On Mon, Sep 12, 2011 at 04:23:24PM -0700, Casey Schaufler wrote: > On 9/12/2011 3:43 PM, J. Bruce Fields wrote: > > On Mon, Sep 12, 2011 at 03:38:24PM -0700, Casey Schaufler wrote: > >> On 9/12/2011 3:20 PM, J. Bruce Fields wrote: > >>> On Mon, Sep 12, 2011 at 02:34:04PM -0700, Casey Schaufler wrote: > >>>> On 9/7/2011 5:46 PM, Valdis.Kletnieks@xxxxxx wrote: > >>>>> On Mon, 05 Sep 2011 15:42:17 PDT, Casey Schaufler said: > >>>>>> On 9/5/2011 10:25 AM, Aneesh Kumar K.V wrote: > >>>>>>> The following set of patches implements VFS and ext4 changes needed to implement > >>>>>>> a new acl model for linux. Rich ACLs are an implementation of NFSv4 ACLs, > >>>>>>> extended by file( masks to fit into the standard POSIX file permission model. > >>>>>>> They are designed to work seamlessly locally as well as across the NFSv4 and > >>>>>>> CIFS/SMB2 network file system protocols. > >>>>>> POSIX ACLs predate the LSM and can't be done as an LSM due to > >>>>>> the interactions between mode bits and ACLs as defined by the > >>>>>> POSIX DRAFT specification. > >>> I don't know LSM so don't understand what you mean when you say that > >>> interactions between mode bits and ACLs would make an ACL model hard to > >>> implement as an LSM. > >> POSIX ACLs require that the file permission bits change when > >> the ACL changes. This interaction violates the strict "additional > >> restriction" model of the LSM. > > Oh, OK. Yes, rich ACLs are the same as POSIX ACLs in this respect. > > When you set an ACL the mode bits are reset to represent an "upper > > bound" on the permissions granted by the ACL. > > One of the areas in which the POSIX group was careful almost beyond > reason was the program that uses chmod() judiciously in the absence > of ACLs and how the presence of ACLs might result in a less secure > situation. Thus, a program that does > stat(..., &buf); > chmod(..., 0); > chmod(..., buf.st_mode) > > should get the exact same access at the end as it had at the beginning > and the file must be completely inaccessible after the chmod(..., 0) > regardless of the content of the ACL. Without this requirement the ACL > scheme would have worked fine as an LSM. If rich ACLs can't make these > claims, they aren't safe. Yes, see the patches--rich ACLs have the same property, using a similar mechanism. (They're essentially windows/NFSv4 ACLs + mask bits.) --b. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
