linux-nfs.vger.kernel.org archive mirror
From: "J. Bruce Fields" <bfields@fieldses.org>
To: andros@netapp.com
Cc: trond.myklebust@primarydata.com, schumaker.anna@gmail.com,
	linux-nfs@vger.kernel.org
Subject: Re: [PATCH Version 5 08/17] SUNRPC AUTH_GSS RPCSEC_GSS_CREATE with label payload
Date: Fri, 10 Mar 2017 12:33:34 -0500
Message-ID: <20170310173334.GF29791@fieldses.org>
In-Reply-To: <20170310173107.GE29791@fieldses.org>

On Fri, Mar 10, 2017 at 12:31:07PM -0500, J. Bruce Fields wrote:
> On Fri, Feb 24, 2017 at 05:19:44PM -0500, andros@netapp.com wrote:
> > From: Andy Adamson <andros@netapp.com>
> > 
> > Signed-off-by: Andy Adamson <andros@netapp.com>
> > ---
> >  net/sunrpc/auth_gss/auth_gss.c | 140 ++++++++++++++++++++++++++++++++++++++++-
> >  1 file changed, 138 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
> > index 6ffb16d..98971cf 100644
> > --- a/net/sunrpc/auth_gss/auth_gss.c
> > +++ b/net/sunrpc/auth_gss/auth_gss.c
> > @@ -52,9 +52,12 @@
> >  #include <linux/sunrpc/gss_api.h>
> >  #include <linux/uaccess.h>
> >  #include <linux/hashtable.h>
> > +#include <linux/security.h>
> >  
> >  #include "../netns.h"
> >  
> > +static int gss3_create_label(struct rpc_cred *cred, int gss_vers);
> > +
> >  static const struct rpc_authops authgss_ops;
> >  
> >  static const struct rpc_credops gss_credops;
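Review bot: the forward declaration `static int gss3_create_label(struct rpc_cred *cred, int gss_vers);` added at the top of the file means the function is called somewhere above its definition; unless there is a real ordering constraint, move the definition ahead of its first caller and drop the prototype, or add a one-line comment naming the caller that needs it. Since `#include <linux/security.h>` is now pulled in unconditionally, also say (here or at the definition) what the label path does when CONFIG_SECURITY or SELinux is compiled out, so a reader can tell whether a GSSv3 context is still created without a label or the create fails.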
> > @@ -128,6 +131,20 @@ gss_put_ctx(struct gss_cl_ctx *ctx)
> >  		gss_free_ctx(ctx);
> >  }
> >  
> > +/* gss3_label_enabled:
> > + * Called to determine if Full Mode Mandatory Access Control (MAC)
> > + * over a GSS connection is desired.
> > + *
> > + * Note:
> > + * Currently Full Mode MAC is assuemed if SeLinux is enabled and
> > + * RPCSEC_GSS version 3 is in use.
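Review bot: the comment block for gss3_label_enabled() has two typos ("assuemed" for "assumed", "SeLinux" for "SELinux") and documents a fixed policy rather than a decision: full-mode MAC is inferred from SELinux being enabled plus RPCSEC_GSS version 3 being in use, with no mention of how an administrator opts out for a particular mount or server. Fix the spelling and either state that this default is temporary or name the knob that will override it, so the word "assumed" is not read as the intended final behaviour.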
> 
> Eventually I guess we may want support for GSSv3-enabled copy without
> full MAC, so we'll want some way to configure this.
> 
> Also, do I understand right that currently it's gssd that decides
> whether to enable GSSv3, by passing down the new version number?  How
> will the user choose whether to enable GSSv3 or not?
> 
> Should that be a mount option?
> 
> The mount option could then cause some "use_gss3" flag to be added in
> rpc_pipefs, in an info file or whatever.  I think that'd also provide
> backwards compatibility (if you're not already handling that some other
> way), since gssd could use the presence of that flag to decide whether
> the kernel was new enough to support the new downcall.

By the way, I didn't notice on a quick skim of the rest of the patches:
what happens if the server doesn't support GSSv3?  Does gssd negotiate
down to GSSv2 automatically?

How do you configure this on the server?  (It probably needs to be
possible to turn off MAC labeling on the server.)

--b.
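The backward-compatibility scheme discussed in this reply (a flag the kernel exposes through rpc_pipefs so gssd knows it may request RPCSEC_GSS version 3, a fallback to an older version when the server rejects v3, and labeling enabled only by explicit opt-in on top of v3) as an added, stand-alone C example. This is not code from the patch set, from gssd or from the kernel: the "use_gss3" flag is Bruce's hypothetical name, and the "key: value" info-file layout, the create-result codes, the choice of version 1 as the fallback (the version the series' server-side patch 13 accepts alongside 3, per its subject), and every function name here are assumptions made for illustration.

```c
/* Added example, not code from the patch set, gssd or the kernel: the flag
 * name, info-file layout, reply codes and function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define RPCSEC_GSS_V1 1
#define RPCSEC_GSS_V3 3

/* Constructed rpc_pipefs-style info files, one "key: value" per line. */
const char *const INFO_NEW_KERNEL =
	"RPC server: nfs.example.test\nservice: 100003 (nfs)\nport: 2049\nprotocol: tcp\n"
	"use_gss3: 1\n";	/* hypothetical flag, written when a mount option asks for v3 */
const char *const INFO_OLD_KERNEL =
	"RPC server: nfs.example.test\nservice: 100003 (nfs)\nport: 2049\nprotocol: tcp\n";

/* 1 if some line starts with key followed by ':', ' ' or end of line. */
static int info_has_key(const char *info, const char *key)
{
	size_t klen = strlen(key);
	const char *p = info;
	while (*p) {
		const char *eol = strchr(p, '\n');
		size_t len = eol ? (size_t)(eol - p) : strlen(p);
		if (len >= klen && strncmp(p, key, klen) == 0 &&
		    (len == klen || p[klen] == ':' || p[klen] == ' '))
			return 1;
		if (!eol)
			break;
		p = eol + 1;
	}
	return 0;
}

/* gssd side: request v3 only when the kernel advertises the new downcall,
 * so an old kernel never receives a version it cannot parse. */
int gss_version_to_request(const char *info)
{
	return info_has_key(info, "use_gss3") ? RPCSEC_GSS_V3 : RPCSEC_GSS_V1;
}

/* Outcome of one context-creation attempt (assumed reply codes). */
enum create_result { CREATE_OK, CREATE_VERSION_UNSUPPORTED, CREATE_FAILED };
typedef enum create_result (*create_fn)(int version, void *ctx);

/* Try the requested version; if the server rejects v3 as unsupported and a
 * downgrade is permitted, retry once with v1. When strict (labels required)
 * the downgrade is refused, so a forged "unsupported" reply cannot strip the
 * label exchange; other errors never become a downgrade. Returns -1 on failure. */
int gss_negotiate(const char *info, create_fn create, void *ctx, int strict)
{
	int ver = gss_version_to_request(info);
	enum create_result r = create(ver, ctx);
	if (r == CREATE_OK)
		return ver;
	if (r == CREATE_VERSION_UNSUPPORTED && ver == RPCSEC_GSS_V3 && !strict) {
		ver = RPCSEC_GSS_V1;
		if (create(ver, ctx) == CREATE_OK)
			return ver;
	}
	return -1;
}

/* Send a label assertion only with v3 on the wire, SELinux enabled and an
 * explicit opt-in, rather than assuming full-mode MAC whenever v3 is up. */
int gss3_label_wanted(int negotiated_version, int selinux_enabled, int mac_opt_in)
{
	return negotiated_version == RPCSEC_GSS_V3 && selinux_enabled && mac_opt_in;
}

/* Constructed server model: accepts any version up to max_version. */
struct fake_server { int max_version; int calls; };

static enum create_result fake_create(int version, void *ctx)
{
	struct fake_server *s = ctx;
	s->calls++;
	return version <= s->max_version ? CREATE_OK : CREATE_VERSION_UNSUPPORTED;
}

/* One negotiation against a constructed server: returns the negotiated
 * version (or -1) and, through ncalls if non-NULL, the attempts it took. */
int negotiate_with(const char *info, int server_max, int strict, int *ncalls)
{
	struct fake_server srv = { server_max, 0 };
	int ver = gss_negotiate(info, fake_create, &srv, strict);
	if (ncalls)
		*ncalls = srv.calls;
	return ver;
}

int main(void)
{
	int n, v = negotiate_with(INFO_NEW_KERNEL, 1, 0, &n);
	printf("downgrade allowed: v%d after %d attempt(s)\n", v, n);
	v = negotiate_with(INFO_NEW_KERNEL, 1, 1, &n);
	printf("labels required:   v%d after %d attempt(s)\n", v, n);
	return 0;
}
```

Two design points follow from the thread. Only the kernel-side flag can raise the requested version, so an old kernel never sees a v3 downcall and a server can never push a client upward; and the downgrade is taken only on an explicit "version unsupported" reply and only when labels are not required, because silently dropping from a labeled v3 context to an unlabeled v1 one on any error would let a network-level failure or a forged reply remove the MAC exchange.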

Thread overview: 29+ messages
2017-02-24 22:19 [PATCH Version 5 00/17] RPCSEC_GSS3 full mode label kernel patch set andros
2017-02-24 22:19 ` [PATCH Version 5 01/17] SUNRPC handle unsupported RPCSEC_GSS security service andros
2017-03-09 21:54   ` J. Bruce Fields
2017-02-24 22:19 ` [PATCH Version 5 02/17] SUNRPC: RPCNULL call with payload for GSSv3 andros
2017-03-09 22:11   ` J. Bruce Fields
2017-02-24 22:19 ` [PATCH Version 5 03/17] SELINUX export security_current_sid_to_context andros
2017-02-24 22:19 ` [PATCH Version 5 04/17] SUNRPC GSSv3: base definitions andros
2017-02-24 22:19 ` [PATCH Version 5 05/17] SUNRPC AUTH_GSS get RPCSEC_GSS version from gssd downcall andros
2017-03-10 16:18   ` J. Bruce Fields
2017-02-24 22:19 ` [PATCH Version 5 06/17] SUNRPC AUTH_GSS gss3 reply verifier andros
2017-03-10 16:51   ` J. Bruce Fields
2017-02-24 22:19 ` [PATCH Version 5 07/17] SUNRPC AUTH_GSS RPCSEC_GSS_CREATE with no payload andros
2017-03-10 17:25   ` J. Bruce Fields
2017-02-24 22:19 ` [PATCH Version 5 08/17] SUNRPC AUTH_GSS RPCSEC_GSS_CREATE with label payload andros
2017-02-27 21:47   ` Anna Schumaker
2017-03-10 17:31   ` J. Bruce Fields
2017-03-10 17:33     ` J. Bruce Fields [this message]
2017-02-24 22:19 ` [PATCH Version 5 09/17] SUNRPC AUTH_GSS store GSS3 assertions in parent gss_cl_ctx andros
2017-02-24 22:19 ` [PATCH Version 5 10/17] SUNRPC AUTH_GSS store and use gss3 label assertion andros
2017-02-24 22:19 ` [PATCH Version 5 11/17] SUNRPC AUTH_GSS free assertions andros
2017-02-24 22:19 ` [PATCH Version 5 12/17] SUNRPC: AUTH_GSS add RPC_GSS_PROC_CREATE case for wrap and unwrap andros
2017-02-24 22:19 ` [PATCH Version 5 13/17] SUNRPC SVCAUTH_GSS allow RPCSEC_GSS version 1 or 3 andros
2017-02-24 22:19 ` [PATCH Version 5 14/17] SUNRPC SVCAUTH_GSS gss3 reply verifier andros
2017-02-24 22:19 ` [PATCH Version 5 15/17] SUNRPC SVCAUTH_GSS gss3 create label andros
2017-02-24 22:19 ` [PATCH Version 5 16/17] SUNRPC SVCAUTH_GSS set gss3 label on nfsd thread andros
2017-02-24 22:19 ` [PATCH Version 5 17/17] SUNRPC SVCAUTH_gss store gss3 child handles in parent rsc andros
2017-03-09 21:47 ` [PATCH Version 5 00/17] RPCSEC_GSS3 full mode label kernel patch set J. Bruce Fields
2017-03-10 14:48   ` Andy Adamson
2017-03-10 16:36     ` J. Bruce Fields
