[Labeled-nfs] [RFC] SENFS: MAC labeling support for NFSv4

Casey Schaufler casey at schaufler-ca.com
Wed Aug 1 17:59:02 EDT 2007


--- Stephen Smalley <sds at tycho.nsa.gov> wrote:

> On Wed, 2007-08-01 at 13:55 -0700, Casey Schaufler wrote:
> > --- "David P. Quigley" <dpquigl at tycho.nsa.gov> wrote:
> > 
> > > This is the first set of patches attempting to provide a generic
> > > framework for MAC labeling in NFSv4.
> > 
> > I've read through the patches and I have one very important issue.
> > If you are going to provide a "generic" framework you need to support
> > label representations other than u32. If you only want to support
> > SELinux, and I understand that that is your initial target, a u32
> > is fine, but if you want a generic framework you need to allow for
> > the kinds of labels that have been used elsewhere. Smack (under
> > review now) uses an 8-byte label. Trusted Irix uses a 510-byte label,
> > and although I wouldn't expect that implementation to actually get
> > ported any time soon it provides an existence proof for large labels.
> > If you're talking about NFS you need to seriously consider what
> > Trusted Solaris requires, if just out of courtesy to those who brought
> > you NFS in the first place.
> 
> The label representation over the wire isn't a u32 (or inherently
> limited in size); the u32 secid is just a handle to the label.  As long
> as the code invokes a secid_to_secctx hook to obtain the actual label to
> be conveyed over the wire, there is no harm, and it is more efficient to
> handle them as secids than full labels internally.

This is true for SELinux, where the secid is a map to a sophisticated
label. On Smack the label is completely unsophisticated and
translating back and forth to secids adds unnecessary overhead.

In the spirit of LSM I suggest that blobs are more appropriate
units of data than u32s. I understand that the SELinux design
philosophy is well served by secids. My design philosophy, which
is pretty much the opposite, has no need for secids and is
negatively impacted by interfaces that require them.


Casey Schaufler
casey at schaufler-ca.com
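
The two interface styles debated in this thread, as a user-space model added here for illustration; it is not code from the SENFS patches, SELinux or Smack. The label table, the `model_*` and `encode_*` names, and the length-prefixed wire encoding are assumptions. It shows that a secid interface and a blob interface put the same bytes on the wire, with the secid path paying for an interning table and a lookup.

```c
/* User-space model (added example); all names are hypothetical, not kernel API. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_LABELS    16
#define MAX_LABEL_LEN 510  /* constructed limit: largest label size named in the thread */
struct label { size_t len; unsigned char data[MAX_LABEL_LEN]; };
static struct label table[MAX_LABELS];  /* secid N lives in table[N - 1] */
static uint32_t nlabels;

/* Intern a label and return its u32 handle; 0 means failure. */
uint32_t model_secctx_to_secid(const void *ctx, size_t len)
{
    if (len == 0 || len > MAX_LABEL_LEN) return 0;
    for (uint32_t i = 0; i < nlabels; i++)
        if (table[i].len == len && memcmp(table[i].data, ctx, len) == 0)
            return i + 1;
    if (nlabels == MAX_LABELS) return 0;
    table[nlabels].len = len;
    memcpy(table[nlabels].data, ctx, len);
    return ++nlabels;
}

/* Resolve a handle back to label bytes; 0 = ok, -1 = unknown secid. */
int model_secid_to_secctx(uint32_t secid, const void **ctx, size_t *len)
{
    if (secid == 0 || secid > nlabels) return -1;
    *ctx = table[secid - 1].data;
    *len = table[secid - 1].len;
    return 0;
}

/* Blob interface: 4-byte big-endian length, then opaque bytes; 0 = buffer too small. */
size_t encode_label(unsigned char *out, size_t cap, const void *ctx, size_t len)
{
    if (cap < 4 || len > cap - 4) return 0;
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(len >> (24 - 8 * i));
    memcpy(out + 4, ctx, len);
    return 4 + len;
}

/* secid interface: one extra table lookup, then the same encoding. */
size_t encode_secid(unsigned char *out, size_t cap, uint32_t secid)
{
    const void *ctx; size_t len;
    if (model_secid_to_secctx(secid, &ctx, &len) != 0) return 0;
    return encode_label(out, cap, ctx, len);
}
```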

