From: Steve Dickson <SteveD-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Trond Myklebust
<Trond.Myklebust-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org>,
"J. Bruce Fields"
<bfields-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"David P. Quigley"
<dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
Cc: Linux NFS list
<linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux FS devel list
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Security List
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
SELinux List <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
Subject: [PATCH 00/15] lnfs: 3.8-rc6 release
Date: Fri, 8 Feb 2013 07:39:08 -0500 [thread overview]
Message-ID: <1360327163-20360-1-git-send-email-SteveD@redhat.com> (raw)
From: Steve Dickson <steved-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Here is the next release of the Label NFS code, forward ported to linux-3.8-rc6.
I've incorporated all of the code review comments (thank you for that time) with the exception of the following:
> Why not use the more common construct of defining
>
> struct nfs4_label {
> ....
> char label[NFS4_MAXLABELLEN];
> };
It makes things easier to keep label a pointer verses an array when it comes to initializing the structure (see _nfs4_get_security_label()), although I did
decrease NFS4_MAXLABELLEN to (4095 - offsetof(struct nfs4_label , label))
> + u32 attr_bitmask_nl[3];
> + /* V4 bitmask representing the
> + set of attributes supported
> + on this filesystem excluding
> + the label support bit. */
>
> Can't we just have attr_bitmask_nl point to attr_bitmask when not #ifdef
> CONFIG_NFS_V4_SECURITY_LABEL?
I'm thinking having both bitmasks makes it more obvious as to what is or is not
being used. I'm referring to the code in _nfs4_proc_getattr() and _nfs4_proc_lookup().
If the label is not set, use the non label bit mask verses hiding things behind
a pointer and not really knowing what bit mask is being used.
I also found and fixed a couple memory leaks...
The Fedora kernel rpms that have the patches are under
http://steved.fedorapeople.org/lnfs/kernels/
A wireshark rpm that can dissect the labels is under
http://steved.fedorapeople.org/lnfs/wireshark/
The actual patches from this release are under
http://steved.fedorapeople.org/lnfs/patches/lnfs-v3.8-rc6
Dave Quigley (3):
NFS:Add labels to client function prototypes
NFS: Add label lifecycle management
lnfs: Do not sleep holding the inode spin lock
David Quigley (10):
Security: Add hook to calculate context based on a negative dentry.
Security: Add Hook to test if the particular xattr is part of a MAC
model.
LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount
data.
SELinux: Add new labeling type native labels
NFSv4: Add label recommended attribute and NFSv4 flags
NFSv4: Introduce new label structure
NFSv4: Extend fattr bitmaps to support all 3 words
NFS: Client implementation of Labeled-NFS
NFS: Extend NFS xattr handlers to accept the security namespace
NFSD: Server implementation of MAC Labeling
Steve Dickson (2):
Kconfig: Add Kconfig entry for Labeled NFS V4 client
Kconfig: Add Kconfig entry for Labeled NFS V4 server
fs/nfs/Kconfig | 18 ++
fs/nfs/client.c | 2 +-
fs/nfs/dir.c | 46 ++-
fs/nfs/getroot.c | 2 +-
fs/nfs/inode.c | 140 +++++++--
fs/nfs/namespace.c | 2 +-
fs/nfs/nfs3acl.c | 4 +-
fs/nfs/nfs3proc.c | 41 +--
fs/nfs/nfs4_fs.h | 8 +-
fs/nfs/nfs4namespace.c | 2 +-
fs/nfs/nfs4proc.c | 565 ++++++++++++++++++++++++++++++++----
fs/nfs/nfs4xdr.c | 199 ++++++++++---
fs/nfs/proc.c | 15 +-
fs/nfs/super.c | 17 +-
fs/nfsd/Kconfig | 16 +
fs/nfsd/nfs4proc.c | 41 +++
fs/nfsd/nfs4xdr.c | 116 +++++++-
fs/nfsd/nfsd.h | 8 +-
fs/nfsd/vfs.c | 30 ++
fs/nfsd/vfs.h | 2 +
fs/nfsd/xdr4.h | 3 +
include/linux/nfs4.h | 8 +
include/linux/nfs_fs.h | 29 +-
include/linux/nfs_fs_sb.h | 10 +-
include/linux/nfs_xdr.h | 30 +-
include/linux/security.h | 57 +++-
include/uapi/linux/nfs4.h | 2 +-
security/capability.c | 19 +-
security/security.c | 24 +-
security/selinux/hooks.c | 92 +++++-
security/selinux/include/security.h | 2 +
security/selinux/ss/policydb.c | 5 +-
security/smack/smack_lsm.c | 11 +
33 files changed, 1352 insertions(+), 214 deletions(-)
--
1.7.11.7
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Steve Dickson <SteveD@redhat.com>
To: Trond Myklebust <Trond.Myklebust@netapp.com>,
"J. Bruce Fields" <bfields@redhat.com>,
"David P. Quigley" <dpquigl@tycho.nsa.gov>
Cc: Linux NFS list <linux-nfs@vger.kernel.org>,
Linux FS devel list <linux-fsdevel@vger.kernel.org>,
Linux Security List <linux-security-module@vger.kernel.org>,
SELinux List <selinux@tycho.nsa.gov>
Subject: [PATCH 00/15] lnfs: 3.8-rc6 release
Date: Fri, 8 Feb 2013 07:39:08 -0500 [thread overview]
Message-ID: <1360327163-20360-1-git-send-email-SteveD@redhat.com> (raw)
From: Steve Dickson <steved@redhat.com>
Here is the next release of the Label NFS code, forward ported to linux-3.8-rc6.
I've incorporated all of the code review comments (thank you for that time) with the exception of the following:
> Why not use the more common construct of defining
>
> struct nfs4_label {
> ....
> char label[NFS4_MAXLABELLEN];
> };
It makes things easier to keep label a pointer verses an array when it comes to initializing the structure (see _nfs4_get_security_label()), although I did
decrease NFS4_MAXLABELLEN to (4095 - offsetof(struct nfs4_label , label))
> + u32 attr_bitmask_nl[3];
> + /* V4 bitmask representing the
> + set of attributes supported
> + on this filesystem excluding
> + the label support bit. */
>
> Can't we just have attr_bitmask_nl point to attr_bitmask when not #ifdef
> CONFIG_NFS_V4_SECURITY_LABEL?
I'm thinking having both bitmasks makes it more obvious as to what is or is not
being used. I'm referring to the code in _nfs4_proc_getattr() and _nfs4_proc_lookup().
If the label is not set, use the non label bit mask verses hiding things behind
a pointer and not really knowing what bit mask is being used.
I also found and fixed a couple memory leaks...
The Fedora kernel rpms that have the patches are under
http://steved.fedorapeople.org/lnfs/kernels/
A wireshark rpm that can dissect the labels is under
http://steved.fedorapeople.org/lnfs/wireshark/
The actual patches from this release are under
http://steved.fedorapeople.org/lnfs/patches/lnfs-v3.8-rc6
Dave Quigley (3):
NFS:Add labels to client function prototypes
NFS: Add label lifecycle management
lnfs: Do not sleep holding the inode spin lock
David Quigley (10):
Security: Add hook to calculate context based on a negative dentry.
Security: Add Hook to test if the particular xattr is part of a MAC
model.
LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount
data.
SELinux: Add new labeling type native labels
NFSv4: Add label recommended attribute and NFSv4 flags
NFSv4: Introduce new label structure
NFSv4: Extend fattr bitmaps to support all 3 words
NFS: Client implementation of Labeled-NFS
NFS: Extend NFS xattr handlers to accept the security namespace
NFSD: Server implementation of MAC Labeling
Steve Dickson (2):
Kconfig: Add Kconfig entry for Labeled NFS V4 client
Kconfig: Add Kconfig entry for Labeled NFS V4 server
fs/nfs/Kconfig | 18 ++
fs/nfs/client.c | 2 +-
fs/nfs/dir.c | 46 ++-
fs/nfs/getroot.c | 2 +-
fs/nfs/inode.c | 140 +++++++--
fs/nfs/namespace.c | 2 +-
fs/nfs/nfs3acl.c | 4 +-
fs/nfs/nfs3proc.c | 41 +--
fs/nfs/nfs4_fs.h | 8 +-
fs/nfs/nfs4namespace.c | 2 +-
fs/nfs/nfs4proc.c | 565 ++++++++++++++++++++++++++++++++----
fs/nfs/nfs4xdr.c | 199 ++++++++++---
fs/nfs/proc.c | 15 +-
fs/nfs/super.c | 17 +-
fs/nfsd/Kconfig | 16 +
fs/nfsd/nfs4proc.c | 41 +++
fs/nfsd/nfs4xdr.c | 116 +++++++-
fs/nfsd/nfsd.h | 8 +-
fs/nfsd/vfs.c | 30 ++
fs/nfsd/vfs.h | 2 +
fs/nfsd/xdr4.h | 3 +
include/linux/nfs4.h | 8 +
include/linux/nfs_fs.h | 29 +-
include/linux/nfs_fs_sb.h | 10 +-
include/linux/nfs_xdr.h | 30 +-
include/linux/security.h | 57 +++-
include/uapi/linux/nfs4.h | 2 +-
security/capability.c | 19 +-
security/security.c | 24 +-
security/selinux/hooks.c | 92 +++++-
security/selinux/include/security.h | 2 +
security/selinux/ss/policydb.c | 5 +-
security/smack/smack_lsm.c | 11 +
33 files changed, 1352 insertions(+), 214 deletions(-)
--
1.7.11.7
next reply other threads:[~2013-02-08 12:39 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-08 12:39 Steve Dickson [this message]
2013-02-08 12:39 ` [PATCH 00/15] lnfs: 3.8-rc6 release Steve Dickson
2013-02-08 12:39 ` [PATCH 01/15] Security: Add hook to calculate context based on a negative dentry Steve Dickson
2013-02-08 12:39 ` [PATCH 02/15] Security: Add Hook to test if the particular xattr is part of a MAC model Steve Dickson
