Re: RFC: make labeled NFS opt-in

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jan 12, 2017 at 10:29:14AM -0500, Andy Adamson wrote:
> NFSv4.2 labeled NFS provides 'guest mode' Mandatory Access Control
> (MAC) where the client can enforce labeling and store a label on the
> server, but the server itself does not enforce the same MAC as the
> client because the client request thread label is unknown to the
> server. RPCSEC_GSS version 3 label assertions asserts the client
> thread label on the NFSD thread handling the request, and so along
> with LNFS provides Full Mode MAC.
> 
> AFAICS the only time we want GSS3 label assertions is if LNFS is
> enabled.  Does this sound right to you? If so, I will use this new per
> export LNFS option to determine when GSS3 label assertions are
> enabled.

How do you disable or enable this on the server side?

I haven't been following the GSS3 development well, apologies.  So I
guess you must do something like:

	1. decode the GSS3 stuff in the RPC layer and store the
	resulting subject label somewhere like rqstp->rq_cred.
	2. in nfsd_setuser, set the nfsd thread's label to the label
	stored in rq_cred.

You probably need to have the processing in step 1 enabled all the time,
because you don't know which export you're going to be dealing with yet
at that point.

By step 2 you have the export.  So I guess you'd use the export option
to decide whether to silently ignore the label, or apply it to the nfsd
thread?

That might make sense.

--b.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux