IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Chuck Lever <chuck.lever@oracle.com> Thu, 03 May 2018 13:49 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EA3D12E040 for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 06:49:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.709
X-Spam-Level:
X-Spam-Status: No, score=-2.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vB4k2Xg3WKtV for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 06:49:05 -0700 (PDT)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5B2412DA69 for <nfsv4@ietf.org>; Thu, 3 May 2018 06:49:05 -0700 (PDT)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w43DeZXP082136; Thu, 3 May 2018 13:49:03 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2017-10-26; bh=DOjlMZTOcZkzagEAbAK/aBo2gISuswPrhq8UROOzjrg=; b=rWJDy46jIolg8wHcXnYKJLYGxD5Pi0ZGXLT1jcn/L7/bFbCQvsn/RRrZcFauHF5T+AWn fEtzRElc2oQG4M5XFr51MctqaNfHzJghuOGb31cnR7Us0QYkjGPlxbXH0EvdR6OIw4rv aAzxy7AuvPbjxQ5lKZRAwKyxOZeyOr8V3ApLc8Ez9tZa8Cu1tEa6lj2AlVxNno918aVl LKJQloL86breiH0uMK/TmXnjoXW826raqfsYjMCp3T07bcfzE3hErQJ/HXzu0Cv+oxc9 Q/z5ywz3o0D1Hm8tRsN4ypbpTpc2b/KF0U4TT8u7U4RKuPHobfWqQSRUG17LUioUhz1o 5g==
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp2120.oracle.com with ESMTP id 2hmgxg1ue7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 03 May 2018 13:49:03 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w43Dn2J2011353 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 3 May 2018 13:49:02 GMT
Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w43Dn2kU018429; Thu, 3 May 2018 13:49:02 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 03 May 2018 06:49:02 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <AEEFCC10-2709-4F03-9C9B-49580D518B46@gmail.com>
Date: Thu, 03 May 2018 09:49:00 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D74605A3-59EE-4237-A270-2CBDD3C7F2D3@oracle.com>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com> <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com> <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com> <106AF901BBB25B4082BCE4FEC2F79D440627CF0A@ORSMSX108.amr.corp.intel.com> <7898FB59-A717-47E4-AF9B-38720EF40E56@oracle.com> <AEEFCC10-2709-4F03-9C9B-49580D518B46@gmail.com>
To: Tom Haynes <loghyr@gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8881 signatures=668698
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805030122
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/_nRArApDiOonHtLNRwQ7f4H4kP4>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 13:49:08 -0000


> On May 2, 2018, at 8:12 PM, Tom Haynes <loghyr@gmail.com> wrote:
> 
> Hey Chuck,
> 
> For some reason I thought you were describing what Linux was doing, not something new...
> 
> But yeah, David is right, only one LFS is going to work.
> 
> I’ll have to check if xattrs allows for system atttrs, but if it does, why can’t you use them?

Hi Tom-

NFSv4 xattrs expose only the user namespace. xattrs in the security.yada namespace
are not exposed to NFS clients, for example.

Initially we were thinking of using NFSv4 security labels only for experimentation,
but there didn't seem to be any reason not to use them for the long-term solution.
Since it now appears that there can't be a separate label for security.ima and
security.evm, that makes it challenging to use security labels even for
experimentation.


