diff mbox

[13/13] Kconfig: Add Kconfig entry for Labeled NFS V4 client

Message ID 1368719808-14584-14-git-send-email-SteveD@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Steve Dickson May 16, 2013, 3:56 p.m. UTC
From: Steve Dickson <steved@redhat.com>

This patch adds the NFS_V4_SECURITY_LABEL entry which
enables security label support for the NFSv4 client

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 fs/nfs/Kconfig | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

Comments

Eric Paris May 20, 2013, 8:57 p.m. UTC | #1
On Thu, May 16, 2013 at 11:56 AM, Steve Dickson <SteveD@redhat.com> wrote:
> From: Steve Dickson <steved@redhat.com>
>
> This patch adds the NFS_V4_SECURITY_LABEL entry which
> enables security label support for the NFSv4 client
>
> Signed-off-by: Steve Dickson <steved@redhat.com>
> ---
>  fs/nfs/Kconfig | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>
> diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
> index 79c500e..771831d3 100644
> --- a/fs/nfs/Kconfig
> +++ b/fs/nfs/Kconfig
> @@ -107,6 +107,7 @@ config NFS_V4_1
>  config NFS_V4_2
>         bool "NFS client support for NFSv4.2"
>         depends on NFS_V4_1
> +       select NFS_V4_SECURITY_LABEL

So this will force it on...

>         help
>           This option enables support for minor version 1 of the NFSv4 protocol
>           in the kernel's NFS client.
> @@ -140,6 +141,24 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
>           If the NFS client is unchanged from the upstream kernel, this
>           option should be set to the default "kernel.org".
>
> +config NFS_V4_SECURITY_LABEL
> +       bool "Provide Security Label support for NFSv4 client"
> +       depends on NFS_V4 && SECURITY

Even if SECURITY is not set?

Why are you forcing this on with a select?  select is dangerous..

> +       help
> +
> +       Say Y here if you want enable fine-grained security label attribute
> +       support for NFS version 4.  Security labels allow security modules like
> +       SELinux and Smack to label files to facilitate enforcement of their policies.
> +       Without this an NFSv4 mount will have the same label on each file.
> +
> +       If you do not wish to enable fine-grained security labels SELinux or
> +       Smack policies on NFSv4 files, say N.
> +
> +       WARNING: there is still a chance of backwards-incompatible protocol changes.
> +       For now we recommend "Y" only for developers and testers."
> +
> +       If unsure, say N.
> +
>  config ROOT_NFS
>         bool "Root file system on NFS"
>         depends on NFS_FS=y && IP_PNP
> --
> 1.8.1.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Trond Myklebust May 20, 2013, 9:12 p.m. UTC | #2
On Mon, 2013-05-20 at 16:57 -0400, Eric Paris wrote:
> On Thu, May 16, 2013 at 11:56 AM, Steve Dickson <SteveD@redhat.com> wrote:
> > From: Steve Dickson <steved@redhat.com>
> >
> > This patch adds the NFS_V4_SECURITY_LABEL entry which
> > enables security label support for the NFSv4 client
> >
> > Signed-off-by: Steve Dickson <steved@redhat.com>
> > ---
> >  fs/nfs/Kconfig | 19 +++++++++++++++++++
> >  1 file changed, 19 insertions(+)
> >
> > diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
> > index 79c500e..771831d3 100644
> > --- a/fs/nfs/Kconfig
> > +++ b/fs/nfs/Kconfig
> > @@ -107,6 +107,7 @@ config NFS_V4_1
> >  config NFS_V4_2
> >         bool "NFS client support for NFSv4.2"
> >         depends on NFS_V4_1
> > +       select NFS_V4_SECURITY_LABEL
> 
> So this will force it on...
> 
> >         help
> >           This option enables support for minor version 1 of the NFSv4 protocol
> >           in the kernel's NFS client.
> > @@ -140,6 +141,24 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
> >           If the NFS client is unchanged from the upstream kernel, this
> >           option should be set to the default "kernel.org".
> >
> > +config NFS_V4_SECURITY_LABEL
> > +       bool "Provide Security Label support for NFSv4 client"
> > +       depends on NFS_V4 && SECURITY
> 
> Even if SECURITY is not set?
> 
> Why are you forcing this on with a select?  select is dangerous..

