IETF Logo Mail Archive

Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

"Quigley, David" <david.quigley@intel.com> Wed, 02 May 2018 22:36 UTC

Return-Path: <david.quigley@intel.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72A2412DA4B for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 15:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3alAQKsyN4R for <nfsv4@ietfa.amsl.com>; Wed, 2 May 2018 15:36:36 -0700 (PDT)
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 453F012DA49 for <nfsv4@ietf.org>; Wed, 2 May 2018 15:36:36 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 May 2018 15:36:35 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos; i="5.49,356,1520924400"; d="scan'208,217"; a="37004851"
Received: from orsmsx108.amr.corp.intel.com ([10.22.240.6]) by fmsmga008.fm.intel.com with ESMTP; 02 May 2018 15:36:35 -0700
Received: from orsmsx163.amr.corp.intel.com (10.22.240.88) by ORSMSX108.amr.corp.intel.com (10.22.240.6) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 2 May 2018 15:36:34 -0700
Received: from orsmsx108.amr.corp.intel.com ([169.254.2.198]) by ORSMSX163.amr.corp.intel.com ([169.254.9.158]) with mapi id 14.03.0319.002; Wed, 2 May 2018 15:36:34 -0700
From: "Quigley, David" <david.quigley@intel.com>
To: Tom Haynes <loghyr@gmail.com>, Chuck Lever <chuck.lever@oracle.com>, Spencer Shepler <spencer.shepler@gmail.com>
CC: NFSv4 <nfsv4@ietf.org>
Thread-Topic: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
Thread-Index: AQHT4lzNFhC2/z/1zUWHvcu/aQ8KtaQdBMHw
Date: Wed, 02 May 2018 22:36:34 +0000
Message-ID: <106AF901BBB25B4082BCE4FEC2F79D440627CED6@ORSMSX108.amr.corp.intel.com>
References: <152337099624.13448.11040477333954216664.idtracker@ietfa.amsl.com> <FB6B8D57-CEF6-46E1-97C7-E43C7E49752F@oracle.com> <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com>
In-Reply-To: <2CBB38A6-45FF-46A4-96A5-5D1B431E1365@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.200.100
dlp-reaction: no-action
x-originating-ip: [10.22.254.140]
Content-Type: multipart/alternative; boundary="_000_106AF901BBB25B4082BCE4FEC2F79D440627CED6ORSMSX108amrcor_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/oEan1sH7tXfY1zAGw6aVY4UwesQ>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 22:36:38 -0000

I can understand wanting to use the sec_label field for capabilities but using it for the IMA and EVM data isn’t really in the spirit of what we designed this for. Those are integrity mechanisms and on Linux systems they are completely separate from the LSMs (access control is not integrity).

Also having them as 3 different LFS ids make no sense. The LFS is supposed to describe the format of what you are sending and receiving for the sec_label field. Unless something changed in the last rounds of revisions to the sec_label support there should only be one value per file?

Also something to consider is that Nico explicitly separates capabilities from MAC labeling in in RPCSECGSSv3. This is because traditionally capabilities and MAC systems are orthogonal to each other. I know file capabilities are different from the regular capabilities on processes in Linux but it is something to consider that on a normal Linux system they can co-exist and be enforced at the same time. With this mechanism you couldn’t support both SELinux and file-capabilities at the same time like you could on a local system.

I will be able to provide better feedback once I’ve read through the document another couple of times but those are my initial impressions just from a sec_label and LFS perspective.

Dave

From: nfsv4 [mailto:nfsv4-bounces@ietf.org] On Behalf Of Tom Haynes
Sent: Wednesday, May 2, 2018 3:30 PM
To: Chuck Lever <chuck.lever@oracle.com>; Spencer Shepler <spencer.shepler@gmail.com>
Cc: NFSv4 <nfsv4@ietf.org>
Subject: Re: [nfsv4] New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt

Hey Chuck,

For the most part, my issues are the ones common to first drafts.

And Spencer S,

Can we nominate this as official WG document? It is mature enough and on point with the earlier LFS work.

Thanks,
Tom

Abstract


NFS version 4.2
Need to define NFS first.

Introduction


Before specifying new protocol,
->


Before specifying a new protocol,
—


(hereafter, IMA)

(hereafter, EVM)
drop the hereafters

—


This is done by cryptographically signing HMAC
please introduce HMAC

--

RSA public key signature
Please define RSA

——


The goals and use cases of the Linux Integrity Measurement

   Architecture (IMA) are presented in further detail in [IMA-WP].
Already have defined IMA

—


with the

   superuser
What is a superuser?

——

You then have four bullet points, which as they are complete sentences should end with ‘.’

—


execve(2)

need a citation (probably to POSIX)

===

Section 3


Linux file capabilities

becomes

a capability set

without motivating the connection.



=====



LFS



not introduced.



====



MAC



not introduced



—



   In order to enable file capabilities to be retrieved or updated in a

   single RPC, the text format representation of a capability set MUST

   NOT exceed 8192 bytes in length.



   In order to enable IMA metadata to be retrieved or updated in a

   single RPC, a signed hash MUST NOT exceed 4096 bytes in length.

Why the restrictions? Is it a matter of the length of the compound?



——



a Merkle

citation?



——



An NFSv4 server is required to enforce a suitable level of privilege

   before allowing a local or remote agent to alter NFSv4 Security

   Labels.  Consult Section 9.6 of [RFC7862] for further details.



Is the last sentence a sentance?



——



Therefore additional protection using GSS

   [RFC7861] or other security mechanisms is not mandatory.



Either define GSS or perhaps say RPCSEC_GSS?

v2.23.0 | Report a Bug | By Email