| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Feb 2008 13:58:11 -0600 From: "Serge E. Hallyn" <serue@...ibm.com> To: David Howells <dhowells@...hat.com> Cc: Trond.Myklebust@...app.com, chuck.lever@...cle.com, casey@...aufler-ca.com, nfsv4@...ux-nfs.org, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, selinux@...ho.nsa.gov, linux-security-module@...r.kernel.org Subject: Re: [PATCH 00/37] Permit filesystem local caching Quoting David Howells (dhowells@...hat.com): > > > These patches add local caching for network filesystems such as NFS. > > The patches can roughly be broken down into a number of sets: > > (*) 01-keys-inc-payload.diff > (*) 02-keys-search-keyring.diff > (*) 03-keys-callout-blob.diff > > Three patches to the keyring code made to help the CIFS people. > Included because of patches 05-08. > > (*) 04-keys-get-label.diff > > A patch to allow the security label of a key to be retrieved. > Included because of patches 05-08. > > (*) 05-security-current-fsugid.diff > (*) 06-security-separate-task-bits.diff Seems *really* weird that every time you send this, patch 6 doesn't seem to reach me in any of my mailboxes... (did get it from the url you listed) I'm sorry if I miss where you explicitly state this, but is it safe to assume, as perusing the patches suggests, that 1. tsk->sec never changes other than in task_alloc_security()? 2. tsk->act_as is only ever dereferenced from (a) current-> except (b) in do_coredump? (thereby carefully avoiding locking issues) I'd still like to see some performance numbers. Not to object to these patches, just to make sure there's no need to try and optimize more of the dereferences away when they're not needed. Oh, manually copied from patch 6, I see you have in the task_security struct definition: kernel_cap_t cap_bset; /* ? */ That comment can be filled in with 'capability bounding set' (for this task and all its future descendents). thanks, -serge > (*) 07-security-subjective.diff > (*) 08-security-kernel_service-class.diff > (*) 09-security-kernel-service.diff > (*) 10-security-nfsd.diff > > Patches to permit the subjective security of a task to be overridden. > All the security details in task_struct are decanted into a new struct > that task_struct then has two pointers two: one that defines the > objective security of that task (how other tasks may affect it) and one > that defines the subjective security (how it may affect other objects). > > Note that I have dropped the idea of struct cred for the moment. With > the amount of stuff that was excluded from it, it wasn't actually any > use to me. However, it can be added later. > > Required for cachefiles. > > (*) 11-release-page.diff > (*) 12-fscache-page-flags.diff > (*) 13-add_wait_queue_tail.diff > (*) 14-fscache.diff > > Patches to provide a local caching facility for network filesystems. > > (*) 15-cachefiles-ia64.diff > (*) 16-cachefiles-ext3-f_mapping.diff > (*) 17-cachefiles-write.diff > (*) 18-cachefiles-monitor.diff > (*) 19-cachefiles-export.diff > (*) 20-cachefiles.diff > > Patches to provide a local cache in a directory of an already mounted > filesystem. > > (*) 21-nfs-comment.diff > (*) 22-nfs-fscache-option.diff > (*) 23-nfs-fscache-kconfig.diff > (*) 24-nfs-fscache-top-index.diff > (*) 25-nfs-fscache-server-obj.diff > (*) 26-nfs-fscache-super-obj.diff > (*) 27-nfs-fscache-inode-obj.diff > (*) 28-nfs-fscache-use-inode.diff > (*) 29-nfs-fscache-invalidate-pages.diff > (*) 30-nfs-fscache-iostats.diff > (*) 31-nfs-fscache-page-management.diff > (*) 32-nfs-fscache-read-context.diff > (*) 33-nfs-fscache-read-fallback.diff > (*) 34-nfs-fscache-read-from-cache.diff > (*) 35-nfs-fscache-store-to-cache.diff > (*) 36-nfs-fscache-mount.diff > (*) 37-nfs-fscache-display.diff > > Patches to provide NFS with local caching. > > A couple of questions on the NFS iostat changes: (1) Should I update the > iostat version number; (2) is it permitted to have conditional iostats? > > > I've brought the patchset up to date with respect to the 2.6.25-rc1 merge > window, in particular altering Smack to handle the split in objective and > subjective security in the task_struct. > > -- > A tarball of the patches is available at: > > http://people.redhat.com/~dhowells/fscache/patches/nfs+fscache-30.tar.bz2 > > > To use this version of CacheFiles, the cachefilesd-0.9 is also required. It > is available as an SRPM: > > http://people.redhat.com/~dhowells/fscache/cachefilesd-0.9-1.fc7.src.rpm > > Or as individual bits: > > http://people.redhat.com/~dhowells/fscache/cachefilesd-0.9.tar.bz2 > http://people.redhat.com/~dhowells/fscache/cachefilesd.fc > http://people.redhat.com/~dhowells/fscache/cachefilesd.if > http://people.redhat.com/~dhowells/fscache/cachefilesd.te > http://people.redhat.com/~dhowells/fscache/cachefilesd.spec > > The .fc, .if and .te files are for manipulating SELinux. > > David > - > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists