From: Jason Gunthorpe
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Thu, 29 Sep 2016 16:41:46 -0600
Message-ID: <20160929224146.GE27229@obsidianresearch.com>
References: <20160830184633.GE7586@obsidianresearch.com> <20160830185548.GA9768@obsidianresearch.com> <20160901163418.GA6479@obsidianresearch.com> <20160906200221.GE28416@obsidianresearch.com>
To: Paul Moore
Cc: Daniel Jurgens, Leon Romanovsky, Chris Wright, Stephen Smalley, Eric Paris, Doug Ledford, Sean Hefty, Hal Rosenstock, Yevgeny Petrilin, selinux, linux-security-module, linux-rdma
List-Id: linux-rdma@vger.kernel.org

On Thu, Sep 29, 2016 at 06:16:03PM -0400, Paul Moore wrote:
> The queue pair (QP) concept lives in the RDMA layer and isn't tied to
> any particular transport. They appear to be somewhat analogous to
> network sockets, although I'm guessing they can't be shared/passed
> between processes like a network socket, yes?

Yes

> The IB partition is similar to an ethernet VLAN in that it provides
> enforced separation across the network; IB uses partition keys, VLANs
> use tags/IDs. IB partition keys are a 16 bit number,
> GIDs appear to be a 16 byte number created from some combination of
> IP address, MAC address, and VLAN ID.

There are several gid formats

IB/OPA: 128 bit IPv6 address
RoCEv1: Sort of a link local IPv6 (?), vlan is specified directly by apps
RoCEv2: Some sort of label that also implies a vlan tag

We also have iwarp vs rocee where AFAIK iwarp should get the vlan tag
from the IP socket that is allocated against the eth interface.

> In the case of RDMA over IB, we want to control QP access to
> partitions/pkeys; in the case of RDMA over ethernet we want to control
> QP access to VLANs/GIDs.

Broadly, yes, and I don't know what restriction iwarp would need.
Probably restrict access based on the eth device, but that will
probably need additional selinux checking in the rdma core.

There are also UD QPs which are like UDP sockets, so every address
handle creation will need a security check too.

Jason
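The two identifiers the thread keeps coming back to, the 16-bit partition key and the 16-byte GID, are what an LSM hook in the RDMA core would be handed before it can allow or deny a QP or address-handle operation. The following decoder is an added example, not code from the patch series or from either poster. It assumes the InfiniBand P_Key layout (bit 15 = full membership, low 15 bits = partition index, 0xFFFF as the default partition), the RFC 4291 modified EUI-64 rule for MAC-derived link-local interface identifiers (the RoCEv1-style GID), and the IPv4-mapped IPv6 form (::ffff:a.b.c.d) for IPv4 RoCEv2 GIDs; all sample values are constructed.

```python
# Added example: decode an IB partition key (P_Key) and classify a 16-byte
# GID by the IPv6 form it takes. Not from the patch series; sample values
# below are constructed for illustration.
import ipaddress
from typing import Optional

PKEY_FULL_MEMBER = 0x8000   # bit 15: 1 = full member, 0 = limited member (IBA)
PKEY_INDEX_MASK = 0x7FFF    # low 15 bits name the partition
DEFAULT_PKEY = 0xFFFF       # default partition, full membership


def decode_pkey(pkey: int) -> dict:
    """Split a 16-bit P_Key into its partition index and membership type."""
    if not 0 <= pkey <= 0xFFFF:
        raise ValueError("P_Key must be a 16-bit value")
    return {
        "index": pkey & PKEY_INDEX_MASK,
        "full_member": bool(pkey & PKEY_FULL_MEMBER),
    }


def same_partition(pkey_a: int, pkey_b: int) -> bool:
    """Two P_Keys name the same partition when their low 15 bits match;
    the membership bit only restricts which members may talk to each other."""
    return (pkey_a & PKEY_INDEX_MASK) == (pkey_b & PKEY_INDEX_MASK)


def mac_from_eui64(interface_id: bytes) -> Optional[str]:
    """Recover a MAC address from a modified EUI-64 interface identifier
    (RFC 4291: ff:fe inserted in the middle, U/L bit of the first octet
    flipped). Returns None when the identifier is not MAC-derived."""
    if len(interface_id) != 8 or interface_id[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(interface_id[:3] + interface_id[5:])
    octets[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in octets)


def classify_gid(gid: bytes) -> dict:
    """Classify a 16-byte GID: IPv4-mapped (RoCEv2 over IPv4), link-local
    (fe80::/10, RoCEv1-style or IB subnet-local) or a global IPv6 address."""
    if len(gid) != 16:
        raise ValueError("GID must be 16 bytes")
    addr = ipaddress.IPv6Address(gid)
    if addr.ipv4_mapped is not None:
        kind, ipv4 = "ipv4-mapped", str(addr.ipv4_mapped)
    elif addr.is_link_local:
        kind, ipv4 = "link-local", None
    else:
        kind, ipv4 = "global", None
    return {
        "kind": kind,
        "prefix": gid[:8].hex(),          # subnet prefix (upper 64 bits)
        "interface_id": gid[8:].hex(),    # interface identifier (lower 64 bits)
        "ipv4": ipv4,
        "mac": mac_from_eui64(gid[8:]),
    }


# Constructed sample GIDs (hypothetical values, not from any real fabric)
SAMPLE_GIDS = {
    "ib_link_local": bytes.fromhex("fe800000000000000202c9fffe123456"),
    "rocev2_ipv4": bytes.fromhex("00000000000000000000ffffc0a8010a"),
    "global_ipv6": bytes.fromhex("20010db8000000000000000000000001"),
}

if __name__ == "__main__":
    for name, gid in SAMPLE_GIDS.items():
        print(name, classify_gid(gid))
    print(decode_pkey(DEFAULT_PKEY), decode_pkey(0x7FFF))
```

The split matters for policy: a check that compares whole P_Keys would treat a limited-member key and the full-member key of the same partition as different partitions, while a check on the GID needs to know whether it is looking at an IP address or a MAC-derived link-local identifier before it can map it to an ethernet device or VLAN.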