com>,
trond.myklebust@netapp.com, sds@tycho.nsa.gov,
linux-nfs@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org,
"Matthew N. Dodd" <Matthew.Dodd@sparta.com>,
Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>,
Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>,
Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Subject: Re: [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model.
Date: Mon, 12 Nov 2012 14:36:09 -0500 [thread overview]
Message-ID: <50A14FA9.8070606@davequigley.com> (raw)
In-Reply-To: <20121112163617.GN30713@fieldses.org>
On 11/12/2012 11:36 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 09:56:37AM -0500, Dave Quigley wrote:
>> On 11/12/2012 7:15 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:36AM -0500, David Quigley wrote:
>>>> From: David Quigley<dpquigl@davequigley.com>
>>>>
>>>> The interface to request security labels from user space is the xattr
>>>> interface. When requesting the security label from an NFS server it is
>>>> important to make sure the requested xattr
>>> I'm confused--clients can't request xattrs from NFS servers. I must be
>>> reading this wrong, but I'm not sure what you meant.
>>>
>>> --b.
>>>
>> Generically clients can't use xattrs from NFS servers but the LSM
>> method for getting labels is through the xattr interface. THe point
>> of this is if someone selects security.capability that we don't
>> translate that into a call in labeled nfs to get the security label.
>> We only want label based LSMs to cause a getfattr on the server to
>> grab the label and populate the inode with that information.
>> Currently if you use security.selinux or security.smack then labeled
>> nfs will handle the translation of that into a get/setfattr on the
>> security_label attribute in NFSv4.
> OK, I think I understand: so this is to help the NFS client implement
> the necessary xattr interface for userspace that get and sets security
> labels on NFS filesystems?
>
> --b.
Exactly. The problem is we don't want to have LSM specific logic in so
the best we can do is ask if the security.* xattr being accessed has the
proper semantics to be used with Labeled NFS.
>
>>
>>>> actually is a MAC label. This allows
>>>> us to make sure that we get the desired semantics from the attribute instead of
>>>> something else such as capabilities or a time based LSM.
>>>>
>>>> Signed-off-by: Matthew N. Dodd<Matthew.Dodd@sparta.com>
>>>> Signed-off-by: Miguel Rodel Felipe<Rodel_FM@dsi.a-star.edu.sg>
>>>> Signed-off-by: Phua Eu Gene<PHUA_Eu_Gene@dsi.a-star.edu.sg>
>>>> Signed-off-by: Khin Mi Mi Aung<Mi_Mi_AUNG@dsi.a-star.edu.sg>
>>>> Signed-off-by: David Quigley<dpquigl@davequigley.com>
>>>> ---
>>>> include/linux/security.h | 14 ++++++++++++++
>>>> security/capability.c | 6 ++++++
>>>> security/security.c | 6 ++++++
>>>> security/selinux/hooks.c | 6 ++++++
>>>> security/smack/smack_lsm.c | 11 +++++++++++
>>>> 5 files changed, 43 insertions(+)
>>>>
>>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>>> index c9f5eec..167bdd5 100644
>>>> --- a/include/linux/security.h
>>>> +++ b/include/linux/security.h
>>>> @@ -1301,6 +1301,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
>>>> * @pages contains the number of pages.
>>>> * Return 0 if permission is granted.
>>>> *
>>>> + * @ismaclabel:
>>>> + * Check if the extended attribute specified by @name
>>>> + * represents a MAC label. Returns 0 if name is a MAC
>>>> + * attribute otherwise returns non-zero.
>>>> + * @name full extended attribute name to check against
>>>> + * LSM as a MAC label.
>>>> + *
>>>> * @secid_to_secctx:
>>>> * Convert secid to security context. If secdata is NULL the length of
>>>> * the result will be returned in seclen, but no secdata will be returned.
