[RFC] Security Enhanced NFS (SENFS) Requirements - draft 05
James Morris
jmorris at namei.org
Sat Jun 23 16:20:33 EDT 2007
On Sat, 23 Jun 2007, J. Bruce Fields wrote:
> This mostly seems to be an argument that we need something more than an
> xattr protocol on its own, which is obviously true. But I don't
> understand why xattrs couldn't be used just for the purpose of getting
> and setting file labels. Maybe an example would help me understand the
> problems you're seeing?

I didn't say they couldn't be used.

NFSv4 has an existing extensible mechanism for modifying and retrieving
authorization of objects (SETATTR/GETATTR), which maps well to the
requirements e.g. the bitmap4 structure can be used to unambiguously
signify whether security labels are supported.

If Linux-style xattrs are to be implemented in NFSv4, then they could be
used, although I'm not sure it would be the cleanest approach.

I think network xattrs work well when they are opaque and user-managed, so
that the semantics at the NFS layer are simple and consistent. With
security labels, things are quite different in that they need to be
interpreted and managed by the kernel, and that more generally, different
types of kernel-managed labels may have vastly different semantics and are
not necessarily a good case for a general solution. For example, consider
xattrs used for other security mechanisms such as filesystem encryption or
integrity labeling. I think there will be many instances of special case
behavior with kernel-managed labels that do not fit cleanly with a
generalized mechanism. Again, please note that ACLs do not use xattrs
over the wire, even though they could technically and do at the local
filesystem level.

It's not something I have extraordinarily strong feelings about. If the
consensus is to do this with xattrs, then that's ok.

- James
--
James Morris
<jmorris at namei.org>
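
Added example, not part of the original message and not code from any NFS implementation: how a client could read an XDR-encoded bitmap4 (such as a supported-attributes reply) to tell whether a server advertises a security label attribute, including the short-bitmap and truncated-reply cases. The attribute number 80, the function name and the sample byte strings are assumptions made for illustration; the thread assigns no number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FATTR4_ACL      12u  /* acl attribute number in NFSv4 */
/* Assumption: the thread assigns no number to a security label attribute.
 * 80 is the number NFSv4.2 later gave sec_label; used here for illustration. */
#define ATTR_SEC_LABEL  80u
#define MAX_WORDS        8u  /* constructed sanity cap on bitmap length */

/* Constructed samples: XDR bitmap4 = big-endian word count, then the words. */
static const uint8_t labelled[]  = { 0,0,0,3,  0,0,0x10,0,  0,0,0,0,  0,1,0,0 };
static const uint8_t legacy[]    = { 0,0,0,2,  0,0,0x10,0,  0,0,0,0 };
static const uint8_t truncated[] = { 0,0,0,3,  0,0,0x10,0,  0,0,0,0 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* 1 = attribute bit set, 0 = clear or beyond the words sent, -1 = malformed. */
int bitmap4_test(const uint8_t *buf, size_t len, uint32_t attr)
{
    uint32_t nwords, word = attr / 32;

    if (len < 4)
        return -1;
    nwords = be32(buf);
    if (nwords > MAX_WORDS || (len - 4) / 4 < nwords)
        return -1;              /* count claims more words than were received */
    if (word >= nwords)
        return 0;               /* short bitmap: attribute is not supported */
    return (int)((be32(buf + 4 + 4 * (size_t)word) >> (attr % 32)) & 1u);
}

int main(void)
{
    printf("labelled server: %d\n", bitmap4_test(labelled, sizeof labelled, ATTR_SEC_LABEL));
    printf("legacy server:   %d\n", bitmap4_test(legacy, sizeof legacy, ATTR_SEC_LABEL));
    printf("truncated reply: %d\n", bitmap4_test(truncated, sizeof truncated, ATTR_SEC_LABEL));
    return 0;
}
```

A server that predates the attribute simply sends fewer words, so the check returns 0 rather than an error, and a malformed reply is kept distinct from "not supported".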