[Labeled-nfs] Current development prototype patches.
Trond Myklebust
trond.myklebust at fys.uio.no
Mon Aug 6 19:04:17 EDT 2007
On Mon, 2007-08-06 at 15:27 -0700, Casey Schaufler wrote:

> Ok, so you're right. What is your recommendation on getting xattrs
> into a "real" protocol before they ship me off to the California
> Home for the Bewildered? We implemented the SGI xattr extension ten
> years ago and no one has done boo in the "real" protocol space the
> entire time since, it's still the best available implementation. I
> am supporting the work here in hopes that even if it turns out not
> to my liking it may at least break the current technology logjam.

If all you want to do is add EAs, then they can trivially be added as a
new attribute type in the NFSv4 GETATTR call.

I must admit, though, that I'm less partial to the idea of adding full
support for Linux EAs simply because they do much more than just
security labels. Defining all the different types of functionality that
EAs add for the benefit of other client and server implementers is going
to be a lot of work for whoever takes on the task of writing the RFC.
AFAIK, we haven't even written up a proper definition of the various
types of xattr on Linux.

To simplify the task, I believe you should, and rather concentrate on
carefully defining the behaviour of "security.*" and "user.*" and then
simply refuse to export "system.*" and "trusted.*".

The documentation issue is the main reason why I'd be more partial to
the approach that David is taking. His is a more limited project (just
define SELinux labels over NFSv4) and thus is easier to describe in an
RFC.

Trond