[Labeled-nfs] Current development prototype patches.

Trond Myklebust trond.myklebust at fys.uio.no
Tue Aug 7 18:55:19 EDT 2007


On Tue, 2007-08-07 at 18:19 -0400, Matthew N. Dodd wrote:
> Further, a well designed label set/get facility would make things much 
> easier on the server side where file labels need to be changed by the 
> kernel.  In an ideal world I'd just notify the filesystem that the inode 
> label has been changed and the filesystem code would do the right thing 
> to push the label to disk.
> 
> Currently the filesystem code has the "init a label" and "save the label 
> to disk" operations all in one function, which isn't exactly how things 
> should work either.  In an ideal world we'd generate a label up in the 
> VFS and push it down to the filesystem from vfs_create().

What you really want is to be able to tell the OPEN or CREATE calls that
they must attach a security label when creating a file. The problem with
that is that in the NFSv4 minor versioning rules you cannot actually
modify the OPEN and CREATE operations themselves to take additional
arguments.

One way to work around this restriction would be to add an operation
that states 'attach this security label' if this COMPOUND contains an
operation that creates a file.
IOW: add the concept of a 'current security label' and add an operation
PUT_CREATE_SECURITY_LABEL that in essence declares that any OPEN or
CREATE call that follows it in an NFSv4 COMPOUND must attach this
security label to the file it creates.

Trond
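
A sketch of the 'current security label' idea from the message above, added here as an example; it is not part of the original post and is not code from any NFS implementation. The struct and enum names, the server-default fallback when no label was set, and resetting the label at the start of each COMPOUND (by analogy with the current filehandle) are assumptions; the label string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the proposal; not NFSv4 wire format or kernel code. */
enum op_type { OP_PUT_CREATE_SECURITY_LABEL, OP_CREATE, OP_OPEN };

struct op { enum op_type type; const char *arg; };  /* arg: label or file name */
struct file { char name[32]; char label[64]; };

#define DEFAULT_LABEL "server_default"  /* assumed fallback, constructed value */

/* Evaluate one COMPOUND; returns the number of files created into out[]. */
int run_compound(const struct op *ops, int nops, struct file *out, int max)
{
    const char *cur_label = NULL;  /* per-COMPOUND state, starts empty (assumption) */
    int created = 0;

    for (int i = 0; i < nops; i++) {
        switch (ops[i].type) {
        case OP_PUT_CREATE_SECURITY_LABEL:
            cur_label = ops[i].arg;  /* only records the label, creates nothing */
            break;
        case OP_CREATE:
        case OP_OPEN:
            if (created == max)
                return created;
            /* The label is attached in the same step that creates the file,
             * so OPEN and CREATE keep their existing arguments and the file
             * never exists without its label. */
            snprintf(out[created].name, sizeof out[created].name, "%s", ops[i].arg);
            snprintf(out[created].label, sizeof out[created].label, "%s",
                     cur_label ? cur_label : DEFAULT_LABEL);
            created++;
            break;
        }
    }
    return created;
}

int main(void)
{
    const struct op ops[] = {
        { OP_PUT_CREATE_SECURITY_LABEL, "system_u:object_r:example_t:s0" },
        { OP_OPEN, "report.txt" },
    };
    struct file f[2];
    int n = run_compound(ops, 2, f, 2);
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", f[i].name, f[i].label);
    return 0;
}
```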


