LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* RFC Labeled NFS Initial Code Review
@ 2008-02-27 20:39 David P. Quigley
  2008-02-27 20:39 ` [PATCH 01/11] Security: Add hook to get full maclabel xattr name David P. Quigley
                   ` (10 more replies)
  0 siblings, 11 replies; 26+ messages in thread
From: David P. Quigley @ 2008-02-27 20:39 UTC (permalink / raw)
  To: hch, viro, trond.myklebust, bfields; +Cc: linux-kernel, linux-fsdevel


This patch set is the first submission to fs-devel and lkml for the purpose of
code review. To test the patch set you need patches to nfs-utils as well. Since
this is just a code review I haven't posted the patch to nfs-utils however if
you want to test the code feel free to e-mail me and I will send you the
necessary patch.

Out of all of the functionality we have prototyped I have narrowed it down to
these items which I believe is the solid base for initial kernel inclusion.
These patches provide the mechanism to allow the server to provide security
labels to the client and a method for the client to change labels on the server.
The next revision of this patch set will allow for the client's subject
(process) label to be transmitted with the access requests so the server can
also make access decisions against the acting local policy. This part of the
patch set will be made substantially cleaner by the credentials patches
proposed by David Howells.

Known Issues:

Eventually stronger notification of security label changes will be added. For
now this is accomplished by using NFS's normal cache invalidation (timeout).

When acting as root on a root_squashed export changing the label on a file
manages to set the label locally in the NFS inode but doesn't set it on the
exported file system. In this case the fault is the server is returning OK for
the setattr option instead of EPERM. This will be fixed in the next version.


^ permalink raw reply	[flat|nested] 26+ messages in thread
* RFC Labeled NFS Initial Code Review
@ 2008-02-27 22:11 David P. Quigley
  2008-02-27 22:11 ` [PATCH 10/11] NFS: Extend nfs xattr handlers to accept the security namespace David P. Quigley
  0 siblings, 1 reply; 26+ messages in thread
From: David P. Quigley @ 2008-02-27 22:11 UTC (permalink / raw)
  To: hch, viro, trond.myklebust, bfields; +Cc: linux-kernel, linux-fsdevel


This patch set is the first submission to fs-devel and lkml for the purpose of
code review. To test the patch set you need patches to nfs-utils as well. Since
this is just a code review I haven't posted the patch to nfs-utils however if
you want to test the code feel free to e-mail me and I will send you the
necessary patch.

Out of all of the functionality we have prototyped I have narrowed it down to
these items which I believe is the solid base for initial kernel inclusion.
These patches provide the mechanism to allow the server to provide security
labels to the client and a method for the client to change labels on the server.
The next revision of this patch set will allow for the client's subject
(process) label to be transmitted with the access requests so the server can
also make access decisions against the acting local policy. This part of the
patch set will be made substantially cleaner by the credentials patches
proposed by David Howells.

Known Issues:

Eventually stronger notification of security label changes will be added. For
now this is accomplished by using NFS's normal cache invalidation (timeout).

When acting as root on a root_squashed export changing the label on a file
manages to set the label locally in the NFS inode but doesn't set it on the
exported file system. In this case the fault is the server is returning OK for
the setattr option instead of EPERM. This will be fixed in the next version.

 fs/Kconfig                          |   17 ++
 fs/attr.c                           |   43 ++++
 fs/nfs/client.c                     |   16 ++
 fs/nfs/dir.c                        |  101 ++++++++++-
 fs/nfs/getroot.c                    |   33 +++
 fs/nfs/inode.c                      |   58 ++++++-
 fs/nfs/namespace.c                  |    3 +
 fs/nfs/nfs3proc.c                   |   15 ++
 fs/nfs/nfs4proc.c                   |  369 +++++++++++++++++++++++++++++++++--
 fs/nfs/nfs4xdr.c                    |   49 +++++
 fs/nfs/proc.c                       |   13 ++-
 fs/nfs/super.c                      |   25 +++-
 fs/nfsd/export.c                    |    3 +
 fs/nfsd/nfs4xdr.c                   |   90 +++++++++-
 fs/nfsd/vfs.c                       |    7 +
 fs/xattr.c                          |   33 +++-
 include/linux/fcntl.h               |    1 +
 include/linux/fs.h                  |   11 +
 include/linux/fsnotify.h            |    6 +
 include/linux/inotify.h             |    3 +-
 include/linux/nfs4.h                |    2 +
 include/linux/nfs4_mount.h          |    3 +-
 include/linux/nfs_fs.h              |   41 ++++
 include/linux/nfs_fs_sb.h           |    1 +
 include/linux/nfs_mount.h           |    3 +-
 include/linux/nfs_xdr.h             |    4 +
 include/linux/nfsd/export.h         |    5 +-
 include/linux/nfsd/nfsd.h           |    7 +-
 include/linux/security.h            |   19 ++
 include/linux/xattr.h               |    1 +
 security/dummy.c                    |   13 ++
 security/security.c                 |   17 ++
 security/selinux/hooks.c            |   89 ++++++++--
 security/selinux/include/security.h |    2 +
 security/selinux/ss/policydb.c      |    5 +-
 35 files changed, 1059 insertions(+), 49 deletions(-)


^ permalink raw reply	[flat|nested] 26+ messages in thread

end of thread, other threads:[~2008-02-29  6:58 UTC | newest]

Thread overview: 26+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-02-27 20:39 RFC Labeled NFS Initial Code Review David P. Quigley
2008-02-27 20:39 ` [PATCH 01/11] Security: Add hook to get full maclabel xattr name David P. Quigley
2008-02-27 20:39 ` [PATCH 02/11] Security: Add hook to calculate context based on a negative dentry David P. Quigley
2008-02-27 20:39 ` [PATCH 03/11] VFS: Add security label support to *notify David P. Quigley
2008-02-28 20:10   ` Josef 'Jeff' Sipek
2008-02-28 20:39     ` Dave Quigley
2008-02-28 21:15       ` Josef 'Jeff' Sipek
2008-02-28 21:05         ` Dave Quigley
2008-02-28 21:39           ` Josef 'Jeff' Sipek
2008-02-28 21:26             ` Dave Quigley
2008-02-29  6:57   ` Andrew Morton
2008-02-27 20:39 ` [PATCH 04/11] KConfig: Add KConfig entries for SELinux labeled NFS David P. Quigley
2008-02-27 20:39 ` [PATCH 05/11] NFSv4: Add label recommended attribute and NFSv4 flags David P. Quigley
2008-02-27 20:39 ` [PATCH 06/11] SELinux: Add new labeling type native labels David P. Quigley
2008-02-27 20:39 ` [PATCH 07/11] NFS/SELinux: Add security_label text mount option to nfs and add handling code to the security server David P. Quigley
2008-02-27 20:39 ` [PATCH 08/11] NFS: Introduce lifecycle management for label attribute David P. Quigley
2008-02-28  1:04   ` James Morris
2008-02-28  0:47     ` Dave Quigley
2008-02-28  1:22       ` James Morris
2008-02-28 20:07     ` Dave Quigley
2008-02-28 23:00       ` James Morris
2008-02-28 22:43         ` Dave Quigley
2008-02-27 20:39 ` [PATCH 09/11] NFS: Client implementation of Labeled-NFS David P. Quigley
2008-02-27 20:39 ` [PATCH 10/11] NFS: Extend nfs xattr handlers to accept the security namespace David P. Quigley
2008-02-27 20:39 ` [PATCH 11/11] NFSD: Server implementation of MAC Labeling David P. Quigley
2008-02-27 22:11 RFC Labeled NFS Initial Code Review David P. Quigley
2008-02-27 22:11 ` [PATCH 10/11] NFS: Extend nfs xattr handlers to accept the security namespace David P. Quigley

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).