IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

"Quigley, David" <david.quigley@intel.com> Wed, 02 May 2018 23:11 UTC

Return-Path: <david.quigley@intel.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12585124BAC for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 16:11:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjd-LTeLOgKw for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 16:11:19 -0700 (PDT)
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FEE3127058 for <nfsv4@ietf.org>; Wed, 2 May 2018 16:11:13 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 May 2018 16:11:03 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.49,356,1520924400"; d="scan'208";a="36414843"
Received: from orsmsx103.amr.corp.intel.com ([10.22.225.130]) by fmsmga007.fm.intel.com with ESMTP; 02 May 2018 16:11:03 -0700
Received: from orsmsx154.amr.corp.intel.com (10.22.226.12) by ORSMSX103.amr.corp.intel.com (10.22.225.130) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 2 May 2018 16:11:02 -0700
Received: from orsmsx108.amr.corp.intel.com ([169.254.2.198]) by ORSMSX154.amr.corp.intel.com ([10.22.226.12]) with mapi id 14.03.0319.002; Wed, 2 May 2018 16:11:02 -0700
From: "Quigley, David" <david.quigley@intel.com>
To: 'Chuck Lever' <chuck.lever@oracle.com>
CC: Tom Haynes <loghyr@gmail.com>, Spencer Shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
Thread-Index: AQHT4lzNFhC2/z/1zUWHvcu/aQ8KtaQdBMHwgAB70ID//4tB4A==
Date: Wed, 02 May 2018 23:11:01 +0000
Message-ID: <106AF901BBB25B4082BCE4FEC2F79D440627CF26@ORSMSX108.amr.corp.intel.com>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com> <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com> <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com>
In-Reply-To: <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.200.100
dlp-reaction: no-action
x-originating-ip: [10.22.254.140]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/2Te5spUImPDuWirYHpDNf3TSWY0>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 23:11:22 -0000

Hi Chuck,

I'll address each thing in turn since outlook doesn't seem to like inline commenting

I would say there is a prohibition on it as it was the only reason we went down the sec_label route in the first place. The initial proposal was to have xattrs on nfsv4 and put the security label in there. We designed the sec_label attr for MAC labels and the LFS specification is also explicitly for MAC Labels. We explicitly state that FATTR4_SEC_LABEL is a MAC Security Attribute in the 4.2 specification. This field is called sec_label which is kind of unfortunate name as it was intended to represent security labels in the traditional orange book sense.  It is not intended for arbitrary security related data. It is an access control field not an integrity field. Using the 

-----Original Message-----
From: Chuck Lever [mailto:chuck.lever@oracle.com] 
Sent: Wednesday, May 2, 2018 4:51 PM
To: Quigley, David <david.quigley@intel.com>
Cc: Tom Haynes <loghyr@gmail.com>; Spencer Shepler <spencer.shepler@gmail.com>; NFSv4 <nfsv4@ietf.org>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Hi David-

> On May 2, 2018, at 6:36 PM, Quigley, David <david.quigley@intel.com> wrote:
> 
> I can understand wanting to use the sec_label field for capabilities but using it for the IMA and EVM data isn’t really in the spirit of what we designed this for. Those are integrity mechanisms and on Linux systems they are completely separate from the LSMs (access control is not integrity).

Yep, I get that, but I don't see a functional problem here. It seems like an artificial constraint to say that we can't store IMA metadata in a generic security label, and I don't see any explicit prohibition to doing so laid out in the existing RFCs (if there is one, please point it out).

You can make a similar argument about file capabilities, which are not MAC security. Should they be excluded from using a security label for this reason?


> Also having them as 3 different LFS ids make no sense. The LFS is supposed to describe the format of what you are sending and receiving for the sec_label field. Unless something changed in the last rounds of revisions to the sec_label support there should only be one value per file?

A file can have capabilities associated with it, a security.ima xattr, and a security.evm xattr. All three are separate objects and can change independently of each other. Capabilities and IMA are not at all related to each other, so at least these two need separate LSF numbers.


> Also something to consider is that Nico explicitly separates capabilities from MAC labeling in in RPCSECGSSv3. This is because traditionally capabilities and MAC systems are orthogonal to each other. I know file capabilities are different from the regular capabilities on processes in Linux but it is something to consider that on a normal Linux system they can co-exist and be enforced at the same time. With this mechanism you couldn’t support both SELinux and file-capabilities at the same time like you could on a local system.

Implementations can store the content of each LSF in separate xattrs, or so it appears from my brief audit of the Linux implementation. I don't see anything that prevents storing an SELinux label in one xattr, file capabilities in a second xattr, and IMA metadata in a third xattr.


> I will be able to provide better feedback once I’ve read through the document another couple of times but those are my initial impressions just from a sec_label and LFS perspective. 

Thanks for looking!


> Dave
>  
> From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Tom Haynes
> Sent: Wednesday, May 2, 2018 3:30 PM
> To: Chuck Lever <chuck.lever@oracle.com>; Spencer Shepler 
> <spencer.shepler@gmail.com>
> Cc: NFSv4 <nfsv4@ietf.org>
> Subject: Re: [nfsv4] New Version Notification for 
> draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
>  
> Hey Chuck,
>  
> For the most part, my issues are the ones common to first drafts.
>  
> And Spencer S,
>  
> Can we nominate this as official WG document? It is mature enough and on point with the earlier LFS work.
>  
> Thanks,
> Tom
>  
> Abstract
>  
> NFS version 4.2
> Need to define NFS first.
>  
> Introduction
>  
> Before specifying new protocol,
> ->
>  
> Before specifying a new protocol,
> —
>  
> (hereafter, IMA)
> (hereafter, EVM)
> drop the hereafters
>  
> —
>  
> This is done by cryptographically signing HMAC please introduce HMAC
> --
> RSA public key signature
> Please define RSA
>  
> ——
>  
> The goals and use cases of the Linux Integrity Measurement
>    Architecture (IMA) are presented in further detail in [IMA-WP].
> Already have defined IMA
>  
> —
>  
> with the
>    superuser
> What is a superuser?
>  
> ——
>  
> You then have four bullet points, which as they are complete sentences should end with ‘.’
>  
> —
>  
> execve(2)
>  
> need a citation (probably to POSIX)
>  
> ===
>  
> Section 3
>  
> Linux file capabilities
> becomes
> a capability set
> without motivating the connection.
>  
> =====
>  
> LFS
>  
> not introduced.
>  
> ====
>  
> MAC
>  
> not introduced
>  
> —
>  
>    In order to enable file capabilities to be retrieved or updated in a
>    single RPC, the text format representation of a capability set MUST
>    NOT exceed 8192 bytes in length.
>  
>    In order to enable IMA metadata to be retrieved or updated in a
>    single RPC, a signed hash MUST NOT exceed 4096 bytes in length.
> Why the restrictions? Is it a matter of the length of the compound?
>  
> ——
>  
> a Merkle
> citation?
>  
> ——
>  
> An NFSv4 server is required to enforce a suitable level of privilege
>    before allowing a local or remote agent to alter NFSv4 Security
>    Labels.  Consult Section 9.6 of [RFC7862] for further details.
>  
> Is the last sentence a sentance?
>  
> ——
>  
> Therefore additional protection using GSS
>    [RFC7861] or other security mechanisms is not mandatory.
>  
> Either define GSS or perhaps say RPCSEC_GSS?

--
Chuck Lever

v2.23.0 | Report a Bug | By Email