IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Chuck Lever <chuck.lever@oracle.com> Thu, 03 May 2018 17:10 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0E5B129C6B for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 10:10:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.709
X-Spam-Level:
X-Spam-Status: No, score=-2.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnpd2M-8NhKb for <nfsv4@ietfa.amsl.com>; Thu, 3 May 2018 10:10:20 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F1A4129502 for <nfsv4@ietf.org>; Thu, 3 May 2018 10:10:20 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w43H1QQT188495; Thu, 3 May 2018 17:10:18 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2017-10-26; bh=hDPCAjqJ2t8Ndy8hNGUnMTCmLzPqRYXY6nnZzZ15nLg=; b=DPdmBAIxhqFsJNI1uGsYLCXm4ra+toTE3cR6RbmikU6sO4hyhUIy3zpc1tFvPs356P1H vbP4ZTaD3diEU+OYA7/E/UCvlGP0X0v6A3j55HELyf4o4xsupwMX+iHERzrhw4Li50wY r64uommxn9Fzng3tLEZSwZ4oD+XIH7a97hflFq+H6ubhtji6LcwjvFh+e/O0/qr9XhbO S3VcurPIoxeXcJVVnw0s1gN8C2QyZ/x5rlISHQRYUDgR02DAGMMry7YTx/huc3BW+d3T xhfh8m3hSm6Wnbx4zvgmoB9SNW29vkVmQ09xaK+3v5fh6PSaodXosL711ZChfz2407Ji 6g==
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp2120.oracle.com with ESMTP id 2hmhmftrh9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 03 May 2018 17:10:18 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w43HAInV010638 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 3 May 2018 17:10:18 GMT
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w43HAHAX005970; Thu, 3 May 2018 17:10:18 GMT
Received: from anon-dhcp-171.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 03 May 2018 10:10:17 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <255272D7-E755-491D-B2CC-5167ABA4C70B@gmail.com>
Date: Thu, 03 May 2018 13:10:16 -0400
Cc: NFSv4 <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7420A8F9-0E4D-45AA-8D90-703EE51BC728@oracle.com>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com> <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com> <C388AE74-D240-4CFE-92A3-D0D6B0D31077@oracle.com> <106AF901BBB25B4082BCE4FEC2F79D440627CF0A@ORSMSX108.amr.corp.intel.com> <7898FB59-A717-47E4-AF9B-38720EF40E56@oracle.com> <AEEFCC10-2709-4F03-9C9B-49580D518B46@gmail.com> <D74605A3-59EE-4237-A270-2CBDD3C7F2D3@oracle.com> <255272D7-E755-491D-B2CC-5167ABA4C70B@gmail.com>
To: Tom Haynes <loghyr@gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8882 signatures=668698
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805030148
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/ayaK-Wl7wLutg8CEIYT_XqUNmd4>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 17:10:22 -0000


> On May 3, 2018, at 11:42 AM, Tom Haynes <loghyr@gmail.com> wrote:
> 
> 
> 
>> On May 3, 2018, at 6:49 AM, Chuck Lever <chuck.lever@oracle.com> wrote:
>> 
>> 
>> 
>>> On May 2, 2018, at 8:12 PM, Tom Haynes <loghyr@gmail.com> wrote:
>>> 
>>> Hey Chuck,
>>> 
>>> For some reason I thought you were describing what Linux was doing, not something new...
>>> 
>>> But yeah, David is right, only one LFS is going to work.
>>> 
>>> I’ll have to check if xattrs allows for system atttrs, but if it does, why can’t you use them?
>> 
>> Hi Tom-
>> 
>> NFSv4 xattrs expose only the user namespace. xattrs in the security.yada namespace
>> are not exposed to NFS clients, for example.
>> 
>> Initially we were thinking of using NFSv4 security labels only for experimentation,
>> but there didn't seem to be any reason not to use them for the long-term solution.
>> Since it now appears that there can't be a separate label for security.ima and
>> security.evm, that makes it challenging to use security labels even for
>> experimentation.
>> 
> 
> No, they are not challenging to use for experimentation if you are using LNFS as designed.

I meant:

It is challenging to use NFSv4 security labels to experiment with IMA,
because IMA requires storing two independent metadata objects per file.

To experiment, I would need to find a way of encoding both objects so
that they could be stored together in the same label. That potentially
introduces a read-modify-write cycle if a client wants to update just
one of those objects.


> I.e., someone can go in and implement a new Label Format Specifier and use 128 - 255.

However if the existing seclabel implementation (Linux) does not pay
attention to or store the LSF values, there is already an interoperability
problem with experimental implementations, isn't there? That can be
fixed, though.


> BTW, it is also the case that you could not use LFS values of 1, 2, and 3 as described in RFC7569.
> The allowed new values start at 260.

The range past 255 appears to be for MAC content. I chose LFS values in
the reserved range because both IMA and file capabilities are not MAC,
similar to SELinux contexts, which appears to use reserved value 0.
I was told that SELinux is not MAC.

All academic now. I think everyone would be more comfortable with new
fattr4 attributes rather than abusing security labels, so I will pursue
the former instead.

Thanks for your review!


--
Chuck Lever

v2.23.0 | Report a Bug | By Email