From: Ira Weiny <ira.weiny-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
To: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: "Hefty,
Sean" <sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
Hal Rosenstock
<hal-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org>,
Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>,
"selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org"
<selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Yevgeny Petrilin
<yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA
Date: Thu, 14 Apr 2016 12:26:06 -0400 [thread overview]
Message-ID: <20160414162604.GA9697@rhel.sc.intel.com> (raw)
In-Reply-To: <AM2PR05MB1105E03BDEE8ED9552C8EDE7C4970-Wc3DjHnhGidZ7IXwgIC3xtqRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
On Thu, Apr 14, 2016 at 01:11:15PM +0000, Daniel Jurgens wrote:
> On 4/13/2016 11:23 PM, Hefty, Sean wrote:
> >>>> Former (multicast modifications of fabric) also requires restricting
> >>>> arbitrary UD QPs as well as QP1 as SA access is QPn (n > 0) <-> QP1.
> >>>
> >>> The SA could have an option to ignore all requests that do not originate
> >> QP1,
> >>> then protect access to QP1 on the client nodes.
> >>
> >> I'm not really sure what we are protecting against here. Is it simply DoS
> >> against the SA?
> >
> > This would protect against a non-privileged QP trying to change multicast or event subscription, for example. Though it could help with DoS, by avoiding the processing associated with requests. Jason's original question was why would you want to leave qp1 open, and I think the answer to that depends on what restrictions could be enforced for qpX: X > 1. Restricting both seem desirable, IMO.
> >
>
> There are no qpX to qpX restrictions. As long as the users that created
> both QPs have permission to use the PKey in the PKey index they
> specified then they are free to communicate in any way.
For GSI (from 'random' QPs) this seams reasonable.
In InfiniBand, the pkey is ignored in SMPs (those packets on QP0/VL15). So it
does not really make sense to me to control SMPs via pkey. (OPA does check
pkeys in SMPs.)
Therefore, I agree with Jason that need to control access to QP0. Furthermore,
I think you can/should do that when the agent is registered. This will be more
performant for SMs as well.
For SA/GSI access using umad I think the best control is to limit access to the
umad char device itself? ibacm has been changed to be an SA cache (with
plugins available for both IB and OPA) and therefore it can run with sufficient
privileges to access the umad char device. Then regular user applications
don't need umad access at all.
For SA/GSI interactions from 'random' UD QPs, those can be controlled via the
Pkey mechanism you mention above.
If you do add a check on every packet in the mad stack I would like time to
evaluate how that will affect the mad interface for performance.
Ira
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Ira Weiny <ira.weiny@intel.com>
To: Daniel Jurgens <danielj@mellanox.com>
Cc: "Hefty, Sean" <sean.hefty@intel.com>,
Hal Rosenstock <hal@dev.mellanox.co.il>,
Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
Yevgeny Petrilin <yevgenyp@mellanox.com>
Subject: Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA
Date: Thu, 14 Apr 2016 12:26:06 -0400 [thread overview]
Message-ID: <20160414162604.GA9697@rhel.sc.intel.com> (raw)
In-Reply-To: <AM2PR05MB1105E03BDEE8ED9552C8EDE7C4970@AM2PR05MB1105.eurprd05.prod.outlook.com>
On Thu, Apr 14, 2016 at 01:11:15PM +0000, Daniel Jurgens wrote:
> On 4/13/2016 11:23 PM, Hefty, Sean wrote:
> >>>> Former (multicast modifications of fabric) also requires restricting
> >>>> arbitrary UD QPs as well as QP1 as SA access is QPn (n > 0) <-> QP1.
> >>>
> >>> The SA could have an option to ignore all requests that do not originate
> >> QP1,
> >>> then protect access to QP1 on the client nodes.
> >>
> >> I'm not really sure what we are protecting against here. Is it simply DoS
> >> against the SA?
> >
> > This would protect against a non-privileged QP trying to change multicast or event subscription, for example. Though it could help with DoS, by avoiding the processing associated with requests. Jason's original question was why would you want to leave qp1 open, and I think the answer to that depends on what restrictions could be enforced for qpX: X > 1. Restricting both seem desirable, IMO.
> >
>
> There are no qpX to qpX restrictions. As long as the users that created
> both QPs have permission to use the PKey in the PKey index they
> specified then they are free to communicate in any way.
