lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200003.6173.qm@web36607.mail.mud.yahoo.com>
Date:	Fri, 29 Feb 2008 09:26:25 -0800 (PST)
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Trond Myklebust <trond.myklebust@....uio.no>,
	casey@...aufler-ca.com
Cc:	Christoph Hellwig <hch@...radead.org>,
	Dave Quigley <dpquigl@...ho.nsa.gov>,
	Stephen Smalley <sds@...ho.nsa.gov>, viro@....linux.org.uk,
	bfields@...ldses.org, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org,
	LSM List <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH 01/11] Security: Add hook to get full maclabel xattr name


--- Trond Myklebust <trond.myklebust@....uio.no> wrote:

> 
> ...
> > With the SGI supplied reference implementation it ought to be a
> > small matter of work to write an RFC. If the information weren't
> > SGI proprietary I could even tell you how long it ought to take
> > a junior engineer in Melbourne to write. The fact that there is
> > currently no RFC does not mean that there cannot be a RFC, only
> > that no one has written (or published) one yet.
> 
> NO! It is not a "small matter of work".

Ah, well, I don't understand why, but that's probably just
me being ignorant. It happens from time to time.

> The fact is that private crap like the 'security' and 'system' namespace
> makes describing 'xattr' as a protocol a non-starter and an
> interoperability nightmare.

Ok, I can buy that it doesn't fit in with the current protocol
mindset, and that I for one have not demonstrated that it can
be. I remember how upset the IETF got over the original CIPSO
proposal not specifying which label tag value coresponded to
"Top Secret". 

> If you can't do better than xattr for a
> security protocol, then it is time to go look for another job...

But ... I don't have a job. You're being mean. (smiley)

I think that we have a conflict between what works well for
a filesystem (xattrs are really helpful) and what works well
for a network protocol (undefined blobs of goo are atrocious)
in the case of a network file system. From either standpoint
the other is completely unworkable.

It may be the case that for NFS the proposed scheme (delta
LSM naming propriety, which is getting addressed) is the
best we can do. NFS is an old protocol (older than some of
the people reading this) and should be excused some shortcomings.

Thank you.


Casey Schaufler
casey@...aufler-ca.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