[Labeled-nfs] Labeled RPC & NFS
Matthew N. Dodd
Matthew.Dodd at sparta.com
Mon Jan 14 17:46:18 EST 2008
James Morris wrote:
> On Mon, 14 Jan 2008, Matthew N. Dodd wrote:
>
>> James Morris wrote:
>>> It pretty much needs to "just work". Enabling MAC on NFS should not mean
>>> having to change authentication schemes, especially to something potentially
>>> less secure.
>> We're somewhat limited by our inability to inject random context data into the
>> GSS_RPC stream.
>>
>> As I've mentioned before, even if you solve this the current code caches
>> credential data by UID, which makes it difficult to support processes of
>> differing labels running under the same UID.
>>
>> Now, we could bump RPC_GSS_VERSION, add a flags field and TLVs to hold the
>> label, but that involves a whole lot of buy-in.
>>
>> Solving this up at the NFS layer has its own problems.
>
> Well, that was the hope. What are the problems ?
Look at the code inside the CONFIG_NFS_V4_PUTCLIENTLABEL #ifdefs.
Passing in enough context to make this behavior conditional on mount
option/server support looks to be highly intrusive. (We need struct
nfs_server to test for server capabilities.)
If its acceptable to add a pointer to every single client operation
argument structure I'll do so.
More information about the Labeled-nfs
mailing list