For GSI (from 'random' QPs) this seams reasonable.
In InfiniBand, the pkey is ignored in SMPs (those packets on QP0/VL15). So it
does not really make sense to me to control SMPs via pkey. (OPA does check
pkeys in SMPs.)
Therefore, I agree with Jason that need to control access to QP0. Furthermore,
I think you can/should do that when the agent is registered. This will be more
performant for SMs as well.
For SA/GSI access using umad I think the best control is to limit access to the
umad char device itself? ibacm has been changed to be an SA cache (with
plugins available for both IB and OPA) and therefore it can run with sufficient
privileges to access the umad char device. Then regular user applications
don't need umad access at all.
For SA/GSI interactions from 'random' UD QPs, those can be controlled via the
Pkey mechanism you mention above.
If you do add a check on every packet in the mad stack I would like time to
evaluate how that will affect the mad interface for performance.
Ira
next prev parent reply other threads:[~2016-04-14 16:26 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-06 23:33 [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA Dan Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 07/13] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 08/13] ib/core: IB cache enhancements to support Infiniband security Dan Jurgens
[not found] ` <1459985638-37233-9-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-07 2:53 ` Leon Romanovsky
2016-04-07 2:53 ` Leon Romanovsky
2016-04-07 15:43 ` Daniel Jurgens
2016-04-07 15:43 ` Daniel Jurgens
2016-04-07 15:09 ` Leon Romanovsky
2016-04-07 15:09 ` Leon Romanovsky
2016-04-06 23:33 ` [RFC PATCH v2 11/13] ib/core: Enforce Infiniband device SMI security Dan Jurgens
[not found] ` <1459985638-37233-12-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-07 20:44 ` Leon Romanovsky
2016-04-07 20:44 ` Leon Romanovsky
2016-04-07 21:55 ` Daniel Jurgens
2016-04-07 21:55 ` Daniel Jurgens
[not found] ` <1459985638-37233-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-06 23:33 ` [RFC PATCH v2 01/13] security: Add LSM hooks for Infiniband security Dan Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 02/13] selinux: Create policydb version for Infiniband support Dan Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 03/13] selinux: Implement Infiniband flush callback Dan Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 04/13] selinux: Allocate and free infiniband security hooks Dan Jurgens
[not found] ` <1459985638-37233-5-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-11 15:24 ` Casey Schaufler
2016-04-11 15:24 ` Casey Schaufler
2016-04-11 20:41 ` Daniel Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 05/13] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 06/13] selinux: Add IB Device SMI " Dan Jurgens
2016-04-06 23:33 ` [RFC PATCH v2 09/13] ib/core: Enforce PKey security when modifying QPs Dan Jurgens
[not found] ` <1459985638-37233-10-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-07 16:31 ` Leon Romanovsky
2016-04-07 16:31 ` Leon Romanovsky
2016-04-07 17:03 ` Daniel Jurgens
2016-04-07 17:03 ` Daniel Jurgens
[not found] ` <DB5PR05MB111169883324ADC42E52C4D6C4900-8IvNv+8VlcBJTpKhoUy7I9qRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-07 17:39 ` leon-2ukJVAZIZ/Y
2016-04-07 17:39 ` leon
2016-04-07 17:44 ` Daniel Jurgens
2016-04-07 17:44 ` Daniel Jurgens
2016-04-07 21:02 ` Daniel Jurgens
2016-04-07 21:02 ` Daniel Jurgens
[not found] ` <DB5PR05MB11113874870EBBE896E0D601C4900-8IvNv+8VlcBJTpKhoUy7I9qRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-07 21:10 ` leon-2ukJVAZIZ/Y
