public inbox for linux-nfs@vger.kernel.org
 help / color / mirror / Atom feed
From: Trond Myklebust <trondmy@hammerspace.com>
To: "omosnace@redhat.com" <omosnace@redhat.com>,
	"olga.kornievskaia@gmail.com" <olga.kornievskaia@gmail.com>
Cc: "selinux@vger.kernel.org" <selinux@vger.kernel.org>,
	"linux-nfs@vger.kernel.org" <linux-nfs@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"anna.schumaker@netapp.com" <anna.schumaker@netapp.com>,
	"paul@paul-moore.com" <paul@paul-moore.com>,
	"stephen.smalley.work@gmail.com" <stephen.smalley.work@gmail.com>
Subject: Re: [PATCH 2/2] NFSv4.2: condition READDIR's mask for security label based on LSM state
Date: Thu, 5 Nov 2020 21:18:11 +0000	[thread overview]
Message-ID: <a96c14c0f86ec274d5bdc255050ae71238bb43fe.camel@hammerspace.com> (raw)
In-Reply-To: <CAN-5tyF+cLpmT=rwAYvQQ445tjFKZtGq+Qzf6rDGg8COPpFRwA@mail.gmail.com>

On Thu, 2020-11-05 at 14:51 -0500, Olga Kornievskaia wrote:
> On Thu, Nov 5, 2020 at 1:55 PM Ondrej Mosnacek <omosnace@redhat.com>
> wrote:
> > 
> > On Thu, Nov 5, 2020 at 6:33 PM Olga Kornievskaia
> > <olga.kornievskaia@gmail.com> wrote:
> > > From: Olga Kornievskaia <kolga@netapp.com>
> > > 
> > > Currently, the client will always ask for security_labels if the
> > > server
> > > returns that it supports that feature regardless of any LSM
> > > modules
> > > (such as Selinux) enforcing security policy. This adds
> > > performance
> > > penalty to the READDIR operation.
> > > 
> > > Instead, query the LSM module to find if anything is enabled and
> > > if not, then remove FATTR4_WORD2_SECURITY_LABEL from the bitmask.
> > 
> > Having spent some time staring at some of the NFS code very
> > recently,
> > I can't help but suggest: Would it perhaps be enough to decide
> > whether
> > to ask for labels based on (NFS_SB(dentry->d_sb)->caps &
> > NFS_CAP_SECURITY_LABEL)? It is set when mounting the FS iff some
> > LSM
> > confirms via the security_sb_*_mnt_opts() hook that it wants the
> > filesystem to give it labels (or at least that's how I interpret
> > the
> > cryptic name) [1]. It's just a shot in the dark, but it seems to
> > fit
> > this use case.
> > 
> > [1]
> > https://elixir.bootlin.com/linux/v5.10-rc2/source/fs/nfs/getroot.c#L148
> 
> Very interesting. I was not aware of something like that nor was it
> mentioned when I asked on the selinux mailing list. I wonder if this
> is a supported feature that will always stay? In that case, NFS
> wouldn't need the extra hook that was added for this series. I will
> try this out and report back.

NFS_CAP_SECURITY_LABEL is just the NFS server capability flag. It tells
you whether or not the client believes that the server might support
NFSv4.2 requests for labelled NFS metadata.

My understanding of Olga's requirement is that she needs to be able to
ignore that flag and simply not query for labelled NFS metadata if the
NFS client is not configured to enforce the LSM policy. The objective
is to avoid unnecessary RPC traffic to the server to query for data
that is unused.

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@hammerspace.com



  parent reply	other threads:[~2020-11-05 21:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-05 17:33 [PATCH 1/2] [lsm] introduce a new hook to query LSM for functionality Olga Kornievskaia
2020-11-05 17:33 ` [PATCH 2/2] NFSv4.2: condition READDIR's mask for security label based on LSM state Olga Kornievskaia
2020-11-05 18:55   ` Ondrej Mosnacek
2020-11-05 19:51     ` Olga Kornievskaia
2020-11-05 20:24       ` Ondrej Mosnacek
2020-11-05 21:18       ` Trond Myklebust [this message]
2020-11-05 21:43         ` Olga Kornievskaia
2020-11-06  8:47           ` Ondrej Mosnacek
2020-11-05 23:06   ` kernel test robot
2020-11-05 19:39 ` [PATCH 1/2] [lsm] introduce a new hook to query LSM for functionality Casey Schaufler
2020-11-07  1:33 ` James Morris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a96c14c0f86ec274d5bdc255050ae71238bb43fe.camel@hammerspace.com \
    --to=trondmy@hammerspace.com \
    --cc=anna.schumaker@netapp.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=olga.kornievskaia@gmail.com \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox