* [RFC] SENFS: MAC labeling support for NFSv4
@ 2007-08-01 20:02 David P. Quigley
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs

This is the first set of patches attempting to provide a generic framework for
MAC labeling in NFSv4. This patch set is based heavily on the patch from
Sparta that was circulated privately in our discussion. It contains several new
LSM hooks to provide a method for setting the incore inode data and encoding
security information for passing across the wire in a module independent
manner. This patch set does not provide a method for setting the label on the
server from the client but provides the method for encoding those labels on the
client. The patch applies on top of James Morris's SELinux git tree at git
commit hash 80ba80a9bf25d251237694c3fcee850a73324532. I am currently
maintaining these patches using guilt so if you have any patches for me to add
to the set or to fold into the current patch set please mail them to the list
and I will add them to the next round of patches.





* [PATCH 1/7] Security: Add inode_{get,set}secid LSM hooks and security helper functions
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs; +Cc: David P. Quigley

From: David P. Quigley <dpquigl@tycho.nsa.gov>

This patch adds a pair of new hooks to LSM. The existing method of setting
security information through inode_getsecurity and inode_setsecurity uses
extended attributes. However, NFS prefers to manipulate inode fields directly
and to do this we need a method to access the inode's security field in a
module independent manner.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 include/linux/security.h |   27 +++++++++++++++++++++++++++
 security/dummy.c         |   10 ++++++++++
 security/selinux/hooks.c |   15 +++++++++++++++
 3 files changed, 52 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index c11dc8a..fbfada9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -413,6 +413,11 @@ struct request_sock;
  *	is specified by @buffer_size.  @buffer may be NULL to request
  *	the size of the buffer required.
  *	Returns number of bytes used/required on success.
+ * @inode_getsecid:
+ * 	Returns secid from @inode;
+ * @inode_setsecid:
+ * 	Set the security structure value of @inode with @sid.
+ * 	Returns 0 on success.
  *
  * Security hooks for file operations
  *
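Review bot: The new doc block at the top of this hunk says inode_setsecid `Returns 0 on success`, but the hook added in the next hunk of this file is declared void, so that line documents a return value that does not exist; `Returns secid from @inode;` also ends in a stray semicolon and never says where the value is written. Suggested text: `@inode_getsecid: Retrieve the secid of @inode and store it in @secid.` and `@inode_setsecid: Set the security label of @inode to the secid @secid. There is no return value, so the caller cannot learn that the label was rejected or dropped.`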
@@ -1235,6 +1240,8 @@ struct security_operations {
   	int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
   	int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
   	int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
+	void (*inode_getsecid)(struct inode *inode, u32 *secid);
+	void (*inode_setsecid)(struct inode *inode, u32 secid);
 
 	int (*file_permission) (struct file * file, int mask);
 	int (*file_alloc_security) (struct file * file);
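Review bot: Both new hook entries return void, which leaves inode_getsecid with no way to report that the inode carries no label and inode_setsecid with no way to refuse a secid it does not accept, unlike the three inode_*security hooks directly above them, which all return int. The server encoder later in this series consumes the getsecid result without being able to distinguish those cases. Consider `int (*inode_getsecid)(struct inode *inode, u32 *secid);` and `int (*inode_setsecid)(struct inode *inode, u32 secid);` so a module can return an error (or -EOPNOTSUPP) and callers can omit the attribute.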
@@ -1793,6 +1800,18 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer,
 	return security_ops->inode_listsecurity(inode, buffer, buffer_size);
 }
 
+static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
+{
+	security_ops->inode_getsecid(inode, secid);
+}
+
+static inline void security_inode_setsecid(struct inode *inode, u32 sid)
+{
+	if (unlikely (IS_PRIVATE (inode)))
+		return;
+	security_ops->inode_setsecid(inode, sid);
+}
+
 static inline int security_file_permission (struct file *file, int mask)
 {
 	return security_ops->file_permission (file, mask);
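Review bot: `security_inode_setsecid` returns early for IS_PRIVATE inodes, but the `security_inode_getsecid` wrapper above it has no matching guard, so the two wrappers disagree on whether private inodes are visible to these hooks; if only the setter needs the guard, a short comment saying why would help, e.g. `/* private inodes keep their internal label; never relabel them from outside */`. The silent return also means a caller cannot tell that its label was dropped, which matters for the NFS client in this series that applies server-supplied labels through this wrapper.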
@@ -2473,6 +2492,14 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer,
 	return 0;
 }
 
+static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
+{
+}
+
+static inline void security_inode_setsecid(struct inode *inode, u32 secid)
+{
+}
+
 static inline int security_file_permission (struct file *file, int mask)
 {
 	return 0;
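Review bot: The CONFIG_SECURITY=n stub of `security_inode_getsecid` leaves `*secid` untouched, so a caller that passes an uninitialized u32 (the server encoder in this series does) continues with an undefined value. The other stubs in this file return a defined result (0 or -EOPNOTSUPP); this one should write `*secid = 0;` so its output is always defined. The Kconfig entries in this series require SECURITY_SELINUX, so this stub is presumably unreachable for NFS today, but it should still define what it hands back.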
diff --git a/security/dummy.c b/security/dummy.c
index 19d813d..c0c50aa 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -392,6 +392,14 @@ static int dummy_inode_listsecurity(struct inode *inode, char *buffer, size_t bu
 	return 0;
 }
 
+static void dummy_inode_getsecid(struct inode *inode, u32 *secid)
+{
+}
+
+static void dummy_inode_setsecid(struct inode *inode, u32 secid)
+{
+}
+
 static const char *dummy_inode_xattr_getsuffix(void)
 {
 	return NULL;
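Review bot: `dummy_inode_getsecid` does not write `*secid`, and the dummy ops are what `security_fixup_ops` (next hunk) installs for any hook a module leaves NULL and what runs when no module is registered, so a kernel built with NFSD_V4_MAC but running without a module that implements this hook would encode an uninitialized secid. Add `*secid = 0;` to the dummy body. The dummy `secid_to_secctx` added later in this series returns -EOPNOTSUPP, so a caller that checks that return can then skip the attribute cleanly.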
@@ -1022,6 +1030,8 @@ void security_fixup_ops (struct security_operations *ops)
 	set_to_dummy_if_null(ops, inode_getsecurity);
 	set_to_dummy_if_null(ops, inode_setsecurity);
 	set_to_dummy_if_null(ops, inode_listsecurity);
+	set_to_dummy_if_null(ops, inode_getsecid);
+	set_to_dummy_if_null(ops, inode_setsecid);
 	set_to_dummy_if_null(ops, file_permission);
 	set_to_dummy_if_null(ops, file_alloc_security);
 	set_to_dummy_if_null(ops, file_free_security);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0fac682..56d8ecb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2457,6 +2457,19 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
 	return len;
 }
 
+static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
+{
+	struct inode_security_struct *isec = inode->i_security;
+	*secid = isec->sid;
+}
+
+static void selinux_inode_setsecid(struct inode *inode, u32 secid)
+{
+	struct inode_security_struct *isec = inode->i_security;
+	isec->sid = secid;
+	isec->initialized = 1;
+}
+
 /* file security operations */
 
 static int selinux_file_permission(struct file *file, int mask)
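Review bot: `selinux_inode_setsecid` stores `secid` into `isec->sid` and sets `isec->initialized` without checking that the value names a context known to the policy and without any serialization against other label updates on the inode; if other writers of `isec->sid` in this file hold `isec->lock`, this path should too. On the client the value comes from `security_context_to_sid`, so it is valid there, but the hook is generic and nothing stops another caller passing a secid that names no context. `selinux_inode_getsecid` also returns whatever is in `isec->sid` even when `isec->initialized` is clear; either a check or a comment stating the caller's obligation, `/* caller must ensure the inode's label has been initialized */`, would make that explicit.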
@@ -4773,6 +4786,8 @@ static struct security_operations selinux_ops = {
 	.inode_getsecurity =            selinux_inode_getsecurity,
 	.inode_setsecurity =            selinux_inode_setsecurity,
 	.inode_listsecurity =           selinux_inode_listsecurity,
+	.inode_getsecid = 		selinux_inode_getsecid,
+	.inode_setsecid = 		selinux_inode_setsecid,
 
 	.file_permission =		selinux_file_permission,
 	.file_alloc_security =		selinux_file_alloc_security,
-- 
1.5.2.2




* [PATCH 2/7] VFS: Add sid field to iattr structure for notify_change
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs; +Cc: David P. Quigley

From: David P. Quigley <dpquigl@tycho.nsa.gov>

Since NFSv4 likes to directly modify fields in the incore inode we need a way
to inform notify_change that the secid for the inode has changed. This patch
adds a flag for notify_change and a field into the iattr struct to allow us to
persist incore inode changes to disk.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 include/linux/fs.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/include/linux/fs.h b/include/linux/fs.h
index d33bead..f5d324b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -330,6 +330,7 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
 #define ATTR_KILL_SUID	2048
 #define ATTR_KILL_SGID	4096
 #define ATTR_FILE	8192
+#define ATTR_MAC_LABEL  16384
 
 /*
  * This is the Inode Attributes structure, used for notify_change().  It
@@ -356,6 +357,7 @@ struct iattr {
 	 * check for (ia_valid & ATTR_FILE), and not for (ia_file != NULL).
 	 */
 	struct file	*ia_file;
+	u32		ia_sid;
 };
 
 /*
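Review bot: The new `ia_sid` field has no comment, while the neighbouring `ia_file` carries a note about when it is valid, and nothing in this hunk says that `ia_sid` is only meaningful when `ia_valid & ATTR_MAC_LABEL` is set. Suggest `u32 ia_sid; /* valid only when (ia_valid & ATTR_MAC_LABEL) */`. The name also says "sid" where the LSM hooks and the rest of this series say "secid"; `ia_secid` would match.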
-- 
1.5.2.2




* [PATCH 3/7] KConfig: Add KConfig entries for MAC labeled NFS
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs; +Cc: David P. Quigley

From: David P. Quigley <dpquigl@tycho.nsa.gov>

This patch adds two entries into the fs/KConfig file. The first entry
NFS_V4_MAC enables MAC labeling support to the NFSv4 client while the second
entry NFSD_V4_MAC enables MAC labeling support on the server side.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 fs/Kconfig |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/fs/Kconfig b/fs/Kconfig
index 58a0650..c4e42e2 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -1593,6 +1593,15 @@ config NFS_V4
 
 	  If unsure, say N.
 
+config NFS_V4_MAC
+	bool "Provide MAC Labeled NFSv4 client support"
+	depends on NFS_V4 && SECURITY_SELINUX
+	help
+	  Say Y here if you want label attribute support for NFS version 4.
+
+	  If unsure, say N.
+
+
 config NFS_DIRECTIO
 	bool "Allow direct I/O on NFS files"
 	depends on NFS_FS
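Review bot: `depends on NFS_V4 && SECURITY_SELINUX` ties the client option to one module even though the hooks added earlier in this series exist precisely so NFS would not depend on a specific LSM; the NFSD_V4_MAC entry in the next hunk does the same. `depends on NFS_V4 && SECURITY` would let any module that implements inode_getsecid/secctx_to_secid be used, with the dummy ops returning -EOPNOTSUPP otherwise. The extra blank line before `config NFS_DIRECTIO` is also one more than the surrounding entries use.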
@@ -1682,6 +1691,15 @@ config NFSD_V4
 	  should only be used if you are interested in helping to test NFSv4.
 	  If unsure, say N.
 
+config NFSD_V4_MAC
+	bool "Provide MAC Labeled NFSv4 server support"
+	depends on NFSD_V4 && SECURITY_SELINUX
+	help
+	  If you would like to include support for label file attributes
+	  over NFSv4, say Y here.
+
+	  If unsure, say N.
+
 config NFSD_TCP
 	bool "Provide NFS server over TCP support"
 	depends on NFSD
-- 
1.5.2.2




* [PATCH 4/7] Security: Add secctx_to_secid LSM hooks and security helper functions
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs; +Cc: David P. Quigley

From: David P. Quigley <dpquigl@tycho.nsa.gov>

The existing LSM interface provides a hook for converting a security identifier
to a security context. This patch introduces a complementary hook to provide
the conversion from the security context to corresponding security identifier.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 include/linux/security.h |   17 ++++++++++++++---
 security/dummy.c         |    6 +++++-
 security/selinux/hooks.c |    6 +++++-
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index fbfada9..d55bb5a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1147,6 +1147,11 @@ struct request_sock;
  *	@secid contains the security ID.
  *	@secdata contains the pointer that stores the converted security context.
  *
+ * @secctx_to_secid:
+ *	Convert security context to secid.
+ *	@secid contains the security ID.
+ *	@secdata contains the pointer that stores the converted security context.
+ *
  * @release_secctx:
  *	Release the security context.
  *	@secdata contains the security context.
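Review bot: The new `@secctx_to_secid` doc block is a copy of the `@secid_to_secctx` block above it and describes the parameters backwards: for this hook `@secdata` and `@seclen` are the input context and `@secid` is the output. Suggest `Convert security context to secid.`, `@secid is the security ID to be filled in.`, `@secdata contains the security context to convert.`, `@seclen is the length of @secdata.`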
@@ -1336,6 +1341,7 @@ struct security_operations {
  	int (*getprocattr)(struct task_struct *p, char *name, char **value);
  	int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
 	int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
+	int (*secctx_to_secid)(u32 *secid, char *secdata, u32 seclen);
 	void (*release_secctx)(char *secdata, u32 seclen);
 
 #ifdef CONFIG_SECURITY_NETWORK
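Review bot: `int (*secctx_to_secid)(u32 *secid, char *secdata, u32 seclen);` takes the context as non-const even though the hook only reads it (the SELinux implementation later in this patch passes it straight to `security_context_to_sid`), and it puts the output first while the neighbouring `secid_to_secctx` puts inputs first. `int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);` would match the existing hook's shape and let the NFS decoders pass read-only XDR buffers without a cast.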
@@ -2140,7 +2146,10 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
 {
 	return security_ops->secid_to_secctx(secid, secdata, seclen);
 }
-
+static inline int security_secctx_to_secid(u32 *secid, char *secdata, u32 seclen)
+{
+	return security_ops->secctx_to_secid(secid, secdata, seclen);
+}
 static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 	return security_ops->release_secctx(secdata, seclen);
@@ -2826,7 +2835,10 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
 {
 	return -EOPNOTSUPP;
 }
-
+static inline int security_secctx_to_secid(u32 *secid, char *secdata, u32 seclen)
+{
+	return -EOPNOTSUPP;
+}
 static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 }
@@ -3330,6 +3342,5 @@ static inline int security_key_permission(key_ref_t key_ref,
 
 #endif
 #endif /* CONFIG_KEYS */
-
 #endif /* ! __LINUX_SECURITY_H */
 
diff --git a/security/dummy.c b/security/dummy.c
index c0c50aa..1eecab7 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -933,6 +933,10 @@ static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return -EOPNOTSUPP;
 }
+static int dummy_secctx_to_secid(u32 *secid, char *secdata, u32 seclen)
+{
+	return -EOPNOTSUPP;
+}
 
 static void dummy_release_secctx(char *secdata, u32 seclen)
 {
@@ -1093,6 +1097,7 @@ void security_fixup_ops (struct security_operations *ops)
  	set_to_dummy_if_null(ops, getprocattr);
  	set_to_dummy_if_null(ops, setprocattr);
  	set_to_dummy_if_null(ops, secid_to_secctx);
+	set_to_dummy_if_null(ops, secctx_to_secid);
  	set_to_dummy_if_null(ops, release_secctx);
 #ifdef CONFIG_SECURITY_NETWORK
 	set_to_dummy_if_null(ops, unix_stream_connect);
@@ -1141,6 +1146,5 @@ void security_fixup_ops (struct security_operations *ops)
 	set_to_dummy_if_null(ops, key_free);
 	set_to_dummy_if_null(ops, key_permission);
 #endif	/* CONFIG_KEYS */
-
 }
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 56d8ecb..ea517ad 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4668,7 +4668,10 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
 	return security_sid_to_context(secid, secdata, seclen);
 }
-
+static int selinux_secctx_to_secid(u32 *secid, char* secdata, u32 seclen)
+{
+	return security_context_to_sid(secdata, seclen, secid);
+}
 static void selinux_release_secctx(char *secdata, u32 seclen)
 {
 	if (secdata)
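Review bot: Style only: the new `selinux_secctx_to_secid` writes its parameter as `char* secdata` where the rest of this file uses `char *secdata`, and removing the blank line at the top of the hunk leaves the new function with no separation from `selinux_secid_to_secctx` above or `selinux_release_secctx` below. Restore the blank lines around the definition and write `char *secdata` (or `const char *secdata` if the hook signature is made const).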
@@ -4858,6 +4861,7 @@ static struct security_operations selinux_ops = {
 	.setprocattr =                  selinux_setprocattr,
 
 	.secid_to_secctx =		selinux_secid_to_secctx,
+	.secctx_to_secid =		selinux_secctx_to_secid,
 	.release_secctx =		selinux_release_secctx,
 
         .unix_stream_connect =		selinux_socket_unix_stream_connect,
-- 
1.5.2.2




* [PATCH 5/7] NFSv4: Add secid recommended attribute and NFSv4 flags
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs; +Cc: David P. Quigley

From: David P. Quigley <dpquigl@tycho.nsa.gov>

This patch adds a new recommended attribute named secid into the NFSv4 file
attribute structure. In addition it also adds several new flags to allow the
NFS client and server to determine if this attribute is supported and if it is
being sent over the wire.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 fs/nfs/nfs4proc.c           |    1 +
 include/linux/nfs4.h        |    1 +
 include/linux/nfs_xdr.h     |    3 +++
 include/linux/nfsd/export.h |    5 +++--
 include/linux/nfsd/nfsd.h   |    8 +++++---
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 6ca2795..9caddc9 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -98,6 +98,7 @@ const u32 nfs4_fattr_bitmap[2] = {
 	| FATTR4_WORD1_TIME_ACCESS
 	| FATTR4_WORD1_TIME_METADATA
 	| FATTR4_WORD1_TIME_MODIFY
+	| FATTR4_WORD1_MAC_LABEL
 };
 
 const u32 nfs4_statfs_bitmap[2] = {
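Review bot: `FATTR4_WORD1_MAC_LABEL` is added to `nfs4_fattr_bitmap` unconditionally, but the decoder for it and the `secid` field it fills are only compiled under CONFIG_NFS_V4_MAC, so a client built without that option will still ask every GETATTR for the label and then have no decode_attr_* routine to consume it from a server that supports the attribute (presumably failing the attribute-length check instead). Wrap the line: `#ifdef CONFIG_NFS_V4_MAC` / `| FATTR4_WORD1_MAC_LABEL` / `#endif`.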
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index 8726491..e978031 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -348,6 +348,7 @@ enum lock_type4 {
 #define FATTR4_WORD1_TIME_MODIFY        (1UL << 21)
 #define FATTR4_WORD1_TIME_MODIFY_SET    (1UL << 22)
 #define FATTR4_WORD1_MOUNTED_ON_FILEID  (1UL << 23)
+#define FATTR4_WORD1_MAC_LABEL		(1UL << 31)
 
 #define NFSPROC4_NULL 0
 #define NFSPROC4_COMPOUND 1
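Review bot: Bit 31 of word 1 is a locally chosen value: the highest bit this header assigns is 23 (`FATTR4_WORD1_MOUNTED_ON_FILEID`), and nothing here records that the value is not from the protocol specification, so a future standard assignment could collide with it. The client decoder in this series also relies on it being the highest word-1 bit (its ordering check masks with `FATTR4_WORD1_MAC_LABEL - 1U`). A comment should record both facts: `/* not assigned by the NFSv4 spec; must remain the highest word1 bit, decode_attr_mac_label depends on it */`.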
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index cf74a4d..f6100e7 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -56,6 +56,9 @@ struct nfs_fattr {
 	__u64			change_attr;	/* NFSv4 change attribute */
 	__u64			pre_change_attr;/* pre-op NFSv4 change attribute */
 	unsigned long		time_start;
+#ifdef CONFIG_NFS_V4_MAC
+	__u32			secid;
+#endif
 };
 
 #define NFS_ATTR_WCC		0x0001		/* pre-op WCC data    */
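Review bot: The new `secid` member has no comment, unlike the fields around it, and its validity is tied to a bitmap bit rather than to `valid` like the rest of the structure; the client code in this series tests `fattr->bitmap[1] & FATTR4_WORD1_MAC_LABEL` before using it. Suggest `__u32 secid; /* NFSv4 MAC label as a secid; valid only if bitmap[1] & FATTR4_WORD1_MAC_LABEL */`.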
diff --git a/include/linux/nfsd/export.h b/include/linux/nfsd/export.h
index 5cd1924..76652ad 100644
--- a/include/linux/nfsd/export.h
+++ b/include/linux/nfsd/export.h
@@ -32,7 +32,8 @@
 #define NFSEXP_ALLSQUASH	0x0008
 #define NFSEXP_ASYNC		0x0010
 #define NFSEXP_GATHERED_WRITES	0x0020
-/* 40 80 100 currently unused */
+#define NFSEXP_MAC_LABEL	0x0040 /* Support Mac label fattr4 */
+/* 80 100 currently unused */
 #define NFSEXP_NOHIDE		0x0200
 #define NFSEXP_NOSUBTREECHECK	0x0400
 #define	NFSEXP_NOAUTHNLM	0x0800		/* Don't authenticate NLM requests - just trust */
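Review bot: Nothing visible in this series tests `ex_flags` for the `NFSEXP_MAC_LABEL` flag defined here, so as far as the posted patches show the server encodes labels on every export regardless of the flag; until the encoder checks it, a comment saying the flag is not yet honoured would avoid giving administrators a false sense of control. Also `Mac` should read `MAC` (mandatory access control), e.g. `/* export supports the MAC label fattr4 attribute */`.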
@@ -40,7 +41,7 @@
 #define NFSEXP_FSID		0x2000
 #define	NFSEXP_CROSSMOUNT	0x4000
 #define	NFSEXP_NOACL		0x8000	/* reserved for possible ACL related use */
-#define NFSEXP_ALLFLAGS		0xFE3F
+#define NFSEXP_ALLFLAGS		0xFE7F
 
 /* The flags that may vary depending on security flavor: */
 #define NFSEXP_SECINFO_FLAGS	(NFSEXP_READONLY | NFSEXP_ROOTSQUASH \
diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h
index e452256..f381441 100644
--- a/include/linux/nfsd/nfsd.h
+++ b/include/linux/nfsd/nfsd.h
@@ -309,8 +309,9 @@ extern struct timeval	nfssvc_boot;
  | FATTR4_WORD1_OWNER	        | FATTR4_WORD1_OWNER_GROUP  | FATTR4_WORD1_RAWDEV           \
  | FATTR4_WORD1_SPACE_AVAIL     | FATTR4_WORD1_SPACE_FREE   | FATTR4_WORD1_SPACE_TOTAL      \
  | FATTR4_WORD1_SPACE_USED      | FATTR4_WORD1_TIME_ACCESS  | FATTR4_WORD1_TIME_ACCESS_SET  \
- | FATTR4_WORD1_TIME_DELTA   | FATTR4_WORD1_TIME_METADATA    \
- | FATTR4_WORD1_TIME_MODIFY     | FATTR4_WORD1_TIME_MODIFY_SET | FATTR4_WORD1_MOUNTED_ON_FILEID)
+ | FATTR4_WORD1_TIME_DELTA   	| FATTR4_WORD1_TIME_METADATA    			    \
+ | FATTR4_WORD1_TIME_MODIFY     | FATTR4_WORD1_TIME_MODIFY_SET 				    \
+ | FATTR4_WORD1_MOUNTED_ON_FILEID | FATTR4_WORD1_MAC_LABEL)
 
 /* These will return ERR_INVAL if specified in GETATTR or READDIR. */
 #define NFSD_WRITEONLY_ATTRS_WORD1							    \
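Review bot: `FATTR4_WORD1_MAC_LABEL` is added to `NFSD_SUPPORTED_ATTRS_WORD1` unconditionally, while the encoder for it in this series is compiled only under CONFIG_NFSD_V4_MAC, so a server built without the option advertises an attribute it cannot return. Guard the entry with `#ifdef CONFIG_NFSD_V4_MAC`, or define a helper macro that expands to the bit or 0 depending on the option and OR that in; the same applies to the writable set in the next hunk.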
@@ -321,7 +322,8 @@ extern struct timeval	nfssvc_boot;
 (FATTR4_WORD0_SIZE              | FATTR4_WORD0_ACL                                         )
 #define NFSD_WRITEABLE_ATTRS_WORD1                                                          \
 (FATTR4_WORD1_MODE              | FATTR4_WORD1_OWNER         | FATTR4_WORD1_OWNER_GROUP     \
- | FATTR4_WORD1_TIME_ACCESS_SET | FATTR4_WORD1_TIME_METADATA | FATTR4_WORD1_TIME_MODIFY_SET)
+ | FATTR4_WORD1_TIME_ACCESS_SET | FATTR4_WORD1_TIME_METADATA 				    \
+ | FATTR4_WORD1_TIME_MODIFY_SET | FATTR4_WORD1_MAC_LABEL)
 
 #endif /* CONFIG_NFSD_V4 */
 
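Review bot: Adding `FATTR4_WORD1_MAC_LABEL` to `NFSD_WRITEABLE_ATTRS_WORD1` tells clients they may SETATTR the label, but the cover letter and patch 7 both state there is no path yet that applies a client-supplied label on the server, so such a SETATTR would be decoded into `iattr` and then silently dropped rather than rejected. Until the setattr path consumes `ATTR_MAC_LABEL`, leave the bit out of the writable set so the server reports the attribute as unsupported for SETATTR instead of claiming success for a change it never made.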
-- 
1.5.2.2




* [PATCH 6/7] NFSv4: Client implementation of MAC Labeling
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs; +Cc: David P. Quigley

From: David P. Quigley <dpquigl@tycho.nsa.gov>

There are several places where recommended attributes are implemented in the
NFSv4 client code. This patch adds two functions to encode and decode the secid
recommended attribute which makes use of the LSM hooks added earlier. It also
adds code to grab the label from the file attribute structures and encode the
label to be sent back to the server. Even though the code is there to encode a
label to be sent back to the server there does not appear to be an interface to
use it yet.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 fs/nfs/inode.c   |   16 ++++++++++++++
 fs/nfs/nfs4xdr.c |   61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 fs/nfs/super.c   |   10 ++++++++
 3 files changed, 87 insertions(+), 0 deletions(-)

diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index bca6cdc..1bc0951 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -37,6 +37,7 @@
 #include <linux/vfs.h>
 #include <linux/inet.h>
 #include <linux/nfs_xdr.h>
+#include <linux/security.h>
 
 #include <asm/system.h>
 #include <asm/uaccess.h>
@@ -287,6 +288,14 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)
 		inode->i_nlink = fattr->nlink;
 		inode->i_uid = fattr->uid;
 		inode->i_gid = fattr->gid;
+		
+#ifdef CONFIG_NFS_V4_MAC
+		if ((fattr->valid & NFS_ATTR_FATTR_V4) &&
+				(fattr->bitmap[1] & FATTR4_WORD1_MAC_LABEL)) {
+			security_inode_setsecid(inode, fattr->secid);
+		}
+#endif /* CONFIG_NFS_V4_MAC  */
+
 		if (fattr->valid & (NFS_ATTR_FATTR_V3 | NFS_ATTR_FATTR_V4)) {
 			/*
 			 * report the blocks in 512byte units
@@ -1038,6 +1047,13 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
 	inode->i_uid = fattr->uid;
 	inode->i_gid = fattr->gid;
 
+#ifdef CONFIG_NFS_V4_MAC
+	if ((fattr->valid & NFS_ATTR_FATTR_V4) &&
+	    (fattr->bitmap[1] & FATTR4_WORD1_MAC_LABEL)) {
+		security_inode_setsecid(inode, fattr->secid);
+	}
+#endif /* CONFIG_NFS_V4_MAC */
+
 	if (fattr->valid & (NFS_ATTR_FATTR_V3 | NFS_ATTR_FATTR_V4)) {
 		/*
 		 * report the blocks in 512byte units
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index badd73b..4dc8943 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -51,6 +51,7 @@
 #include <linux/nfs4.h>
 #include <linux/nfs_fs.h>
 #include <linux/nfs_idmap.h>
+#include <linux/security.h>
 #include "nfs4_fs.h"
 
 #define NFSDBG_FACILITY		NFSDBG_XDR
@@ -610,6 +611,10 @@ static int encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const s
 	uint32_t bmval0 = 0;
 	uint32_t bmval1 = 0;
 	int status;
+#ifdef CONFIG_NFS_V4_MAC
+	char *label = NULL;
+	u32 label_len = 0;
+#endif
 
 	/*
 	 * We reserve enough space to write the entire attribute buffer at once.
@@ -648,6 +653,18 @@ static int encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const s
 		}
 		len += 4 + (XDR_QUADLEN(owner_grouplen) << 2);
 	}
+#ifdef CONFIG_NFS_V4_MAC
+	if (iap->ia_valid & ATTR_MAC_LABEL) {
+		security_secid_to_secctx(iap->ia_sid, &label, &label_len);
+		if (label_len < 0) {
+			printk(KERN_WARNING
+					"nfs4: couldn't resolve sid %d to string\n",
+					iap->ia_sid);
+			/* XXX: Should we be going to an error label? */
+		}
+		len += 4 + (XDR_QUADLEN(label_len) << 2);
+	}
+#endif
 	if (iap->ia_valid & ATTR_ATIME_SET)
 		len += 16;
 	else if (iap->ia_valid & ATTR_ATIME)
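Review bot: The return of `security_secid_to_secctx` is discarded and the `label_len < 0` test that follows can never be true because `label_len` is a u32, so a failed conversion leaves `label` NULL and `label_len` 0 and the code goes on to reserve space for, and in the later hunk WRITEMEM, an empty label. Check the call instead: `if (security_secid_to_secctx(iap->ia_sid, &label, &label_len) != 0) return -EIO;` or whatever error `encode_attrs` reports to its caller (the function starts before this hunk). The printk also formats a u32 with `%d`; use `%u`.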
@@ -706,6 +723,14 @@ static int encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const s
 		bmval1 |= FATTR4_WORD1_TIME_MODIFY_SET;
 		WRITE32(NFS4_SET_TO_SERVER_TIME);
 	}
+#ifdef CONFIG_NFS_V4_MAC
+	if (iap->ia_valid & ATTR_MAC_LABEL) {
+		bmval1 |= FATTR4_WORD1_MAC_LABEL;
+		WRITE32(label_len);
+		WRITEMEM(label, label_len);
+		security_release_secctx(label, label_len);
+	}
+#endif /* CONFIG_NFS_V4_MAC */
 	
 	/*
 	 * Now we backfill the bitmap and the attribute buffer length.
@@ -2944,6 +2969,37 @@ static int decode_attr_time_modify(struct xdr_stream *xdr, uint32_t *bitmap, str
 	return status;
 }
 
+#ifdef CONFIG_NFS_V4_MAC
+static int decode_attr_mac_label(struct xdr_stream *xdr, uint32_t *bitmap,
+					struct nfs_client *clp, u32 *sid)
+{
+	uint32_t len;
+	__be32 *p;
+	int rc = 0;
+	if (unlikely(bitmap[1] & (FATTR4_WORD1_MAC_LABEL - 1U))) {
+		rc = -EIO;
+		goto out;
+	}
+	if (likely(bitmap[1] & FATTR4_WORD1_MAC_LABEL)) {
+		READ_BUF(4);
+		READ32(len);
+		READ_BUF(len);
+		if (len < XDR_MAX_NETOBJ) {
+			if (security_secctx_to_secid(sid, (char *)p, len) != 0)
+				dprintk("%s: security_decode_secid failed!\n",
+								__FUNCTION__);
+		} else {
+			printk(KERN_WARNING "%s: label too long (%u)!\n",
+					__FUNCTION__, len);
+		}
+		bitmap[1] &= ~FATTR4_WORD1_MAC_LABEL;
+	}
+	dprintk("%s: sid=%d\n", __FUNCTION__, (u32)*sid);
+out:
+	return rc;
+}
+#endif /* CONFIG_NFS_V4_MAC */
+
 static int verify_attr_len(struct xdr_stream *xdr, __be32 *savep, uint32_t attrlen)
 {
 	unsigned int attrwords = XDR_QUADLEN(attrlen);
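Review bot: When `security_secctx_to_secid` fails or the label is at least XDR_MAX_NETOBJ bytes, `decode_attr_mac_label` only logs and returns 0 with `*sid` untouched, while the caller's `fattr->bitmap[1]` still reports a label as present, so nfs_fhget and nfs_update_inode in this series go on to install whatever value was already in `fattr->secid`. Either report the failure (`rc = -EIO; goto out;` in both branches, matching the ordering check above) or give the caller an explicit valid flag instead of relying on the bitmap. The dprintk also names a function that does not exist (`security_decode_secid`) and prints a u32 with `%d`.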
@@ -3175,6 +3231,11 @@ static int decode_getfattr(struct xdr_stream *xdr, struct nfs_fattr *fattr, cons
 		goto xdr_error;
 	if ((status = decode_attr_mounted_on_fileid(xdr, bitmap, &fileid)) != 0)
 		goto xdr_error;
+#ifdef CONFIG_NFS_V4_MAC
+	if ((status = decode_attr_mac_label(xdr, bitmap, server->nfs_client,
+					&fattr->secid)) != 0)
+		goto xdr_error;
+#endif /* CONFIG_NFS_V4_MAC */
 	if (fattr->fileid == 0 && fileid != 0)
 		fattr->fileid = fileid;
 	if ((status = verify_attr_len(xdr, savep, attrlen)) == 0)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index b2a851c..fec4cfb 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -495,6 +495,12 @@ static void nfs_show_mount_options(struct seq_file *m, struct nfs_server *nfss,
 	seq_printf(m, ",timeo=%lu", 10U * clp->retrans_timeo / HZ);
 	seq_printf(m, ",retrans=%u", clp->retrans_count);
 	seq_printf(m, ",sec=%s", nfs_pseudoflavour_to_name(nfss->client->cl_auth->au_flavor));
+
+#ifdef CONFIG_NFS_V4_MAC
+	if ((nfss->nfs_client->cl_nfsversion == 4) &&
+	    (nfss->attr_bitmask[1] & FATTR4_WORD1_MAC_LABEL))
+		seq_printf(m, ",mac_label");
+#endif /* CONFIG_NFS_V4_MAC */
 }
 
 /*
@@ -549,6 +555,10 @@ static int nfs_show_stats(struct seq_file *m, struct vfsmount *mnt)
 		seq_printf(m, "bm0=0x%x", nfss->attr_bitmask[0]);
 		seq_printf(m, ",bm1=0x%x", nfss->attr_bitmask[1]);
 		seq_printf(m, ",acl=0x%x", nfss->acl_bitmask);
+#ifdef CONFIG_NFS_V4_MAC
+		if (nfss->attr_bitmask[1] & FATTR4_WORD1_MAC_LABEL)
+			seq_printf(m, ",mac_label");
+#endif /* CONFIG_NFS_V4_MAC */
 	}
 #endif
 
-- 
1.5.2.2




* [PATCH 7/7] NFSv4: Server implementation of MAC Labeling
From: David P. Quigley @ 2007-08-01 20:02 UTC (permalink / raw)
  To: selinux, labeled-nfs; +Cc: David P. Quigley

From: David P. Quigley <dpquigl@tycho.nsa.gov>

This patch implements the encoding of a MAC label on the server side to be sent
across the wire to the NFSv4 client. At this time there is no method of
receiving a label from the client to be set on the server.

Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
---
 fs/nfsd/nfs4xdr.c |   77 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 76 insertions(+), 1 deletions(-)

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 8ef0964..593a0b9 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -58,6 +58,7 @@
 #include <linux/nfs4_acl.h>
 #include <linux/sunrpc/gss_api.h>
 #include <linux/sunrpc/svcauth_gss.h>
+#include <linux/security.h>
 
 #define NFSDDBG_FACILITY		NFSDDBG_XDR
 
@@ -408,6 +409,20 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval, struct iattr *ia
 			goto xdr_error;
 		}
 	}
+#ifdef CONFIG_NFSD_V4_MAC
+	if (bmval[1] & FATTR4_WORD1_MAC_LABEL) {
+		READ_BUF(4);
+		len += 4;
+		READ32(dummy32);
+		READ_BUF(dummy32);
+		len += (XDR_QUADLEN(dummy32) << 2);
+		READMEM(buf, dummy32);
+		if (security_secctx_to_secid(&iattr->ia_sid,
+						(char *)buf, dummy32) != 0)
+			goto out_nfserr;
+		iattr->ia_valid |= ATTR_MAC_LABEL;
+	}
+#endif /* CONFIG_NFSD_V4_MAC */
 	if (len != expected_len)
 		goto xdr_error;
 
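Review bot: `goto out_nfserr` on a failed `security_secctx_to_secid` jumps to a label that, if it derives `status` from `host_err` as the ACL path in this function does, will see `host_err` unset and report success; set it first: `host_err = security_secctx_to_secid(&iattr->ia_sid, (char *)buf, dummy32); if (host_err) goto out_nfserr;`. `dummy32` is also a client-supplied length with no upper bound before `READMEM` and the LSM call; the client decoder in this series rejects labels of XDR_MAX_NETOBJ bytes or more, and the server should apply the same cap before handing the buffer to the LSM. nfsd4_decode_fattr begins outside this hunk.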
@@ -1414,6 +1429,34 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, int whotype, uid_t id, int group,
 	return nfsd4_encode_name(rqstp, whotype, id, group, p, buflen);
 }
 
+#ifdef CONFIG_NFSD_V4_MAC
+static inline __be32
+nfsd4_encode_mac_label(struct svc_rqst *rqstp,
+			struct dentry *dentry,
+			__be32 **p, int *buflen)
+{
+	char *context;
+	unsigned len = 0;
+	u32 secid;
+
+	security_inode_getsecid(dentry->d_inode, &secid);
+	security_secid_to_secctx(secid, &context, &len);
+	if (len < 0)
+		return nfserrno(len);
+	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4)) {
+		kfree(context);
+		return nfserr_resource;
+	}
+
+	*p = xdr_encode_opaque(*p, context, len);
+	*buflen -= (XDR_QUADLEN(len) << 2) + 4;
+	BUG_ON(*buflen < 0);
+
+	kfree(context);
+	return 0;
+}
+#endif /* CONFIG_NFSD_V4_MAC */
+
 #define WORD0_ABSENT_FS_ATTRS (FATTR4_WORD0_FS_LOCATIONS | FATTR4_WORD0_FSID | \
 			      FATTR4_WORD0_RDATTR_ERROR)
 #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
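Review bot: `len` is declared `unsigned`, so `if (len < 0)` after the security_secid_to_secctx call can never be true and the int the hook returns is discarded; when the hook fails, `context` is still uninitialized and is passed to xdr_encode_opaque and then kfree. Test the hook's return value instead, and initialize `secid`, because the dummy LSM's inode_getsecid in patch 1/7 leaves `*secid` untouched. The context should also be handed back with security_release_secctx, as the client side of this series does, rather than kfree, so the module that allocated it frees it.
```c
	char *context = NULL;
	u32 len = 0;
	u32 secid = 0;
	int rc;

	security_inode_getsecid(dentry->d_inode, &secid);
	rc = security_secid_to_secctx(secid, &context, &len);
	if (rc)
		return nfserrno(rc);
	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4)) {
		security_release_secctx(context, len);
		return nfserr_resource;
	}
	/* … unchanged: xdr_encode_opaque and buflen accounting … */
	security_release_secctx(context, len);
	return 0;
```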
@@ -1508,6 +1551,17 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
 			bmval0 &= ~FATTR4_WORD0_FS_LOCATIONS;
 		}
 	}
+#ifdef CONFIG_NFSD_V4_MAC
+	/**
+	 * This really isn't a good way to do this. We need the framework to detect a
+	 * mac implementation and handle this if it doesn't find one.
+	 *
+	 if (bmval1 & FATTR4_WORD1_MAC_LABEL) {
+	 if(!selinux_enabled)
+	 bmval1 &= ~FATTR_WORD1_MAC_LABEL;
+	 }
+	 */
+#endif /* CONFIG_NFSD_V4_MAC */
 	if ((buflen -= 16) < 0)
 		goto out_resource;
 
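Review bot: The commented-out block should be dropped rather than merged, but the gap it hints at is real: nothing in nfsd4_encode_fattr clears FATTR4_WORD1_MAC_LABEL from `bmval1` for an export that lacks NFSEXP_MAC_LABEL, the way ACL and FS_LOCATIONS are masked just above, so any client that sets the bit drives the label encoder on every export. The same export flag is made dead in the next hunk by `if (1 || exp->ex_flags & NFSEXP_MAC_LABEL)`, which advertises the attribute unconditionally. Replace the comment with the check itself, `if (!(exp->ex_flags & NFSEXP_MAC_LABEL)) bmval1 &= ~FATTR4_WORD1_MAC_LABEL;`, and remove the `1 ||` once the flag is honored. The enclosing function starts and ends outside this hunk.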
@@ -1518,15 +1572,25 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
 
 	if (bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) {
 		u32 word0 = NFSD_SUPPORTED_ATTRS_WORD0;
+		u32 word1 = NFSD_SUPPORTED_ATTRS_WORD1;
 		if ((buflen -= 12) < 0)
 			goto out_resource;
 		if (!aclsupport)
 			word0 &= ~FATTR4_WORD0_ACL;
 		if (!exp->ex_fslocs.locations)
 			word0 &= ~FATTR4_WORD0_FS_LOCATIONS;
+		#ifdef CONFIG_NFSD_V4_MAC
+			/* XXX: should also be turned into a check to the framework */
+			/* XXX: turn this on unconditionally for now ...*/
+				if (1 || exp->ex_flags & NFSEXP_MAC_LABEL)
+					word1 |= FATTR4_WORD1_MAC_LABEL;
+				else
+					word1 &= ~FATTR4_WORD1_MAC_LABEL;
+		#endif /* CONFIG_NFSD_V4_MAC */
+		
 		WRITE32(2);
 		WRITE32(word0);
-		WRITE32(NFSD_SUPPORTED_ATTRS_WORD1);
+		WRITE32(word1);
 	}
 	if (bmval0 & FATTR4_WORD0_TYPE) {
 		if ((buflen -= 4) < 0)
@@ -1832,6 +1896,17 @@ out_acl:
 		} else
                 	WRITE64((u64) stat.ino);
 	}
+#ifdef CONFIG_NFSD_V4_MAC
+	if (bmval1 & FATTR4_WORD1_MAC_LABEL) {
+		status = nfsd4_encode_mac_label(rqstp, dentry,
+				&p, &buflen);
+		if (status == nfserr_resource)
+			goto out_resource;
+		if (status)
+			goto out;
+	}
+#endif /* CONFIG_NFSD_V4_MAC */
+	
 	*attrlenp = htonl((char *)p - (char *)attrlenp - 4);
 	*countp = p - buffer;
 	status = nfs_ok;
-- 
1.5.2.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
From: Casey Schaufler @ 2007-08-01 20:55 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> This is the first set of patches attempting to provide a generic framework
> for
> MAC labeling in NFSv4.

I've read through the patches and I have one very important issue.
If you are going to provide a "generic" framework you need to support
label representations other than u32. If you only want to support
SELinux, and I understand that that is your initial target, a u32
is fine, but if you want a generic framework you need to allow for
the kinds of labels that have been used elsewhere. Smack (under
review now) uses an 8byte label. Trusted Irix uses a 510byte label,
and although I wouldn't expect that implementation to actually get
ported any time soon it provides an existence proof for large labels.
If you're talking about NFS you need to seriously consider what
TrustedSolaris requires, if just out of courtesy to those who brought
you NFS in the first place.

> This patch set is based heavily off of the patch from
> Sparta that was circulated privately in our discussion. It contains several
> new
> LSM hooks to provide a method for setting the incore inode data and encoding
> security information for passing across the wire in a module independent
> manner. This patch set does not provide a method for setting the label on the
> server from the client but provides the method for encoding those labels on
> the
> client. The patch applies on top of James Morris's SELinux git tree at git
> commit hash 80ba80a9bf25d251237694c3fcee850a73324532. I am currently
> maintaining these patches using guilt so if you have any patches for me to
> add
> to the set or to fold into the current patch set please mail them to the list
> and I will add them to the next round of patches.
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 1/7] Security: Add inode_{get,set}secid LSM hooks and security helper functions
From: Casey Schaufler @ 2007-08-01 21:01 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs; +Cc: David P. Quigley


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch adds a pair of new hooks to LSM. The existing method of setting
> security information through inode_getsecurity and inode_setsecurity use
> extended attributes. However, NFS prefers to manipulate inode fields directly
> and to do this we need a method to access the inode's security field in a
> module independent manner.
> 
> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  include/linux/security.h |   27 +++++++++++++++++++++++++++
>  security/dummy.c         |   10 ++++++++++
>  security/selinux/hooks.c |   15 +++++++++++++++
>  3 files changed, 52 insertions(+), 0 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index c11dc8a..fbfada9 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -413,6 +413,11 @@ struct request_sock;
>   *	is specified by @buffer_size.  @buffer may be NULL to request
>   *	the size of the buffer required.
>   *	Returns number of bytes used/required on success.
> + * @inode_getsecid:
> + * 	Returns secid from @inode;
> + * @inode_setsecid:
> + * 	Set the security structure value of @inode with @sid.
> + * 	Returns 0 on success.

How about dealing with inode security blobs instead of secids?

>   *
>   * Security hooks for file operations
>   *
> @@ -1235,6 +1240,8 @@ struct security_operations {
>    	int (*inode_getsecurity)(const struct inode *inode, const char *name,
> void *buffer, size_t size, int err);
>    	int (*inode_setsecurity)(struct inode *inode, const char *name, const
> void *value, size_t size, int flags);
>    	int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t
> buffer_size);
> +	void (*inode_getsecid)(struct inode *inode, u32 *secid);
> +	void (*inode_setsecid)(struct inode *inode, u32 secid);

void (*inode_getblob) (struct inode *inode, void *blob);
void (*inode_setblob) (struct inode *inode, void *blob);

Or something like that, where the number of "*"s may vary.

>  	int (*file_permission) (struct file * file, int mask);
>  	int (*file_alloc_security) (struct file * file);
> @@ -1793,6 +1800,18 @@ static inline int security_inode_listsecurity(struct
> inode *inode, char *buffer,
>  	return security_ops->inode_listsecurity(inode, buffer, buffer_size);
>  }
>  
> +static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
> +{
> +	security_ops->inode_getsecid(inode, secid);
> +}
> +
> +static inline void security_inode_setsecid(struct inode *inode, u32 sid)
> +{
> +	if (unlikely (IS_PRIVATE (inode)))
> +		return;
> +	security_ops->inode_setsecid(inode, sid);
> +}
> +
>  static inline int security_file_permission (struct file *file, int mask)
>  {
>  	return security_ops->file_permission (file, mask);
> @@ -2473,6 +2492,14 @@ static inline int security_inode_listsecurity(struct
> inode *inode, char *buffer,
>  	return 0;
>  }
>  
> +static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
> +{
> +}
> +
> +static inline void security_inode_setsecid(struct inode *inode, u32 secid)
> +{
> +}
> +
>  static inline int security_file_permission (struct file *file, int mask)
>  {
>  	return 0;
> diff --git a/security/dummy.c b/security/dummy.c
> index 19d813d..c0c50aa 100644
> --- a/security/dummy.c
> +++ b/security/dummy.c
> @@ -392,6 +392,14 @@ static int dummy_inode_listsecurity(struct inode *inode,
> char *buffer, size_t bu
>  	return 0;
>  }
>  
> +static void dummy_inode_getsecid(struct inode *inode, u32 *secid)
> +{
> +}
> +
> +static void dummy_inode_setsecid(struct inode *inode, u32 secid)
> +{
> +}
> +
>  static const char *dummy_inode_xattr_getsuffix(void)
>  {
>  	return NULL;
> @@ -1022,6 +1030,8 @@ void security_fixup_ops (struct security_operations
> *ops)
>  	set_to_dummy_if_null(ops, inode_getsecurity);
>  	set_to_dummy_if_null(ops, inode_setsecurity);
>  	set_to_dummy_if_null(ops, inode_listsecurity);
> +	set_to_dummy_if_null(ops, inode_getsecid);
> +	set_to_dummy_if_null(ops, inode_setsecid);
>  	set_to_dummy_if_null(ops, file_permission);
>  	set_to_dummy_if_null(ops, file_alloc_security);
>  	set_to_dummy_if_null(ops, file_free_security);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0fac682..56d8ecb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2457,6 +2457,19 @@ static int selinux_inode_listsecurity(struct inode
> *inode, char *buffer, size_t
>  	return len;
>  }
>  
> +static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
> +{
> +	struct inode_security_struct *isec = inode->i_security;
> +	*secid = isec->sid;
> +}
> +
> +static void selinux_inode_setsecid(struct inode *inode, u32 secid)
> +{
> +	struct inode_security_struct *isec = inode->i_security;
> +	isec->sid = secid;
> +	isec->initialized = 1;
> +}
> +
>  /* file security operations */
>  
>  static int selinux_file_permission(struct file *file, int mask)
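Review bot: `selinux_inode_getsecid` hands back `isec->sid` without regard to `isec->initialized`, and `selinux_inode_setsecid` writes `sid` and `initialized` with no locking; elsewhere in hooks.c the inode label is presumably established under `isec->lock` and is not meaningful until `initialized` is set, so the getter can give NFS the SID of a not-yet-labeled inode and the setter can race a concurrent inode_doinit. A comment stating the contract would help, e.g. `/* caller must ensure the inode's security struct is initialized (see inode_doinit) */`, and the setter should take `isec->lock` around the two stores.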
> @@ -4773,6 +4786,8 @@ static struct security_operations selinux_ops = {
>  	.inode_getsecurity =            selinux_inode_getsecurity,
>  	.inode_setsecurity =            selinux_inode_setsecurity,
>  	.inode_listsecurity =           selinux_inode_listsecurity,
> +	.inode_getsecid = 		selinux_inode_getsecid,
> +	.inode_setsecid = 		selinux_inode_setsecid,
>  
>  	.file_permission =		selinux_file_permission,
>  	.file_alloc_security =		selinux_file_alloc_security,
> -- 
> 1.5.2.2
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 2/7] VFS: Add sid field to iattr structure for notify_change
From: Casey Schaufler @ 2007-08-01 21:03 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs; +Cc: David P. Quigley


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> Since NFSv4 likes to directly modify fields in the incore inode we need a way
> to inform notify_change that the secid for the inode has changed. This patch
> adds a flag for notify_change and a field into the iattr struct to allow us
> to
> persist incore inode changes to disk.
> 
> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  include/linux/fs.h |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index d33bead..f5d324b 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -330,6 +330,7 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t
> offset,
>  #define ATTR_KILL_SUID	2048
>  #define ATTR_KILL_SGID	4096
>  #define ATTR_FILE	8192
> +#define ATTR_MAC_LABEL  16384
>  
>  /*
>   * This is the Inode Attributes structure, used for notify_change().  It
> @@ -356,6 +357,7 @@ struct iattr {
>  	 * check for (ia_valid & ATTR_FILE), and not for (ia_file != NULL).
>  	 */
>  	struct file	*ia_file;
> +	u32		ia_sid;

void *ia_blob;

so as not to be dependent on u32 labels.

>  };
>  
>  /*
> -- 
> 1.5.2.2
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 3/7] KConfig: Add KConfig entries for MAC labeled NFS
From: Casey Schaufler @ 2007-08-01 21:08 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs; +Cc: David P. Quigley


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch adds two entries into the fs/KConfig file. The first entry
> NFS_V4_MAC enables MAC labeling support to the NFSv4 client while the second
> entry NFSD_V4_MAC enables MAC labeling support on the server side.
> 
> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  fs/Kconfig |   18 ++++++++++++++++++
>  1 files changed, 18 insertions(+), 0 deletions(-)
> 

Unless you change away from u32 labels:

> diff --git a/fs/Kconfig b/fs/Kconfig
> index 58a0650..c4e42e2 100644
> --- a/fs/Kconfig
> +++ b/fs/Kconfig
> @@ -1593,6 +1593,15 @@ config NFS_V4
>  
>  	  If unsure, say N.
>  
> +config NFS_V4_MAC

config NFS_V4_SELINUX

> +	bool "Provide MAC Labeled NFSv4 client support"

bool "Provide SELINUX Labeled NFSv4 client support"

> +	depends on NFS_V4 && SECURITY_SELINUX
> +	help
> +	  Say Y here if you want label attribute support for NFS version 4.
> +
> +	  If unsure, say N.
> +
> +
>  config NFS_DIRECTIO
>  	bool "Allow direct I/O on NFS files"
>  	depends on NFS_FS
> @@ -1682,6 +1691,15 @@ config NFSD_V4
>  	  should only be used if you are interested in helping to test NFSv4.
>  	  If unsure, say N.
>  
> +config NFSD_V4_MAC

config NFS_V4_SELINUX

> +	bool "Provide MAC Labeled NFSv4 server support"

bool "Provide SELINUX Labeled NFSv4 server support"

> +	depends on NFSD_V4 && SECURITY_SELINUX
> +	help
> +	  If you would like to include support for label file attributes
> +	  over NFSv4, say Y here.
> +
> +	  If unsure, say N.
> +
>  config NFSD_TCP
>  	bool "Provide NFS server over TCP support"
>  	depends on NFSD
> -- 
> 1.5.2.2
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 4/7] Security: Add secctx_to_secid LSM hooks and security helper functions
From: Casey Schaufler @ 2007-08-01 21:11 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs; +Cc: David P. Quigley


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> The existing LSM interface provides a hook for converting a security
> identifier
> to a security context. This patch introduces a complementary hook to provide
> the conversion from the security context to corresponding security
> identifier.

This is strictly SELinux behavior. I don't suppose it hurts
anything, but a general framework won't need this.

> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> 

...


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 5/7] NFSv4: Add secid recommended attribute and NFSv4 flags
From: Casey Schaufler @ 2007-08-01 21:18 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs; +Cc: David P. Quigley


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch adds a new recommended attribute named secid into the NFSv4 file
> attribute structure. In addition it also adds several new flags to allow the
> NFS client and server to determine if this attribute is supported and if it
> is
> being sent over the wire.

Sorry to keep repeating myself, I expect the message has come through
by now, but this assumes a u32 label, which is fine for SELinux
but not for a general framework. 

> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  fs/nfs/nfs4proc.c           |    1 +
>  include/linux/nfs4.h        |    1 +
>  include/linux/nfs_xdr.h     |    3 +++
>  include/linux/nfsd/export.h |    5 +++--
>  include/linux/nfsd/nfsd.h   |    8 +++++---
>  5 files changed, 13 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index 6ca2795..9caddc9 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -98,6 +98,7 @@ const u32 nfs4_fattr_bitmap[2] = {
>  	| FATTR4_WORD1_TIME_ACCESS
>  	| FATTR4_WORD1_TIME_METADATA
>  	| FATTR4_WORD1_TIME_MODIFY
> +	| FATTR4_WORD1_MAC_LABEL

If you're sticking with a u32 label make this FATTR4_WORD1_SELINUX_LABEL

>  };
>  
>  const u32 nfs4_statfs_bitmap[2] = {
> diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
> index 8726491..e978031 100644
> --- a/include/linux/nfs4.h
> +++ b/include/linux/nfs4.h
> @@ -348,6 +348,7 @@ enum lock_type4 {
>  #define FATTR4_WORD1_TIME_MODIFY        (1UL << 21)
>  #define FATTR4_WORD1_TIME_MODIFY_SET    (1UL << 22)
>  #define FATTR4_WORD1_MOUNTED_ON_FILEID  (1UL << 23)
> +#define FATTR4_WORD1_MAC_LABEL		(1UL << 31)

If you're sticking with a u32 label make this FATTR4_WORD1_SELINUX_LABEL

>  
>  #define NFSPROC4_NULL 0
>  #define NFSPROC4_COMPOUND 1
> diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
> index cf74a4d..f6100e7 100644
> --- a/include/linux/nfs_xdr.h
> +++ b/include/linux/nfs_xdr.h
> @@ -56,6 +56,9 @@ struct nfs_fattr {
>  	__u64			change_attr;	/* NFSv4 change attribute */
>  	__u64			pre_change_attr;/* pre-op NFSv4 change attribute */
>  	unsigned long		time_start;
> +#ifdef CONFIG_NFS_V4_MAC
> +	__u32			secid;
> +#endif
>  };

Make this field accommodating of other label formats, please.

>  
>  #define NFS_ATTR_WCC		0x0001		/* pre-op WCC data    */
> diff --git a/include/linux/nfsd/export.h b/include/linux/nfsd/export.h
> index 5cd1924..76652ad 100644
> --- a/include/linux/nfsd/export.h
> +++ b/include/linux/nfsd/export.h
> @@ -32,7 +32,8 @@
>  #define NFSEXP_ALLSQUASH	0x0008
>  #define NFSEXP_ASYNC		0x0010
>  #define NFSEXP_GATHERED_WRITES	0x0020
> -/* 40 80 100 currently unused */
> +#define NFSEXP_MAC_LABEL	0x0040 /* Support Mac label fattr4 */

If you're sticking with a u32 label make this NFSEXP_SELINUX_LABEL

> +/* 80 100 currently unused */
>  #define NFSEXP_NOHIDE		0x0200
>  #define NFSEXP_NOSUBTREECHECK	0x0400
>  #define	NFSEXP_NOAUTHNLM	0x0800		/* Don't authenticate NLM requests - just
> trust */
> @@ -40,7 +41,7 @@
>  #define NFSEXP_FSID		0x2000
>  #define	NFSEXP_CROSSMOUNT	0x4000
>  #define	NFSEXP_NOACL		0x8000	/* reserved for possible ACL related use */
> -#define NFSEXP_ALLFLAGS		0xFE3F
> +#define NFSEXP_ALLFLAGS		0xFE7F
>  
>  /* The flags that may vary depending on security flavor: */
>  #define NFSEXP_SECINFO_FLAGS	(NFSEXP_READONLY | NFSEXP_ROOTSQUASH \
> diff --git a/include/linux/nfsd/nfsd.h b/include/linux/nfsd/nfsd.h
> index e452256..f381441 100644
> --- a/include/linux/nfsd/nfsd.h
> +++ b/include/linux/nfsd/nfsd.h
> @@ -309,8 +309,9 @@ extern struct timeval	nfssvc_boot;
>   | FATTR4_WORD1_OWNER	        | FATTR4_WORD1_OWNER_GROUP  |
> FATTR4_WORD1_RAWDEV           \
>   | FATTR4_WORD1_SPACE_AVAIL     | FATTR4_WORD1_SPACE_FREE   |
> FATTR4_WORD1_SPACE_TOTAL      \
>   | FATTR4_WORD1_SPACE_USED      | FATTR4_WORD1_TIME_ACCESS  |
> FATTR4_WORD1_TIME_ACCESS_SET  \
> - | FATTR4_WORD1_TIME_DELTA   | FATTR4_WORD1_TIME_METADATA    \
> - | FATTR4_WORD1_TIME_MODIFY     | FATTR4_WORD1_TIME_MODIFY_SET |
> FATTR4_WORD1_MOUNTED_ON_FILEID)
> + | FATTR4_WORD1_TIME_DELTA   	| FATTR4_WORD1_TIME_METADATA    			    \
> + | FATTR4_WORD1_TIME_MODIFY     | FATTR4_WORD1_TIME_MODIFY_SET 				    \
> + | FATTR4_WORD1_MOUNTED_ON_FILEID | FATTR4_WORD1_MAC_LABEL)
>  
>  /* These will return ERR_INVAL if specified in GETATTR or READDIR. */
>  #define NFSD_WRITEONLY_ATTRS_WORD1							    \
> @@ -321,7 +322,8 @@ extern struct timeval	nfssvc_boot;
>  (FATTR4_WORD0_SIZE              | FATTR4_WORD0_ACL                          
>               )
>  #define NFSD_WRITEABLE_ATTRS_WORD1                                          
>                \
>  (FATTR4_WORD1_MODE              | FATTR4_WORD1_OWNER         |
> FATTR4_WORD1_OWNER_GROUP     \
> - | FATTR4_WORD1_TIME_ACCESS_SET | FATTR4_WORD1_TIME_METADATA |
> FATTR4_WORD1_TIME_MODIFY_SET)
> + | FATTR4_WORD1_TIME_ACCESS_SET | FATTR4_WORD1_TIME_METADATA 				    \
> + | FATTR4_WORD1_TIME_MODIFY_SET | FATTR4_WORD1_MAC_LABEL)
>  
>  #endif /* CONFIG_NFSD_V4 */
>  
> -- 
> 1.5.2.2
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 6/7] NFSv4: Client implementation of MAC Labeling
From: Casey Schaufler @ 2007-08-01 21:29 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs; +Cc: David P. Quigley


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> There are several places where recommended attributes are implemented in the
> NFSv4 client code. This patch adds two functions to encode and decode the
> secid
> recommended attribute which makes use of the LSM hooks added earlier. It also
> adds code to grab the label from the file attribute structures and encode the
> label to be sent back to the server. Even though the code is there to encode
> a
> label to be sent back to the server there does not appear to be an interface
> to
> use it yet.

My usual comments regarding configuration names being SELINUX instead
of MAC if you stick with u32 labels.

Now I'm confused. Are you sending the context string on the wire,
or a sid? 

> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  fs/nfs/inode.c   |   16 ++++++++++++++
>  fs/nfs/nfs4xdr.c |   61
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  fs/nfs/super.c   |   10 ++++++++
>  3 files changed, 87 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
> index bca6cdc..1bc0951 100644
> --- a/fs/nfs/inode.c
> +++ b/fs/nfs/inode.c
> @@ -37,6 +37,7 @@
>  #include <linux/vfs.h>
>  #include <linux/inet.h>
>  #include <linux/nfs_xdr.h>
> +#include <linux/security.h>
>  
>  #include <asm/system.h>
>  #include <asm/uaccess.h>
> @@ -287,6 +288,14 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh,
> struct nfs_fattr *fattr)
>  		inode->i_nlink = fattr->nlink;
>  		inode->i_uid = fattr->uid;
>  		inode->i_gid = fattr->gid;
> +		
> +#ifdef CONFIG_NFS_V4_MAC
> +		if ((fattr->valid & NFS_ATTR_FATTR_V4) &&
> +				(fattr->bitmap[1] & FATTR4_WORD1_MAC_LABEL)) {
> +			security_inode_setsecid(inode, fattr->secid);

fattr->security, which is a blob instead of the secid.

> +		}
> +#endif /* CONFIG_NFS_V4_MAC  */
> +
>  		if (fattr->valid & (NFS_ATTR_FATTR_V3 | NFS_ATTR_FATTR_V4)) {
>  			/*
>  			 * report the blocks in 512byte units
> @@ -1038,6 +1047,13 @@ static int nfs_update_inode(struct inode *inode,
> struct nfs_fattr *fattr)
>  	inode->i_uid = fattr->uid;
>  	inode->i_gid = fattr->gid;
>  
> +#ifdef CONFIG_NFS_V4_MAC
> +	if ((fattr->valid & NFS_ATTR_FATTR_V4) &&
> +	    (fattr->bitmap[1] & FATTR4_WORD1_MAC_LABEL)) {
> +		security_inode_setsecid(inode, fattr->secid);

fattr->security, which is a blob instead of the secid.

> +	}
> +#endif /* CONFIG_NFS_V4_MAC */
> +
>  	if (fattr->valid & (NFS_ATTR_FATTR_V3 | NFS_ATTR_FATTR_V4)) {
>  		/*
>  		 * report the blocks in 512byte units
> diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
> index badd73b..4dc8943 100644
> --- a/fs/nfs/nfs4xdr.c
> +++ b/fs/nfs/nfs4xdr.c
> @@ -51,6 +51,7 @@
>  #include <linux/nfs4.h>
>  #include <linux/nfs_fs.h>
>  #include <linux/nfs_idmap.h>
> +#include <linux/security.h>
>  #include "nfs4_fs.h"
>  
>  #define NFSDBG_FACILITY		NFSDBG_XDR
> @@ -610,6 +611,10 @@ static int encode_attrs(struct xdr_stream *xdr, const
> struct iattr *iap, const s
>  	uint32_t bmval0 = 0;
>  	uint32_t bmval1 = 0;
>  	int status;
> +#ifdef CONFIG_NFS_V4_MAC
> +	char *label = NULL;
> +	u32 label_len = 0;
> +#endif
>  
>  	/*
>  	 * We reserve enough space to write the entire attribute buffer at once.
> @@ -648,6 +653,18 @@ static int encode_attrs(struct xdr_stream *xdr, const
> struct iattr *iap, const s
>  		}
>  		len += 4 + (XDR_QUADLEN(owner_grouplen) << 2);
>  	}
> +#ifdef CONFIG_NFS_V4_MAC
> +	if (iap->ia_valid & ATTR_MAC_LABEL) {
> +		security_secid_to_secctx(iap->ia_sid, &label, &label_len);
> +		if (label_len < 0) {
> +			printk(KERN_WARNING
> +					"nfs4: couldn't resolve sid %d to string\n",
> +					iap->ia_sid);
> +			/* XXX: Should we be going to an error label? */
> +		}
> +		len += 4 + (XDR_QUADLEN(label_len) << 2);
> +	}
> +#endif
>  	if (iap->ia_valid & ATTR_ATIME_SET)
>  		len += 16;
>  	else if (iap->ia_valid & ATTR_ATIME)
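Review bot: `label_len` is a `u32`, so the `if (label_len < 0)` test after security_secid_to_secctx is never true and the int the hook returns is dropped; a failed conversion leaves `label` NULL and `label_len` 0, and the hunk at `@@ -706,6 +723,14 @@` then sets FATTR4_WORD1_MAC_LABEL and writes an empty label to the wire. Capture the return code and bail out, `status = security_secid_to_secctx(iap->ia_sid, &label, &label_len); if (status) goto out;` (or whichever error exit encode_attrs uses — its body lies outside these hunks), so a SID that cannot be resolved aborts the SETATTR instead of sending a bogus label. The printk then becomes unnecessary.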
> @@ -706,6 +723,14 @@ static int encode_attrs(struct xdr_stream *xdr, const
> struct iattr *iap, const s
>  		bmval1 |= FATTR4_WORD1_TIME_MODIFY_SET;
>  		WRITE32(NFS4_SET_TO_SERVER_TIME);
>  	}
> +#ifdef CONFIG_NFS_V4_MAC
> +	if (iap->ia_valid & ATTR_MAC_LABEL) {
> +		bmval1 |= FATTR4_WORD1_MAC_LABEL;
> +		WRITE32(label_len);
> +		WRITEMEM(label, label_len);
> +		security_release_secctx(label, label_len);
> +	}
> +#endif /* CONFIG_NFS_V4_MAC */
>  	
>  	/*
>  	 * Now we backfill the bitmap and the attribute buffer length.
> @@ -2944,6 +2969,37 @@ static int decode_attr_time_modify(struct xdr_stream
> *xdr, uint32_t *bitmap, str
>  	return status;
>  }
>  
> +#ifdef CONFIG_NFS_V4_MAC
> +static int decode_attr_mac_label(struct xdr_stream *xdr, uint32_t *bitmap,
> +					struct nfs_client *clp, u32 *sid)
> +{
> +	uint32_t len;
> +	__be32 *p;
> +	int rc = 0;
> +	if (unlikely(bitmap[1] & (FATTR4_WORD1_MAC_LABEL - 1U))) {
> +		rc = -EIO;
> +		goto out;
> +	}
> +	if (likely(bitmap[1] & FATTR4_WORD1_MAC_LABEL)) {
> +		READ_BUF(4);
> +		READ32(len);
> +		READ_BUF(len);
> +		if (len < XDR_MAX_NETOBJ) {
> +			if (security_secctx_to_secid(sid, (char *)p, len) != 0)
> +				dprintk("%s: security_decode_secid failed!\n",
> +								__FUNCTION__);
> +		} else {
> +			printk(KERN_WARNING "%s: label too long (%u)!\n",
> +					__FUNCTION__, len);
> +		}
> +		bitmap[1] &= ~FATTR4_WORD1_MAC_LABEL;
> +	}
> +	dprintk("%s: sid=%d\n", __FUNCTION__, (u32)*sid);
> +out:
> +	return rc;
> +}
> +#endif /* CONFIG_NFS_V4_MAC */
> +
>  static int verify_attr_len(struct xdr_stream *xdr, __be32 *savep, uint32_t
> attrlen)
>  {
>  	unsigned int attrwords = XDR_QUADLEN(attrlen);
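Review bot: The `len < XDR_MAX_NETOBJ` bound is checked only after `READ_BUF(len)` has already reserved the server-supplied length, and when the bound fails or security_secctx_to_secid rejects the context, `rc` stays 0 and `*sid` is left untouched, so the caller proceeds as if a valid label had been decoded and may apply a stale or zero SID to the inode. Move the length check ahead of READ_BUF and make the failure visible, e.g. `if (security_secctx_to_secid(sid, (char *)p, len) != 0) rc = -EIO;`; note too that the caller in nfs_fhget tests `fattr->bitmap[1]`, which this function does not modify, so clearing `bitmap[1]` here may not be seen by it. `clp` is unused in this function, and the trailing dprintk prints `*sid` even when no label was present.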
> @@ -3175,6 +3231,11 @@ static int decode_getfattr(struct xdr_stream *xdr,
> struct nfs_fattr *fattr, cons
>  		goto xdr_error;
>  	if ((status = decode_attr_mounted_on_fileid(xdr, bitmap, &fileid)) != 0)
>  		goto xdr_error;
> +#ifdef CONFIG_NFS_V4_MAC
> +	if ((status = decode_attr_mac_label(xdr, bitmap, server->nfs_client,
> +					&fattr->secid)) != 0)
> +		goto xdr_error;
> +#endif /* CONFIG_NFS_V4_MAC */
>  	if (fattr->fileid == 0 && fileid != 0)
>  		fattr->fileid = fileid;
>  	if ((status = verify_attr_len(xdr, savep, attrlen)) == 0)
> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> index b2a851c..fec4cfb 100644
> --- a/fs/nfs/super.c
> +++ b/fs/nfs/super.c
> @@ -495,6 +495,12 @@ static void nfs_show_mount_options(struct seq_file *m,
> struct nfs_server *nfss,
>  	seq_printf(m, ",timeo=%lu", 10U * clp->retrans_timeo / HZ);
>  	seq_printf(m, ",retrans=%u", clp->retrans_count);
>  	seq_printf(m, ",sec=%s",
> nfs_pseudoflavour_to_name(nfss->client->cl_auth->au_flavor));
> +
> +#ifdef CONFIG_NFS_V4_MAC
> +	if ((nfss->nfs_client->cl_nfsversion == 4) &&
> +	    (nfss->attr_bitmask[1] & FATTR4_WORD1_MAC_LABEL))
> +		seq_printf(m, ",mac_label");
> +#endif /* CONFIG_NFS_V4_MAC */
>  }
>  
>  /*
> @@ -549,6 +555,10 @@ static int nfs_show_stats(struct seq_file *m, struct
> vfsmount *mnt)
>  		seq_printf(m, "bm0=0x%x", nfss->attr_bitmask[0]);
>  		seq_printf(m, ",bm1=0x%x", nfss->attr_bitmask[1]);
>  		seq_printf(m, ",acl=0x%x", nfss->acl_bitmask);
> +#ifdef CONFIG_NFS_V4_MAC
> +		if (nfss->attr_bitmask[1] & FATTR4_WORD1_MAC_LABEL)
> +			seq_printf(m, ",mac_label");
> +#endif /* CONFIG_NFS_V4_MAC */
>  	}
>  #endif
>  
> -- 
> 1.5.2.2
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
From: Stephen Smalley @ 2007-08-01 21:30 UTC (permalink / raw)
  To: casey; +Cc: David P. Quigley, selinux, labeled-nfs

On Wed, 2007-08-01 at 13:55 -0700, Casey Schaufler wrote:
> --- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:
> 
> > This is the first set of patches attempting to provide a generic framework
> > for
> > MAC labeling in NFSv4.
> 
> I've read through the patches and I have one very important issue.
> If you are going to provide a "generic" framework you need to support
> label representations other than u32. If you only want to support
> SELinux, and I understand that that is your initial target, a u32
> is fine, but if you want a generic framework you need to allow for
> the kinds of labels that have been used elsewhere. Smack (under
> review now) uses an 8byte label. Trusted Irix uses a 510byte label,
> and although I wouldn't expect that implementation to actually get
> ported any time soon it provides an existence proof for large labels.
> If you're talking about NFS you need to seriously consider what
> TrustedSolaris requires, if just out of courtesy to those who brought
> you NFS in the first place.

The label representation over the wire isn't a u32 (or inherently
limited in size); the u32 secid is just a handle to the label.  As long
as the code invokes a secid_to_secctx hook to obtain the actual label to
be conveyed over the wire, there is no harm, and it is more efficient to
handle them as secids than full labels internally.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 7/7] NFSv4: Server implementation of MAC Labeling
  2007-08-01 20:02 ` [PATCH 7/7] NFSv4: Server " David P. Quigley
@ 2007-08-01 21:33   ` Casey Schaufler
  2007-08-02 13:10   ` Stephen Smalley
  1 sibling, 0 replies; 33+ messages in thread
From: Casey Schaufler @ 2007-08-01 21:33 UTC (permalink / raw)
  To: David P. Quigley, selinux, labeled-nfs; +Cc: David P. Quigley


--- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:

> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch implements the encoding of a MAC label on the server side to be
> sent
> across the wire to the NFSv4 client. At this time there is no method of
> receiving a label from the client to be set on the server.

Perhaps you should look into how the ACL code deals with attributes
with non-uniform sizes. 

> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  fs/nfsd/nfs4xdr.c |   77
> ++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  1 files changed, 76 insertions(+), 1 deletions(-)
> 
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index 8ef0964..593a0b9 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -58,6 +58,7 @@
>  #include <linux/nfs4_acl.h>
>  #include <linux/sunrpc/gss_api.h>
>  #include <linux/sunrpc/svcauth_gss.h>
> +#include <linux/security.h>
>  
>  #define NFSDDBG_FACILITY		NFSDDBG_XDR
>  
> @@ -408,6 +409,20 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32
> *bmval, struct iattr *ia
>  			goto xdr_error;
>  		}
>  	}
> +#ifdef CONFIG_NFSD_V4_MAC
> +	if (bmval[1] & FATTR4_WORD1_MAC_LABEL) {
> +		READ_BUF(4);
> +		len += 4;
> +		READ32(dummy32);
> +		READ_BUF(dummy32);
> +		len += (XDR_QUADLEN(dummy32) << 2);
> +		READMEM(buf, dummy32);
> +		if (security_secctx_to_secid(&iattr->ia_sid,
> +						(char *)buf, dummy32) != 0)
> +			goto out_nfserr;
> +		iattr->ia_valid |= ATTR_MAC_LABEL;
> +	}
> +#endif /* CONFIG_NFSD_V4_MAC */
>  	if (len != expected_len)
>  		goto xdr_error;
>  
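Review bot: The return value of security_secctx_to_secid at L1945 is compared with zero but not stored, so the jump to out_nfserr carries no error from the hook; if that label converts the function's host error variable into the NFS status, as its name suggests, the client receives an unrelated or stale status. Capture it in the variable out_nfserr uses (its definition is outside the hunk): `host_err = security_secctx_to_secid(&iattr->ia_sid, (char *)buf, dummy32); if (host_err) goto out_nfserr;`. The label bytes come straight from the client; READ_BUF bounds the read, but nothing here ties the resulting `ia_sid` to a relabel permission check, so the setattr path that consumes ATTR_MAC_LABEL should be confirmed to perform one before the new secid is applied. This decode path also contradicts the cover text, which says there is no way to receive a label from the client. nfsd4_decode_fattr begins and ends outside the hunk; the hunk is quoted again at L2583–L2603.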
> @@ -1414,6 +1429,34 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, int
> whotype, uid_t id, int group,
>  	return nfsd4_encode_name(rqstp, whotype, id, group, p, buflen);
>  }
>  
> +#ifdef CONFIG_NFSD_V4_MAC
> +static inline __be32
> +nfsd4_encode_mac_label(struct svc_rqst *rqstp,
> +			struct dentry *dentry,
> +			__be32 **p, int *buflen)
> +{
> +	char *context;
> +	unsigned len = 0;
> +	u32 secid;
> +
> +	security_inode_getsecid(dentry->d_inode, &secid);
> +	security_secid_to_secctx(secid, &context, &len);
> +	if (len < 0)
> +		return nfserrno(len);
> +	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4)) {
> +		kfree(context);
> +		return nfserr_resource;
> +	}
> +
> +	*p = xdr_encode_opaque(*p, context, len);
> +	*buflen -= (XDR_QUADLEN(len) << 2) + 4;
> +	BUG_ON(*buflen < 0);
> +
> +	kfree(context);
> +	return 0;
> +}
> +#endif /* CONFIG_NFSD_V4_MAC */
> +
>  #define WORD0_ABSENT_FS_ATTRS (FATTR4_WORD0_FS_LOCATIONS | FATTR4_WORD0_FSID
> | \
>  			      FATTR4_WORD0_RDATTR_ERROR)
>  #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
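Review bot: `len` is declared `unsigned` at L1966, so `if (len < 0)` at L1971 is always false and `nfserrno(len)` is unreachable; on a failed conversion the function falls through to `kfree(context)` at L1982 with a pointer that was never initialised. The hook's result is what should be tested: `int err = security_secid_to_secctx(secid, &context, &len); if (err) return nfserrno(err);`. The comparison at L1973 mixes the signed `*buflen` with an unsigned right-hand side, so a negative `*buflen` would pass the check and only be caught by the BUG_ON after the write; computing the required size into an `int` local first keeps the comparison signed. `rqstp` is unused inside the function. The hunk is quoted again at L2604–L2644.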
> @@ -1508,6 +1551,17 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct
> svc_export *exp,
>  			bmval0 &= ~FATTR4_WORD0_FS_LOCATIONS;
>  		}
>  	}
> +#ifdef CONFIG_NFSD_V4_MAC
> +	/**
> +	 * This really isn't a good way to do this. We need the framework to detect
> a
> +	 * mac implementation and handle this if it doesn't find one.
> +	 *
> +	 if (bmval1 & FATTR4_WORD1_MAC_LABEL) {
> +	 if(!selinux_enabled)

Eh Hm.

> +	 bmval1 &= ~FATTR_WORD1_MAC_LABEL;
> +	 }
> +	 */
> +#endif /* CONFIG_NFSD_V4_MAC */
>  	if ((buflen -= 16) < 0)
>  		goto out_resource;
>  
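Review bot: The block added at L1997–L2009 is commented-out code, and it would not compile if re-enabled: L2007 uses `FATTR_WORD1_MAC_LABEL` while every other use in the patch is `FATTR4_WORD1_MAC_LABEL`, and `selinux_enabled` appears to be an SELinux-specific symbol that nfsd should not reference directly. Commented-out code should be dropped from the submission; if the intent needs recording, a one-line `/* TODO: drop FATTR4_WORD1_MAC_LABEL from bmval1 when no label is available */` is enough. The `/**` opener also marks this as a kernel-doc comment, which it is not. nfsd4_encode_fattr begins and ends outside the hunk; the hunk is quoted again at L2645–L2665.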
> @@ -1518,15 +1572,25 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct
> svc_export *exp,
>  
>  	if (bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) {
>  		u32 word0 = NFSD_SUPPORTED_ATTRS_WORD0;
> +		u32 word1 = NFSD_SUPPORTED_ATTRS_WORD1;
>  		if ((buflen -= 12) < 0)
>  			goto out_resource;
>  		if (!aclsupport)
>  			word0 &= ~FATTR4_WORD0_ACL;
>  		if (!exp->ex_fslocs.locations)
>  			word0 &= ~FATTR4_WORD0_FS_LOCATIONS;
> +		#ifdef CONFIG_NFSD_V4_MAC
> +			/* XXX: should also be turned into a check to the framework */
> +			/* XXX: turn this on unconditionally for now ...*/
> +				if (1 || exp->ex_flags & NFSEXP_MAC_LABEL)
> +					word1 |= FATTR4_WORD1_MAC_LABEL;
> +				else
> +					word1 &= ~FATTR4_WORD1_MAC_LABEL;
> +		#endif /* CONFIG_NFSD_V4_MAC */
> +		
>  		WRITE32(2);
>  		WRITE32(word0);
> -		WRITE32(NFSD_SUPPORTED_ATTRS_WORD1);
> +		WRITE32(word1);
>  	}
>  	if (bmval0 & FATTR4_WORD0_TYPE) {
>  		if ((buflen -= 4) < 0)
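Review bot: `if (1 || exp->ex_flags & NFSEXP_MAC_LABEL)` at L2029 short-circuits, so the export flag is never consulted, the `else` branch at L2031–L2032 is unreachable, and every export advertises MAC_LABEL support; the `XXX` comments acknowledge this, but as submitted an administrator has no per-export way to turn label export off. Even as a stopgap, `if (exp->ex_flags & NFSEXP_MAC_LABEL)` keeps the flag meaningful. The `#ifdef`/`#endif` at L2026 and L2033 are indented with the code and the body sits two levels deeper than the surrounding block; kernel style puts preprocessor directives in column 0 with the body at the block's indent. L2034 adds a whitespace-only line. The hunk is quoted again at L2666–L2695.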
> @@ -1832,6 +1896,17 @@ out_acl:
>  		} else
>                  	WRITE64((u64) stat.ino);
>  	}
> +#ifdef CONFIG_NFSD_V4_MAC
> +	if (bmval1 & FATTR4_WORD1_MAC_LABEL) {
> +		status = nfsd4_encode_mac_label(rqstp, dentry,
> +				&p, &buflen);
> +		if (status == nfserr_resource)
> +			goto out_resource;
> +		if (status)
> +			goto out;
> +	}
> +#endif /* CONFIG_NFSD_V4_MAC */
> +	
>  	*attrlenp = htonl((char *)p - (char *)attrlenp - 4);
>  	*countp = p - buffer;
>  	status = nfs_ok;
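Review bot: The label is encoded whenever the client sets the bit in bmval1 (L2047), independent of the export's NFSEXP_MAC_LABEL flag, so a per-export opt-out would have no effect here even if the supported-attrs hunk honoured it; either test `exp->ex_flags` at this point or mask the bit out of bmval1 where the other unsupported bits are cleared earlier in the function. NFSv4 encodes attribute values in ascending bit order, and this block follows MOUNTED_ON_FILEID, which is correct only if FATTR4_WORD1_MAC_LABEL has a higher bit value; its definition is not in this patch, so that should be checked. `if (status == nfserr_resource) goto out_resource;` is presumably redundant if out_resource only assigns that status, in which case `if (status) goto out;` alone suffices. L2056 adds a whitespace-only line. nfsd4_encode_fattr ends outside the hunk; the hunk is quoted again at L2696–L2713.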
> -- 
> 1.5.2.2
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
> 


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [Labeled-nfs] [PATCH 6/7] NFSv4: Client implementation of MAC Labeling
  2007-08-01 21:29   ` Casey Schaufler
@ 2007-08-01 21:34     ` Stephen Smalley
  2007-08-01 22:06       ` Casey Schaufler
  0 siblings, 1 reply; 33+ messages in thread
From: Stephen Smalley @ 2007-08-01 21:34 UTC (permalink / raw)
  To: casey; +Cc: David P. Quigley, selinux, labeled-nfs

On Wed, 2007-08-01 at 14:29 -0700, Casey Schaufler wrote:
> --- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:
> 
> > From: David P. Quigley <dpquigl@tycho.nsa.gov>
> > 
> > There are several places where recommended attributes are implemented in the
> > NFSv4 client code. This patch adds two functions to encode and decode the
> > secid
> > recommended attribute which makes use of the LSM hooks added earlier. It also
> > adds code to grab the label from the file attribute structures and encode the
> > label to be sent back to the server. Even though the code is there to encode
> > a
> > label to be sent back to the server there does not appear to be an interface
> > to
> > use it yet.
> 
> My usual comments regarding configuration names being SELINUX instead
> of MAC if you stick with u32 labels.
> 
> Now I'm confused. Are you sending the context string on the wire,
> or a sid? 

The context string.  But it is then mapped to a local SID when it is
received.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 4/7] Security: Add secctx_to_secid LSM hooks and security helper functions
  2007-08-01 21:11   ` Casey Schaufler
@ 2007-08-01 21:41     ` Paul Moore
  2007-08-01 22:14       ` Casey Schaufler
  0 siblings, 1 reply; 33+ messages in thread
From: Paul Moore @ 2007-08-01 21:41 UTC (permalink / raw)
  To: casey; +Cc: David P. Quigley, selinux, labeled-nfs

On Wednesday, August 1 2007 5:11:27 pm Casey Schaufler wrote:
> --- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:
> > From: David P. Quigley <dpquigl@tycho.nsa.gov>
> >
> > The existing LSM interface provides a hook for converting a security
> > identifier
> > to a security context. This patch introduces a complementary hook to
> > provide the conversion from the security context to corresponding
> > security identifier.
>
> This is strictly SELinux behavior. I don't suppose it hurts
> anything, but a general framework won't need this.

I'm not so sure about that ... having a mechanism which maps an arbitrarily 
large label into an easily manipulated token (and back again) seems like 
something that could be of use to other security mechanisms besides 
SELinux/TE.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
  2007-08-01 21:30   ` Stephen Smalley
@ 2007-08-01 21:59     ` Casey Schaufler
  2007-08-02 13:19       ` Stephen Smalley
  0 siblings, 1 reply; 33+ messages in thread
From: Casey Schaufler @ 2007-08-01 21:59 UTC (permalink / raw)
  To: Stephen Smalley, casey; +Cc: David P. Quigley, selinux, labeled-nfs


--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Wed, 2007-08-01 at 13:55 -0700, Casey Schaufler wrote:
> > --- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:
> > 
> > > This is the first set of patches attempting to provide a generic
> framework
> > > for
> > > MAC labeling in NFSv4.
> > 
> > I've read through the patches and I have one very important issue.
> > If you are going to provide a "generic" framework you need to support
> > label representations other than u32. If you only want to support
> > SELinux, and I understand that that is your initial target, a u32
> > is fine, but if you want a generic framework you need to allow for
> > the kinds of labels that have been used elsewhere. Smack (under
> > review now) uses an 8byte label. Trusted Irix uses a 510byte label,
> > and although I wouldn't expect that implementation to actually get
> > ported any time soon it provides an existence proof for large labels.
> > If you're talking about NFS you need to seriously consider what
> > TrustedSolaris requires, if just out of courtesy to those who brought
> > you NFS in the first place.
> 
> The label representation over the wire isn't a u32 (or inherently
> limited in size); the u32 secid is just a handle to the label.  As long
> as the code invokes a secid_to_secctx hook to obtain the actual label to
> be conveyed over the wire, there is no harm, and it is more efficient to
> handle them as secids than full labels internally.

This is true for SELinux, where the secid is a map to a sophisticated
label. On Smack the label is completely unsophisticated and
translating back and forth to secids adds unnecessary overhead.

In the spirit of LSM I suggest that blobs are more appropriate
units of data than u32s. I understand that the SELinux design
philosophy is well served by secids. My design philosophy, which
is pretty much the opposite, has no need for secids and is
negatively impacted by interfaces that require them.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [Labeled-nfs] [PATCH 6/7] NFSv4: Client implementation of MAC Labeling
  2007-08-01 21:34     ` [Labeled-nfs] " Stephen Smalley
@ 2007-08-01 22:06       ` Casey Schaufler
  0 siblings, 0 replies; 33+ messages in thread
From: Casey Schaufler @ 2007-08-01 22:06 UTC (permalink / raw)
  To: Stephen Smalley, casey; +Cc: David P. Quigley, selinux, labeled-nfs


--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Wed, 2007-08-01 at 14:29 -0700, Casey Schaufler wrote:
> > --- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:
> > 
> > > From: David P. Quigley <dpquigl@tycho.nsa.gov>
> > > 
> > > There are several places where recommended attributes are implemented in
> the
> > > NFSv4 client code. This patch adds two functions to encode and decode the
> > > secid
> > > recommended attribute which makes use of the LSM hooks added earlier. It
> also
> > > adds code to grab the label from the file attribute structures and encode
> the
> > > label to be sent back to the server. Even though the code is there to
> encode
> > > a
> > > label to be sent back to the server there does not appear to be an
> interface
> > > to
> > > use it yet.
> > 
> > My usual comments regarding configuration names being SELINUX instead
> > of MAC if you stick with u32 labels.
> > 
> > Now I'm confused. Are you sending the context string on the wire,
> > or a sid? 
> 
> The context string.  But it is then mapped to a local SID when it is
> received.

For Smack I would want to pass the label (a short character string)
and then use the string unaltered. I don't need to map it to a SID.
If the interface translates the label to a SID I then have to
translate it right back to a label. I need to invoke the translation
infrastructure twice just to get back what I had originally.

My conclusion* is that the interface needs to be LSM clean, and
leave the representation and processing of the data up to the
LSM module and not make assumptions about how it should be represented.

----
* In support of my goal, of course.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 4/7] Security: Add secctx_to_secid LSM hooks and security helper functions
  2007-08-01 21:41     ` Paul Moore
@ 2007-08-01 22:14       ` Casey Schaufler
  0 siblings, 0 replies; 33+ messages in thread
From: Casey Schaufler @ 2007-08-01 22:14 UTC (permalink / raw)
  To: Paul Moore, casey; +Cc: David P. Quigley, selinux, labeled-nfs


--- Paul Moore <paul.moore@hp.com> wrote:

> On Wednesday, August 1 2007 5:11:27 pm Casey Schaufler wrote:
> > --- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:
> > > From: David P. Quigley <dpquigl@tycho.nsa.gov>
> > >
> > > The existing LSM interface provides a hook for converting a security
> > > identifier
> > > to a security context. This patch introduces a complementary hook to
> > > provide the conversion from the security context to corresponding
> > > security identifier.
> >
> > This is strictly SELinux behavior. I don't suppose it hurts
> > anything, but a general framework won't need this.
> 
> I'm not so sure about that ... having a mechanism which maps an arbitrarily 
> large label into an easily manipulated token (and back again) seems like 
> something that could be of use to other security mechanisms besides 
> SELinux/TE.

Yes, if you wanted to port the SecureWare CMW to Linux it would be
quite valuable. If on the other hand you have a small, directly
used label a mapping mechanism is unnecessary and being required
to do mappings is a pain in the bum. But, that's just me.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 1/7] Security: Add inode_{get,set}secid LSM hooks and security helper functions
  2007-08-01 20:02 ` [PATCH 1/7] Security: Add inode_{get,set}secid LSM hooks and security helper functions David P. Quigley
  2007-08-01 21:01   ` Casey Schaufler
@ 2007-08-02  3:17   ` James Morris
  1 sibling, 0 replies; 33+ messages in thread
From: James Morris @ 2007-08-02  3:17 UTC (permalink / raw)
  To: David P. Quigley; +Cc: selinux, labeled-nfs

On Wed, 1 Aug 2007, David P. Quigley wrote:

> + * @inode_getsecid:
> + * 	Returns secid from @inode;

Probably best to specify that this happens via *secid.

> + * @inode_setsecid:
> + * 	Set the security structure value of @inode with @sid.
> + * 	Returns 0 on success.

Except when it returns void :-)

> +	void (*inode_getsecid)(struct inode *inode, u32 *secid);
> +	void (*inode_setsecid)(struct inode *inode, u32 secid);

> +static inline void security_inode_setsecid(struct inode *inode, u32 sid)
> +{
> +	if (unlikely (IS_PRIVATE (inode)))

Please remove the extra spaces.


-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 2/7] VFS: Add sid field to iattr structure for notify_change
  2007-08-01 20:02 ` [PATCH 2/7] VFS: Add sid field to iattr structure for notify_change David P. Quigley
  2007-08-01 21:03   ` Casey Schaufler
@ 2007-08-02  3:21   ` James Morris
  1 sibling, 0 replies; 33+ messages in thread
From: James Morris @ 2007-08-02  3:21 UTC (permalink / raw)
  To: David P. Quigley; +Cc: selinux, labeled-nfs

On Wed, 1 Aug 2007, David P. Quigley wrote:

>  	struct file	*ia_file;
> +	u32		ia_sid;

This should be called ia_secid, and conditionally compiled per some 
Kconfig parameter.



-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 3/7] KConfig: Add KConfig entries for MAC labeled NFS
  2007-08-01 20:02 ` [PATCH 3/7] KConfig: Add KConfig entries for MAC labeled NFS David P. Quigley
  2007-08-01 21:08   ` Casey Schaufler
@ 2007-08-02  3:24   ` James Morris
  1 sibling, 0 replies; 33+ messages in thread
From: James Morris @ 2007-08-02  3:24 UTC (permalink / raw)
  To: David P. Quigley; +Cc: selinux, labeled-nfs

On Wed, 1 Aug 2007, David P. Quigley wrote:

> This patch adds two entries into the fs/KConfig file. The first entry
> NFS_V4_MAC enables MAC labeling support to the NFSv4 client while the second
> entry NFSD_V4_MAC enables MAC labeling support on the server side.

> +	depends on NFS_V4 && SECURITY_SELINUX

I think you want these as

	depends on NFS_V4 && SECURITY



-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 6/7] NFSv4: Client implementation of MAC Labeling
  2007-08-01 20:02 ` [PATCH 6/7] NFSv4: Client implementation of MAC Labeling David P. Quigley
  2007-08-01 21:29   ` Casey Schaufler
@ 2007-08-02  3:37   ` James Morris
  2007-08-02 13:12   ` Stephen Smalley
  2 siblings, 0 replies; 33+ messages in thread
From: James Morris @ 2007-08-02  3:37 UTC (permalink / raw)
  To: David P. Quigley; +Cc: selinux, labeled-nfs

On Wed, 1 Aug 2007, David P. Quigley wrote:

> +#ifdef CONFIG_NFS_V4_MAC
> +		if ((fattr->valid & NFS_ATTR_FATTR_V4) &&
> +				(fattr->bitmap[1] & FATTR4_WORD1_MAC_LABEL)) {
> +			security_inode_setsecid(inode, fattr->secid);
> +		}
> +#endif /* CONFIG_NFS_V4_MAC  */

Turn this into a static inline & reuse it, then it can be compiled away 
cleanly for !CONFIG_NFS_V4_MAC.

> +			if (security_secctx_to_secid(sid, (char *)p, len) != 0)
> +				dprintk("%s: security_decode_secid failed!\n",
> +								__FUNCTION__);

Standard form is:

	err = foo();
	if (err)
		bar();


And then you can print the error code, too.



-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
  2007-08-01 20:02 [RFC] SENFS: MAC labeling support for NFSv4 David P. Quigley
                   ` (7 preceding siblings ...)
  2007-08-01 20:55 ` [RFC] SENFS: MAC labeling support for NFSv4 Casey Schaufler
@ 2007-08-02  4:19 ` James Morris
  8 siblings, 0 replies; 33+ messages in thread
From: James Morris @ 2007-08-02  4:19 UTC (permalink / raw)
  To: David P. Quigley; +Cc: selinux, Labeled NFS, Casey Schaufler

On Wed, 1 Aug 2007, David P. Quigley wrote:

> This is the first set of patches attempting to provide a generic framework for
> MAC labeling in NFSv4.

I agree with Casey that this is too SELinux-specific to be regarded as 
a generic framework.

Given that it's a prototype, which only addresses label transport, I think 
it's probably ok to proceed with this prototype work as SELinux-specific, 
and then look at how it might be refactored as a generic framework with 
SELinux as one flavor.

I suggest making the explanation of the patch set much clearer, so that 
reviewers and developers can more readily understand the scope, purpose, 
test/demonstration status, outstanding issues, next steps etc.

In this case, IIUC, these patches are an SELinux-specific prototype, which 
demonstrate recommended attributes as a potential label transport 
mechanism.  Can you explain, for example, how and why this is a desirable 
approach, and what the patches demonstrate?

Also, in this discussion, we need to also make a distinction between LSM, 
an existing Linux-specific generic framework, and Labeled NFS, which is 
expected to be an OS-independent framework.

LSM already provides a u32 secid / string conversion interface, which was 
required for the Linux Labeled IPsec and Audit work, based on SELinux 
requirements.  The existence of this interface does not mean that it has 
to be used, or that it is the only possible interface.  If another LSM is 
merged which wants to make use of these facilities, a case could be made 
as part of that merge to further generalize the interfaces, and until 
then, using blobs instead of u32 is adding unnecessary infrastructure and 
overhead, while also further weakening the semantics of the API.

IOW:

-  Work which extends LSM should continue to extend the secid/secctx 
   interfaces in a consistent manner.  These interfaces may be subject to 
   change if another LSM is merged.

-  Initial prototyping should probably just remain SELinux-specific, with 
   the Linux implementation code using LSM for security calls, and 
   with any related extensions to NFS/RPC itself clearly marked as 
   SELinux-specific.



-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 7/7] NFSv4: Server implementation of MAC Labeling
  2007-08-01 20:02 ` [PATCH 7/7] NFSv4: Server " David P. Quigley
  2007-08-01 21:33   ` Casey Schaufler
@ 2007-08-02 13:10   ` Stephen Smalley
  1 sibling, 0 replies; 33+ messages in thread
From: Stephen Smalley @ 2007-08-02 13:10 UTC (permalink / raw)
  To: David P. Quigley; +Cc: selinux

On Wed, 2007-08-01 at 16:02 -0400, David P. Quigley wrote:
> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> This patch implements the encoding of a MAC label on the server side to be sent
> across the wire to the NFSv4 client. At this time there is no method of
> receiving a label from the client to be set on the server.
> 
> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  fs/nfsd/nfs4xdr.c |   77 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
>  1 files changed, 76 insertions(+), 1 deletions(-)
> 
> diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
> index 8ef0964..593a0b9 100644
> --- a/fs/nfsd/nfs4xdr.c
> +++ b/fs/nfsd/nfs4xdr.c
> @@ -58,6 +58,7 @@
>  #include <linux/nfs4_acl.h>
>  #include <linux/sunrpc/gss_api.h>
>  #include <linux/sunrpc/svcauth_gss.h>
> +#include <linux/security.h>
>  
>  #define NFSDDBG_FACILITY		NFSDDBG_XDR
>  
> @@ -408,6 +409,20 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval, struct iattr *ia
>  			goto xdr_error;
>  		}
>  	}
> +#ifdef CONFIG_NFSD_V4_MAC
> +	if (bmval[1] & FATTR4_WORD1_MAC_LABEL) {
> +		READ_BUF(4);
> +		len += 4;
> +		READ32(dummy32);
> +		READ_BUF(dummy32);
> +		len += (XDR_QUADLEN(dummy32) << 2);
> +		READMEM(buf, dummy32);
> +		if (security_secctx_to_secid(&iattr->ia_sid,
> +						(char *)buf, dummy32) != 0)
> +			goto out_nfserr;
> +		iattr->ia_valid |= ATTR_MAC_LABEL;
> +	}
> +#endif /* CONFIG_NFSD_V4_MAC */
>  	if (len != expected_len)
>  		goto xdr_error;
>  
> @@ -1414,6 +1429,34 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, int whotype, uid_t id, int group,
>  	return nfsd4_encode_name(rqstp, whotype, id, group, p, buflen);
>  }
>  
> +#ifdef CONFIG_NFSD_V4_MAC
> +static inline __be32
> +nfsd4_encode_mac_label(struct svc_rqst *rqstp,
> +			struct dentry *dentry,
> +			__be32 **p, int *buflen)
> +{
> +	char *context;
> +	unsigned len = 0;
> +	u32 secid;
> +
> +	security_inode_getsecid(dentry->d_inode, &secid);
> +	security_secid_to_secctx(secid, &context, &len);

Need to check the return value here, not just len.

> +	if (len < 0)
> +		return nfserrno(len);
> +	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4)) {
> +		kfree(context);
> +		return nfserr_resource;
> +	}
> +
> +	*p = xdr_encode_opaque(*p, context, len);
> +	*buflen -= (XDR_QUADLEN(len) << 2) + 4;
> +	BUG_ON(*buflen < 0);
> +
> +	kfree(context);

Need to use security_secctx_release() rather than direct kfree().

> +	return 0;
> +}
> +#endif /* CONFIG_NFSD_V4_MAC */
> +
>  #define WORD0_ABSENT_FS_ATTRS (FATTR4_WORD0_FS_LOCATIONS | FATTR4_WORD0_FSID | \
>  			      FATTR4_WORD0_RDATTR_ERROR)
>  #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
> @@ -1508,6 +1551,17 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
>  			bmval0 &= ~FATTR4_WORD0_FS_LOCATIONS;
>  		}
>  	}
> +#ifdef CONFIG_NFSD_V4_MAC
> +	/**
> +	 * This really isn't a good way to do this. We need the framework to detect a
> +	 * mac implementation and handle this if it doesn't find one.
> +	 *
> +	 if (bmval1 & FATTR4_WORD1_MAC_LABEL) {
> +	 if(!selinux_enabled)

As per your comment, needs to be handled via LSM hook.

> +	 bmval1 &= ~FATTR_WORD1_MAC_LABEL;
> +	 }
> +	 */
> +#endif /* CONFIG_NFSD_V4_MAC */
>  	if ((buflen -= 16) < 0)
>  		goto out_resource;
>  
> @@ -1518,15 +1572,25 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct svc_export *exp,
>  
>  	if (bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) {
>  		u32 word0 = NFSD_SUPPORTED_ATTRS_WORD0;
> +		u32 word1 = NFSD_SUPPORTED_ATTRS_WORD1;
>  		if ((buflen -= 12) < 0)
>  			goto out_resource;
>  		if (!aclsupport)
>  			word0 &= ~FATTR4_WORD0_ACL;
>  		if (!exp->ex_fslocs.locations)
>  			word0 &= ~FATTR4_WORD0_FS_LOCATIONS;
> +		#ifdef CONFIG_NFSD_V4_MAC
> +			/* XXX: should also be turned into a check to the framework */
> +			/* XXX: turn this on unconditionally for now ...*/
> +				if (1 || exp->ex_flags & NFSEXP_MAC_LABEL)
> +					word1 |= FATTR4_WORD1_MAC_LABEL;
> +				else
> +					word1 &= ~FATTR4_WORD1_MAC_LABEL;

Ditto.

> +		#endif /* CONFIG_NFSD_V4_MAC */
> +		
>  		WRITE32(2);
>  		WRITE32(word0);
> -		WRITE32(NFSD_SUPPORTED_ATTRS_WORD1);
> +		WRITE32(word1);
>  	}
>  	if (bmval0 & FATTR4_WORD0_TYPE) {
>  		if ((buflen -= 4) < 0)
> @@ -1832,6 +1896,17 @@ out_acl:
>  		} else
>                  	WRITE64((u64) stat.ino);
>  	}
> +#ifdef CONFIG_NFSD_V4_MAC
> +	if (bmval1 & FATTR4_WORD1_MAC_LABEL) {
> +		status = nfsd4_encode_mac_label(rqstp, dentry,
> +				&p, &buflen);
> +		if (status == nfserr_resource)
> +			goto out_resource;
> +		if (status)
> +			goto out;
> +	}
> +#endif /* CONFIG_NFSD_V4_MAC */
> +	
>  	*attrlenp = htonl((char *)p - (char *)attrlenp - 4);
>  	*countp = p - buffer;
>  	status = nfs_ok;
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 6/7] NFSv4: Client implementation of MAC Labeling
  2007-08-01 20:02 ` [PATCH 6/7] NFSv4: Client implementation of MAC Labeling David P. Quigley
  2007-08-01 21:29   ` Casey Schaufler
  2007-08-02  3:37   ` James Morris
@ 2007-08-02 13:12   ` Stephen Smalley
  2 siblings, 0 replies; 33+ messages in thread
From: Stephen Smalley @ 2007-08-02 13:12 UTC (permalink / raw)
  To: David P. Quigley; +Cc: selinux

On Wed, 2007-08-01 at 16:02 -0400, David P. Quigley wrote:
> From: David P. Quigley <dpquigl@tycho.nsa.gov>
> 
> There are several places where recommended attributes are implemented in the
> NFSv4 client code. This patch adds two functions to encode and decode the secid
> recommended attribute which makes use of the LSM hooks added earlier. It also
> adds code to grab the label from the file attribute structures and encode the
> label to be sent back to the server. Even though the code is there to encode a
> label to be sent back to the server there does not appear to be an interface to
> use it yet.
> 
> Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov>
> ---
>  fs/nfs/inode.c   |   16 ++++++++++++++
>  fs/nfs/nfs4xdr.c |   61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  fs/nfs/super.c   |   10 ++++++++
>  3 files changed, 87 insertions(+), 0 deletions(-)

> diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
> index badd73b..4dc8943 100644
> --- a/fs/nfs/nfs4xdr.c
> +++ b/fs/nfs/nfs4xdr.c
> @@ -648,6 +653,18 @@ static int encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, const s
>  		}
>  		len += 4 + (XDR_QUADLEN(owner_grouplen) << 2);
>  	}
> +#ifdef CONFIG_NFS_V4_MAC
> +	if (iap->ia_valid & ATTR_MAC_LABEL) {
> +		security_secid_to_secctx(iap->ia_sid, &label, &label_len);
> +		if (label_len < 0) {
> +			printk(KERN_WARNING
> +					"nfs4: couldn't resolve sid %d to string\n",
> +					iap->ia_sid);
> +			/* XXX: Should we be going to an error label? */
> +		}

Need to check return value, not len.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
  2007-08-01 21:59     ` Casey Schaufler
@ 2007-08-02 13:19       ` Stephen Smalley
  2007-08-02 15:26         ` Casey Schaufler
  0 siblings, 1 reply; 33+ messages in thread
From: Stephen Smalley @ 2007-08-02 13:19 UTC (permalink / raw)
  To: casey; +Cc: David P. Quigley, selinux, labeled-nfs

On Wed, 2007-08-01 at 14:59 -0700, Casey Schaufler wrote:
> --- Stephen Smalley <sds@tycho.nsa.gov> wrote:
> 
> > On Wed, 2007-08-01 at 13:55 -0700, Casey Schaufler wrote:
> > > --- "David P. Quigley" <dpquigl@tycho.nsa.gov> wrote:
> > > 
> > > > This is the first set of patches attempting to provide a generic
> > framework
> > > > for
> > > > MAC labeling in NFSv4.
> > > 
> > > I've read through the patches and I have one very important issue.
> > > If you are going to provide a "generic" framework you need to support
> > > label representations other than u32. If you only want to support
> > > SELinux, and I understand that that is your initial target, a u32
> > > is fine, but if you want a generic framework you need to allow for
> > > the kinds of labels that have been used elsewhere. Smack (under
> > > review now) uses an 8byte label. Trusted Irix uses a 510byte label,
> > > and although I wouldn't expect that implementation to actually get
> > > ported any time soon it provides an existence proof for large labels.
> > > If you're talking about NFS you need to seriously consider what
> > > TrustedSolaris requires, if just out of courtesy to those who brought
> > > you NFS in the first place.
> > 
> > The label representation over the wire isn't a u32 (or inherently
> > limited in size); the u32 secid is just a handle to the label.  As long
> > as the code invokes a secid_to_secctx hook to obtain the actual label to
> > be conveyed over the wire, there is no harm, and it is more efficient to
> > handle them as secids than full labels internally.
> 
> This is true for SELinux, where the secid is a map to a sophisticated
> label. On Smack the label is completely unsophisticated and
> translating back and forth to secids adds unnecessary overhead.
> 
> In the spirit of LSM I suggest that blobs are more appropriate
> units of data than u32s. I understand that the SELinux design
> philosophy is well served by secids. My design philosophy, which
> is pretty much the opposite, has no need for secids and is
> negatively impacted by interfaces that require them.

Blobs require full lifecycle management.  secids are lighter weight, and
it isn't that hard for you to implement a secid-to-label mapping in your
own module even if you don't otherwise use them internally.

secids are already entrenched in the LSM interface for labeled
networking and are already entrenched in the audit-selinux interface
(even if converted to using LSM hooks).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
  2007-08-02 13:19       ` Stephen Smalley
@ 2007-08-02 15:26         ` Casey Schaufler
  2007-08-02 15:43           ` Stephen Smalley
  0 siblings, 1 reply; 33+ messages in thread
From: Casey Schaufler @ 2007-08-02 15:26 UTC (permalink / raw)
  To: Stephen Smalley, casey; +Cc: David P. Quigley, selinux, labeled-nfs


--- Stephen Smalley <sds@tycho.nsa.gov> wrote:
 
> > In the spirit of LSM I suggest that blobs are more appropriate
> > units of data than u32s. I understand that the SELinux design
> > philosophy is well served by secids. My design philosophy, which
> > is pretty much the opposite, has no need for secids and is
> > negatively impacted by interfaces that require them.
> 
> Blobs require full lifecycle management.

Yup.

> secids are lighter weight,

They are lighter weight than big labels. They are heavier than
small labels. They require translation, while certain designs of
small labels don't even require translation to print.

> and
> it isn't that hard for you to implement a secid-to-label mapping in your
> own module even if you don't otherwise use them internally.

Is true. It just feels silly to translate a text string into a secid
so that I can pass it to someone who only cares about the secid because
they want to use it to get the string I had in the first place.

> secids are already entrenched in the LSM interface for labeled
> networking

The xfrm interfaces that require secids are seriously SELinux components.
Netlabel only uses secids for audit. 

> and are already entrenched in the audit-selinux interface
> (even if converted to using LSM hooks).

So I've found. It is annoying that the audit system passes around sids
when it never uses them except to get the associated strings, which
Smack uses natively and can provide trivially.

Well, I can generally identify a windmill when I'm tilting it, so
now that I've aired my heretical notions I'll get on with it.

Thank you.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
  2007-08-02 15:26         ` Casey Schaufler
@ 2007-08-02 15:43           ` Stephen Smalley
  2007-08-02 16:36             ` Casey Schaufler
  0 siblings, 1 reply; 33+ messages in thread
From: Stephen Smalley @ 2007-08-02 15:43 UTC (permalink / raw)
  To: casey; +Cc: David P. Quigley, selinux

On Thu, 2007-08-02 at 08:26 -0700, Casey Schaufler wrote:
> --- Stephen Smalley <sds@tycho.nsa.gov> wrote:
>  
> > > In the spirit of LSM I suggest that blobs are more appropriate
> > > units of data than u32s. I understand that the SELinux design
> > > philosophy is well served by secids. My design philosophy, which
> > > is pretty much the opposite, has no need for secids and is
> > > negatively impacted by interfaces that require them.
> > 
> > Blobs require full lifecycle management.
> 
> Yup.
> 
> > secids are lighter weight,
> 
> They are lighter weight than big labels. They are heavier than
> small labels. They require translation, while certain designs of
> small labels don't even require translation to print.

I think you'd still lose on the lifecycle management overhead.

> > secids are already entrenched in the LSM interface for labeled
> > networking
> 
> The xfrm interfaces that require secids are seriously SELinux components.
> Netlabel only uses secids for audit. 

labeled xfrm isn't limited to SELinux; it could be used by any user of
labeled networking.

> > and are already entrenched in the audit-selinux interface
> > (even if converted to using LSM hooks).
> 
> So I've found. It is annoying that the audit system passes around sids
> when it never uses them except to get the associated strings, which
> Smack uses natively and can provide trivially.

...with corresponding lifecycle management overhead.  You'd have to
allocate and copy at time of audit collection even though the string
might never be used, versus only allocating and copying upon audit
record generation.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [RFC] SENFS: MAC labeling support for NFSv4
  2007-08-02 15:43           ` Stephen Smalley
@ 2007-08-02 16:36             ` Casey Schaufler
  0 siblings, 0 replies; 33+ messages in thread
From: Casey Schaufler @ 2007-08-02 16:36 UTC (permalink / raw)
  To: Stephen Smalley, casey; +Cc: David P. Quigley, selinux, labeled-nfs


--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2007-08-02 at 08:26 -0700, Casey Schaufler wrote:
> > --- Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >  
> > > > In the spirit of LSM I suggest that blobs are more appropriate
> > > > units of data than u32s. I understand that the SELinux design
> > > > philosophy is well served by secids. My design philosophy, which
> > > > is pretty much the opposite, has no need for secids and is
> > > > negatively impacted by interfaces that require them.
> > > 
> > > Blobs require full lifecycle management.
> > 
> > Yup.
> > 
> > > secids are lighter weight,
> > 
> > They are lighter weight than big labels. They are heavier than
> > small labels. They require translation, while certain designs of
> > small labels don't even require translation to print.
> 
> I think you'd still lose on the lifecycle management overhead.

Aw, c'mon. I'm having to add a layer of lifecycle management to
keep secid mappings just so that I can pass them out so that others
can call me back to ask for the original label value.

I would like to understand why you think I would lose on overhead.
I know you've looked at the Smack code.
 
> > > secids are already entrenched in the LSM interface for labeled
> > > networking
> > 
> > The xfrm interfaces that require secids are seriously SELinux components.
> > Netlabel only uses secids for audit. 
> 
> labeled xfrm isn't limited to SELinux; it could be used by any user of
> labeled networking.

But it isn't, and the xfrm code explicitly identifies the message types
as SELinux specific. If I were adding xfrm to Smack I would not reuse
those types because they strongly identify with SELinux behavior.

> > > and are already entrenched in the audit-selinux interface
> > > (even if converted to using LSM hooks).
> > 
> > So I've found. It is annoying that the audit system passes around sids
> > when it never uses them except to get the associated strings, which
> > Smack uses natively and can provide trivially.
> 
> ...with corresponding lifecycle management overhead.  You'd have to
> allocate and copy at time of audit collection even though the string
> might never be used, versus only allocating and copying upon audit
> record generation.

These copies can be easily avoided using well established
methods. Maybe I'll suggest them for Casey's Audit Update,
phase II.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

