public inbox for linux-rdma@vger.kernel.org
From: Jason Gunthorpe <jgg-uk2M96/98Pc@public.gmane.org>
To: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Bart Van Assche <bart.vanassche-Sjgp3cTcYWE@public.gmane.org>,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH, resend 4/4] IB/srp: Add RDMA/CM support
Date: Fri, 5 Jan 2018 12:25:49 -0700	[thread overview]
Message-ID: <20180105192549.GA11348@ziepe.ca> (raw)
In-Reply-To: <1515175618.3403.26.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On Fri, Jan 05, 2018 at 01:06:58PM -0500, Doug Ledford wrote:
> > Do the userspace daemons still manage the connection to SRP?
> >
> > If yes, then the networking information should be relative to the
> > namespace of the thing that wrote to the sysfs file..
>
> Maybe, maybe not.  It depends on the implementation.  IIRC you get one
> daemon per port, not one daemon per mount.

I don't think it depends - if we expose this sysfs file to a container
then anything less than using the container's net namespace sounds like
it is a path to allow the container to escape its net namespace.

The complication here is that sysfs creates a device, and that device
is currently created in the host namespace.

So from a security perspective containers shouldn't even have access
to this thing at all without more work to ensure that the created
block device is also restricted inside the container.

Since it is a sysfs file, and most container systems mount sysfs ro, we
can probably get away with ignoring namespaces for now?

But using the current process namespace is also a good choice.

In principle there can be multiple srp_daemons if they can coordinate
which ones do which. For instance a container could run its own
srp_daemon restricted to the pkeys the container has access to. If the
device stuff above was fixed then this would even make some sense...

Otherwise srp_daemon has to run in the host namespace, where the
created devices end up and it rightly should not see the netdevices
that are assigned to other namespaces.

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
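The argument above leans on sysfs being mounted read-only inside containers. The following is an added example, not part of the thread or of the SRP code: a POSIX shell check that parses /proc/self/mountinfo (or a file given as its argument) and reports whether /sys is mounted ro, rw, or not at all, run here against constructed sample lines.

```shell
#!/bin/sh
# Added example: report the mount state of sysfs at /sys in the current
# mount namespace. Output is "ro", "rw" or "absent".
sysfs_mount_state() {
    f="${1:-/proc/self/mountinfo}"
    [ -r "$f" ] || { echo absent; return 0; }
    awk '
    {
        # mountinfo: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
        # The optional fields vary, so locate the "-" separator first.
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0) next
        if ($5 != "/sys" || $(sep + 1) != "sysfs") next
        found = 1
        # $6 holds the per-mount options, e.g. "ro,nosuid,nodev,noexec,relatime"
        n = split($6, opt, ",")
        for (j = 1; j <= n; j++) if (opt[j] == "ro") { print "ro"; exit }
        print "rw"; exit
    }
    END { if (!found) print "absent" }
    ' "$f"
}

# Constructed sample mountinfo files (not captured from a real system).
SAMPLE_CONTAINER=$(mktemp)
cat >"$SAMPLE_CONTAINER" <<'EOF'
22 21 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
EOF
SAMPLE_HOST=$(mktemp)
cat >"$SAMPLE_HOST" <<'EOF'
25 1 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
EOF
SAMPLE_NONE=$(mktemp)
cat >"$SAMPLE_NONE" <<'EOF'
22 21 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF

echo "container sample: $(sysfs_mount_state "$SAMPLE_CONTAINER")"
echo "host sample:      $(sysfs_mount_state "$SAMPLE_HOST")"
echo "no-sysfs sample:  $(sysfs_mount_state "$SAMPLE_NONE")"
echo "this process:     $(sysfs_mount_state)"
```

A "rw" result inside a container means the ro assumption does not hold there and the namespace question in the message cannot be deferred.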