>>>> @@ -1581,6 +1588,7 @@ struct security_operations {
>>>>
>>>> int (*getprocattr) (struct task_struct *p, char *name, char **value);
>>>> int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
>>>> + int (*ismaclabel) (const char *name);
>>>> int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
>>>> int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
>>>> void (*release_secctx) (char *secdata, u32 seclen);
>>>> @@ -1829,6 +1837,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
>>>> int security_getprocattr(struct task_struct *p, char *name, char **value);
>>>> int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
>>>> int security_netlink_send(struct sock *sk, struct sk_buff *skb);
>>>> +int security_ismaclabel(const char *name);
>>>> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
>>>> int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
>>>> void security_release_secctx(char *secdata, u32 seclen);
>>>> @@ -2512,6 +2521,11 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>> return cap_netlink_send(sk, skb);
>>>> }
>>>>
>>>> +static inline int security_ismaclabel(const char *name)
>>>> +{
>>>> + return 0;
>>>> +}
>>>> +
>>>> static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return -EOPNOTSUPP;
>>>> diff --git a/security/capability.c b/security/capability.c
>>>> index f1eb284..9071447 100644
>>>> --- a/security/capability.c
>>>> +++ b/security/capability.c
>>>> @@ -797,6 +797,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
>>>> return -EINVAL;
>>>> }
>>>>
>>>> +static int cap_ismaclabel(const char *name)
>>>> +{
>>>> + return 0;
>>>> +}
>>>> +
>>>> static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return -EOPNOTSUPP;
>>>> @@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
>>>> set_to_cap_if_null(ops, d_instantiate);
>>>> set_to_cap_if_null(ops, getprocattr);
>>>> set_to_cap_if_null(ops, setprocattr);
>>>> + set_to_cap_if_null(ops, ismaclabel);
>>>> set_to_cap_if_null(ops, secid_to_secctx);
>>>> set_to_cap_if_null(ops, secctx_to_secid);
>>>> set_to_cap_if_null(ops, release_secctx);
>>>> diff --git a/security/security.c b/security/security.c
>>>> index b4b2017..a7bee7b 100644
>>>> --- a/security/security.c
>>>> +++ b/security/security.c
>>>> @@ -1047,6 +1047,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
>>>> return security_ops->netlink_send(sk, skb);
>>>> }
>>>>
>>>> +int security_ismaclabel(const char *name)
>>>> +{
>>>> + return security_ops->ismaclabel(name);
>>>> +}
>>>> +EXPORT_SYMBOL(security_ismaclabel);
>>>> +
>>>> int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return security_ops->secid_to_secctx(secid, secdata, seclen);
>>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>>> index 22d9adf..f7c4899 100644
>>>> --- a/security/selinux/hooks.c
>>>> +++ b/security/selinux/hooks.c
>>>> @@ -5401,6 +5401,11 @@ abort_change:
>>>> return error;
>>>> }
>>>>
>>>> +static int selinux_ismaclabel(const char *name)
>>>> +{
>>>> + return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
>>>> +}
>>>> +
>>>> static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
>>>> {
>>>> return security_sid_to_context(secid, secdata, seclen);
>>>> @@ -5639,6 +5644,7 @@ static struct security_operations selinux_ops = {
>>>> .getprocattr = selinux_getprocattr,
>>>> .setprocattr = selinux_setprocattr,
>>>>
>>>> + .ismaclabel = selinux_ismaclabel,
>>>> .secid_to_secctx = selinux_secid_to_secctx,
>>>> .secctx_to_secid = selinux_secctx_to_secid,
>>>> .release_secctx = selinux_release_secctx,
>>>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>>>> index 38be92c..82c3c72 100644
>>>> --- a/security/smack/smack_lsm.c
>>>> +++ b/security/smack/smack_lsm.c
>>>> @@ -3335,6 +3335,16 @@ static void smack_audit_rule_free(void *vrule)
>>>> #endif /* CONFIG_AUDIT */
>>>>
>>>> /**
>>>> + * smack_ismaclabel - check if xattr @name references a smack MAC label
>>>> + * @name: Full xattr name to check.
