Re: [PATCH 01/11] Security: Add hook to get full maclabel xattr name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 2008-02-28 at 17:26 -0800, Casey Schaufler wrote:
> --- Trond Myklebust <trond.myklebust@xxxxxxxxxx> wrote:
> 
> > 
> > On Thu, 2008-02-28 at 19:39 -0500, Christoph Hellwig wrote:
> > > On Thu, Feb 28, 2008 at 07:04:57PM -0500, Dave Quigley wrote:
> > > > There are several things here. I've spoken to several people about this
> > > > and the belief I've gotten from most of them is that a recommended
> > > > attribute is how this is to be transported. The NFSv4 spec people will
> > > > probably say that if you want xattr like functionality for NFSv4 use
> > > > named attributes. For us this is not an option since we require
> > > > semantics to label on create/open and the only way we can do this is by
> > > > adding a recommended attribute. The create/open calls in NFSv4 takes a
> > > > list of attributes to use on create as part of the request. I really
> > > > don't see a difference between the security blob and the
> > > > username/groupname that NFSv4 currently uses. Also there is a good
> > > > chance that we will need to translate labels at some point (read future
> > > > work).
> > > 
> > > Then use the existing side-band protocol and ignore the NFSv4 spec
> > > group.  They're <skip colourful language here> anyway.
> > 
> > As I've told you several times before: we're _NOT_ putting private
> > ioctl^Hxattrs onto the wire. If the protocol can't be described in an
> > RFC, then it isn't going in no matter what expletive you choose to
> > use...
> 
> With the SGI supplied reference implementation it ought to be a
> small matter of work to write an RFC. If the information weren't
> SGI proprietary I could even tell you how long it ought to take
> a junior engineer in Melbourne to write. The fact that there is
> currently no RFC does not mean that there cannot be a RFC, only
> that no one has written (or published) one yet.

NO! It is not a "small matter of work".

The fact is that private crap like the 'security' and 'system' namespace
makes describing 'xattr' as a protocol a non-starter and an
interoperability nightmare. If you can't do better than xattr for a
security protocol, then it is time to go look for another job...

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux