Labeled NFS/TODO

From SELinux Wiki

Labeled NFS TODO List

This page contains a list of TODO items for the Labeled NFS project. Each section describes the high-level task and the subtasks identified for it so far. These sections also have a brief description of the current status and progress of each task. This list of work items shall not be considered as a request for proposal or otherwise construed as a commitment by NSA to anyone for the procurement of equipment, services, or any obligation. The NSA reserves the right to not pursue work in any area identified below or to discontinue, at any time, research in progress in any of these areas.

Task List

Linux Prototype Tasks:

  • Label Translation Framework
  • Provide a mechanism to allow NFSD to determine a context to perform operations as
  • Implement RPCSECGSSv3
  • Develop MLS CALIPSO Translation Module (Preferably Linux/FreeBSD portable)
  • Add xattr export option to allow dumb server to specify storage location of attribute

IETF Tasks:

  • Labeled NFS Scope Document
  • Policy Format Specification Document
  • CALIPSO MLS Format Specification Document

FreeBSD 8.0 Prototype Tasks:

  • Implement MAC Recommended attribute
  • Implement RPCSECGSSv3
  • Implement Translation Framework
  • Implement CALIPSO MLS Translation Module

Linux Prototype Tasks

Label Translation Framework

Description: To handle the scenario where NFS servers and clients may not be running the same MAC policy, or even the same MAC model, there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through; however, a mechanism is needed to allow the kernel and user space to communicate. In addition, a framework for supplying translation modules needs to be present to allow for a pluggable method of dealing with these translations.

Subtasks:

  • Review existing label translation framework patches
  • Determine changes in NFS/User-space communication mechanisms since patches were written
  • Update patches to reflect new changes to rpcpipefs and to leverage changes made by idmapd

Status: When the Labeled NFS effort was first started, an initial prototype of the translation framework and daemon was written. These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils. The patches can be made available to anyone who wants to attempt to update the code.


NFSD Subject Context Selection

Description: Currently, when an NFS server processes a request, the kernel daemon runs in the kernel_t type. This is not ideal, since there is a desire to have the kernel daemon process requests with different subject labels based on some criteria. In full mode Labeled NFS this label would be provided by the client making the request. However, even in the presence of full mode it would be useful to be able to restrict clients to certain labels based on criteria other than the client process label. In the event that there is no client process label being translated, this framework should provide a way for administrators to specify labels for clients based on some criteria. These may include authenticated user, network interface, or IP address. In the event that the client is asserting a process label, the mechanism should also provide a way to restrict which labels the client is permitted to assert.

Subtasks:

  • Start a list of potential external criteria to base labeling on
  • Design mechanism to allow kernel daemons to request a subject label based on these criteria
  • Implement mechanism


Status: There is currently no progress on this task, nor has anyone taken it as an item to work on.
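
One possible shape for the selection decision described in this task, as an added sketch that is not part of the Labeled NFS patches. The rule structure, the function name select_subject_label, the sample policy and every label string are assumptions made for illustration; the choice to refuse a request when no rule matches is also an assumption, since the page leaves the design open.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_ASSERT 3

struct client { uint32_t addr; const char *user; };  /* user NULL = unauthenticated */

/* Hypothetical rule shape: match on network and, optionally, authenticated user. */
struct label_rule {
    uint32_t net, mask;
    const char *user;                    /* NULL matches any user */
    const char *default_label;           /* used when the client asserts nothing */
    const char *may_assert[MAX_ASSERT];  /* labels the client may assert; NULL ends */
};

/* Constructed sample policy; every label string is illustrative. */
static const struct label_rule rules[] = {
    { IP4(10,1,0,0), 0xFFFF0000u, "alice", "staff_u:staff_r:nfs_staff_t:s0",
      { "staff_u:staff_r:nfs_staff_t:s0", "staff_u:staff_r:nfs_admin_t:s0" } },
    { IP4(10,1,0,0), 0xFFFF0000u, NULL, "user_u:user_r:nfs_client_t:s0",
      { "user_u:user_r:nfs_client_t:s0" } },
    { IP4(192,168,5,0), 0xFFFFFF00u, NULL, "system_u:system_r:nfs_legacy_t:s0", { NULL } },
};

/* Returns the subject label to serve the request as, or NULL to refuse it. */
const char *select_subject_label(const struct client *c, const char *asserted)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const struct label_rule *r = &rules[i];
        if ((c->addr & r->mask) != r->net)
            continue;
        if (r->user && (!c->user || strcmp(r->user, c->user) != 0))
            continue;
        if (!asserted)                   /* no client label: administrator default */
            return r->default_label;
        for (int j = 0; j < MAX_ASSERT && r->may_assert[j]; j++)
            if (strcmp(r->may_assert[j], asserted) == 0)
                return r->may_assert[j];
        return NULL;   /* first matching rule decides; assertion not permitted */
    }
    return NULL;       /* no rule matches: refuse instead of running as kernel_t */
}

int main(void)
{
    struct client alice = { IP4(10,1,2,3), "alice" };
    const char *l = select_subject_label(&alice, "system_u:system_r:kernel_t:s0");
    printf("alice asserting kernel_t -> %s\n", l ? l : "(refused)");
    return 0;
}
```

The first matching rule is final, so a client cannot reach a more permissive rule further down the table by asserting a label the earlier rule rejects.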

RPCSECGSSv3 Implementation

Description: After several iterations of client process label transport, a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS, which is the security mechanism used by NFSv4 for protecting RPC communications. An initial specification has been published as a personal Internet-Draft on the IETF website and also posted to the NFSv4 working group mailing list.

Subtasks:

  • Read Specification and study prior RPCSECGSS versions
  • Evaluate the Linux RPCSEC_GSS implementation for components needed by RPCSECGSSv3 (kernel: net/sunrpc/auth_gss; user space: rpc.gssd)
  • Provide feedback to specification writers during implementation

Status: There is no current implementation effort for RPCSECGSSv3; however, there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.

MLS CALIPSO Translation Module

Description: To show an interoperable demonstration platform for Labeled NFS, a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written so that it is portable to both Linux and FreeBSD.

Subtasks:

  • Evaluate Linux CIPSO Label implementation
  • Evaluate FreeBSD CIPSO Label implementation
  • Port implementations as necessary
  • Implement module

Status: No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.

Xattr Export Option

Description: The existing Linux implementation of Labeled NFS requires an LSM to be present, since it uses that interface to set the security attributes on the file. One of the usage models for Labeled NFS is a dumb server mode where the server does not implement any sort of MAC functionality. In this case the interface to set the file labels won't work. A solution for this is to allow an administrator to provide an export option like xattr=(security.something) naming the extended attribute in which to store the security label.

Subtasks:

  • Add export option to NFSv4 to allow users to specify xattr=(xattr name)
  • Modify nfs-utils to allow xattr= as a new export option
  • Modify Labeled NFS server code to use vfs_setxattr or vfs_setxattr_noperm to set the xattr directly when the xattr export option is set
  • Modify Labeled NFS server code to parse the new xattr export option and store the data so it is accessible

Status: No work has been done on this task to date; however, it is a relatively low difficulty task. This task has not been claimed.


IETF Tasks

Labeled NFS Scope Document

Description: As part of the IETF process several documents need to be authored. The most recent is a scope document for the NFSv4 working group which outlines the extent of the changes needed to support Labeled NFS and the external dependencies it has.

Subtasks:

  • Integrate use cases from James and Jarrett
  • Write sections containing policy label format and initial formats
  • Write sections containing policy interoperability

Status: Work has started on this document and some sections are already written. James Morris and Jarrett Lu have contributed text for the use case sections while David Quigley has started writing the other sections.

Policy Format Specification Document

Description: As part of the effort to address interoperability, one avenue being explored is a method of separating the security label into two components. The outer component, formerly referred to as a DOI, will be replaced with a policy format specifier which will specify the syntactic format of the label, enabling a separation of format and policy semantics.

Subtasks:

  • None as of yet

Status: This document has not yet been started.

CALIPSO MLS Format Specification Document

Description: As part of the development of an interoperable demonstration platform, a document outlining the label format for a CALIPSO label needs to be written. This will be used as part of the example documents for outlining an interoperable Labeled NFS environment.

Subtasks:

  • None as of yet

Status: This document has not been started; however, the existing CALIPSO document has a long section on how labels are represented. This might be usable for a large portion of the new document, with permission of the original authors.

FreeBSD 8.0 Prototype Tasks

Implement MAC Recommended Attribute

Description: In order to provide object label transport, a new recommended attribute has been proposed and accepted as the correct solution in NFSv4. This needs to be implemented in the FreeBSD 8.0 NFSv4 code. The specification for the attribute can be found in the IETF Internet-Draft archives.

Subtasks:

  • None as of yet

Status: No work has been done on this task; however, members of the FreeBSD community have expressed interest in assisting with this effort.

Implement RPCSECGSSv3

Description: After several iterations of client process label transport, a method was decided on by members of the NFSv4 working group. This method involves a new version of RPCSECGSS, which is the security mechanism used by NFSv4 for protecting RPC communications. An initial specification has been published as a personal Internet-Draft on the IETF website and also posted to the NFSv4 working group mailing list.

Subtasks:

  • Read Specification and study prior RPCSECGSS versions
  • Evaluate the FreeBSD 8.0 RPCSEC_GSS implementation for components needed by RPCSECGSSv3
  • Provide feedback to specification writers during implementation

Status: There is no current implementation effort for RPCSECGSSv3; however, there are ongoing efforts in the NFSv4 Working Group concerning the authoring and publication of the specification document.

Implement Translation Framework

Description: To handle the scenario where NFS servers and clients may not be running the same MAC policy, or even the same MAC model, there needs to be a way for the client or server to translate the MAC label into a format it can understand. The exact semantics of these translations are still being worked through; however, a mechanism is needed to allow the kernel and user space to communicate. In addition, a framework for supplying translation modules needs to be present to allow for a pluggable method of dealing with these translations.

Subtasks:

  • Evaluate kernel/userspace communication mechanisms for use in the framework
  • Attempt to port daemon and library implemented for the Linux translation framework
  • If porting is not possible, implement labelmapd and label mapping library

Status: When the Labeled NFS effort was first started, an initial prototype of the translation framework and daemon was written. These patches still exist but need to be updated to the latest version of Labeled NFS and of nfs-utils. The patches can be made available to anyone who wants to attempt to update the code.

Implement CALIPSO MLS Translation Module

Description: This task is identical to the one listed under the Linux Prototype section.

To show an interoperable demonstration platform for Labeled NFS, a CALIPSO label format translation module needs to be created to allow the Linux and FreeBSD prototypes to communicate with each other. This module should preferably be written so that it is portable to both Linux and FreeBSD.

Subtasks:

  • Evaluate Linux CIPSO Label implementation
  • Evaluate FreeBSD CIPSO Label implementation
  • Port implementations as necessary
  • Implement module

Status: No work has been done on this task to date; however, Linux does have an existing CIPSO label implementation which may provide a good starting point. This task has not been claimed.