[Labeled-nfs] Labeled RPC & NFS

Matthew N. Dodd Matthew.Dodd at sparta.com
Thu Nov 29 15:05:05 EST 2007


Stephen Smalley wrote:
> On Thu, 2007-11-29 at 12:51 -0500, Matthew N. Dodd wrote:
>> Other patches have addressed file labels and NFSv4.
>>
>> This set of patches  provides the NFS server with the label of the 
>> requesting client process.  This allows the policy on the server to use 
>> the actual client process label when computing an access decision.
>>
>> fs/nfsd/auth.c:nfsd_setuser() performs security_setprocattr() when a 
>> label is available from the client.
> 
> I think you want a different hook for that purpose, as setprocattr is
> called when userspace writes to /proc/self/attr/current and imposes a
> set of conditions and permission checks that aren't really appropriate
> for a kernel-internal operation.  In fact, David Howells' patches
> already had a hook for assuming an acting SID for an operation.

Whatever works best.

>> I've created a version of the 'AUTH_UNIX' RPC_AUTH which adds a text 
>> encoded label.
> 
> I assume that's just for prototyping purposes?  My understanding was
> that we were going to do this via GSS.

GSS adds nothing but additional complexity at this point.  The key 
changes here are the ones that change the various cred structures 
consumed by the RPC and NFS code.

I'll look at what it would take to encode the user label as part of the 
username.  That's going to involve the userland GSS daemons though.

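As an added illustration of the labeled AUTH_UNIX idea discussed above (example code, not the patch set's own), this Python encodes and parses an AUTH_SYS credential body with a text label appended after the gids. The base AUTH_SYS fields and the 400-byte opaque_auth limit come from RFC 5531; placing the label last, the sample context string and the rejection of oversize bodies are assumptions about a prototype whose exact wire layout the message does not give.

```python
import struct
from dataclasses import dataclass

MAX_AUTH_BYTES = 400  # RFC 5531 bounds the opaque RPC auth body to 400 bytes

def _xdr_uint(n: int) -> bytes:
    return struct.pack(">I", n)
def _xdr_string(s: bytes) -> bytes:
    # XDR variable-length opaque: 4-byte length, data, zero padding to a 4-byte boundary
    return _xdr_uint(len(s)) + s + b"\0" * ((-len(s)) % 4)
@dataclass
class LabeledSysCred:
    # AUTH_SYS parameters from RFC 5531, plus a trailing text label (assumed layout)
    stamp: int
    machinename: bytes
    uid: int
    gid: int
    gids: list
    label: bytes  # client process security context, e.g. b"user_u:user_r:user_t:s0"

    def encode(self) -> bytes:
        body = _xdr_uint(self.stamp) + _xdr_string(self.machinename)
        body += _xdr_uint(self.uid) + _xdr_uint(self.gid)
        body += _xdr_uint(len(self.gids)) + b"".join(map(_xdr_uint, self.gids))
        body += _xdr_string(self.label)
        if len(body) > MAX_AUTH_BYTES:
            raise ValueError("credential exceeds the 400-byte RPC auth body limit")
        return body
class _XdrReader:
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0
    def uint(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos)  # struct.error if truncated
        self.pos += 4
        return v
    def string(self, bound: int) -> bytes:
        n = self.uint()
        if n > bound or self.pos + n > len(self.buf):
            raise ValueError("string length out of bounds")
        s = self.buf[self.pos:self.pos + n]
        self.pos += n + (-n) % 4
        return s

def decode(body: bytes) -> LabeledSysCred:
    # Server-side parse; like uid/gid, the label is asserted by the client, not verified
    r = _XdrReader(body)
    stamp, mach, uid, gid, ngids = r.uint(), r.string(255), r.uint(), r.uint(), r.uint()
    if ngids > 16:
        raise ValueError("too many supplementary gids")
    gids = [r.uint() for _ in range(ngids)]
    return LabeledSysCred(stamp, mach, uid, gid, gids, r.string(MAX_AUTH_BYTES))
```

The 400-byte bound is the practical constraint on carrying a label this way: a long context plus 16 gids and a machine name can exceed it, which is one reason the thread considers GSS instead.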