2013-02-08 12:39 ` [PATCH 03/15] LSM: Add flags field to security_sb_set_mnt_opts for in kernel mount data Steve Dickson
2013-02-08 12:39 ` [PATCH 04/15] SELinux: Add new labeling type native labels Steve Dickson
2013-02-08 12:39 ` [PATCH 05/15] NFSv4: Add label recommended attribute and NFSv4 flags Steve Dickson
2013-02-08 12:39 ` [PATCH 06/15] NFSv4: Introduce new label structure Steve Dickson
2013-02-12 22:07 ` J. Bruce Fields
[not found] ` <20130212220741.GJ10267-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2013-02-12 22:28 ` Myklebust, Trond
2013-02-12 22:28 ` Myklebust, Trond
2013-02-12 22:32 ` J. Bruce Fields
2013-02-12 22:40 ` Myklebust, Trond
2013-02-12 23:06 ` J. Bruce Fields
2013-02-13 0:30 ` Steve Dickson
2013-02-08 12:39 ` [PATCH 07/15] NFSv4: Extend fattr bitmaps to support all 3 words Steve Dickson
2013-02-08 12:39 ` [PATCH 08/15] NFS:Add labels to client function prototypes Steve Dickson
2013-02-08 12:39 ` [PATCH 09/15] NFS: Add label lifecycle management Steve Dickson
2013-02-12 22:27 ` J. Bruce Fields
2013-02-16 20:28 ` Steve Dickson
[not found] ` <1360327163-20360-1-git-send-email-SteveD-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-02-08 12:39 ` [PATCH 10/15] NFS: Client implementation of Labeled-NFS Steve Dickson
2013-02-08 12:39 ` Steve Dickson
2013-02-12 23:03 ` J. Bruce Fields
2013-02-16 20:35 ` Steve Dickson
[not found] ` <511FED8E.7020308-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2013-02-16 22:30 ` J. Bruce Fields
2013-02-16 22:30 ` J. Bruce Fields
2013-02-17 1:24 ` Steve Dickson
2013-02-17 1:47 ` Steve Dickson
2013-02-08 12:39 ` [PATCH 11/15] NFS: Extend NFS xattr handlers to accept the security namespace Steve Dickson
2013-02-08 12:39 ` [PATCH 12/15] lnfs: Do not sleep holding the inode spin lock Steve Dickson
[not found] ` <1360327163-20360-13-git-send-email-SteveD-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-02-13 15:16 ` J. Bruce Fields
2013-02-13 15:16 ` J. Bruce Fields
[not found] ` <20130213151610.GI14195-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2013-02-16 20:36 ` Steve Dickson
2013-02-16 20:36 ` Steve Dickson
2013-02-08 12:39 ` [PATCH 13/15] Kconfig: Add Kconfig entry for Labeled NFS V4 client Steve Dickson
2013-02-08 12:39 ` [PATCH 14/15] NFSD: Server implementation of MAC Labeling Steve Dickson
2013-02-12 22:54 ` J. Bruce Fields
2013-02-12 23:07 ` J. Bruce Fields
[not found] ` <20130212225425.GM10267-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2013-02-16 20:44 ` Steve Dickson
2013-02-16 20:44 ` Steve Dickson
[not found] ` <511FEFCB.2090002-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2013-02-16 22:34 ` J. Bruce Fields
2013-02-16 22:34 ` J. Bruce Fields
2013-02-08 12:39 ` [PATCH 15/15] Kconfig: Add Kconfig entry for Labeled NFS V4 server Steve Dickson
2013-02-12 21:41 ` [PATCH 00/15] lnfs: 3.8-rc6 release J. Bruce Fields
2013-02-12 22:02 ` Casey Schaufler
2013-02-12 22:02 ` Casey Schaufler
2013-02-12 22:13 ` J. Bruce Fields
2013-02-13 0:32 ` Steve Dickson
2013-02-13 0:55 ` Casey Schaufler
2013-02-13 0:55 ` Casey Schaufler
2013-02-12 23:11 ` J. Bruce Fields
[not found] ` <20130212231113.GQ10267-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2013-02-12 23:18 ` Myklebust, Trond
2013-02-12 23:18 ` Myklebust, Trond
2013-02-13 0:11 ` J. Bruce Fields
2013-02-13 0:21 ` J. Bruce Fields
2013-02-13 0:28 ` Steve Dickson
2013-02-13 15:05 ` J. Bruce Fields
2013-02-13 15:33 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1360327163-20360-1-git-send-email-SteveD@redhat.com \
--to=steved-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=Trond.Myklebust-HgOvQuBEEgTQT0dZR+AlfA@public.gmane.org \
--cc=bfields-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=dpquigl-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.