From: Leon Romanovsky
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Tue, 30 Aug 2016 18:01:51 +0300
Message-ID: <20160830150151.GP594@leon.nu>
References: <1469800416-125043-1-git-send-email-danielj@mellanox.com> <20160830074607.GN594@leon.nu>
To: Daniel Jurgens
Cc: Paul Moore, "chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org", Stephen Smalley, Eric Paris, "dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org", "sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org", "hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org", "selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org", "linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org", "linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org", Yevgeny Petrilin
List-Id: linux-rdma@vger.kernel.org

On Tue, Aug 30, 2016 at 02:06:53PM +0000, Daniel Jurgens wrote:
> On 8/30/2016 8:53 AM, Paul Moore wrote:
> > On Tue, Aug 30, 2016 at 3:46 AM, Leon Romanovsky wrote:
> >> On Mon, Aug 29, 2016 at 08:00:32PM -0400, Paul Moore wrote:
> >>> On Mon, Aug 29, 2016 at 5:48 PM, Daniel Jurgens wrote:
> >>>> On 8/29/2016 4:40 PM, Paul Moore wrote:
> >>>>> On Fri, Jul 29, 2016 at 9:53 AM, Dan Jurgens wrote:
> >>>>>> From: Daniel Jurgens
> >>>>> ...
> >>>>>
> >>>>>> Daniel Jurgens (9):
> >>>>>>   IB/core: IB cache enhancements to support Infiniband security
> >>>>>>   IB/core: Enforce PKey security on QPs
> >>>>>>   selinux lsm IB/core: Implement LSM notification system
> >>>>>>   IB/core: Enforce security on management datagrams
> >>>>>>   selinux: Create policydb version for Infiniband support
> >>>>>>   selinux: Allocate and free infiniband security hooks
> >>>>>>   selinux: Implement Infiniband PKey "Access" access vector
> >>>>>>   selinux: Add IB Port SMP access vector
> >>>>>>   selinux: Add a cache for quicker retreival of PKey SIDs
> >>>>> Hi Daniel,
> >>>>>
> >>>>> My apologies for such a long delay in responding to this latest
> >>>>> patchset; conferences, travel, and vacation have made for a very busy
> >>>>> August. After you posted the v2 patchset we had an off-list
> >>>>> discussion regarding testing the SELinux/IB integration; unfortunately
> >>>>> we realized that IB hardware would be needed to test this (no IB
> >>>>> loopback device), but we agreed that having tests would be beneficial.
> >>>>>
> >>>>> Have you done any work yet towards adding SELinux/IB tests to the
> >>>>> selinux-testsuite project?
> >>>>>
> >>>>> * https://github.com/SELinuxProject/selinux-testsuite
> >>>> Hi Paul, I've not started doing that yet. I've been waiting for
> >>>> feedback of any kind from the RDMA list. I thought the test updates
> >>>> would be more appropriate around the time I'm submitting the changes
> >>>> to the user space utilities to allow labeling the new types.
> >>> Okay, no problem. I just want the tests in place and functional when
> >>> we merge the kernel code.
> >> Hi Paul,
> >>
> >> IMHO, you can use Soft RoCE (RXE) [1] for it.
> >>
> >> ----
> >> Soft RoCE (RXE) - The software RoCE driver
> >>
> >> ib_rxe implements the RDMA transport and registers to the RDMA core
> >> device as a kernel verbs provider. It also implements the packet IO
> >> layer. On the other hand ib_rxe registers to the Linux netdev stack
> >> as a UDP encapsulating protocol, in that case RDMA, for sending and
> >> receiving packets over any Ethernet device. This yields an RDMA
> >> transport over the UDP/Ethernet network layer forming a RoCEv2
> >> compatible device.
> >>
> >> The configuration procedure of the Soft RoCE drivers requires
> >> binding to any existing Ethernet network device. This is done with
> >> the /sys interface.
> >> ----
> >>
> >> [1]
> >> https://git.kernel.org/cgit/linux/kernel/git/dledford/rdma.git/tree/drivers/infiniband/sw/rxe
> > Hi Leon,
> >
> > It looks like v4.8 will have all the necessary pieces for this, yes?
> > Is there any documentation on this other than the git log? Keep in
> > mind I'm looking at this from the SELinux side, I'm very Infiniband
> > ignorant at the moment; although Daniel has been very patient in
> > walking me through some of the basics.
> >
> > Daniel, does this look like something we might be able to use?
> >
> I don't think this will be useful; RoCE doesn't have partitions/PKeys
> because it uses Ethernet as the transport instead of Infiniband.

Yeah, sorry for the noise.