Re: [Labeled-nfs] [PATCH 13/13] NFSD: Label change notification for NFSv4 Server

Re: [Labeled-nfs] [PATCH 13/13] NFSD: Label change notification for NFSv4 Server

[Casey Schaufler]

--- Trond Myklebust <trond.myklebust@fys.uio.no> wrote:

> 
> On Mon, 2007-11-19 at 15:30 -0500, Matthew N. Dodd wrote:
> > J. Bruce Fields wrote:
> > > On Fri, Nov 16, 2007 at 03:13:02PM -0500, David P. Quigley wrote:
> > >> NFSv4 Provides methods for detecting changes in attributes and
> > >> recalling delegations when state has changed on the server. This has
> > >> been extended to include this functionality for label changes on the
> > >> server. This patch provides the server implementation for a new
> > >> callback used to signal relabeling of files.
> > > 
> > > What's the goal of these callbacks?
> > > 
> > > If you really need a guarantee that all clients will be notified before
> > > the relabelling operation, then I think you need something stronger than
> > > inotify.
> > > 
> > > If you don't care about synchronous notification, then why not just
> > > let nfs find out about the change the next time it does an access check
> > > or something?
> > 
> > That won't happen during vfs_read()/vfs_write().
> 
> You expect it to be common practice for people to change security labels
> on files in the middle of an application read and/or write?

No, it's not common, but it's really really important, and that's
the real problem with a remote callback approach. If you mostly
disallow label changes* you don't need the notification, and if you
do you absolutely need to check every access. There are very few
differences between lockd and what you're looking at here, and no one
is about to hold lockd up as an example of how things ought to work.

Or that's how it looks from here.

-----
* I had said completely, but don't have to be fanatical.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [Labeled-nfs] [PATCH 13/13] NFSD: Label change notification for NFSv4 Server

[James Morris]

On Mon, 19 Nov 2007, Trond Myklebust wrote:

> This proposal, OTOH, will force the server to track all clients that
> access a labelled file, and to notify them all synchronously if ever a
> change is made. That can never scale if, say, you want to relabel the
> entire filesystem as SELinux appears wont to do.

There are further requirements for conveying volatile security state 
between the peers, such as: the current security context of the client, 
and the client's current explicit label for new files (if present).

A possible approach for dealing with all of these is to use a 
per-procedure OP which is prefixed in a similar manner to SEQUENCE, when 
security labeling is active.  It may be possible to optimize this at the 
server so that an updated file security label (or ineed the entire 
security OP) is only sent if required.


-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.