Eric is right. In any case, we already agreed that we don't need _both_
a NFSv4.2 and a NFSv4 security label switch.

Please just get rid of NFS_V4_SECURITY_LABEL.
Trond Myklebust May 20, 2013, 9:14 p.m. UTC | #3
On Mon, 2013-05-20 at 17:12 -0400, Trond Myklebust wrote:
> On Mon, 2013-05-20 at 16:57 -0400, Eric Paris wrote:
> > On Thu, May 16, 2013 at 11:56 AM, Steve Dickson <SteveD@redhat.com> wrote:
> > > From: Steve Dickson <steved@redhat.com>
> > >
> > > This patch adds the NFS_V4_SECURITY_LABEL entry which
> > > enables security label support for the NFSv4 client
> > >
> > > Signed-off-by: Steve Dickson <steved@redhat.com>
> > > ---
> > >  fs/nfs/Kconfig | 19 +++++++++++++++++++
> > >  1 file changed, 19 insertions(+)
> > >
> > > diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
> > > index 79c500e..771831d3 100644
> > > --- a/fs/nfs/Kconfig
> > > +++ b/fs/nfs/Kconfig
> > > @@ -107,6 +107,7 @@ config NFS_V4_1
> > >  config NFS_V4_2
> > >         bool "NFS client support for NFSv4.2"
> > >         depends on NFS_V4_1
> > > +       select NFS_V4_SECURITY_LABEL
> > 
> > So this will force it on...
> > 
> > >         help
> > >           This option enables support for minor version 1 of the NFSv4 protocol
> > >           in the kernel's NFS client.
> > > @@ -140,6 +141,24 @@ config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
> > >           If the NFS client is unchanged from the upstream kernel, this
> > >           option should be set to the default "kernel.org".
> > >
> > > +config NFS_V4_SECURITY_LABEL
> > > +       bool "Provide Security Label support for NFSv4 client"
> > > +       depends on NFS_V4 && SECURITY
> > 
> > Even if SECURITY is not set?
> > 
> > Why are you forcing this on with a select?  select is dangerous..
> 
> Eric is right. In any case, we already agreed that we don't need _both_
> a NFSv4.2 and a NFSv4 security label switch.
> 
> Please just get rid of NFS_V4_SECURITY_LABEL.
> 

Sorry. I mean, just replace it with

config NFS_V4_SECURITY_LABEL
	bool
	depend on NFS_V4_2 && SECURITY
	default Y
diff mbox

Patch

diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
index 79c500e..771831d3 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -107,6 +107,7 @@  config NFS_V4_1
 config NFS_V4_2
 	bool "NFS client support for NFSv4.2"
 	depends on NFS_V4_1
+	select NFS_V4_SECURITY_LABEL
 	help
 	  This option enables support for minor version 1 of the NFSv4 protocol
 	  in the kernel's NFS client.
@@ -140,6 +141,24 @@  config NFS_V4_1_IMPLEMENTATION_ID_DOMAIN
 	  If the NFS client is unchanged from the upstream kernel, this
 	  option should be set to the default "kernel.org".
 
+config NFS_V4_SECURITY_LABEL
+	bool "Provide Security Label support for NFSv4 client"
+	depends on NFS_V4 && SECURITY
+	help
+
+	Say Y here if you want enable fine-grained security label attribute
+	support for NFS version 4.  Security labels allow security modules like
+	SELinux and Smack to label files to facilitate enforcement of their policies.
+	Without this an NFSv4 mount will have the same label on each file.
+
+	If you do not wish to enable fine-grained security labels SELinux or
+	Smack policies on NFSv4 files, say N.
+
+	WARNING: there is still a chance of backwards-incompatible protocol changes.  
+	For now we recommend "Y" only for developers and testers."
+
+	If unsure, say N.
+
 config ROOT_NFS
 	bool "Root file system on NFS"
 	depends on NFS_FS=y && IP_PNP