>>>> + */
>>>> +static int smack_ismaclabel(const char *name)
>>>> +{
>>>> + return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
>>>> +}
>>>> +
>>>> +
>>>> +/**
>>>> * smack_secid_to_secctx - return the smack label for a secid
>>>> * @secid: incoming integer
>>>> * @secdata: destination
>>>> @@ -3530,6 +3540,7 @@ struct security_operations smack_ops = {
>>>> .audit_rule_free = smack_audit_rule_free,
>>>> #endif /* CONFIG_AUDIT */
>>>>
>>>> + .ismaclabel = smack_ismaclabel,
>>>> .secid_to_secctx = smack_secid_to_secctx,
>>>> .secctx_to_secid = smack_secctx_to_secid,
>>>> .release_secctx = smack_release_secctx,
>>>> --
>>>> 1.7.11.7
>>>>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2012-11-12 19:36 UTC|newest]
Thread overview: 162+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-12 6:15 Labeled NFS [v5] David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 01/13] Security: Add hook to calculate context based on a negative dentry David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 12:13 ` J. Bruce Fields
2012-11-12 14:52 ` Dave Quigley
2012-11-12 14:52 ` Dave Quigley
2012-11-12 6:15 ` [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 12:15 ` J. Bruce Fields
2012-11-12 14:56 ` Dave Quigley
2012-11-12 14:56 ` Dave Quigley
2012-11-12 16:36 ` J. Bruce Fields
2012-11-12 19:36 ` David P. Quigley [this message]
2012-11-12 19:36 ` David P. Quigley
2012-11-12 21:43 ` J. Bruce Fields
2012-11-13 0:12 ` Dave Quigley
2012-11-13 0:12 ` Dave Quigley
2012-11-12 6:15 ` [PATCH 03/13] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 04/13] SELinux: Add new labeling type native labels David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 05/13] KConfig: Add KConfig entries for Labeled NFS David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 14:45 ` J. Bruce Fields
2012-11-12 14:57 ` Dave Quigley
2012-11-12 14:57 ` Dave Quigley
2012-11-12 6:15 ` [PATCH 06/13] NFSv4: Add label recommended attribute and NFSv4 flags David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 07/13] NFSv4: Introduce new label structure David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 15:13 ` J. Bruce Fields
2012-11-12 15:32 ` David P. Quigley
2012-11-12 15:32 ` David P. Quigley
2012-11-12 16:05 ` J. Bruce Fields
2012-11-12 16:53 ` David P. Quigley
2012-11-12 16:53 ` David P. Quigley
2012-11-12 17:50 ` J. Bruce Fields
2012-11-12 6:15 ` [PATCH 08/13] NFSv4: Extend fattr bitmaps to support all 3 words David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 09/13] NFS:Add labels to client function prototypes David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 10/13] NFS: Add label lifecycle management David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 15:33 ` J. Bruce Fields
2012-11-12 15:36 ` David P. Quigley
2012-11-12 15:36 ` David P. Quigley
2012-11-12 6:15 ` [PATCH 11/13] NFS: Client implementation of Labeled-NFS David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 12/13] NFS: Extend NFS xattr handlers to accept the security namespace David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 6:15 ` [PATCH 13/13] NFSD: Server implementation of MAC Labeling David Quigley
2012-11-12 6:15 ` David Quigley
2012-11-12 16:31 ` J. Bruce Fields
2012-11-12 15:23 ` Labeled NFS [v5] J. Bruce Fields
2012-11-12 15:34 ` David P. Quigley
2012-11-12 15:34 ` David P. Quigley
2012-11-12 16:09 ` J. Bruce Fields
2012-11-12 20:56 ` Steve Dickson
2012-11-13 1:39 ` Dave Quigley
2012-11-13 1:39 ` Dave Quigley
2012-11-13 12:55 ` Steve Dickson
2012-11-14 4:32 ` Dave Quigley
2012-11-14 4:32 ` Dave Quigley
2012-11-14 13:45 ` J. Bruce Fields
2012-11-14 13:50 ` David Quigley
2012-11-14 13:50 ` David Quigley
2012-11-14 13:59 ` J. Bruce Fields
2012-11-14 14:01 ` David Quigley
2012-11-14 14:01 ` David Quigley
2012-11-14 14:04 ` David Quigley
2012-11-14 14:04 ` David Quigley
2012-11-14 14:24 ` J. Bruce Fields
