From: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
To: James Morris <jmorris@namei.org>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>,
Peter Staubach <staubach@redhat.com>, Tom Haynes <tdh@excfb.com>,
"J. Bruce Fields" <bfields@fieldses.org>,
"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
Christoph Hellwig <hch@infradead.org>,
Casey Schaufler <casey@schaufler-ca.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
David Patrick Quigley <dpquigl@tycho.nsa.gov>,
Dustin Kirkland <kirkland@canonical.com>
Subject: Re: [PATCH 0/4][RFC] NFSv3: implement extended attribute (XATTR) protocol
Date: Wed, 14 Oct 2009 10:05:47 -0500 [thread overview]
Message-ID: <4AD5E8CB.1070008@linux.vnet.ibm.com> (raw)
In-Reply-To: <alpine.LRH.2.00.0910141134410.4671@tundra.namei.org>
On 10/13/2009 07:48 PM, James Morris wrote:
> On Tue, 13 Oct 2009, Trond Myklebust wrote:
>
> [added the ecryptfs folk]
>
>> On Tue, 2009-10-13 at 18:02 +1100, James Morris wrote:
>>> This xattr approach would only cover the "dumb server" scenario, where the
>>> server simply stores and retrieves security labels on behalf of the
>>> client. It's intended primarily to enable things like nfsroot, backups,
>>> serving virtualized file systems etc., and not for fully trusted sharing
>>> like Labeled NFS.
>>>
>>> It is essentially just security label transport.
>>>
>>> Support for this feature would be configured at the server, possibly an
>>> option in /etc/exports which enables specific security namespaces, e.g:
>>>
>>> /opt/share 10.0.0.0/8(rw,insecure,xattr="user.*,security.SMACK64")
>>>
>>> This says that the XATTR side protocol is enabled and clients can read and
>>> write user and security.smack xattrs (local DAC would be applied to both).
>>>
>>> The server kernel would likely need to know that these are foreign labels,
>>> and not necessarily 'trust' them for its own use, so a root_squash -like
>>> option may be used to remap them to an 'untrusted' local label for local
>>> enforcement purposes -- if it was running SELinux or Smack at all, which
>>> it may not be.
>>
>> Fair enough. That might indeed work.
>>
>> One simple alternative might be to just store the exported xattrs in
>> something other than the 'security' extended attribute namespace so that
>> your server processes don't have to deal with any conflicts.
>>
>> IOW: maybe add a 'nfs.security' xattr namespace, which would contain
>> those security labels that are actually exported by this XATTR protocol,
>> and which the clients could then translate into their local 'security'
>> labels.
>
> This sounds like a really good idea, and may provide a general solution
> for non-user xattrs. i.e. any system, security or trusted xattr is stored
> in the 'nfs' namespace on the server, and these are always opaque to the
> server -- semantics are managed at the client.
>
> The wire protocol would always carry the client view, for simplicity, and
> there's no negotiation -- label mapping is always configured at the server
> by the admin.
>
> i.e. the client always sends and receives "security.selinux"; the
> server by default maps these locally as "nfs.security.selinux"; and may be
> optionally configured to map to "nfs.$(custom).security.selinux"
>
> I wonder how to handle ecryptfs -- it strikes me as a special case where
> the semantics are always local i.e. files can always be decrypted locally
> because of the crypto metatdata stored with them.
After skimming back through the thread, I'm not quite understanding the
special case that you're getting at here. Are you assuming that
eCryptfs uses the security namespace?
#define ECRYPTFS_XATTR_NAME "user.ecryptfs"
In my opinion, the option to store the eCryptfs metadata in an xattr is
a bad idea and I haven't heard of anyone actually using the feature.
I've considered removing it for a while now. Don't let this bad
eCryptfs feature get in the way of a good design decision. :)
Tyler
next prev parent reply other threads:[~2009-10-14 15:06 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-09-19 15:09 [PATCH 0/4][RFC] NFSv3: implement extended attribute (XATTR) protocol James Morris
2009-09-19 15:11 ` [PATCH 1/4] NFSv3: convert client to generic xattr API James Morris
2009-09-19 15:12 ` [PATCH 2/4] NFSv3: add xattr API config option for client James Morris
2009-09-19 15:13 ` [PATCH 3/4] NFSv3: add client implementation of XATTR protocol James Morris
2009-09-19 15:14 ` [PATCH 4/4] NFSv3: add server " James Morris
[not found] ` <alpine.LRH.2.00.0909200020360.31818-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2009-09-19 17:30 ` [PATCH 0/4][RFC] NFSv3: implement extended attribute (XATTR) protocol Casey Schaufler
[not found] ` <4AB51538.7060201-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-09-20 5:13 ` James Morris
2009-09-22 12:47 ` Christoph Hellwig
2009-09-22 13:03 ` James Morris
[not found] ` <alpine.LRH.2.00.0909222253470.21052-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2009-09-22 13:07 ` Christoph Hellwig
2009-10-06 15:18 ` Peter Staubach
[not found] ` <4ACB5FC0.7060307-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2009-10-09 0:39 ` James Morris
[not found] ` <alpine.LRH.2.00.0910091132130.32154-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2009-10-09 23:14 ` Christoph Hellwig
2009-10-12 17:50 ` Peter Staubach
2009-10-12 19:26 ` Tom Haynes
[not found] ` <CA06CB5C-6084-45AA-B185-FBDA7E3B9754-8AdZ+HgO7noAvxtiuMwx3w@public.gmane.org>
2009-10-12 19:34 ` Peter Staubach
2009-10-12 22:55 ` Trond Myklebust
[not found] ` <1255388158.3711.57.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-10-12 23:08 ` J. Bruce Fields
2009-10-13 7:02 ` James Morris
[not found] ` <alpine.LRH.2.00.0910131733070.28896-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2009-10-13 18:27 ` Trond Myklebust
[not found] ` <1255458444.3711.113.camel-rJ7iovZKK19ZJLDQqaL3InhyD016LWXt@public.gmane.org>
2009-10-14 0:48 ` James Morris
[not found] ` <alpine.LRH.2.00.0910141134410.4671-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2009-10-14 2:05 ` Casey Schaufler
2009-10-14 4:30 ` James Morris
[not found] ` <alpine.LRH.2.00.0910141526530.5279-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2009-10-14 4:50 ` Casey Schaufler
[not found] ` <4AD55879.2060207-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2009-10-14 12:46 ` Peter Staubach
2009-10-14 4:56 ` Dustin Kirkland
2009-10-14 6:02 ` James Morris
2009-10-14 15:05 ` Tyler Hicks [this message]
[not found] ` <bf63d7240910080919nf1bf6d0rd94f671d0645f674@mail.gmail.com>
2009-10-08 17:21 ` J. Bruce Fields
2009-10-09 0:31 ` James Morris
2009-10-08 17:22 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AD5E8CB.1070008@linux.vnet.ibm.com \
--to=tyhicks@linux.vnet.ibm.com \
--cc=bfields@fieldses.org \
--cc=casey@schaufler-ca.com \
--cc=dpquigl@tycho.nsa.gov \
--cc=hch@infradead.org \
--cc=jmorris@namei.org \
--cc=kirkland@canonical.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=staubach@redhat.com \
--cc=tdh@excfb.com \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).