2016-04-07 21:10 ` leon
2016-04-07 21:23 ` Daniel Jurgens
2016-04-07 21:23 ` Daniel Jurgens
[not found] ` <DB5PR05MB11115DF816F6CEAD7738201EC4900-8IvNv+8VlcBJTpKhoUy7I9qRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-07 23:24 ` leon-2ukJVAZIZ/Y
2016-04-07 23:24 ` leon
2016-04-06 23:33 ` [RFC PATCH v2 10/13] ib/core: Enforce PKey security on management datagrams Dan Jurgens
[not found] ` <1459985638-37233-11-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-07 20:39 ` Leon Romanovsky
2016-04-07 20:39 ` Leon Romanovsky
2016-04-06 23:33 ` [RFC PATCH v2 12/13] ib/core: Track which QPs are using which port and PKey index Dan Jurgens
[not found] ` <1459985638-37233-13-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-07 20:53 ` Leon Romanovsky
2016-04-07 20:53 ` Leon Romanovsky
2016-04-06 23:33 ` [RFC PATCH v2 13/13] ib/core: Implement the Infiniband flush callback Dan Jurgens
2016-04-11 20:11 ` [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA Jason Gunthorpe
2016-04-11 20:11 ` Jason Gunthorpe
2016-04-11 20:38 ` Daniel Jurgens
2016-04-11 20:38 ` Daniel Jurgens
[not found] ` <DB5PR05MB111168B6670B36F12979705BC4940-8IvNv+8VlcBJTpKhoUy7I9qRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-11 22:12 ` Jason Gunthorpe
2016-04-11 22:12 ` Jason Gunthorpe
2016-04-11 22:30 ` Daniel Jurgens
2016-04-11 22:30 ` Daniel Jurgens
[not found] ` <DB5PR05MB1111E6A72480FF78AAB12747C4940-8IvNv+8VlcBJTpKhoUy7I9qRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-11 23:12 ` Jason Gunthorpe
2016-04-11 23:12 ` Jason Gunthorpe
2016-04-11 23:35 ` Daniel Jurgens
2016-04-11 23:35 ` Daniel Jurgens
2016-04-12 0:06 ` Jason Gunthorpe
[not found] ` <20160412000621.GD5861-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-04-12 5:21 ` Hal Rosenstock
2016-04-12 5:21 ` Hal Rosenstock
2016-04-12 17:06 ` Hefty, Sean
2016-04-12 17:58 ` Jason Gunthorpe
[not found] ` <20160412175837.GA15027-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-04-13 12:09 ` Hal Rosenstock
2016-04-13 12:09 ` Hal Rosenstock
2016-04-13 13:17 ` Daniel Jurgens
2016-04-13 13:17 ` Daniel Jurgens
2016-04-13 5:07 ` Hal Rosenstock
2016-04-13 16:47 ` Hefty, Sean
[not found] ` <1828884A29C6694DAF28B7E6B8A82373AB041285-P5GAC/sN6hkd3b2yrw5b5LfspsVTdybXVpNB7YpNyf8@public.gmane.org>
2016-04-14 0:27 ` Ira Weiny
2016-04-14 0:27 ` Ira Weiny
2016-04-14 0:31 ` Ira Weiny
2016-04-14 4:22 ` Hefty, Sean
2016-04-14 4:22 ` Hefty, Sean
2016-04-14 13:11 ` Daniel Jurgens
2016-04-14 13:11 ` Daniel Jurgens
[not found] ` <AM2PR05MB1105E03BDEE8ED9552C8EDE7C4970-Wc3DjHnhGidZ7IXwgIC3xtqRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-14 16:26 ` Ira Weiny [this message]
2016-04-14 16:26 ` Ira Weiny
2016-04-14 16:49 ` Daniel Jurgens
2016-04-14 16:49 ` Daniel Jurgens
[not found] ` <AM2PR05MB11059E1985CE6544FAE4BA00C4970-Wc3DjHnhGidZ7IXwgIC3xtqRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-14 21:58 ` Ira Weiny
2016-04-14 21:58 ` Ira Weiny
2016-04-14 13:06 ` Daniel Jurgens
2016-04-14 13:06 ` Daniel Jurgens
2016-04-12 16:45 ` Daniel Jurgens
2016-04-12 16:45 ` Daniel Jurgens
2016-04-12 5:12 ` Hal Rosenstock
2016-04-12 16:43 ` Daniel Jurgens
2016-04-12 16:43 ` Daniel Jurgens
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160414162604.GA9697@rhel.sc.intel.com \
--to=ira.weiny-ral2jqcrhueavxtiumwx3w@public.gmane.org \
--cc=danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=hal-LDSdmyG8hGV8YrgS2mwiifqBs+8SCbDb@public.gmane.org \
--cc=jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.