Re: [PATCH 13/14] NFSD: Server implementation of MAC Labeling

[Dave Quigley <dpquigl@xxxxxxxxxxxxxxx>]

On 3/28/2013 3:19 PM, J. Bruce Fields wrote:
> Dave, I think these are both questions for you?
>
> --b.
>
> On Thu, Mar 28, 2013 at 02:58:45PM -0400, bfields wrote:
> > On Thu, Mar 28, 2013 at 09:54:04AM -0400, Steve Dickson wrote:
> > > @@ -1988,6 +2044,50 @@ nfsd4_encode_aclname(struct svc_rqst *rqstp, struct nfs4_ace *ace,
> > >   			      FATTR4_WORD0_RDATTR_ERROR)
> > >   #define WORD1_ABSENT_FS_ATTRS FATTR4_WORD1_MOUNTED_ON_FILEID
> > >
> > > +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> > > +static inline __be32
> > > +nfsd4_encode_security_label(struct svc_rqst *rqstp, struct dentry *dentry, __be32 **pp, int *buflen)
> > > +{
> > > +	void *context;
> > > +	int err;
> > > +	int len;
> > > +	uint32_t pi = 0;
> > > +	uint32_t lfs = 0;
> > > +	__be32 *p = *pp;
> > > +
> > > +	err = 0;
> > > +	(void)security_inode_getsecctx(dentry->d_inode, &context, &len);
> > > +	if (len < 0)
> > > +		return nfserrno(len);
> > > +
> > > +	if (*buflen < ((XDR_QUADLEN(len) << 2) + 4 + 4 + 4)) {
> > > +		err = nfserr_resource;
> > > +		goto out;
> > > +	}
> > > +
> > > +	/* XXX: A call to the translation code should be placed here
> > > +	 * for now send 0  until we have that to indicate the null
> > > +	 * translation */
> >
> > Could we better a better comment here?

We could remove this comment all together if you want. We're trying to 
indicate that at some point in the future there will be a label 
translation facility like idmapd but for labels instead. This is where 
the call would go if we had it. I had a basic version of the code a long 
time ago and that is where I had the call but there was way too much 
work to make it usable for now. Instead I just pass the null translation 
indicator on the wire and we wave our hands and say don't look at the 
man behind the curtain.

> ...
> > > +#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
> > > +__be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp,
> > > +		struct nfs4_label *label)
> > > +{
> > > +	__be32 error;
> > > +	int host_error;
> > > +	struct dentry *dentry;
> > > +
> > > +	/* XXX: should we have a MAY_SSECCTX? */
> >
> > Again: could we get an answer to this question?

I'm pretty sure we can just remove that comment. It was a question from 
about 5 years ago now and I never found a compelling reason to say yes 
to it.

> > --b.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html