All of lore.kernel.org
 help / color / mirror / Atom feed
From: Bruce Fields <bfields@fieldses.org>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH RFC 4/4] NFSD: Prototype support for IMA on NFS (server)
Date: Fri, 1 Mar 2019 10:04:01 -0500	[thread overview]
Message-ID: <20190301150401.GA17160@fieldses.org> (raw)
In-Reply-To: <A7D59BDC-08B3-4338-8E3B-6B41AC652968@oracle.com>

On Mon, Feb 18, 2019 at 02:41:24PM -0500, Chuck Lever wrote:
> 
> 
> > On Feb 18, 2019, at 2:32 PM, bfields@fieldses.org wrote:
> > 
> > On Thu, Feb 14, 2019 at 03:43:26PM -0500, Chuck Lever wrote:
> >> When NFSv4 Security Label support is enabled and kernel Integrity
> >> and IMA support is enabled (via CONFIG), then build in code to
> >> handle the "security.ima" xattr. The NFS server converts incoming
> >> GETATTR and SETATTR calls to acesses and updates of the xattr.
> >> 
> >> The FATTR4 bit is made up; meaning we still have to go through a
> >> standards process to allocate a bit that all NFS vendors agree on.
> >> Thus there is no guarantee this prototype will interoperate with
> >> others or with a future standards-based implementation.
> > 
> > Why the dependence on CONFIG_NFSD_V4_SECURITY_LABEL?
> 
> Hrm, well there is some mechanism on the client side that IMA
> needs that is behind CONFIG_NFS_V4_SECURITY_LABEL. I guess I
> didn't think about not doing the same thing on the server. It
> may just be an artifact of an earlier version of this code.
> 
> 
> > (Also, I wonder if we actually need CONFIG_NFSD_V4_SECURITY_LABEL or if
> > we could just remove it, or replace it by CONFIG_SECURITY where
> > necessary.)
> 
> On the server, there is already a (run-time) export option to
> enable and disable security labels. Is there a reason a
> distribution would want to disable client or server support
> for security labels at build time?

Distributions tend to want kernels that can do anything, with run time
controls that are adequate to handle any use cases.

So given that we need adequate run-time configuration, why might someone
also want the ability to disable at build time?  Some reasons I can
think of:

	- they need a really small kernel.
	- the feature is too hard to support, or they think it
	  introduces security risks, so they don't want their users
	  turning it on at all.

I could see any of those being reasons for someone not to want NFSD_V4
or SECURITY at all, but is there likely to be a big need to configure in
both of those things but configure out NFSD_V4_SECURITY_LABEL?  That
seems unnecessarily fine grained.

--b.

  reply	other threads:[~2019-03-01 15:04 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-14 20:43 [PATCH RFC 0/4] IMA on NFS prototype Chuck Lever
2019-02-14 20:43 ` [PATCH RFC 1/4] NFS: Define common IMA-related protocol elements Chuck Lever
2019-02-14 20:43 ` [PATCH RFC 2/4] NFS: Rename security xattr handler Chuck Lever
2019-02-14 20:43 ` [PATCH RFC 3/4] NFS: Prototype support for IMA on NFS (client) Chuck Lever
2019-02-14 20:43 ` [PATCH RFC 4/4] NFSD: Prototype support for IMA on NFS (server) Chuck Lever
2019-02-18 19:32   ` J. Bruce Fields
2019-02-18 19:41     ` Chuck Lever
2019-03-01 15:04       ` Bruce Fields [this message]
2019-03-01 16:01         ` Chuck Lever
2019-03-01 16:10           ` Bruce Fields
2019-02-20  0:36 ` [PATCH RFC 0/4] IMA on NFS prototype Mimi Zohar
2019-02-20  3:51   ` Chuck Lever
2019-02-20 12:26     ` Mimi Zohar
2019-02-21 14:49       ` Chuck Lever
2019-02-21 15:51         ` Mimi Zohar
2019-02-21 15:58           ` Chuck Lever
2019-02-22 20:16             ` J. Bruce Fields

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190301150401.GA17160@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=chuck.lever@oracle.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.