Difference between revisions of "Labeled NFS/TODO"

From SELinux Wiki
Line 5: Line 5:
 
== Task List ==
 
== Task List ==
  
'''Linux Prototype Tasks'''
+
'''Linux Prototype Tasks:'''
 
* Label Translation Framework
 
* Label Translation Framework
 
* Provide a mechanism to allow NFSD to determine a context to perform operations as
 
* Provide a mechanism to allow NFSD to determine a context to perform operations as
Line 16: Line 16:
 
* CALIPSO MLS Format Specification Document
 
* CALIPSO MLS Format Specification Document
  
'''FreeBSD 8.0 Prototype Tasks'''
+
'''FreeBSD 8.0 Prototype Tasks:'''
 
* Implement MAC Recommended attribute
 
* Implement MAC Recommended attribute
 
* Implement RPCSECGSSv3
 
* Implement RPCSECGSSv3
Line 38: Line 38:
  
  
=== Item ===
+
=== NFSD Subject Context Selection ===
  
 
'''Description:'''
 
'''Description:'''
 +
Currently when an NFS server processes a request the kernel daemon runs in the kernel_t type. This is not ideal since there is a desire to have the kernel daemon process requests with different subject labels based on some criteria. In full mode Labeled NFS this label would be provided by the client making the request. However even in the presence of full mode it would be useful to be able to restrict clients to certain labels based on criteria other than client process label. In the event that there is no client process label being translated this framework should provide a way for administrators to specify labels for clients based on some criteria. This may include: authenticated user, network interface, or ip address. In the event that the client is asserting a process label the mechanism should also provide a way to restrict which labels the client is permitted to assert.
 +
 
'''Subtasks:'''
 
'''Subtasks:'''
*
+
* Start a list of potential external criteria to base labeling on
 +
* Design mechanism to allow kernel daemons to request a subject label based on these criteria
 +
* Implement mechanism
 +
 
 +
 
 +
'''Status:'''
 +
There currently is no progress on this task nor has anyone taken it as an item to work on.
 +
 
 +
=== RPCSECGSSv3 Implementation ===
 +
 
 +
'''Description:'''
 +
After several iterations of client process label transport a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS which is the security mechanism used by NFSv4 for protecting RPC communications. An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.
 +
 
 +
'''Subtasks:'''
 +
* Read Specification and study prior RPCSECGSS versions
 +
* Evaluate the Linux RPCSEC_GSS implementation for components needed by RPCSECGSSv3 (Kernel: net/sun/auth_gss User Space: rpc.gssd)
 +
* Provide feedback to specification writers during implementation
 +
 
 +
'''Status:'''
 +
There is no current implementation effort for RPCSECGSSv3 however there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.
 +
 
 +
=== MLS CALIPSO Translation Module ===
 +
 
 +
'''Description:'''
 +
To show an interoperable demonstration platform for Labeled NFS a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communication with each other. This module should preferably be written in a way so that it is portable to Linux and FreeBSD.
 +
'''Subtasks:'''
 +
* Evaluate Linux CIPSO Label implementation
 +
* Evaluate FreeBSD CIPSO Label implementation
 +
* Port implementations as necessary
 +
* Implement module
 +
 
 
'''Status:'''
 
'''Status:'''
 +
No work has been done on this task as of date however Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed
  
 
== IETF Tasks ==
 
== IETF Tasks ==
  
 
== FreeBSD 8.0 Prototype Tasks ==
 
== FreeBSD 8.0 Prototype Tasks ==
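Review bot: In the MLS CALIPSO Translation Module section, the added '''Subtasks:''' line follows the description paragraph with no empty line between them, unlike the two sections added above it, so in the rendered revision the label runs onto the end of the description ("...portable to Linux and FreeBSD. Subtasks:"); add an empty line before it. In the same section, "to communication with each other" should read "to communicate with each other", and the closing status sentence "This task has not been claimed" lacks its period. In the NFSD Subject Context Selection description, the criteria (authenticated user, network interface, or ip address) are listed without saying which one wins when they disagree, or what the server does with a request whose asserted label is not permitted; one sentence on each would give the "Design mechanism" subtask something concrete to meet.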

Revision as of 22:14, 29 September 2009

Labeled NFS TODO List

This page contains a list of TODO items for the Labeled NFS project. Each section describes a high-level task and the subtasks identified for it so far, along with a brief description of the task's current status and progress.

Task List

Linux Prototype Tasks:

  • Label Translation Framework
  • Provide a mechanism to allow NFSD to determine a context to perform operations as
  • Implement RPCSECGSSv3
  • Develop MLS CALIPSO Translation Module (Preferably Linux/FreeBSD portable)

IETF Tasks:

  • Labeled NFS Scope Document
  • Policy Format Specification Document
  • CALIPSO MLS Format Specification Document

FreeBSD 8.0 Prototype Tasks:

  • Implement MAC Recommended attribute
  • Implement RPCSECGSSv3
  • Implement Translation Framework
  • Implement CALIPSO MLS Translation Module

Linux Prototype Tasks

Label Translation Framework

Description: NFS servers and clients may not be running the same MAC policy, or even the same MAC model, so the client or server needs a way to translate a MAC label into a format it can understand. The exact semantics of these translations are still being worked through; however, a mechanism is needed to allow the kernel and user space to communicate. In addition, a framework for supplying translation modules needs to be present to allow for a pluggable method of dealing with these translations.

Subtasks:

  • Review existing label translation framework patches
  • Determine changes in NFS/User-space communication mechanisms since patches were written
  • Update patches to reflect new changes to rpcpipefs and to leverage changes made by idmapd

Status: When the Labeled NFS effort was first started, an initial prototype of the translation framework and daemon was written. These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils. The patches can be made available to anyone who wants to attempt to update the code.


NFSD Subject Context Selection

Description: Currently, when an NFS server processes a request, the kernel daemon runs in the kernel_t type. This is not ideal, since there is a desire to have the kernel daemon process requests with different subject labels based on some criteria. In full mode Labeled NFS this label would be provided by the client making the request. However, even in the presence of full mode it would be useful to be able to restrict clients to certain labels based on criteria other than the client process label. When no client process label is being translated, this framework should provide a way for administrators to specify labels for clients based on some criteria. These may include authenticated user, network interface, or IP address. When the client is asserting a process label, the mechanism should also provide a way to restrict which labels the client is permitted to assert.

Subtasks:

  • Start a list of potential external criteria to base labeling on
  • Design mechanism to allow kernel daemons to request a subject label based on these criteria
  • Implement mechanism


Status: There is currently no progress on this task, nor has anyone taken it as an item to work on.
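
The selection logic described for this task, as an added sketch that is not part of the wiki page or of any Labeled NFS patch. The rule format, the first-match ordering, the principal, interface, and address values, and every context string are assumptions constructed for illustration; the page has not yet defined a mechanism.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical rule format: the page names the criteria (authenticated user,
# network interface, IP address) but defines no policy syntax.
@dataclass(frozen=True)
class Rule:
    principal: Optional[str]    # authenticated user, None matches any
    interface: Optional[str]    # receiving network interface, None matches any
    network: Optional[str]      # client address range in CIDR form, None matches any
    default: str                # subject label used when the client asserts none
    permitted: FrozenSet[str]   # labels this client is allowed to assert

# Constructed sample policy; first matching rule wins (an assumption).
RULES = [
    Rule("alice@EXAMPLE.COM", None, "192.0.2.0/24",
         "user_u:user_r:nfs_client_t:s0",
         frozenset({"user_u:user_r:nfs_client_t:s0",
                    "staff_u:staff_r:nfs_client_t:s0"})),
    Rule(None, "eth1", None, "system_u:system_r:nfs_guest_t:s0", frozenset()),
]
# With no matching rule and no asserted label, keep the behaviour the page
# describes today: the daemon's own kernel_t context.
FALLBACK = "system_u:system_r:kernel_t:s0"


def select_subject(principal, interface, addr, asserted=None, rules=RULES):
    """Return (label, reason); label is None when the request is refused."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        if r.principal is not None and r.principal != principal:
            continue
        if r.interface is not None and r.interface != interface:
            continue
        if r.network is not None and ip not in ipaddress.ip_network(r.network):
            continue
        if asserted is None:
            return r.default, "default"
        if asserted in r.permitted:
            return asserted, "asserted"
        return None, "denied"   # asserted label outside this client's set
    if asserted is not None:
        return None, "denied"   # unknown client: never honour an asserted label
    return FALLBACK, "fallback"
```

The two refusal paths are the part the description calls out: an asserted label is honoured only when a rule for that client explicitly permits it.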

RPCSECGSSv3 Implementation

Description: After several iterations of client process label transport, a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS, which is the security mechanism used by NFSv4 for protecting RPC communications. An initial specification has been published as a personal internet draft on the IETF website and also posted to the NFSv4 working group mailing list.

Subtasks:

  • Read the specification and study prior RPCSECGSS versions
  • Evaluate the Linux RPCSEC_GSS implementation for components needed by RPCSECGSSv3 (Kernel: net/sun/auth_gss; User Space: rpc.gssd)
  • Provide feedback to specification writers during implementation

Status: There is no current implementation effort for RPCSECGSSv3; however, there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.

MLS CALIPSO Translation Module

Description: To show an interoperable demonstration platform for Labeled NFS, a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written so that it is portable to Linux and FreeBSD.

Subtasks:

  • Evaluate Linux CIPSO Label implementation
  • Evaluate FreeBSD CIPSO Label implementation
  • Port implementations as necessary
  • Implement module

Status: No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.

IETF Tasks

FreeBSD 8.0 Prototype Tasks