2012-11-14 14:30 ` David Quigley
2012-11-14 14:30 ` David Quigley
2012-11-15 16:00 ` Casey Schaufler
2012-11-15 16:00 ` Casey Schaufler
2012-11-15 20:28 ` David Quigley
2012-11-15 20:28 ` David Quigley
2012-11-16 3:34 ` Casey Schaufler
2012-11-16 3:34 ` Casey Schaufler
2012-11-16 3:43 ` David Quigley
2012-11-16 3:43 ` David Quigley
2012-11-16 4:58 ` Dave Quigley
2012-11-16 4:58 ` Dave Quigley
2012-11-16 4:59 ` Dave Quigley
2012-11-16 4:59 ` Dave Quigley
2012-11-14 13:56 ` David Quigley
2012-11-14 13:56 ` David Quigley
2012-11-12 16:33 ` J. Bruce Fields
2012-11-12 20:44 ` Dave Quigley
2012-11-12 20:44 ` Dave Quigley
2012-11-12 22:23 ` Casey Schaufler
2012-11-12 22:23 ` Casey Schaufler
2012-11-13 3:16 ` Dave Quigley
2012-11-13 3:16 ` Dave Quigley
2012-11-20 21:09 ` Casey Schaufler
2012-11-20 21:09 ` Casey Schaufler
2012-11-21 0:04 ` Dave Quigley
2012-11-21 0:04 ` Dave Quigley
2012-11-21 0:29 ` Dave Quigley
2012-11-21 0:29 ` Dave Quigley
2012-11-21 0:32 ` Casey Schaufler
2012-11-21 0:32 ` Casey Schaufler
2012-11-21 0:37 ` Dave Quigley
2012-11-21 0:37 ` Dave Quigley
2012-11-21 2:52 ` Casey Schaufler
2012-11-21 2:52 ` Casey Schaufler
2012-11-21 3:28 ` Dave Quigley
2012-11-21 3:28 ` Dave Quigley
2012-11-28 18:57 ` Casey Schaufler
2012-11-29 1:14 ` Dave Quigley
2012-11-29 1:14 ` Dave Quigley
2012-11-29 2:08 ` Casey Schaufler
2012-11-29 22:28 ` Casey Schaufler
2012-11-29 22:28 ` Casey Schaufler
2012-11-29 22:49 ` David Quigley
2012-11-29 22:49 ` David Quigley
2012-11-30 0:02 ` David Quigley
2012-11-30 0:02 ` David Quigley
2012-11-30 0:07 ` David Quigley
2012-11-30 0:07 ` David Quigley
2012-11-30 0:34 ` Casey Schaufler
2012-11-30 0:34 ` Casey Schaufler
2012-11-30 0:46 ` David Quigley
2012-11-30 0:46 ` David Quigley
2012-11-30 1:50 ` Casey Schaufler
2012-11-30 1:50 ` Casey Schaufler
2012-11-30 2:02 ` David Quigley
2012-11-30 2:02 ` David Quigley
2012-11-30 12:14 ` J. Bruce Fields
2012-11-30 12:57 ` David Quigley
2012-11-30 12:57 ` David Quigley
2012-11-30 13:17 ` David Quigley
2012-11-30 13:17 ` David Quigley
2012-11-30 13:28 ` Stephen Smalley
2012-11-30 13:28 ` Stephen Smalley
2012-11-30 13:35 ` David Quigley
2012-11-30 13:35 ` David Quigley
2012-11-30 13:50 ` Stephen Smalley
2012-11-30 13:50 ` Stephen Smalley
2012-11-30 14:02 ` David Quigley
2012-11-30 14:02 ` David Quigley
2012-11-30 16:21 ` Casey Schaufler
2012-11-30 16:21 ` Casey Schaufler
2012-11-30 16:28 ` David Quigley
2012-11-30 16:28 ` David Quigley
2012-12-03 18:27 ` Casey Schaufler
2012-12-03 18:27 ` Casey Schaufler
2012-11-30 16:55 ` J. Bruce Fields
2012-11-30 16:59 ` David Quigley
2012-11-30 16:59 ` David Quigley
2012-11-30 13:20 ` David Quigley
2012-11-30 13:20 ` David Quigley
-- strict thread matches above, loose matches on Subject: below --
2012-12-17 15:42 [PATCH 00/13] NFSv4: Label NFS Patches Steve Dickson
2012-12-17 15:43 ` [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
2013-05-13 19:11 [PATCH 00/13] lnfs: linux-3.10-rc1 release Steve Dickson
2013-05-13 19:11 ` [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
2013-05-16 15:56 Froe e71bf1d708e1294b3bae64d04f03228b3625f2a3 Mon Sep 17 00:00:00 2001 Steve Dickson
2013-05-16 15:56 ` [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
2013-05-16 15:56 ` Steve Dickson
2013-05-20 21:15 ` Eric Paris
2013-05-20 21:15 ` Eric Paris
2013-05-20 21:15 ` Eric Paris
2013-05-22 16:50 [PATCH 00/13] lnfs: 3.10-rc2 release Steve Dickson
2013-05-22 16:50 ` [PATCH 02/13] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50A14FA9.8070606@davequigley.com \
--to=selinux@davequigley.com \
--cc=Matthew.Dodd@sparta.com \
--cc=Mi_Mi_AUNG@dsi.a-star.edu.sg \
--cc=PHUA_Eu_Gene@dsi.a-star.edu.sg \
--cc=Rodel_FM@dsi.a-star.edu.sg \
--cc=bfields@fieldses.org \
--cc=dpquigl@davequigley.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=trond.myklebust@netapp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.