[Labeled-nfs] Labeled NFS Update

Jarrett Lu Jarrett.Lu at Sun.COM
Thu Sep 3 19:25:11 EDT 2009 

David,

Thanks for the update. It's been a while, and I like to back up and ask 
a high level question. When accessing a remote file system object (on 
MAC systems), two important pieces of information need to be exchanged: 
(1) the credential of the requester (e.g. its label, privileges, 
security context, capabilities, etc.). The credential will be used as 
part of access control. (2) label of the object being accessed (e.g. 
security label attributes of a file). In the proposed Labeled NFS model, 
is it true that (1) will be covered by RPCSECGSSv3 and (2) will be 
covered by the new MAC Label Attributes in NFSv4.2?

Thanks.

Jarrett


On 09/03/09 14:26, David P. Quigley wrote:
> Hello Everyone,
>     I know its been a long time since we've had some traffic on the list
> so it is a good idea to inform everyone as to the current state of the
> labeled NFS work. In each section below is the most recent progress and
> then what work there is still to do.
>
> Linux Prototype:
>
> Recently Matt finished updating the prototype to redo the way it passes
> the nfs4_label structures down the call chain. After splitting this
> patch and merging it with the existing patch set the prototype was
> rebased to the latest kernel version. There are currently some problems
> with the upstream tree but they are being worked on and will hopefully
> be taken care of soon.
>
> Things still on the table for the Linux prototype are:
>
> NFSD Client Label Extensions: Extensions to the NFS server to allow for
> a NFS server running SELinux or Smack to be able to specify the process
> label of the client based on some sort of criteria. This can be the
> network interface, the user credentials, the specific IP address, or
> some other criteria. This has benefits to NFSv3 servers as well as NFSv4
> servers. 
>
> RPCSECGSSv3 implementation: While the earlier methods used for process
> label transport in labeled NFS worked they weren't ideal. A proper
> solution to this problem was put forth and it is outlined in the
> RPCSECGSSv3 specification. RPCSECGSSv3 requires either a working v1 or
> v2 implementation. Since we already have these versions available, work
> just needs to be done to provide the additional functionality that v3
> outlines.
>
> Label Translation example: We currently have some patches to provide the
> label translation framework for the NFSv4 client and server to consume.
> We need to figure out how label translation is going to work and then
> provide a library which provides that sample functionality. From there
> people can provide other translation libraries to suit their needs.
>
> IETF Documents:
>
> The most recent development in this space is that the NFSv4 working
> group has started work on the NFSv4.2 specification. The good news is
> that Mike Eisler has suggested that the MAC attribute be added to the
> list of features to be incorporated into the specification.
>
> Things in the works for the IETF:
>
> Impact Study: Tasked to us two IETF meetings ago was an Impact study.
> I've received contributions from the co-author and am working on
> integrating them into the document that the Working Group is looking
> for. Additional co-authors on this document are welcome.
>
> Label Format Specification: After wrestling with the interoperability
> problem we came to the conclusion that it makes the most sense to break
> what use to be referred to as a DOI into two parts. This method is
> similar to the original method suggested in the Labeled IPSec document
> but differs in that the first part is a label format specifier and not a
> specific MAC mechanism specifier. This document will explain how to
> specify label formats and semantics of the components of the format for
> use with Labeled NFS. This will allow us to specify an initial list of
> label formats to address some concerns from the working group about how
> implementers will be able to implement portions of the labeled NFS
> specification.
>
> Initial Label Format Document: It's unclear at the moment which label
> formats should be listed as the initial formats. One potential is taking
> the CALIPSO label format wholesale from the CALIPSO specification and
> using that as one of the initial ones.
>
>
> Additional Community Involvement:
>
> Recently I contacted several members of the FreeBSD community inquiring
> about their NFSv4 implementation for a potential second prototype. Both
> the NFSv4 maintainer and the MAC Framework maintainer responded
> favorably to the idea and have offered support when possible. If anyone
> is familiar with FreeBSD development and would like to participate in
> that process you can contact me.
>
>
>
> Hopefully this gives everyone an idea of where we are at and also
> provides some ideas for how people can get involved in the project if
> they are interested.
>
> Dave
>
> _______________________________________________
> Labeled-nfs mailing list
> Labeled-nfs at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/labeled-nfs
>

More information about the Labeled-nfs mailing list