IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Chuck Lever <chuck.lever@oracle.com> Wed, 02 May 2018 22:50 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08FBC12DFDB for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 15:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uFDJk0zV0gZI for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 15:50:36 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4709812DDD0 for <nfsv4@ietf.org>; Wed, 2 May 2018 15:50:36 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w42MkSE8173196; Wed, 2 May 2018 22:50:34 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2017-10-26; bh=QmB+MiJuebCLOPw9LvzTnVmUCrXsQq9yZ4WSTD/aDnw=; b=isGcuYaQVXD/AEur2YJfDVjB1Y+jW+RXIYRM5hcsxF/QLWhxnpI04Coqjr99KOO86tjX 0Cm+Lw8ThmxWVmnQJ4myFqYAbUFghgw2YDTnnFz5czVeLTbG50mcuMNrA5ZxL3uG4Fgt G3FhZRTSXoZxyF4yLaQvSImxaX1ZajDrC0O/A+Aaxm81iYEvM5kAA2E7gA1k7a57I0VI 7sw4cE9Fqygw7Hwsla/rNJIZZGPMnoTxsljqp8pt0j6zh7FxXiA3EwPlXNT6TPRAhz2M Nu6+5QWNQmYgp6g2XjwAx6FXGpWyw2UmBLsFnoOWgkt6wjUga0hpj5P+yFASLSw+LF6p Yg==
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp2130.oracle.com with ESMTP id 2hmeg5yd0v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 02 May 2018 22:50:34 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w42MoXG1001704 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 2 May 2018 22:50:34 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w42MoX8s010994; Wed, 2 May 2018 22:50:33 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 02 May 2018 15:50:32 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com>
Date: Wed, 02 May 2018 18:50:31 -0400
Cc: Tom Haynes <loghyr@gmail.com>, Spencer Shepler <spencer.shepler@gmail.com>, NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com> <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com>
To: "Quigley, David" <david.quigley@intel.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8881 signatures=668698
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805020191
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/T63_UJ7bnxhlwqWhDZetFrZFkIs>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 22:50:38 -0000

Hi David-

> On May 2, 2018, at 6:36 PM, Quigley, David <david.quigley@intel.com> wrote:
> 
> I can understand wanting to use the sec_label field for capabilities but using it for the IMA and EVM data isn’t really in the spirit of what we designed this for. Those are integrity mechanisms and on Linux systems they are completely separate from the LSMs (access control is not integrity).

Yep, I get that, but I don't see a functional problem here. It seems like
an artificial constraint to say that we can't store IMA metadata in a
generic security label, and I don't see any explicit prohibition to doing
so laid out in the existing RFCs (if there is one, please point it out).

You can make a similar argument about file capabilities, which are not
MAC security. Should they be excluded from using a security label for this
reason?


> Also having them as 3 different LFS ids make no sense. The LFS is supposed to describe the format of what you are sending and receiving for the sec_label field. Unless something changed in the last rounds of revisions to the sec_label support there should only be one value per file?

A file can have capabilities associated with it, a security.ima xattr, and
a security.evm xattr. All three are separate objects and can change
independently of each other. Capabilities and IMA are not at all related
to each other, so at least these two need separate LSF numbers.


> Also something to consider is that Nico explicitly separates capabilities from MAC labeling in in RPCSECGSSv3. This is because traditionally capabilities and MAC systems are orthogonal to each other. I know file capabilities are different from the regular capabilities on processes in Linux but it is something to consider that on a normal Linux system they can co-exist and be enforced at the same time. With this mechanism you couldn’t support both SELinux and file-capabilities at the same time like you could on a local system.

Implementations can store the content of each LSF in separate xattrs, or
so it appears from my brief audit of the Linux implementation. I don't see
anything that prevents storing an SELinux label in one xattr, file
capabilities in a second xattr, and IMA metadata in a third xattr.


> I will be able to provide better feedback once I’ve read through the document another couple of times but those are my initial impressions just from a sec_label and LFS perspective. 

Thanks for looking!


> Dave
>  
> From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Tom Haynes
> Sent: Wednesday, May 2, 2018 3:30 PM
> To: Chuck Lever <chuck.lever@oracle.com>; Spencer Shepler <spencer.shepler@gmail.com>
> Cc: NFSv4 <nfsv4@ietf.org>
> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
>  
> Hey Chuck,
>  
> For the most part, my issues are the ones common to first drafts.
>  
> And Spencer S, 
>  
> Can we nominate this as official WG document? It is mature enough and on point with the earlier LFS work.
>  
> Thanks,
> Tom
>  
> Abstract
>  
> NFS version 4.2 
> Need to define NFS first.
>  
> Introduction
>  
> Before specifying new protocol,
> ->
>  
> Before specifying a new protocol,
> —
>  
> (hereafter, IMA)
> (hereafter, EVM)
> drop the hereafters
>  
> —
>  
> This is done by cryptographically signing HMAC
> please introduce HMAC
> --
> RSA public key signature
> Please define RSA
>  
> ——
>  
> The goals and use cases of the Linux Integrity Measurement
>    Architecture (IMA) are presented in further detail in [IMA-WP].
> Already have defined IMA
>  
> —
>  
> with the
>    superuser 
> What is a superuser?
>  
> ——
>  
> You then have four bullet points, which as they are complete sentences should end with ‘.’
>  
> —
>  
> execve(2)
>  
> need a citation (probably to POSIX)
>  
> ===
>  
> Section 3
>  
> Linux file capabilities
> becomes
> a capability set
> without motivating the connection.
>  
> =====
>  
> LFS
>  
> not introduced.
>  
> ====
>  
> MAC
>  
> not introduced
>  
> —
>  
>    In order to enable file capabilities to be retrieved or updated in a
>    single RPC, the text format representation of a capability set MUST
>    NOT exceed 8192 bytes in length.
>  
>    In order to enable IMA metadata to be retrieved or updated in a
>    single RPC, a signed hash MUST NOT exceed 4096 bytes in length.
> Why the restrictions? Is it a matter of the length of the compound?
>  
> ——
>  
> a Merkle
> citation?
>  
> ——
>  
> An NFSv4 server is required to enforce a suitable level of privilege
>    before allowing a local or remote agent to alter NFSv4 Security
>    Labels.  Consult Section 9.6 of [RFC7862] for further details.
>  
> Is the last sentence a sentance?
>  
> ——
>  
> Therefore additional protection using GSS
>    [RFC7861] or other security mechanisms is not mandatory.
>  
> Either define GSS or perhaps say RPCSEC_GSS?

--
Chuck Lever

v2.23.0 | Report a Bug | By Email