Hello,

This is the latest version of the NFS label support patch set. The set contains one patch which will be removed when it makes its way upstream from the NFS maintainers' trees. This is the patch to fix a use-before-init bug in the nfs4recovery code. Changes since the last patch set are listed below.

If you want a tree with the patches already applied, we have posted a public git tree that is ready for cloning and use. This tree can be found at http://git.selinuxproject.org/git. You can find information on how to build and set up a labeled NFS at http://www.selinuxproject.org/page/Labeled_NFS.

Features:

* Client
  * Obtains labels from the server for NFS files while still allowing SELinux context mounts to override untrusted labeled servers.
  * Allows setting labels on files over NFS via the xattr interface.
* Server
  * Exports labels to clients. At the moment there is no ability to restrict this based on label components such as MLS levels.
  * Persistent storage of labels, assuming the exported file system supports it.

Changes since last patch set:

* The life cycle management patch has been fixed to return the error from kmalloc up the call stack. The patch used to have a panic in the case of memory allocation failure, which was a temporary measure until this was ready.
* Inode locking was added around the functions in the NFS server code which assign the label to the inode when received from the wire.
* Memory allocations were changed from GFP_ATOMIC to GFP_KERNEL.
* A bug that resulted in memory corruption when MLS support was enabled has also been fixed.
* The process label transport mechanism has been removed from the patch set since a new version of it is in the works. This new method provides the security guarantees needed for our purposes while providing compatibility with existing rpcsec flavors and fixing a potential MITM attack against Kerberos. A more detailed explanation of the mechanism will be given when the design has been solidified and we have an initial implementation.

 fs/Kconfig                          |  30 +++
 fs/nfs/client.c                     |  16 ++
 fs/nfs/dir.c                        |  32 +++-
 fs/nfs/getroot.c                    |  44 +++-
 fs/nfs/inode.c                      |  69 +++++-
 fs/nfs/namespace.c                  |   3 +
 fs/nfs/nfs3proc.c                   |   7 +
 fs/nfs/nfs4proc.c                   | 489 +++++++++++++++++++++++++++++++---
 fs/nfs/nfs4xdr.c                    |  55 ++++-
 fs/nfs/proc.c                       |  12 +-
 fs/nfs/super.c                      |  46 ++++-
 fs/nfs/unlink.c                     |  12 +-
 fs/nfsd/export.c                    |   3 +
 fs/nfsd/nfs4proc.c                  |  35 +++-
 fs/nfsd/nfs4recover.c               |   6 +-
 fs/nfsd/nfs4xdr.c                   | 106 +++++++-
 fs/nfsd/vfs.c                       |  28 ++
 fs/xattr.c                          |  55 +++-
 include/linux/nfs4.h                |   8 +
 include/linux/nfs4_mount.h          |   6 +-
 include/linux/nfs_fs.h              |  26 ++
 include/linux/nfs_fs_sb.h           |   2 +-
 include/linux/nfs_xdr.h             |   7 +
 include/linux/nfsd/export.h         |   5 +-
 include/linux/nfsd/nfsd.h           |   9 +-
 include/linux/nfsd/xdr4.h           |   3 +
 include/linux/security.h            |  88 +++++++
 include/linux/xattr.h               |   1 +
 security/capability.c               |  29 ++
 security/security.c                 |  32 +++
 security/selinux/hooks.c            | 141 +++++++++--
 security/selinux/include/security.h |   4 +
 security/selinux/ss/policydb.c      |   5 +-
 security/smack/smack_lsm.c          |  10 +
 34 files changed, 1315 insertions(+), 109 deletions(-)

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
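The client feature above exposes labels to userspace through the ordinary xattr interface. The following C program is an added example, not code from the patch set or from the SELinux project: it reads and sets a file's label through the standard "security.selinux" attribute name and handles the error cases a labeled-NFS client can return (label-less server or file system, file without a label, insufficient privilege). The context strings and the default path used in main() are constructed for illustration; `parse_context` is a hypothetical helper that validates a context before it is sent to the server.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

/* Standard xattr name under which SELinux stores inode labels. */
#define SELINUX_XATTR "security.selinux"
#define FIELD_MAX 64

/* Components of an SELinux security context "user:role:type[:range]". */
struct selinux_ctx {
    char user[FIELD_MAX];
    char role[FIELD_MAX];
    char type[FIELD_MAX];
    char range[FIELD_MAX];   /* empty when there is no MLS/MCS range */
};

/* Hypothetical helper: split a context string into its fields.
 * Returns 0 on success, -1 if fewer than user:role:type are present
 * or a field is empty or too long. */
static int parse_context(const char *ctx, struct selinux_ctx *out)
{
    char *fields[3] = { out->user, out->role, out->type };
    const char *start = ctx;

    memset(out, 0, sizeof(*out));
    for (size_t i = 0; i < 3; i++) {
        const char *colon = strchr(start, ':');
        size_t len = colon ? (size_t)(colon - start) : strlen(start);

        if (len == 0 || len >= FIELD_MAX)
            return -1;
        memcpy(fields[i], start, len);
        fields[i][len] = '\0';
        if (!colon)
            return i == 2 ? 0 : -1;   /* no range: fine only after the type */
        start = colon + 1;
    }
    /* Everything after the third colon is the MLS/MCS range, which may itself
     * contain ':' (e.g. "s0-s0:c0.c1023"), so it is not split further. */
    if (strlen(start) == 0 || strlen(start) >= FIELD_MAX)
        return -1;
    strcpy(out->range, start);
    return 0;
}

/* Read the label of `path` without following a final symlink.
 * Returns the label length, or -errno:
 *   -ENOTSUP  the file system or NFS server carries no labels,
 *   -ENODATA  labels are supported but this inode has none,
 *   -EACCES   SELinux policy denies getattr on the file. */
static ssize_t get_file_label(const char *path, char *buf, size_t size)
{
    if (size == 0)
        return -EINVAL;
    ssize_t n = lgetxattr(path, SELINUX_XATTR, buf, size - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return n;
}

/* Set the label of `path`. The caller needs relabel permission under the
 * local policy and, over NFS, the server must accept the new label
 * (-EPERM / -EACCES otherwise). A malformed context is rejected locally
 * before anything goes on the wire. */
static int set_file_label(const char *path, const char *ctx)
{
    struct selinux_ctx parsed;

    if (parse_context(ctx, &parsed) < 0)
        return -EINVAL;
    if (lsetxattr(path, SELINUX_XATTR, ctx, strlen(ctx), 0) < 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";  /* constructed default */
    char label[256];
    struct selinux_ctx ctx;
    ssize_t n = get_file_label(path, label, sizeof(label));

    if (n < 0) {
        fprintf(stderr, "%s: cannot read label: %s\n", path, strerror((int)-n));
        return 1;
    }
    if (parse_context(label, &ctx) == 0)
        printf("%s: user=%s role=%s type=%s range=%s\n",
               path, ctx.user, ctx.role, ctx.type, ctx.range);
    else
        printf("%s: unparseable label \"%s\"\n", path, label);
    return 0;
}
```

Run it against a file on a labeled NFS mount to see the label the server exported; on a mount using an SELinux context= option the same call returns the mount-wide context instead, which is how the client lets a context mount override an untrusted server.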