Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

bfields@fieldses.org (J. Bruce Fields) Thu, 03 May 2018 15:03 UTC

Date: Thu, 03 May 2018 11:03:15 -0400
To: Chuck Lever <chuck.lever@oracle.com>
Cc: "Quigley, David" <david.quigley@intel.com>, NFSv4 <nfsv4@ietf.org>
Message-ID: <20180503150315.GA14163@fieldses.org>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com> <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com> <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com>

On Wed, May 02, 2018 at 06:50:31PM -0400, Chuck Lever wrote:
> > On May 2, 2018, at 6:36 PM, Quigley, David <david.quigley@intel.com> wrote:
> > 
> > Also having them as 3 different LFS ids makes no sense. The
> > LFS is supposed to describe the format of what you are sending and
> > receiving for the sec_label field. Unless something changed in the
> > last rounds of revisions to the sec_label support there should only
> > be one value per file?
> 
> A file can have capabilities associated with it, a security.ima xattr,
> and a security.evm xattr. All three are separate objects and can
> change independently of each other. Capabilities and IMA are not at
> all related to each other, so at least these two need separate LFS
> numbers.

The client doesn't have a way to query them separately.  All you can do
is send a GETATTR {FATTR4_SEC_LABEL}, and then the server can only
return one thing.  So, I agree, overloading the security labels in this
way doesn't work.  I overlooked that!

It's no problem to define a couple new attributes instead, let's just do
that.  That will also give clients an easy way to query for IMA or
file capability support by querying the supported_attrs attributes.

--b.
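As an added example that is not part of this thread, here is a small Python model of the two XDR pieces the argument turns on: a sec_label4 carries exactly one {lfs, pi} label, so three labels cannot share FATTR4_SEC_LABEL, and a bitmap4 of supported_attrs is how a client would discover separately defined attributes before issuing GETATTR. FATTR4_SEC_LABEL = 80 is the real number from RFC 7862; the IMA and file-capability attribute numbers are placeholders, not values from any draft.

```python
import struct
from typing import Iterable, Set

# Real NFSv4 attribute numbers (RFC 5661 / RFC 7862).
FATTR4_SUPPORTED_ATTRS = 0
FATTR4_SEC_LABEL = 80
# Hypothetical numbers for the separate attributes the mail proposes (placeholders only).
FATTR4_IMA_SIGNATURE_HYPOTHETICAL = 90
FATTR4_FILE_CAPS_HYPOTHETICAL = 91


def encode_sec_label4(lfs: int, pi: int, data: bytes) -> bytes:
    """sec_label4 (RFC 7862): one labelformat_spec4 {lfs, pi} plus one opaque label.
    There is a single LFS slot, which is why capabilities, IMA and EVM cannot all
    be multiplexed through this attribute with different LFS ids."""
    pad = (-len(data)) % 4  # XDR opaque<> is padded to a 4-byte boundary
    return struct.pack(">III", lfs, pi, len(data)) + data + b"\0" * pad


def encode_bitmap4(attrs: Iterable[int]) -> bytes:
    """XDR bitmap4: uint32 word count, then words; bit i of word w is attribute 32*w+i."""
    attrs = set(attrs)
    nwords = (max(attrs) // 32 + 1) if attrs else 0
    words = [0] * nwords
    for a in attrs:
        words[a // 32] |= 1 << (a % 32)
    return struct.pack(">I", nwords) + b"".join(struct.pack(">I", w) for w in words)


def decode_bitmap4(data: bytes) -> Set[int]:
    """Inverse of encode_bitmap4: recover the set of attribute numbers."""
    (nwords,) = struct.unpack(">I", data[:4])
    attrs: Set[int] = set()
    for w in range(nwords):
        (word,) = struct.unpack(">I", data[4 + 4 * w: 8 + 4 * w])
        attrs.update(32 * w + i for i in range(32) if (word >> i) & 1)
    return attrs


def unsupported_requests(supported_bitmap: bytes, wanted: Iterable[int]) -> Set[int]:
    """Attributes a client should not GETATTR, because the server's supported_attrs
    bitmap (constructed by the caller here) does not advertise them."""
    return set(wanted) - decode_bitmap4(supported_bitmap)


if __name__ == "__main__":
    # Constructed server: supports supported_attrs and sec_label only.
    server = encode_bitmap4({FATTR4_SUPPORTED_ATTRS, FATTR4_SEC_LABEL})
    wanted = [FATTR4_SEC_LABEL, FATTR4_IMA_SIGNATURE_HYPOTHETICAL, FATTR4_FILE_CAPS_HYPOTHETICAL]
    print("server lacks:", sorted(unsupported_requests(server, wanted)))
```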