> Tom
> 
>> On May 2, 2018, at 4:27 PM, Chuck Lever <chuck.lever@oracle.com> wrote:
>> 
>> 
>> 
>>> On May 2, 2018, at 7:10 PM, Quigley, David <david.quigley@intel.com> wrote:
>>> 
>>> Hi Chuck,
>>> 
>>> I'll address each thing in turn since outlook doesn't seem to like inline commenting
>>> 
>>> I would say there is a prohibition on it as it was the only reason we went down the sec_label route in the first place. The initial proposal was to have xattrs on nfsv4 and put the security label in there. We designed the sec_label attr for MAC labels and the LFS specification is also explicitly for MAC Labels. We explicitly state that FATTR4_SEC_LABEL is a MAC Security Attribute in the 4.2 specification. This field is called sec_label which is kind of unfortunate name as it was intended to represent security labels in the traditional orange book sense.  It is not intended for arbitrary security related data. It is an access control field not an integrity field. Using it as a blob store for integrity data is similar to the pushback I received from Trond when I wanted to put this data in xattrs to begin with.
>>> 
>>> I also said I could see why you'd want to use it for capability data but to be honest capabilities should have their own mechanism just like how they do in Linux today. Its unfortunate that all of this is stores in xattrs on Linux because it really shouldn't be. The initial version of SELinux had new system calls for getting and setting security related information. It was only because the way of handling things at the time was to extend interfaces through the file system and psudo filesystems that SELinux and IMA look the way they do today. If you look at other systems that did it properly (FreeBSD) they introduced proper syscalls for all of this.
>>> 
>>> With respect to the three LFS numbers they are only supposed to cover data in the sec_label attribute. Do you only intend on storing one of the three in the attribute? How is this supposed to work? If you have a setfattr with an IMA LFS encoded attribute and then an EVM encoded attribute it would just overwrite it. You wouldn't be able to store them independently with the one attribute as it is unless I am misunderstanding something.
>> 
>> Let's dive into this one for a moment.
>> 
>> Are you saying that a file is allowed only one NFSv4 security label at a time,
>> similar to the way a file can have only one NFSv4 ACL?
>> 
>> If that's the case, then NFSv4 security labels are not going to work at all,
>> and we'll have to create a separate purpose-built mechanism for each of these
>> objects. Obviously we do need to store an ACL and an SELinux label and IMA
>> metadata and file capabilities separately.
>> 
>> 
>>> I will have to look at what was done with the final implementation that made its way into the Linux kernel but the sec_label attribute is supposed to be limited to one value per file. It is not supposed to be a multiplexed attribute based on the LFS. Security labels in a MAC sense are explicitly one value per file.
>>> 
>>> I will give it a closer read tonight and look at the implementation in the Linux Kernel. However it was not intended that if you do serfattr with two different lfs that you would store two different values.
>>> 
>>> Dave
>>> 
>>> -----Original Message-----
>>> From: Chuck Lever [mailto:chuck.lever@oracle.com] 
>>> Sent: Wednesday, May 2, 2018 4:51 PM
>>> To: Quigley, David <david.quigley@intel.com>
>>> Cc: Tom Haynes <loghyr@gmail.com>; Spencer Shepler <spencer.shepler@gmail.com>; NFSv4 <nfsv4@ietf.org>
>>> Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
>>> 
>>> Hi David-
>>> 
>>>> On May 2, 2018, at 6:36 PM, Quigley, David <david.quigley@intel.com> wrote:
>>>> 
>>>> I can understand wanting to use the sec_label field for capabilities but using it for the IMA and EVM data isn’t really in the spirit of what we designed this for. Those are integrity mechanisms and on Linux systems they are completely separate from the LSMs (access control is not integrity).
>>> 
>>> Yep, I get that, but I don't see a functional problem here. It seems like an artificial constraint to say that we can't store IMA metadata in a generic security label, and I don't see any explicit prohibition to doing so laid out in the existing RFCs (if there is one, please point it out).
>>> 
>>> You can make a similar argument about file capabilities, which are not MAC security. Should they be excluded from using a security label for this reason?
>>> 
>>> 
