From: Chuck Lever <chuck.lever@oracle.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "David P. Quigley" <dpquigl@tycho.nsa.gov>,
hch@infradead.org, viro@zeniv.linux.org.uk, sds@tycho.nsa.gov,
matthew.dodd@sparta.com, trond.myklebust@fys.uio.no,
bfields@fieldses.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
linux-nfs@vger.kernel.org
Subject: Re: [PATCH 07/10] NFSv4: Introduce new label structure
Date: Wed, 07 Jul 2010 13:42:15 -0400
Message-ID: <4C34BC77.4040906@oracle.com>
In-Reply-To: <4C34A9A2.4080308@schaufler-ca.com>

On 07/ 7/10 12:21 PM, Casey Schaufler wrote:
> Chuck Lever wrote:
>> My comments below apply to the other NFS client patches as well. This
>> seemed like the right one to use for code examples.
>>
>> On 07/ 7/10 10:31 AM, David P. Quigley wrote:
[ ... snipped ... ]
>>> diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
>>> index a2abd1a..c512a0c 100644
>>> --- a/include/linux/nfs4.h
>>> +++ b/include/linux/nfs4.h
>>> @@ -167,6 +167,13 @@ struct nfs4_acl {
>>> struct nfs4_ace aces[0];
>>> };
>>>
>>> +struct nfs4_label {
>>> + void *label;
>>> + u32 len;
>>> + uint32_t lfs;
>>> +};
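Review bot: In the added struct nfs4_label, the adjacent fields "u32 len" and "uint32_t lfs" spell the same 32-bit type two different ways; use u32 for both to match the rest of the header. The struct also carries no comment saying what lfs identifies, who owns and frees the buffer behind "void *label", or whether len counts a terminating NUL. Since the label is an opaque pointer plus a length that is copied and compared by length, a short comment block stating those three things would make misuse harder to introduce.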
>>
>> If we have support for NFS labels in NFSv3, would we also use struct
>> nfs4_label?
>>
>> It seems to me you want something more generic, just like nfs_fh or
>> nfs_fattr, to represent these. Over time, I'm guessing label support
>> won't be tied to a specific NFS version. And, you are passing these
>> around in the generic NFS functions (for post-op updates and inode
>> revalidation, and what not).
>>
>> Can I recommend "struct nfs_seclabel" instead? Then have
>> nfs_seclabel_alloc() and nfs_seclabel_free().
>
> Security has been the primary consumer of labels to date, but
> the xattr concept has always been envisioned as useful in many
> ways. That, and people have so many different views on what is
> and isn't security and whether it is good or evil that you are
> asking to limit the value if you tie "security" to the names.
> Plus, it adds unnecessary characters.

My main point is that the "nfs4" prefix is probably not optimal in the
long run. It seems to me that these labels are of generic use in the
NFS client, and not necessarily specific to version 4.