On Sat, 4 Aug 2001, Crispin Cowan wrote:

> jmjonesat_private wrote:
>
> > On Fri, 3 Aug 2001, Crispin Cowan wrote:
> > > Can someone summarize the alleged scary boojum of NFSv4? I'm not familiar
> > > with it, and don't know what the implications of it are that LSM would have to
> > > care about.
> >
> > I've only read RFC 3010, so my understanding is sketchy...
>
> Thanks!
>
> This makes it sound rather similar to the problem of supporting extended
> attributes in other file systems. The main problem is that I don't
> think the VFS layer supports extended attributes. That's a problem if
> we've got fancy file systems on one side of the abstraction waving
> extended attributes around, and LSM modules on the other side of the
> abstraction wishing they could see and manipulate those attributes, but
> unable to get to them.

Actually, it does seem to be a similar problem, at least to me (I'm
admittedly deep enough to get "the bends" here.) Since you've moved this
to a branch thread, I will pursue it briefly...

The question I'd next ask is (quite innocently): how would switching to
authoritative hooks and moving all the in-kernel checks out to the module
actually resolve this problem unless many hooks were moved even deeper
(below VFS) ... ? Or (ick) does it require we also restructure/rewrite VFS
and move IT out to the module, which is unacceptable to me.

That's quite a can of worms. Can we make some small changes now that
would facilitate this later as vfs evolves?

Has anybody got a concrete example/suggestion of how this problem could be
addressed now without restructuring the whole interface (and the kernel)
specifically toward it?

I'm not convinced that "special filesystems" are common enough to call
them the "general case." I'm in the "real world" and ext2fs is pretty
much all I ever use. SIMULATION of things like NFSv4 usually rides on top.

Ergo, to me, at least, it's not a "make-or-break" boojum, but rather the
following intellectual puzzle: can we make small changes now that will
address this later without paying a horrendous cost?

I'm no expert on all the filesystems and how they percolate through vfs...
which makes me kind of happy vfs is there. I'm not sure NFSv4 is a unique
issue that is general enough to provide "serious" concern... I'm sure I'll
be argued down if it really is.

>
> Crispin
>
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html
>

Sincerely,
J. Melvin Jones

|>------------------------------------------------------
|| J. MELVIN JONES jmjonesat_private
|>------------------------------------------------------
|| Microcomputer Systems Consultant
|| Software Developer
|| Web Site Design, Hosting, and Administration
|| Network and Systems Administration
|>------------------------------------------------------
|| http://www.jmjones.com/
|>------------------------------------------------------

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 13:20:38 PDT