>>>> Also having them as 3 different LFS ids make no sense. The LFS is supposed to describe the format of what you are sending and receiving for the sec_label field. Unless something changed in the last rounds of revisions to the sec_label support there should only be one value per file?
>>> 
>>> A file can have capabilities associated with it, a security.ima xattr, and a security.evm xattr. All three are separate objects and can change independently of each other. Capabilities and IMA are not at all related to each other, so at least these two need separate LSF numbers.
>>> 
>>> 
>>>> Also something to consider is that Nico explicitly separates capabilities from MAC labeling in in RPCSECGSSv3. This is because traditionally capabilities and MAC systems are orthogonal to each other. I know file capabilities are different from the regular capabilities on processes in Linux but it is something to consider that on a normal Linux system they can co-exist and be enforced at the same time. With this mechanism you couldn’t support both SELinux and file-capabilities at the same time like you could on a local system.
>>> 
>>> Implementations can store the content of each LSF in separate xattrs, or so it appears from my brief audit of the Linux implementation. I don't see anything that prevents storing an SELinux label in one xattr, file capabilities in a second xattr, and IMA metadata in a third xattr.
>>> 
>>> 
>>>> I will be able to provide better feedback once I’ve read through the document another couple of times but those are my initial impressions just from a sec_label and LFS perspective. 
>>> 
>>> Thanks for looking!
>>> 
>>> 
>>>> Dave
>>>> 
>>>> From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Tom Haynes
>>>> Sent: Wednesday, May 2, 2018 3:30 PM
>>>> To: Chuck Lever <chuck.lever@oracle.com>; Spencer Shepler 
>>>> <spencer.shepler@gmail.com>
>>>> Cc: NFSv4 <nfsv4@ietf.org>
>>>> Subject: Re: [nfsv4] New Version Notification for 
>>>> draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
>>>> 
>>>> Hey Chuck,
>>>> 
>>>> For the most part, my issues are the ones common to first drafts.
>>>> 
>>>> And Spencer S,
>>>> 
>>>> Can we nominate this as official WG document? It is mature enough and on point with the earlier LFS work.
>>>> 
>>>> Thanks,
>>>> Tom
>>>> 
>>>> Abstract
>>>> 
>>>> NFS version 4.2
>>>> Need to define NFS first.
>>>> 
>>>> Introduction
>>>> 
>>>> Before specifying new protocol,
>>>> ->
>>>> 
>>>> Before specifying a new protocol,
>>>> —
>>>> 
>>>> (hereafter, IMA)
>>>> (hereafter, EVM)
>>>> drop the hereafters
>>>> 
>>>> —
>>>> 
>>>> This is done by cryptographically signing HMAC please introduce HMAC
>>>> --
>>>> RSA public key signature
>>>> Please define RSA
>>>> 
>>>> ——
>>>> 
>>>> The goals and use cases of the Linux Integrity Measurement
>>>> Architecture (IMA) are presented in further detail in [IMA-WP].
>>>> Already have defined IMA
>>>> 
>>>> —
>>>> 
>>>> with the
>>>> superuser
>>>> What is a superuser?
>>>> 
>>>> ——
>>>> 
>>>> You then have four bullet points, which as they are complete sentences should end with ‘.’
>>>> 
>>>> —
>>>> 
>>>> execve(2)
>>>> 
>>>> need a citation (probably to POSIX)
>>>> 
>>>> ===
>>>> 
>>>> Section 3
>>>> 
>>>> Linux file capabilities
>>>> becomes
>>>> a capability set
>>>> without motivating the connection.
>>>> 
>>>> =====
>>>> 
>>>> LFS
>>>> 
>>>> not introduced.
>>>> 
>>>> ====
>>>> 
>>>> MAC
>>>> 
>>>> not introduced
>>>> 
>>>> —
>>>> 
>>>> In order to enable file capabilities to be retrieved or updated in a
>>>> single RPC, the text format representation of a capability set MUST
>>>> NOT exceed 8192 bytes in length.
>>>> 
>>>> In order to enable IMA metadata to be retrieved or updated in a
>>>> single RPC, a signed hash MUST NOT exceed 4096 bytes in length.
>>>> Why the restrictions? Is it a matter of the length of the compound?
>>>> 
>>>> ——
>>>> 
>>>> a Merkle
>>>> citation?
>>>> 
>>>> ——
>>>> 
>>>> An NFSv4 server is required to enforce a suitable level of privilege
>>>> before allowing a local or remote agent to alter NFSv4 Security
>>>> Labels.  Consult Section 9.6 of [RFC7862] for further details.
>>>> 
>>>> Is the last sentence a sentance?
>>>> 
>>>> ——
>>>> 
>>>> Therefore additional protection using GSS
>>>> [RFC7861] or other security mechanisms is not mandatory.
>>>> 
>>>> Either define GSS or perhaps say RPCSEC_GSS?
>>> 
>>> --
>>> Chuck Lever
>>> 
>>> 
>>> 
>> 
>> --
>> Chuck Lever
>> 
>> 
>> 
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

--
Chuck Lever

v2.23.0 | Report a Bug | By Email