| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Feb 2008 21:01:29 -0800 From: Trond Myklebust <trond.myklebust@....uio.no> To: casey@...aufler-ca.com Cc: Christoph Hellwig <hch@...radead.org>, Dave Quigley <dpquigl@...ho.nsa.gov>, Stephen Smalley <sds@...ho.nsa.gov>, viro@....linux.org.uk, bfields@...ldses.org, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, LSM List <linux-security-module@...r.kernel.org> Subject: Re: [PATCH 01/11] Security: Add hook to get full maclabel xattr name On Thu, 2008-02-28 at 17:26 -0800, Casey Schaufler wrote: > --- Trond Myklebust <trond.myklebust@....uio.no> wrote: > > > > > On Thu, 2008-02-28 at 19:39 -0500, Christoph Hellwig wrote: > > > On Thu, Feb 28, 2008 at 07:04:57PM -0500, Dave Quigley wrote: > > > > There are several things here. I've spoken to several people about this > > > > and the belief I've gotten from most of them is that a recommended > > > > attribute is how this is to be transported. The NFSv4 spec people will > > > > probably say that if you want xattr like functionality for NFSv4 use > > > > named attributes. For us this is not an option since we require > > > > semantics to label on create/open and the only way we can do this is by > > > > adding a recommended attribute. The create/open calls in NFSv4 takes a > > > > list of attributes to use on create as part of the request. I really > > > > don't see a difference between the security blob and the > > > > username/groupname that NFSv4 currently uses. Also there is a good > > > > chance that we will need to translate labels at some point (read future > > > > work). > > > > > > Then use the existing side-band protocol and ignore the NFSv4 spec > > > group. They're <skip colourful language here> anyway. > > > > As I've told you several times before: we're _NOT_ putting private > > ioctl^Hxattrs onto the wire. If the protocol can't be described in an > > RFC, then it isn't going in no matter what expletive you choose to > > use... > > With the SGI supplied reference implementation it ought to be a > small matter of work to write an RFC. If the information weren't > SGI proprietary I could even tell you how long it ought to take > a junior engineer in Melbourne to write. The fact that there is > currently no RFC does not mean that there cannot be a RFC, only > that no one has written (or published) one yet. NO! It is not a "small matter of work". The fact is that private crap like the 'security' and 'system' namespace makes describing 'xattr' as a protocol a non-starter and an interoperability nightmare. If you can't do better than xattr for a security protocol, then it is time to go look for another job... -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists