[Labeled-nfs] Labeled NFS Update

David P. Quigley dpquigl at tycho.nsa.gov
Thu Sep 3 17:26:00 EDT 2009


Hello Everyone,
    I know it's been a long time since we've had some traffic on the list,
so it is a good idea to inform everyone as to the current state of the
labeled NFS work. Each section below gives the most recent progress and
then what work there is still to do.

Linux Prototype:

Recently Matt finished updating the prototype to redo the way it passes
the nfs4_label structures down the call chain. After splitting this
patch and merging it with the existing patch set the prototype was
rebased to the latest kernel version. There are currently some problems
with the upstream tree but they are being worked on and will hopefully
be taken care of soon.

Things still on the table for the Linux prototype are:

NFSD Client Label Extensions: Extensions to the NFS server to allow an
NFS server running SELinux or Smack to specify the process label of the
client based on some criterion. This can be the network interface, the
user credentials, the specific IP address, or some other criterion. This
has benefits for NFSv3 servers as well as NFSv4 servers.
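As an added illustration of the client-label idea above (example code, not the prototype's own, and the rule table, interface names, addresses and labels are constructed), the following C snippet maps a client's connection attributes to a process label with a first-match policy table. A client that matches no rule gets no label, so the server falls back to its unlabeled default rather than guessing:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical client-label policy for an NFS server (added example).
 * Each rule matches on an optional interface, an optional IPv4 prefix and
 * an optional UID; the first matching rule supplies the process label
 * applied to that client's requests. */

struct client_ctx {
    const char *iface;      /* interface the request arrived on */
    uint32_t    ipv4;       /* client address, host byte order */
    uint32_t    uid;        /* authenticated uid, UINT32_MAX if unknown */
};

struct label_rule {
    const char *iface;      /* NULL = any interface */
    uint32_t    net;        /* IPv4 prefix, host byte order */
    unsigned    prefix_len; /* 0 = any address */
    uint32_t    uid;        /* UINT32_MAX = any user */
    const char *label;      /* SELinux-style label to assign (constructed) */
};

static int ip_in_prefix(uint32_t ip, uint32_t net, unsigned len)
{
    if (len == 0) return 1;
    if (len > 32) return 0;               /* malformed rule: never matches */
    uint32_t mask = (len == 32) ? 0xffffffffu : ~(0xffffffffu >> len);
    return (ip & mask) == (net & mask);
}

/* Constructed sample policy. Order matters: the most specific rule for
 * the lab network (uid 1000) precedes the catch-all for that network. */
static const struct label_rule rules[] = {
    { "eth1", 0xc0a80100u /* 192.168.1.0 */, 24, 1000,       "system_u:system_r:nfs_lab_t:s0"    },
    { NULL,   0x0a000005u /* 10.0.0.5 */,    32, UINT32_MAX, "system_u:system_r:nfs_admin_t:s0"  },
    { "eth1", 0xc0a80100u /* 192.168.1.0 */, 24, UINT32_MAX, "system_u:system_r:nfs_client_t:s0" },
};

/* Return the label for this client, or NULL when no rule applies. */
const char *nfsd_client_label(const struct client_ctx *c)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct label_rule *r = &rules[i];
        if (r->iface && (!c->iface || strcmp(r->iface, c->iface) != 0)) continue;
        if (!ip_in_prefix(c->ipv4, r->net, r->prefix_len)) continue;
        if (r->uid != UINT32_MAX && r->uid != c->uid) continue;
        return r->label;
    }
    return NULL;   /* fall back to the server's unlabeled default */
}

int main(void)
{
    struct client_ctx lab   = { "eth1", 0xc0a80107u, 1000 };
    struct client_ctx other = { "eth0", 0xc0a80107u, 1000 };
    printf("lab host : %s\n", nfsd_client_label(&lab));
    printf("eth0 host: %s\n", nfsd_client_label(&other) ? "labeled" : "default");
    return 0;
}
```

The NULL return is the important design point: a server that cannot classify a client should apply its ordinary unlabeled policy, not a permissive label, so a mis-ordered or incomplete rule table fails closed.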

RPCSECGSSv3 implementation: While the earlier methods used for process
label transport in labeled NFS worked, they weren't ideal. A proper
solution to this problem was put forth and is outlined in the
RPCSECGSSv3 specification. RPCSECGSSv3 requires either a working v1 or
v2 implementation. Since we already have these versions available, work
just needs to be done to provide the additional functionality that v3
outlines.

Label Translation example: We currently have some patches to provide the
label translation framework for the NFSv4 client and server to consume.
We need to figure out how label translation is going to work and then
provide a library which provides that sample functionality. From there
people can provide other translation libraries to suit their needs.

IETF Documents:

The most recent development in this space is that the NFSv4 working
group has started work on the NFSv4.2 specification. The good news is
that Mike Eisler has suggested that the MAC attribute be added to the
list of features to be incorporated into the specification.

Things in the works for the IETF:

Impact Study: An impact study was tasked to us two IETF meetings ago.
I've received contributions from the co-author and am working on
integrating them into the document that the Working Group is looking
for. Additional co-authors on this document are welcome.

Label Format Specification: After wrestling with the interoperability
problem we came to the conclusion that it makes the most sense to break
what used to be referred to as a DOI into two parts. This method is
similar to the original method suggested in the Labeled IPsec document
but differs in that the first part is a label format specifier and not a
specific MAC mechanism specifier. This document will explain how to
specify label formats and the semantics of the components of the format
for use with Labeled NFS. This will allow us to specify an initial list
of label formats to address some concerns from the working group about
how implementers will be able to implement portions of the labeled NFS
specification.

Initial Label Format Document: It's unclear at the moment which label
formats should be listed as the initial formats. One potential is taking
the CALIPSO label format wholesale from the CALIPSO specification and
using that as one of the initial ones.


Additional Community Involvement:

Recently I contacted several members of the FreeBSD community inquiring
about their NFSv4 implementation for a potential second prototype. Both
the NFSv4 maintainer and the MAC Framework maintainer responded
favorably to the idea and have offered support when possible. If anyone
is familiar with FreeBSD development and would like to participate in
that process, you can contact me.



Hopefully this gives everyone an idea of where we are at and also
provides some ideas for how people can get involved in the project if
they are interested.

Dave


