[NT ACLS] Using the security.* namespace for NTACL considered improper

Jeremy Allison jra at samba.org
Tue Jan 19 13:10:19 MST 2010


On Tue, Jan 19, 2010 at 02:34:47PM -0500, simo wrote:
> Tridge, Jeremy,
> I was following discussions on #samba-technical today and it came up
> that we have started using security.NTACL as the namespace where to
> store NT ACLs.
> 
> Talking with Christoph Hellwig he said that security.* should *not* be
> used as it is reserved for LSM modules (like SELinux).
> 
> Looking at man 5 attr this is briefly hinted indeed, and after further
> discussion it became clear that we should use the trusted.* namespace
> instead as this is what the man page says about it:
> 
>         Trusted  extended  attributes  are  visible and accessible only
>         to processes that have the CAP_SYS_ADMIN capability (the super
>         user  usually has  this  capability).  Attributes in this class
>         are used to implement mechanisms in user space (i.e., outside
>         the kernel) which keep information in extended attributes to
>         which ordinary processes should not have access.
> 
> 
> I think we should comply, and start moving NTACL from security.NTACL
> to trusted.NTACL as soon as possible, before it gets widely used.
> 
> What do you think?

Raise a "blocker" bug in 3.5.0 to make sure we don't
ship a production release with this. Once we've shipped
there's no going back.

I'll make the change to "trusted.*" in the code, and
attach the change to the bug.

Jeremy.
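
An added example, not part of the original message and not Samba code: a sketch of how files that already carry security.NTACL could be moved to the trusted.NTACL name proposed in this thread. It assumes the server reading the files looks for trusted.NTACL and that the attribute value is copied unchanged; `migrate_ntacl`, `migrate_tree` and the `xa` parameter are hypothetical names.

```python
import errno
import os

OLD_NAME = "security.NTACL"  # attribute name quoted in the thread
NEW_NAME = "trusted.NTACL"   # replacement name proposed in the thread
XATTR_CREATE = getattr(os, "XATTR_CREATE", 1)  # fail instead of overwriting


def migrate_ntacl(path, xa=os, dry_run=True):
    """Move OLD_NAME to NEW_NAME on one path.

    Returns 'absent', 'conflict', 'would-migrate' or 'migrated'.
    `xa` is any object with os-style *xattr functions (hypothetical hook
    so the logic can be exercised without CAP_SYS_ADMIN).
    """
    names = xa.listxattr(path, follow_symlinks=False)
    if OLD_NAME not in names:
        return "absent"
    blob = xa.getxattr(path, OLD_NAME, follow_symlinks=False)
    have_new = NEW_NAME in names
    if have_new and xa.getxattr(path, NEW_NAME, follow_symlinks=False) != blob:
        return "conflict"  # both exist and differ: leave for a human
    if dry_run:
        return "would-migrate"
    if not have_new:
        xa.setxattr(path, NEW_NAME, blob, XATTR_CREATE, follow_symlinks=False)
    # Drop the old copy only after the new one reads back identically.
    if xa.getxattr(path, NEW_NAME, follow_symlinks=False) != blob:
        raise OSError(errno.EIO, "read-back mismatch", path)
    xa.removexattr(path, OLD_NAME, follow_symlinks=False)
    return "migrated"


def migrate_tree(root, xa=os, dry_run=True):
    """Apply migrate_ntacl to every directory and file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if os.path.islink(path):
                continue
            status = migrate_ntacl(path, xa, dry_run)
            if status != "absent":
                report[path] = status
    return report
```

With the default `xa=os` this has to run as root on Linux: per the man page text quoted above, trusted.* attributes are only visible to processes with CAP_SYS_ADMIN, so an unprivileged dry run cannot see an existing trusted.NTACL.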

