[PATCH v2 0/5] RFC: Linux IMA on NFS prototype

This series implements support for accessing and updating the
security.ima xattr on files that reside on an NFS export. Since the
NFS protocol does not have capabilities like CAP_SYS_ADMIN, on NFS
clients only root is allowed to set this xattr.

I'm interested in comments on the implementation, test results, or a
discussion of whether this proposal creates undesirable security
exposures.

Git repo: git://git.linux-nfs.org/projects/cel/cel-2.6.git
in the nfs-ima-prototype topic branch.


Implementation Notes

Please see the individual patch descriptions: standards action is
still required to define the official FATTR4 flag that all NFSv4.2
implementations recognize as meaning "the security.ima xattr". This
prototype is not guaranteed to interoperate with future prototypes
or standards-compliant implementations of this feature. It is for
experimental purposes only.

EVM is not supported in this prototype. The NFS protocol does not
support several of the xattrs that are protected by EVM: SMACK64,
Posix ACLs, and Linux file capabilities are not supported. When
these are present in an EVM hash, NFS clients can't retrieve them
to verify the hash.

This prototype does not match what is described in
draft-ietf-nfsv4-integrity-measurement. Since that draft was submitted, there has
been vigorous discussion on nfsv4@xxxxxxxx about how the NFS
protocol should support Linux IMA. The prototype attempts a narrow
interpretation of what the comments have requested. The draft will
be updated to reflect the prototype implementation.


Changes since v1:
- Rebased on kernel v5.0
- Moved NFSD support out from behind CONFIG_NFSD_V4_SECURITY_LABELS
- Added a patch to remove ima_file_check call in NFSD

---

Chuck Lever (5):
      NFS: Define common IMA-related protocol elements
      NFSD: Prototype support for IMA on NFS (server)
      NFSD: Remove ima_file_check call
      NFS: Rename security xattr handler
      NFS: Prototype support for IMA on NFS (client)


 fs/nfs/nfs4_fs.h          |    1 
 fs/nfs/nfs4proc.c         |  134 +++++++++++++++++++++++++++++---
 fs/nfs/nfs4xdr.c          |  186 +++++++++++++++++++++++++++++++++++++++++++++
 fs/nfsd/nfs4proc.c        |    9 ++
 fs/nfsd/nfs4xdr.c         |   49 ++++++++++--
 fs/nfsd/nfsd.h            |    3 -
 fs/nfsd/vfs.c             |   25 +++++-
 fs/nfsd/vfs.h             |    3 +
 fs/nfsd/xdr4.h            |    3 +
 fs/xattr.c                |   25 +++---
 include/linux/nfs4.h      |    5 +
 include/linux/nfs_fs_sb.h |    1 
 include/linux/nfs_xdr.h   |   21 +++++
 13 files changed, 426 insertions(+), 39 deletions(-)

--
Chuck Lever


