IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Chuck Lever <chuck.lever@oracle.com> Wed, 02 May 2018 23:27 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 682E912E059 for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 16:27:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OG4t3UpFJALa for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 16:27:45 -0700 (PDT)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEAE512E91F for <nfsv4@ietf.org>; Wed, 2 May 2018 16:27:43 -0700 (PDT)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w42NQSFX123095; Wed, 2 May 2018 23:27:42 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2017-10-26; bh=c3uA+3DZaSBFxaovZeEzkrmZGM3pwRr65KH9vmk1QWg=; b=Dy9L2TPdU2j5gvZxpBRp2g/Kri4mI47mzdhmHmMfHXJA5BPdWbRqSLKAsHEX8SOkIb0y zB5K40hqo/pgYsodXDDmBJsviNWgpzGoCAeaFP9bsxut3chBz5SjMKyJo3yqkOgb81jZ Z3Q9GmgVquMnRtXWeVgt9B9Tidf1pFtuF3SxJM5NmsJxto7QtrOOXSU86ptFKSiGKfHP kDtFVt2kA0fUC3xkinGNTO0GlOrlMdTmSWSsydWMk9Jjuc+Or6EqZA4krOwI5ebd+Z3Y rCj6jR+SPOhdLR8uag9GyzV1777CT0lVDUxTffJUK3T5rNvb5HFvnUpIYhMKBKg5wOrx 2w==
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp2120.oracle.com with ESMTP id 2hmgxfybck-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 02 May 2018 23:27:42 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w42NRfXR026877 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 2 May 2018 23:27:41 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w42NRfdq024802; Wed, 2 May 2018 23:27:41 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 02 May 2018 16:27:40 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <106AF901BBB25B4082BCE4FEC2F79D440627CF0A@ORSMSX108.amr.corp.intel.com>
Date: Wed, 02 May 2018 19:27:39 -0400
Cc: Tom Haynes <loghyr@gmail.com>, Spencer Shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7898FB59-A717-47E4-AF9B-38720EF40E56@oracle.com>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com> <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com> <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com> <106AF901BBB25B4082BCE4FEC2F79D440627CF0A@ORSMSX108.amr.corp.intel.com>
To: "Quigley, David" <david.quigley@intel.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8881 signatures=668698
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805020196
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/EqJavUsh1Sxyn5qWhzn9QLRfatM>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 23:27:48 -0000


> On May 2, 2018, at 7:10 PM, Quigley, David <david.quigley@intel.com> wrote:
> 
> Hi Chuck,
> 
> I'll address each thing in turn since outlook doesn't seem to like inline commenting
> 
> I would say there is a prohibition on it as it was the only reason we went down the sec_label route in the first place. The initial proposal was to have xattrs on nfsv4 and put the security label in there. We designed the sec_label attr for MAC labels and the LFS specification is also explicitly for MAC Labels. We explicitly state that FATTR4_SEC_LABEL is a MAC Security Attribute in the 4.2 specification. This field is called sec_label which is kind of unfortunate name as it was intended to represent security labels in the traditional orange book sense.  It is not intended for arbitrary security related data. It is an access control field not an integrity field. Using it as a blob store for integrity data is similar to the pushback I received from Trond when I wanted to put this data in xattrs to begin with.
> 
> I also said I could see why you'd want to use it for capability data but to be honest capabilities should have their own mechanism just like how they do in Linux today. Its unfortunate that all of this is stores in xattrs on Linux because it really shouldn't be. The initial version of SELinux had new system calls for getting and setting security related information. It was only because the way of handling things at the time was to extend interfaces through the file system and psudo filesystems that SELinux and IMA look the way they do today. If you look at other systems that did it properly (FreeBSD) they introduced proper syscalls for all of this.
> 
> With respect to the three LFS numbers they are only supposed to cover data in the sec_label attribute. Do you only intend on storing one of the three in the attribute? How is this supposed to work? If you have a setfattr with an IMA LFS encoded attribute and then an EVM encoded attribute it would just overwrite it. You wouldn't be able to store them independently with the one attribute as it is unless I am misunderstanding something.

Let's dive into this one for a moment.

Are you saying that a file is allowed only one NFSv4 security label at a time,
similar to the way a file can have only one NFSv4 ACL?

If that's the case, then NFSv4 security labels are not going to work at all,
and we'll have to create a separate purpose-built mechanism for each of these
objects. Obviously we do need to store an ACL and an SELinux label and IMA
metadata and file capabilities separately.


> I will have to look at what was done with the final implementation that made its way into the Linux kernel but the sec_label attribute is supposed to be limited to one value per file. It is not supposed to be a multiplexed attribute based on the LFS. Security labels in a MAC sense are explicitly one value per file.
> 
> I will give it a closer read tonight and look at the implementation in the Linux Kernel. However it was not intended that if you do serfattr with two different lfs that you would store two different values.
> 
> Dave
> 
> -----Original Message-----
> From: Chuck Lever [mailto:chuck.lever@oracle.com] 
> Sent: Wednesday, May 2, 2018 4:51 PM
> To: Quigley, David <david.quigley@intel.com>
> Cc: Tom Haynes <loghyr@gmail.com>; Spencer Shepler <spencer.shepler@gmail.com>; NFSv4 <nfsv4@ietf.org>
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
> 
> Hi David-
> 
>> On May 2, 2018, at 6:36 PM, Quigley, David <david.quigley@intel.com> wrote:
>> 
>> I can understand wanting to use the sec_label field for capabilities but using it for the IMA and EVM data isn’t really in the spirit of what we designed this for. Those are integrity mechanisms and on Linux systems they are completely separate from the LSMs (access control is not integrity).
> 
> Yep, I get that, but I don't see a functional problem here. It seems like an artificial constraint to say that we can't store IMA metadata in a generic security label, and I don't see any explicit prohibition to doing so laid out in the existing RFCs (if there is one, please point it out).
> 
> You can make a similar argument about file capabilities, which are not MAC security. Should they be excluded from using a security label for this reason?
> 
> 
>> Also having them as 3 different LFS ids make no sense. The LFS is supposed to describe the format of what you are sending and receiving for the sec_label field. Unless something changed in the last rounds of revisions to the sec_label support there should only be one value per file?
> 
> A file can have capabilities associated with it, a security.ima xattr, and a security.evm xattr. All three are separate objects and can change independently of each other. Capabilities and IMA are not at all related to each other, so at least these two need separate LSF numbers.
> 
> 
>> Also something to consider is that Nico explicitly separates capabilities from MAC labeling in in RPCSECGSSv3. This is because traditionally capabilities and MAC systems are orthogonal to each other. I know file capabilities are different from the regular capabilities on processes in Linux but it is something to consider that on a normal Linux system they can co-exist and be enforced at the same time. With this mechanism you couldn’t support both SELinux and file-capabilities at the same time like you could on a local system.
> 
> Implementations can store the content of each LSF in separate xattrs, or so it appears from my brief audit of the Linux implementation. I don't see anything that prevents storing an SELinux label in one xattr, file capabilities in a second xattr, and IMA metadata in a third xattr.
> 
> 
>> I will be able to provide better feedback once I’ve read through the document another couple of times but those are my initial impressions just from a sec_label and LFS perspective. 
> 
> Thanks for looking!
> 
> 
>> Dave
>> 
>> From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Tom Haynes
>> Sent: Wednesday, May 2, 2018 3:30 PM
>> To: Chuck Lever <chuck.lever@oracle.com>; Spencer Shepler 
>> <spencer.shepler@gmail.com>
>> Cc: NFSv4 <nfsv4@ietf.org>
>> Subject: Re: [nfsv4] New Version Notification for 
>> draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
>> 
>> Hey Chuck,
>> 
>> For the most part, my issues are the ones common to first drafts.
>> 
>> And Spencer S,
>> 
>> Can we nominate this as official WG document? It is mature enough and on point with the earlier LFS work.
>> 
>> Thanks,
>> Tom
>> 
>> Abstract
>> 
>> NFS version 4.2
>> Need to define NFS first.
>> 
>> Introduction
>> 
>> Before specifying new protocol,
>> ->
>> 
>> Before specifying a new protocol,
>> —
>> 
>> (hereafter, IMA)
>> (hereafter, EVM)
>> drop the hereafters
>> 
>> —
>> 
>> This is done by cryptographically signing HMAC please introduce HMAC
>> --
>> RSA public key signature
>> Please define RSA
>> 
>> ——
>> 
>> The goals and use cases of the Linux Integrity Measurement
>>  Architecture (IMA) are presented in further detail in [IMA-WP].
>> Already have defined IMA
>> 
>> —
>> 
>> with the
>>  superuser
>> What is a superuser?
>> 
>> ——
>> 
>> You then have four bullet points, which as they are complete sentences should end with ‘.’
>> 
>> —
>> 
>> execve(2)
>> 
>> need a citation (probably to POSIX)
>> 
>> ===
>> 
>> Section 3
>> 
>> Linux file capabilities
>> becomes
>> a capability set
>> without motivating the connection.
>> 
>> =====
>> 
>> LFS
>> 
>> not introduced.
>> 
>> ====
>> 
>> MAC
>> 
>> not introduced
>> 
>> —
>> 
>>  In order to enable file capabilities to be retrieved or updated in a
>>  single RPC, the text format representation of a capability set MUST
>>  NOT exceed 8192 bytes in length.
>> 
>>  In order to enable IMA metadata to be retrieved or updated in a
>>  single RPC, a signed hash MUST NOT exceed 4096 bytes in length.
>> Why the restrictions? Is it a matter of the length of the compound?
>> 
>> ——
>> 
>> a Merkle
>> citation?
>> 
>> ——
>> 
>> An NFSv4 server is required to enforce a suitable level of privilege
>>  before allowing a local or remote agent to alter NFSv4 Security
>>  Labels.  Consult Section 9.6 of [RFC7862] for further details.
>> 
>> Is the last sentence a sentance?
>> 
>> ——
>> 
>> Therefore additional protection using GSS
>>  [RFC7861] or other security mechanisms is not mandatory.
>> 
>> Either define GSS or perhaps say RPCSEC_GSS?
> 
> --
> Chuck Lever
> 
> 
> 

--
Chuck Lever

v2.23.0 | Report a Bug | By Email