| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Feb 2008 09:26:25 -0800 (PST) From: Casey Schaufler <casey@...aufler-ca.com> To: Trond Myklebust <trond.myklebust@....uio.no>, casey@...aufler-ca.com Cc: Christoph Hellwig <hch@...radead.org>, Dave Quigley <dpquigl@...ho.nsa.gov>, Stephen Smalley <sds@...ho.nsa.gov>, viro@....linux.org.uk, bfields@...ldses.org, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, LSM List <linux-security-module@...r.kernel.org> Subject: Re: [PATCH 01/11] Security: Add hook to get full maclabel xattr name --- Trond Myklebust <trond.myklebust@....uio.no> wrote: > > ... > > With the SGI supplied reference implementation it ought to be a > > small matter of work to write an RFC. If the information weren't > > SGI proprietary I could even tell you how long it ought to take > > a junior engineer in Melbourne to write. The fact that there is > > currently no RFC does not mean that there cannot be a RFC, only > > that no one has written (or published) one yet. > > NO! It is not a "small matter of work". Ah, well, I don't understand why, but that's probably just me being ignorant. It happens from time to time. > The fact is that private crap like the 'security' and 'system' namespace > makes describing 'xattr' as a protocol a non-starter and an > interoperability nightmare. Ok, I can buy that it doesn't fit in with the current protocol mindset, and that I for one have not demonstrated that it can be. I remember how upset the IETF got over the original CIPSO proposal not specifying which label tag value coresponded to "Top Secret". > If you can't do better than xattr for a > security protocol, then it is time to go look for another job... But ... I don't have a job. You're being mean. (smiley) I think that we have a conflict between what works well for a filesystem (xattrs are really helpful) and what works well for a network protocol (undefined blobs of goo are atrocious) in the case of a network file system. From either standpoint the other is completely unworkable. It may be the case that for NFS the proposed scheme (delta LSM naming propriety, which is getting addressed) is the best we can do. NFS is an old protocol (older than some of the people reading this) and should be excused some shortcomings. Thank you. Casey Schaufler casey@...aufler-ca.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists