From: Jason Gunthorpe
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Tue, 6 Sep 2016 15:55:48 -0600
Message-ID: <20160906215548.GA27225@obsidianresearch.com>
References: <20160830184633.GE7586@obsidianresearch.com> <20160830185548.GA9768@obsidianresearch.com> <20160901163418.GA6479@obsidianresearch.com> <20160906200221.GE28416@obsidianresearch.com>
To: Daniel Jurgens
Cc: Paul Moore, Leon Romanovsky, chrisw@sous-sol.org, Stephen Smalley, Eric Paris, dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, linux-rdma@vger.kernel.org, Yevgeny Petrilin
List-Id: linux-rdma@vger.kernel.org

On Tue, Sep 06, 2016 at 08:35:56PM +0000, Daniel Jurgens wrote:

> I think to control access to a VLAN for RoCE there would have to be
> labels for GIDs, since that's how you select which VLAN to use.

Since people are talking about using GIDs for containers, adding a GID
constraint for all technologies makes sense to me.

But RoCEv1 (at least mlx4) does not use VLAN IDs from the GID; the VLAN
ID is set directly in the ID, so it still seems to need direct
containment. I also see VLAN-related stuff in the iWARP providers, so
they probably have a similar requirement.

> required. RDMA device handle labeling isn't granular enough for
> what I'm trying to accomplish. We want users with different levels
> of permission to be able to use the same device, but restrict who
> they can communicate with by isolating them to separate partitions.

Sure, but maybe you should use the (device handle:pkey/vlan_id) as your
labeling tuple, not (Subnet Prefix, pkey).

Jason