From: Chuck Lever <chuck.lever@oracle.com>
To: linux-nfs@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [PATCH v2 0/5] RFC: Linux IMA on NFS prototype
Date: Thu, 07 Mar 2019 10:28:38 -0500
Message-ID: <20190307151838.11306.94183.stgit@manet.1015granger.net>

This series implements support for accessing and updating the
security.ima xattr on files that reside on an NFS export. Since the
NFS protocol does not have capabilities like CAP_SYS_ADMIN, on NFS
clients only root is allowed to set this xattr.

I'm interested in comments on the implementation, test results, or a
discussion of whether this proposal creates undesirable security
exposures.

Git repo: git://git.linux-nfs.org/projects/cel/cel-2.6.git

in the nfs-ima-prototype topic branch.


Implementation Notes

Please see the individual patch descriptions: standards action is
still required to define the official FATTR4 flag that all NFSv4.2
implementations recognize as meaning "the security.ima xattr". This
prototype is not guaranteed to interoperate with future prototypes
or standards-compliant implementations of this feature. It is for
experimental purposes only.

EVM is not supported in this prototype. The NFS protocol does not
support several of the xattrs that are protected by EVM: SMACK64,
Posix ACLs, and Linux file capabilities are not supported. When
these are present in an EVM hash, NFS clients can't retrieve them
to verify the hash.

This prototype does not match what is described in
draft-ietf-nfsv4-integrity-measurement. Since that draft was
submitted, there has been vigorous discussion on nfsv4@ietf.org about
how the NFS protocol should support Linux IMA. The prototype attempts
a narrow interpretation of what the comments have requested. The
draft will be updated to reflect the prototype implementation.


Changes since v1:
- Rebased on kernel v5.0
- Moved NFSD support out from behind CONFIG_NFSD_V4_SECURITY_LABELS
- Added a patch to remove ima_file_check call in NFSD

---

Chuck Lever (5):
      NFS: Define common IMA-related protocol elements
      NFSD: Prototype support for IMA on NFS (server)
      NFSD: Remove ima_file_check call
      NFS: Rename security xattr handler
      NFS: Prototype support for IMA on NFS (client)


 fs/nfs/nfs4_fs.h          |    1 
 fs/nfs/nfs4proc.c         |  134 +++++++++++++++++++++++++++++---
 fs/nfs/nfs4xdr.c          |  186 +++++++++++++++++++++++++++++++++++++++++++++
 fs/nfsd/nfs4proc.c        |    9 ++
 fs/nfsd/nfs4xdr.c         |   49 ++++++++++--
 fs/nfsd/nfsd.h            |    3 -
 fs/nfsd/vfs.c             |   25 +++++-
 fs/nfsd/vfs.h             |    3 +
 fs/nfsd/xdr4.h            |    3 +
 fs/xattr.c                |   25 +++---
 include/linux/nfs4.h      |    5 +
 include/linux/nfs_fs_sb.h |    1 
 include/linux/nfs_xdr.h   |   21 +++++
 13 files changed, 426 insertions(+), 39 deletions(-)

--
Chuck Lever
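As an added illustration (not code from this series or from the NFS or IMA maintainers) of what a client-side auditor can do with the security.ima xattr once NFS exposes it: fetch the blob with getxattr(2) and decode its header to see whether the file carries a plain digest or a signature, rejecting blobs whose digest length does not match the named algorithm. The type values follow enum evm_ima_xattr_type in the kernel's integrity code and the algorithm ids follow include/uapi/linux/hash_info.h; the struct and function names, the path argument, and the sample blobs are this example's own.

```c
/* Added example, not part of the posted series: decode the security.ima
 * blob a file carries. Type byte values follow the kernel's enum
 * evm_ima_xattr_type; algorithm ids follow include/uapi/linux/hash_info.h.
 * Everything else here (names, layout checks) is this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* enum evm_ima_xattr_type values (IMA_XATTR_DIGEST is the legacy SHA-1 form) */
enum { IMA_XATTR_DIGEST = 1, EVM_XATTR_HMAC = 2, EVM_IMA_XATTR_DIGSIG = 3,
       IMA_XATTR_DIGEST_NG = 4 };

/* Subset of hash algorithm ids from include/uapi/linux/hash_info.h */
enum { HASH_ALGO_SHA1 = 2, HASH_ALGO_SHA256 = 4, HASH_ALGO_SHA512 = 6 };

struct ima_xattr_info {
    int type;           /* evm_ima_xattr_type value from the first byte */
    int hash_algo;      /* hash_info id for digest types, -1 for signatures */
    size_t payload_len; /* bytes following the header (digest or signature) */
};

/* Raw digest length for the algorithms this example knows; 0 = unknown */
size_t digest_len_for(int hash_algo)
{
    switch (hash_algo) {
    case HASH_ALGO_SHA1:   return 20;
    case HASH_ALGO_SHA256: return 32;
    case HASH_ALGO_SHA512: return 64;
    default:               return 0;
    }
}

/* Decode the header of a security.ima blob. Returns 0 on success and -1 when
 * the blob is empty, uses a type that does not belong in security.ima, names
 * an unknown hash algorithm, or carries a digest of the wrong length. */
int ima_xattr_decode(const unsigned char *buf, size_t len,
                     struct ima_xattr_info *out)
{
    if (len < 1)
        return -1;
    memset(out, 0, sizeof(*out));
    out->type = buf[0];

    switch (out->type) {
    case IMA_XATTR_DIGEST:          /* legacy: type byte + SHA-1 digest */
        out->hash_algo = HASH_ALGO_SHA1;
        out->payload_len = len - 1;
        return out->payload_len == 20 ? 0 : -1;
    case IMA_XATTR_DIGEST_NG:       /* type byte + algo byte + digest */
        if (len < 2)
            return -1;
        out->hash_algo = buf[1];
        out->payload_len = len - 2;
        if (digest_len_for(out->hash_algo) == 0)
            return -1;
        return out->payload_len == digest_len_for(out->hash_algo) ? 0 : -1;
    case EVM_IMA_XATTR_DIGSIG:      /* type byte + signature blob */
        out->hash_algo = -1;
        out->payload_len = len - 1;
        return out->payload_len > 0 ? 0 : -1;
    default:                        /* EVM_XATTR_HMAC belongs in security.evm */
        return -1;
    }
}

/* Fetch security.ima from a path and decode it. Returns 0 on success,
 * -errno from getxattr (e.g. -ENODATA when no IMA xattr is present), or
 * -EINVAL when the blob is present but malformed. */
int ima_xattr_read(const char *path, struct ima_xattr_info *out)
{
    unsigned char buf[4096];
    ssize_t n = getxattr(path, "security.ima", buf, sizeof(buf));
    if (n < 0)
        return -errno;
    return ima_xattr_decode(buf, (size_t)n, out) == 0 ? 0 : -EINVAL;
}

int main(int argc, char **argv)
{
    struct ima_xattr_info info;
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 2;
    }
    int rc = ima_xattr_read(argv[1], &info);
    if (rc == -EINVAL) {
        fprintf(stderr, "security.ima present but malformed\n");
        return 1;
    }
    if (rc < 0) {
        fprintf(stderr, "getxattr(security.ima): %s\n", strerror(-rc));
        return 1;
    }
    printf("type=%d hash_algo=%d payload=%zu bytes\n",
           info.type, info.hash_algo, info.payload_len);
    return 0;
}
```

Run against a file on an NFS mount that carries the prototype, the tool reports what the client retrieved; on the client side only reading is needed, which matches the cover letter's point that setting the xattr there is restricted to root.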

Thread overview: 17+ messages
2019-03-07 15:28 Chuck Lever [this message]
2019-03-07 15:28 ` [PATCH v2 1/5] NFS: Define common IMA-related protocol elements Chuck Lever
2019-03-07 15:28 ` [PATCH v2 2/5] NFSD: Prototype support for IMA on NFS (server) Chuck Lever
2019-03-07 15:28 ` [PATCH v2 3/5] NFSD: Remove ima_file_check call Chuck Lever
2019-03-08 21:10   ` J. Bruce Fields
2019-03-08 21:11     ` Chuck Lever
2019-03-08 21:23       ` Bruce Fields
2019-03-08 21:29         ` Chuck Lever
2019-03-19 20:29           ` Mimi Zohar
2019-03-20 13:40             ` Chuck Lever
2019-03-21 11:44               ` Mimi Zohar
2019-03-21 14:04                 ` Chuck Lever
2019-03-22 22:55                   ` Mimi Zohar
2019-03-25 14:24                     ` Chuck Lever
2019-03-25 15:01                       ` Mimi Zohar
2019-03-07 15:28 ` [PATCH v2 4/5] NFS: Rename security xattr handler Chuck Lever
2019-03-07 15:29 ` [PATCH v2 5/5] NFS: Prototype support for IMA on NFS (client) Chuck Lever
