[Labeled-nfs] [PATCH 6/7] NFSv4: Client implementation of MAC Labeling

Casey Schaufler casey at schaufler-ca.com
Wed Aug 1 18:06:43 EDT 2007


--- Stephen Smalley <sds at tycho.nsa.gov> wrote:

> On Wed, 2007-08-01 at 14:29 -0700, Casey Schaufler wrote:
> > --- "David P. Quigley" <dpquigl at tycho.nsa.gov> wrote:
> > 
> > > From: David P. Quigley <dpquigl at tycho.nsa.gov>
> > > 
> > > There are several places where recommended attributes are implemented in the
> > > NFSv4 client code. This patch adds two functions to encode and decode the secid
> > > recommended attribute which makes use of the LSM hooks added earlier. It also
> > > adds code to grab the label from the file attribute structures and encode the
> > > label to be sent back to the server. Even though the code is there to encode a
> > > label to be sent back to the server there does not appear to be an interface
> > > to use it yet.
> > 
> > My usual comments regarding configuration names being SELINUX instead
> > of MAC if you stick with u32 labels.
> > 
> > Now I'm confused. Are you sending the context string on the wire,
> > or a sid? 
> 
> The context string.  But it is then mapped to a local SID when it is
> received.

For Smack I would want to pass the label (a short character string)
and then use the string unaltered. I don't need to map it to a SID.
If the interface translates the label to a SID I then have to
translate it right back to a label. I need to invoke the translation
infrastructure twice just to get back what I had originally.

My conclusion* is that the interface needs to be LSM clean, and
leave the representation and processing of the data up to the
LSM module and not make assumptions about how it should be represented.

----
* In support of my goal, of course.


Casey Schaufler
casey at schaufler-ca.com
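An added illustration of the "LSM clean" interface argued for above, not code from the patch under discussion: the label travels as an opaque, length-prefixed byte string (assumed here to be XDR opaque encoding with a constructed 256-byte cap), the decoder bounds-checks the peer-supplied length before copying, and it hands the bytes back unaltered so that an LSM such as Smack gets exactly the string it sent without any SID mapping in between.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LABEL_MAX 256  /* assumption: maximum label length this receiver accepts */

struct wire_label {
    size_t len;
    unsigned char data[LABEL_MAX];
};

/* Encode label bytes as an XDR opaque: 4-byte big-endian length, payload,
 * zero padding to a 4-byte boundary. Returns bytes written, or 0 on error. */
size_t encode_label(const unsigned char *label, size_t len,
                    unsigned char *buf, size_t bufsz)
{
    size_t padded = (len + 3) & ~(size_t)3;
    uint32_t l = (uint32_t)len;
    if (len > LABEL_MAX || bufsz < 4 + padded)
        return 0;
    buf[0] = (unsigned char)(l >> 24); buf[1] = (unsigned char)(l >> 16);
    buf[2] = (unsigned char)(l >> 8);  buf[3] = (unsigned char)l;
    memcpy(buf + 4, label, len);
    memset(buf + 4 + len, 0, padded - len);
    return 4 + padded;
}

/* Decode an XDR opaque label. The length field comes from the peer, so it is
 * checked against both the cap and the remaining buffer before any copy.
 * The bytes are returned verbatim: interpretation is left to the LSM. */
size_t decode_label(const unsigned char *buf, size_t bufsz, struct wire_label *out)
{
    if (bufsz < 4)
        return 0;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    size_t padded = ((size_t)len + 3) & ~(size_t)3;
    if (len > LABEL_MAX || bufsz - 4 < padded)
        return 0;
    memcpy(out->data, buf + 4, len);
    out->len = len;
    return 4 + padded;
}

/* Round trip: the string an LSM puts on the wire is the string it gets back. */
int label_roundtrip_ok(const char *label)
{
    unsigned char wire[4 + LABEL_MAX];
    struct wire_label got;
    size_t n = encode_label((const unsigned char *)label, strlen(label), wire, sizeof wire);
    if (n == 0 || decode_label(wire, n, &got) != n)
        return 0;
    return got.len == strlen(label) && memcmp(got.data, label, got.len) == 0;
}
```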

