From: "David P. Quigley" <selinux@davequigley.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: David Quigley <dpquigl@davequigley.com>,
trond.myklebust@netapp.com, sds@tycho.nsa.gov,
linux-nfs@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org,
"Matthew N. Dodd" <Matthew.Dodd@sparta.com>,
Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>,
Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>,
Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
Subject: Re: [PATCH 07/13] NFSv4: Introduce new label structure
Date: Mon, 12 Nov 2012 11:53:13 -0500
Message-ID: <50A12979.3040902@davequigley.com>
In-Reply-To: <20121112160523.GJ30713@fieldses.org>
On 11/12/2012 11:05 AM, J. Bruce Fields wrote:
> On Mon, Nov 12, 2012 at 10:32:56AM -0500, David P. Quigley wrote:
>> On 11/12/2012 10:13 AM, J. Bruce Fields wrote:
>>> On Mon, Nov 12, 2012 at 01:15:41AM -0500, David Quigley wrote:
>>>> From: David Quigley <dpquigl@davequigley.com>
>>>>
>>>> In order to mimic the way that NFSv4 ACLs are implemented we have created a
>>>> structure to be used to pass label data up and down the call chain. This patch
>>>> adds the new structure and new members to the required NFSv4 call structures.
>>>>
>>>> Signed-off-by: Matthew N. Dodd <Matthew.Dodd@sparta.com>
>>>> Signed-off-by: Miguel Rodel Felipe <Rodel_FM@dsi.a-star.edu.sg>
>>>> Signed-off-by: Phua Eu Gene <PHUA_Eu_Gene@dsi.a-star.edu.sg>
>>>> Signed-off-by: Khin Mi Mi Aung <Mi_Mi_AUNG@dsi.a-star.edu.sg>
>>>> Signed-off-by: David Quigley <dpquigl@davequigley.com>
>>>> ---
>>>> fs/nfs/inode.c | 40 ++++++++++++++++++++++++++++++++++++++++
>>>> fs/nfsd/xdr4.h | 3 +++
>>>> include/linux/nfs4.h | 8 ++++++++
>>>> include/linux/nfs_fs.h | 14 ++++++++++++++
>>>> include/linux/nfs_xdr.h | 20 ++++++++++++++++++++
>>>> 5 files changed, 85 insertions(+)
>>>>
>>>> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
>>>> index 5c7325c..0963ad9 100644
>>>> --- a/fs/nfs/inode.c
>>>> +++ b/fs/nfs/inode.c
>>>> @@ -246,6 +246,46 @@ nfs_init_locked(struct inode *inode, void *opaque)
>>>> return 0;
>>>> }
>>>>
>>>> +#ifdef CONFIG_NFS_V4_SECURITY_LABEL
>>>> +struct nfs4_label *nfs4_label_alloc(gfp_t flags)
>>>> +{
>>>> + struct nfs4_label *label = NULL;
>>>> +
>>>> + label = kzalloc(sizeof(struct nfs4_label) + NFS4_MAXLABELLEN, flags);
>>> NFS4_MAXLABELLEN is 4096, but we usually try to avoid allocating more
>>> than that in a single allocation.
>> Should we make this smaller? I figured a page would be a good upper bound.
> If we could make it small enough so that the above fits in 4096 bytes
> that would be easier.
>
> (What does the protocol say? On a quick glance it doesn't seem to
> impose a limit.)
The spec doesn't limit the size of a label but we thought that a page
would be good. We can make it 4095 to ensure that it will always be in a
page in case a null terminator is added. I believe someone mentioned this
in the past; I'm not sure why it didn't make its way in. We initially had
something much larger but Trond chimed in and said that if it's larger
than a page something is wrong so we lowered it.
>
>>>> + label->label = (void *)(label + 1);
>>>> + label->len = NFS4_MAXLABELLEN;
>>>> + /* 0 is the null format meaning that the data is not to be translated */
>>>> + label->lfs = 0;
>>>> + label->pi = 0;
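Review bot: `label` is dereferenced at `label->label = (void *)(label + 1);` without any check that the kzalloc above succeeded; add `if (!label) return NULL;` (or `ERR_PTR(-ENOMEM)`, whichever the callers expect) directly after the allocation. On the size question raised above: with NFS4_MAXLABELLEN at 4096 the request is `sizeof(struct nfs4_label) + 4096`, so it overshoots one page by the struct header no matter what; trimming the constant to 4095 does not fix that, whereas computing the buffer length as `PAGE_SIZE - sizeof(struct nfs4_label)` would. Finally, `lfs` gets a comment explaining that 0 means untranslated but `pi` gets none; a one-line comment saying it is the policy identifier and is unused for now would save the next reader the question.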
>>> What's "pi"?
>>>
>>> --b.
>> In the LFS document we talk about how a policy identifier is a
>> recommended field. It isn't implemented yet as we're setting both
>> the LFS and the PI to 0 but I added it for when we put the LFS
>> mapping daemon in next. The idea is that even though we have a label
>> and we specify the format with the LFS we need to identify what
>> version of policy it is so we can ensure that the actual meaning of
>> a value is correct.
> And, my bad, this is in the spec--sorry, I need to go study it.
>
> --b.
>
It's ok. It's been in the works so long it's hard to keep track of it all.
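A userspace model of the single-allocation layout the hunk uses, added here to show the sizing arithmetic discussed above; this is not the patch's or the kernel's code, and `PAGE_SIZE_MODEL`, `NFS4_MAXLABELLEN_MODEL` and `nfs4_label_set` are constructed names (calloc stands in for kzalloc). The inline buffer is sized as page minus struct header so struct plus data stay within one page, and the allocation is checked before the trailing buffer is wired up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE_MODEL 4096u   /* assumed page size for this model */

/* Same fields as the hunk: format specifier, policy id, length, data. */
struct nfs4_label {
	uint32_t lfs;   /* label format specifier; 0 = data is not translated */
	uint32_t pi;    /* policy identifier; 0 until a policy mapping exists */
	uint32_t len;   /* capacity at alloc time, actual length once set */
	char    *label; /* points just past the struct, inside the same block */
};

/* Largest inline buffer that keeps struct + data inside one page.
 * This is the computed bound, rather than a hard-coded 4095. */
#define NFS4_MAXLABELLEN_MODEL (PAGE_SIZE_MODEL - sizeof(struct nfs4_label))

size_t nfs4_label_alloc_size(void)
{
	return sizeof(struct nfs4_label) + NFS4_MAXLABELLEN_MODEL;
}

struct nfs4_label *nfs4_label_alloc(void)
{
	struct nfs4_label *label = calloc(1, nfs4_label_alloc_size());

	if (!label)             /* allocation failure must be handled before use */
		return NULL;
	label->label = (char *)(label + 1);
	label->len = (uint32_t)NFS4_MAXLABELLEN_MODEL;
	label->lfs = 0;
	label->pi = 0;
	return label;
}

/* Copy n label bytes into the buffer, keeping one byte spare for a NUL
 * terminator so string handling cannot run past the page.
 * Returns 0 on success, -1 if the label does not fit. */
int nfs4_label_set(struct nfs4_label *label, const void *data, size_t n)
{
	if (n >= NFS4_MAXLABELLEN_MODEL)
		return -1;
	memcpy(label->label, data, n);
	label->label[n] = '\0';
	label->len = (uint32_t)n;
	return 0;
}

void nfs4_label_free(struct nfs4_label *label)
{
	free(label);
}
```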